在本章中,无涯教程将讨论Authorize属性,到目前为止,在应用程序中,已经允许匿名用户执行任何操作,他们可以编辑员工详细信息并查看详细信息,但是没有创建新员工的功能。首先添加创建功能,然后使用Authorize属性限制用户访问。
首先需要在 Views→Home 文件夹中创建一个新的MVC View页面,并将其命名为Create.cshtml,然后添加以下代码。
@model Employee @{ ViewBag.Title = "Create"; } <h1>Create</h1>@using (Html.BeginForm()) { <div> @Html.LabelFor(m => m.Name) @Html.EditorFor(m => m.Name) @Html.ValidationMessageFor(m => m.Name) </div>
<div> <input type = "submit" value = "Save" /> </div> }
现在,将在HomeController中为POST和GET添加 action方法,如以下程序所示。
[HttpGet]
public ViewResult Create() {
return View();
}
[HttpPost]
public IActionResult Create(EmployeeEditViewModel model) {
if (ModelState.IsValid) {
var employee = new Employee();
employee.Name = model.Name;
var context = new FirstAppDemoDbContext();
</span><span class="typ">SQLEmployeeData</span><span class="pln"> sqlData </span><span class="pun">=</span><span class="pln"> </span><span class="kwd">new</span><span class="pln"> </span><span class="typ">SQLEmployeeData</span><span class="pun">(</span><span class="pln">context</span><span class="pun">);</span><span class="pln">
sqlData</span><span class="pun">.</span><span class="typ">Add</span><span class="pun">(</span><span class="pln">employee</span><span class="pun">);</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">RedirectToAction</span><span class="pun">(</span><span class="str">"Details"</span><span class="pun">,</span><span class="pln"> </span><span class="kwd">new</span><span class="pln"> </span><span class="pun">{</span><span class="pln"> id </span><span class="pun">=</span><span class="pln"> employee</span><span class="pun">.</span><span class="typ">Id</span><span class="pln"> </span><span class="pun">});</span><span class="pln">
}
return View();
}
在Index.cshtml文件中添加指向创建视图的链接,如以下程序所示。
@model HomePageViewModel
@{
ViewBag.Title = "Home";
}
<h1>Welcome!</h1>
<table>
@foreach (var employee in Model.Employees) {
<tr>
<td>@employee.Name
<td>
<a asp-controller = "Home" asp-action = "Details"
asp-routeid = "@employee.Id">Details</a>
</span><span class="pun"><</span><span class="pln">a asp</span><span class="pun">-</span><span class="pln">controller </span><span class="pun">=</span><span class="pln"> </span><span class="str">"Home"</span><span class="pln"> asp</span><span class="pun">-</span><span class="pln">action </span><span class="pun">=</span><span class="pln"> </span><span class="str">"Edit"</span><span class="pln">
asp</span><span class="pun">-</span><span class="pln">routeid </span><span class="pun">=</span><span class="pln"> </span><span class="str">"@employee.Id"</span><span class="pun">></span><span class="typ">Edit</span><span class="pun"></</span><span class="pln">a</span><span class="pun">></span><span class="pln">
</span><span class="pun"></</span><span class="pln">td</span><span class="pun">></span><span class="pln">
</span><span class="pun"></</span><span class="pln">tr</span><span class="pun">></span><span class="pln">
}
</table>
<div>
<a asp-action = "Create">Create</a>
</div>
运行应用程序;您将看到以下页面。
在主页上,您将看到"Create"链接。单击"Create"链接时,它将带您进入"Create view"。
在名称字段中输入名称,然后单击保存按钮。
现在,您将看到新添加员工的详细视图。单击"Home"链接。
在此应用程序中,每个用户都可以创建,编辑员工,每个人都可以看到详细信息视图,要更改此行为,以便匿名用户只能在主页上看到员工列表,但是其他所有操作都需要用户标识自己的身份并登录,可以使用 Authorize属性。
您可以将Authorize属性放在控制器上或控制器内部的单个动作上。
[Authorize] public class HomeController : Controller { //.... }
在控制器本身上放置Authorize属性时,authorize属性将应用于内部的所有操作。
除非用户通过授权检查,否则MVC框架将不允许请求执行受此属性保护的操作。
默认情况下,如果不使用其他参数,则Authorize属性将进行的唯一检查就是确保用户已登录,以便知道其身份。
还有一个AllowAnonymous属性。当您想使用控制器上的Authorize属性来保护其中的所有动作时,此属性很有用,但是您想要取消保护此单个动作或一个或两个动作并允许匿名用户执行该特定动作。
[AllowAnonymous] public ViewResult Index() { var model = new HomePageViewModel();using (var context = new FirstAppDemoDbContext()) { SQLEmployeeData sqlData = new SQLEmployeeData(context); model.Employees = sqlData.GetAll(); }
return View(model); }
在应用程序中尝试这些属性。在运行的应用程序中,匿名用户可以编辑员工。
希望对此进行更改,并迫使用户登录并标识自己,然后才能编辑员工。现在进入HomeController,在此,将限制访问操作。始终可以将Authorize属性放要保护的那些特定操作上,还可以将Authorize属性放在控制器本身上,并且此Authorize属性位于Microsoft.AspNet.Authorization命名空间中。
现在,将使用Authorize属性,并强制用户标识自己进入此控制器,但以下程序所示的主页除外。
[Authorize]
public class HomeController : Controller {
[AllowAnonymous]
public ViewResult Index() {
var model = new HomePageViewModel();
using (var context = new FirstAppDemoDbContext()) {
SQLEmployeeData sqlData = new SQLEmployeeData(context);
model.Employees = sqlData.GetAll();
}
return View(model);
}
public IActionResult Details(int id) {
var context = new FirstAppDemoDbContext();
SQLEmployeeData sqlData = new SQLEmployeeData(context);
var model = sqlData.Get(id);
</span><span class="kwd">if</span><span class="pln"> </span><span class="pun">(</span><span class="pln">model </span><span class="pun">==</span><span class="pln"> </span><span class="kwd">null</span><span class="pun">)</span><span class="pln"> </span><span class="pun">{</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">RedirectToAction</span><span class="pun">(</span><span class="str">"Index"</span><span class="pun">);</span><span class="pln">
</span><span class="pun">}</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">View</span><span class="pun">(</span><span class="pln">model</span><span class="pun">);</span><span class="pln">
}
[HttpGet]
public IActionResult Edit(int id) {
var context = new FirstAppDemoDbContext();
SQLEmployeeData sqlData = new SQLEmployeeData(context);
var model = sqlData.Get(id);
</span><span class="kwd">if</span><span class="pln"> </span><span class="pun">(</span><span class="pln">model </span><span class="pun">==</span><span class="pln"> </span><span class="kwd">null</span><span class="pun">)</span><span class="pln"> </span><span class="pun">{</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">RedirectToAction</span><span class="pun">(</span><span class="str">"Index"</span><span class="pun">);</span><span class="pln">
</span><span class="pun">}</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">View</span><span class="pun">(</span><span class="pln">model</span><span class="pun">);</span><span class="pln">
}
[HttpPost]
public IActionResult Edit(int id, EmployeeEditViewModel input) {
var context = new FirstAppDemoDbContext();
SQLEmployeeData sqlData = new SQLEmployeeData(context);
var employee = sqlData.Get(id);
</span><span class="kwd">if</span><span class="pln"> </span><span class="pun">(</span><span class="pln">employee </span><span class="pun">!=</span><span class="pln"> </span><span class="kwd">null</span><span class="pln"> </span><span class="pun">&&</span><span class="pln"> </span><span class="typ">ModelState</span><span class="pun">.</span><span class="typ">IsValid</span><span class="pun">)</span><span class="pln"> </span><span class="pun">{</span><span class="pln">
employee</span><span class="pun">.</span><span class="typ">Name</span><span class="pln"> </span><span class="pun">=</span><span class="pln"> input</span><span class="pun">.</span><span class="typ">Name</span><span class="pun">;</span><span class="pln">
context</span><span class="pun">.</span><span class="typ">SaveChanges</span><span class="pun">();</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">RedirectToAction</span><span class="pun">(</span><span class="str">"Details"</span><span class="pun">,</span><span class="pln"> </span><span class="kwd">new</span><span class="pln"> </span><span class="pun">{</span><span class="pln"> id </span><span class="pun">=</span><span class="pln"> employee</span><span class="pun">.</span><span class="typ">Id</span><span class="pln"> </span><span class="pun">});</span><span class="pln">
</span><span class="pun">}</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">View</span><span class="pun">(</span><span class="pln">employee</span><span class="pun">);</span><span class="pln">
}
[HttpGet]
public ViewResult Create() {
return View();
}
[HttpPost]
public IActionResult Create(EmployeeEditViewModel model) {
if (ModelState.IsValid) {
var employee = new Employee();
employee.Name = model.Name;
var context = new FirstAppDemoDbContext();
</span><span class="typ">SQLEmployeeData</span><span class="pln"> sqlData </span><span class="pun">=</span><span class="pln"> </span><span class="kwd">new</span><span class="pln"> </span><span class="typ">SQLEmployeeData</span><span class="pun">(</span><span class="pln">context</span><span class="pun">);</span><span class="pln">
sqlData</span><span class="pun">.</span><span class="typ">Add</span><span class="pun">(</span><span class="pln">employee</span><span class="pun">);</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">RedirectToAction</span><span class="pun">(</span><span class="str">"Details"</span><span class="pun">,</span><span class="pln"> </span><span class="kwd">new</span><span class="pln"> </span><span class="pun">{</span><span class="pln"> id </span><span class="pun">=</span><span class="pln"> employee</span><span class="pun">.</span><span class="typ">Id</span><span class="pln"> </span><span class="pun">});</span><span class="pln">
</span><span class="pun">}</span><span class="pln">
</span><span class="kwd">return</span><span class="pln"> </span><span class="typ">View</span><span class="pun">();</span><span class="pln">
}
}
显示雇员列表的主页或 Index.cshtml 文件具有 AllowAnonymous属性。现在运行您的应用程序。
按F12键,这将打开开发人员工具。现在,进入"Network"标签。
无涯教程希望在开发人员工具中注意几件事,因此可以看到它们是如何工作的。单击"Edit"链接时,将看到空白页。
如果您查看开发人员工具,则会看到从服务器返回的HTTP状态代码是 401状态代码。
401状态码告诉浏览器,由于缺少有效的身份验证凭据,因此不允许该请求通过,这告诉Authorize属性正在工作。
同样,当您单击主页上的"Create"链接时,您将看到与以下屏幕截图所示相同的错误。
在这里,最糟糕的是,用户留在空白页面上,除非他们打开了开发人员工具,否则他们可能不知道这是身份验证问题。
这时Identity框架可以介入并提供帮助的地方。
一旦安装并配置了Identity框架,将了解其工作原理。
但是现在,可以看到 Authorize属性正常工作。
