Edit: the AuthorizeAttr attribute is set in the RegisterGlobalFilters function in Global.asax and the Anon attribute is marked directly above the actions that doesn´t need authorization.
Here is my code:
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class Anon : Attribute { }
public class Role : Attribute
{
public int Id;
public Role(int id)
{
Id = id;
}
}
public class AuthorizeAttr : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (!(filterContext.ActionDescriptor.IsDefined(typeof(Anon), false)) || !(filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(Anon), false)))
{
Procurement.User u = MvcApplication.GetCurrentUser(filterContext.HttpContext);
if (u == null || !u.enabled)
filterContext.Result = new RedirectResult("/Session/Login?msg=You must log in to use this site.&ReturnUrl=" + filterContext.RequestContext.HttpContext.Request.RawUrl);
if (filterContext.ActionDescriptor.IsDefined(typeof(Role), false))
{
object[] criterias = filterContext.ActionDescriptor.GetCustomAttributes(typ开发者_JAVA百科eof(Role), false);
bool authorized = true;
for (int x = 0; x < criterias.Length; x++)
{
if (((Role)criterias[x]).Id > u.roleId)
{
authorized = false;
break;
}
}
if (!authorized)
{
ContentResult C = new ContentResult();
C.Content = "<h1><b>The resource is unavailable!</b></h1>";
filterContext.Result = C;
}
}
}
}
}
In boolean algebra the negation of
isDefinedOnAction || isDefinedOnController
is:
!isDefinedOnAction && !isDefinedOnController
So you probably want an &&
condition:
public override void OnAuthorization(AuthorizationContext filterContext)
{
var isDefinedOnAction = filterContext.ActionDescriptor.IsDefined(typeof(Anon), false);
var isDefinedOnController = filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(Anon), false);
if (!isDefinedOnAction && !isDefinedOnController)
{
... the Anon attribute is not present neither on an action nor on a controller
=> perform your authorization here
}
}
or if you want ||
:
public override void OnAuthorization(AuthorizationContext filterContext)
{
var isDefinedOnAction = filterContext.ActionDescriptor.IsDefined(typeof(Anon), false);
var isDefinedOnController = filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(Anon), false);
if (isDefinedOnAction || isDefinedOnController)
{
... the attribute is present on either a controller or an action
=> do nothing here
}
else
{
... perform your authorization here
}
}
Obviously the first is by far more readable.
精彩评论