我已经设置应用程序允许每个用户有多个角色。
public class SelectRoleViewModel
{
public string Id { get; set; }
public bool Checked { get; set; }
public string RoleName { get; set; }
public string Description { get; set; }
}
public class EditUser
{
// other properties
public List<SelectRoleViewModel> Roles { get; set; }
}
现在在控件中,在Edit get方法中我写了这个
[CustomAuthorize(Roles = ("Admin,Manager"))]
public ActionResult Edit(string Id)
{
var editUser = GetEditUser(Id);
bool isAdmin = User.IsInRole("Admin");
if (!isAdmin)
{
if (editUser.Roles.Exists(x => x.RoleName == "Admin"))
{
return RedirectToAction("AccessNotAllowed", "Errors");
}
}
// Here just edit what you want
return View(editUser);
}
private EditUser GetEditUser(string Id)
{
var dbUser = UserManager.Users.Where(x => x.Id == Id).FirstOrDefault();
var currentRoles = dbUser.Roles.Select(x => x.RoleId).ToList();
var allRoles = _roleManager.Roles.ToList();
EditUser editUser = new EditUser();
foreach (var x in allRoles)
{
if (currentRoles.Contains(x.Id))
editUser.Roles.Add(new SelectRoleViewModel { Id = x.Id, RoleName = x.Name, Description = x.Description, Checked = true });
else
editUser.Roles.Add(new SelectRoleViewModel { Id = x.Id, RoleName = x.Name, Description = x.Description, Checked = false });
}
if (User.IsInRole("Manager"))
{
// don't show the admin role to set for users if authenticated user is manager
var adm = editUser.Roles
.Where(x => x.RoleName.Equals("Admin", StringComparison.OrdinalIgnoreCase))
.FirstOrDefault();
if (adm != null)
{
editUser.Roles.Remove(adm);
}
}
editUser.FirstName = dbUser.FirstName;
editUser.LastName = dbUser.LastName;
editUser.Email = dbUser.Email;
editUser.UserName = dbUser.UserName;
editUser.Id = dbUser.Id;
return editUser;
}
因此,管理员具有编辑用户和创建用户的权限,但是管理员不能创建具有admin角色的用户。我要做的是拒绝管理员编辑admin用户的访问权限。在我编写的代码中,它使用了用户角色的整个列表,并且由于有一个admin角色,它总是拒绝对编辑用户的访问。当我注释掉GetEditUser方法中的代码时,就会发生这种情况:
if (User.IsInRole("Manager"))
{
// don't show the admin role to set for users if authenticated user is manager
var adm = editUser.Roles
.Where(x => x.RoleName.Equals("Admin", StringComparison.OrdinalIgnoreCase))
.FirstOrDefault();
if (adm != null)
{
editUser.Roles.Remove(adm);
}
}
和这段代码(未注释),它完全从列表中删除了admin角色,所以管理员仍然可以编辑admin用户,因为它没有在if条件中找到可以比较的admin角色。
有人能帮我找到一个解决方案,以限制管理员访问编辑admin用户,并在创建新用户时隐藏管理员的admin角色,而无需更改用户只分配1个角色?应用的逻辑需要每个用户有多个角色
将指定的代码段移动到if(!isAdmin)中的Edit方法中:
if (!isAdmin)
{
if (editUser.Roles.Exists(x => x.RoleName == "Admin" && x.Checked))
{
return RedirectToAction("AccessNotAllowed", "Errors");
}
var adm = editUser.Roles
.Where(x => x.RoleName.Equals("Admin", StringComparison.OrdinalIgnoreCase))
.FirstOrDefault();
if (adm != null)
{
editUser.Roles.Remove(adm);
}
}