Asp Core MVC 2.1基于每个用户策略的授权

我认为有两个关键可以干净地解决这个问题：

• 对单个需求使用多个处理程序，以允许不同规则对单个端点进行授权
• 在需求处理程序中使用依赖项注入，以允许处理程序中的动态规则/数据

多个处理程序

首先，创建一个简单的需求：

public class CustomPolicyRequirement : IAuthorizationRequirement { }

然后，为它创建所需的处理程序

public class MondaysRequirementHandler : AuthorizationHandler<CustomPolicyRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CustomPolicyRequirement requirement)
{
// Allow John in on Mondays
if (DateTime.Now.DayOfWeek == DayOfWeek.Monday && context.User.Identity.Name == "John")
context.Succeed(requirement);
return Task.CompletedTask;
}
}
public class EveningsOnlyRequirementHandler : AuthorizationHandler<CustomPolicyRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CustomPolicyRequirement requirement)
{
var now = DateTime.Now;
// Allow Richard in, as long as it's between 18:00 and 22:00
if (now.Hour >= 18 && now.Hour < 22 && context.User.Identity.Name == "Richard")
context.Succeed(requirement);
return Task.CompletedTask;
}
}
public class ProhibitedUserRequirementHandler : AuthorizationHandler<CustomPolicyRequirement>
{
readonly IProhibitedUsersService prohibitedUsersService;
public ProhibitedUserRequirementHandler(IProhibitedUsersService prohibitedUsersService)
=> this.prohibitedUsersService = prohibitedUsersService;
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CustomPolicyRequirement requirement)
{
// Don't let prohbited users in, even if other handlers are satisfied
if (prohibitedUsersService.IsUserProhibited(context.User.Identity))
context.Fail();
return Task.CompletedTask;
}
}

由于所有的处理程序都与CustomPolicyRequirement相关联，因此只要至少有一个处理程序成功，而没有一个失败，就会满足要求。既不成功也不失败的处理者不会影响结果。

动态数据

第三个示例处理程序依赖于依赖注入的服务：

public interface IProhibitedUsersService
{
bool IsUserProhibited(IIdentity user);
}

该服务可以实现为从SQL数据库(或任何其他源)获取数据，这将允许在应用程序运行时调整规则。