I have two tables, one of jobs and one of managers; when a job ID is passed to the 'Detail' view, the details of that job can be accessed.
| Job_id | Job_Title | Manager_id |
|---|---|---|
| 23 | Chimney Sweep | 65 |
| 24 | Rat Catcher | 84 |

| Managers | Email |
|---|---|
| 65 | arthur@work.com |
| 66 | fred@work.com |
I want to restrict access to the view based on manager_email - for example, if we are at http://jobsite/jobs/Detail/23, then only Arthur can access the view. AD will be used to pick up the user's email.

Any pointers would be much appreciated!
Answer 0 (score: 4)

You could write a custom model binder:
```csharp
using System;
using System.Web;
using System.Web.Mvc;

public class JobModelBinder : DefaultModelBinder
{
    public override object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        // fetch the job id from the request (route values are untyped,
        // so convert to the int that FetchJob expects)
        int jobId = Convert.ToInt32(controllerContext.RouteData.Values["id"]);

        // fetch the currently connected username
        string user = controllerContext.HttpContext.User.Identity.Name;

        // Remark: You might need an additional step here
        // to query AD and fetch the email

        // Given the job id and the currently connected user, try
        // to fetch the corresponding job
        Job job = FetchJob(jobId, user);
        if (job == null)
        {
            // We didn't find any job that corresponds to
            // the currently connected user
            // => we throw
            throw new HttpException(403, "Forbidden");
        }
        return job;
    }

    private Job FetchJob(int jobId, string user)
    {
        throw new NotImplementedException();
    }
}
```
and then have your controller:
```csharp
public class JobsController : Controller
{
    [Authorize]
    public ActionResult Show([ModelBinder(typeof(JobModelBinder))]Job job)
    {
        return View(job);
    }
}
```
The custom model binder could also be registered in Application_Start:
```csharp
protected void Application_Start()
{
    ...
    ModelBinders.Binders.Add(typeof(Job), new JobModelBinder());
}
```
This would simplify your controller action:
```csharp
public class JobsController : Controller
{
    [Authorize]
    public ActionResult Show(Job job)
    {
        // If we get to that point it means that the
        // currently connected user has the necessary
        // permission to consult this view. The custom
        // model binder would have populated the Job model
        // and we can safely pass it to the view for display
        return View(job);
    }
}
```
Another advantage of this approach is that you could inject dependencies into the constructor of the custom model binder, which you might need when communicating with AD and the database.
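As an added example (not the answerer's code), the binder above with its FetchJob filled in against the two tables from the question, held in memory as constructed sample data. The point it shows is that the job is looked up by job id and manager email together, so the binder never holds a job the caller is not entitled to see; it also treats a missing or non-numeric route id as an error instead of letting the conversion throw. `LookupEmailInDirectory` is a hypothetical placeholder for the AD query the answer mentions, and `SampleStore` stands in for the database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class Job
{
    public int JobId { get; set; }
    public string JobTitle { get; set; }
    public int ManagerId { get; set; }
}

public class Manager
{
    public int ManagerId { get; set; }
    public string Email { get; set; }
}

// Constructed sample data mirroring the question's tables (stand-in for the database).
public static class SampleStore
{
    public static readonly List<Job> Jobs = new List<Job>
    {
        new Job { JobId = 23, JobTitle = "Chimney Sweep", ManagerId = 65 },
        new Job { JobId = 24, JobTitle = "Rat Catcher",   ManagerId = 84 },
    };

    public static readonly List<Manager> Managers = new List<Manager>
    {
        new Manager { ManagerId = 65, Email = "arthur@work.com" },
        new Manager { ManagerId = 66, Email = "fred@work.com" },
    };

    // Returns the job only when the given email belongs to its manager.
    // Filtering on (jobId, email) in one query, rather than loading the job
    // and checking ownership afterwards, leaves no path that returns a job
    // the caller is not allowed to view.
    public static Job FindJobForManager(int jobId, string email)
    {
        return (from job in Jobs
                join mgr in Managers on job.ManagerId equals mgr.ManagerId
                where job.JobId == jobId
                      && string.Equals(mgr.Email, email, StringComparison.OrdinalIgnoreCase)
                select job).SingleOrDefault();
    }
}

public class JobModelBinder : DefaultModelBinder
{
    // Hypothetical stand-in for the AD lookup: assumes the account name
    // (optionally DOMAIN\user) maps to user@work.com. Replace with a real query.
    private static string LookupEmailInDirectory(string accountName)
    {
        var user = accountName.Contains("\\") ? accountName.Split('\\')[1] : accountName;
        return user.ToLowerInvariant() + "@work.com";
    }

    public override object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        // A missing or non-integer route id is a bad request for this resource,
        // not a server error; answer 404 rather than letting a conversion throw.
        int jobId;
        var rawId = controllerContext.RouteData.Values["id"] as string;
        if (!int.TryParse(rawId, out jobId))
        {
            throw new HttpException(404, "Not Found");
        }

        // [Authorize] on the action guarantees an authenticated identity here.
        string email = LookupEmailInDirectory(controllerContext.HttpContext.User.Identity.Name);

        Job job = SampleStore.FindJobForManager(jobId, email);
        if (job == null)
        {
            // Same response whether the job does not exist or belongs to another
            // manager, so the status code does not confirm which ids are valid.
            throw new HttpException(403, "Forbidden");
        }
        return job;
    }
}
```

With the sample data, a request for /jobs/Show/23 by the account `arthur` binds the Chimney Sweep job, while the same request by `fred` (manager 66, who owns no job) and any request for job 24 (whose manager 84 has no email on record) end in 403 before the action runs.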