Old topic: permission design and implementation!

Source: Internet
Author: User

Address: http://www.cnblogs.com/jiangbiao/archive/2012/12/03/2799803.html


Preface

I have also written two articles on permissions and on ASP.NET MVC identity verification, exception handling, and permission verification (interceptor). Recently, in a new project, the permission design was done again. People have always said that permissions must not be too rigid, so we designed this permission management by trying to make the permissions as transparent as possible.

Design Concept

1. Because the project uses ASP.NET MVC, an action in MVC corresponds to a URL. Generally an action does only one thing, so from the requested action we know what the user is going to do. We therefore store all the modules in the database, together with the function buttons, and they can be built into a tree menu.

Here, permissions are divided into navigation permissions and functional permissions. Navigation permissions refer to the entries that are added to the navigation tree automatically, according to the user's permissions, while the system is running. Functional permissions refer to the buttons on a page. I use an identifier (a flag field in the module table) to distinguish navigation permissions from functional permissions, because after logging on to the system only the navigation permissions are needed for verification when the navigation bar is loaded.

2. Save user permissions. On the role authorization page, load the whole navigation table and display it as a tree. In the role table, save the primary key IDs of the module table.

3. Associate a role with a user. You can associate it directly with the user's ID or with the employee ID.

4. Pull the permissions and load the navigation. After logon, query the role table to obtain the roles the user has, and from them the module table IDs. Using those IDs, fetch the module table rows, drop the functional permissions, and then dynamically load the navigation.

5. Functional permission verification scheme. This took a long time to think about. The earlier idea was to pass a parameter value directly to decide whether a button is displayed. This time, we hide and show function buttons by removing their HTML.
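An added example, not code from the post, that models steps 2 to 5 in memory: constructed module, role and user rows, the user's resource codes derived from them, navigation loading that drops function buttons, and the server-side URL check that the interceptor performs. The names Module, PermissionDemo, RoleModules, UserRoles and the sample rows are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public class Module   // one row of the module table; Url is the "/controller/action" code the filters compare
{
    public int Id; public string Name; public string Url; public bool IsNavigation; // false = function button
}
public static class PermissionDemo
{
    // Constructed sample rows standing in for the module, role and user tables.
    static readonly List<Module> Modules = new List<Module>
    {
        new Module { Id = 1, Name = "Users",  Url = "/User/Index",  IsNavigation = true },
        new Module { Id = 2, Name = "Add",    Url = "/User/Add",    IsNavigation = false },
        new Module { Id = 3, Name = "Delete", Url = "/User/Delete", IsNavigation = false },
        new Module { Id = 4, Name = "Orders", Url = "/Order/Index", IsNavigation = true },
    };
    // Role table stores module primary keys (step 2); users are associated with roles (step 3).
    static readonly Dictionary<string, int[]> RoleModules = new Dictionary<string, int[]>
        { { "operator", new[] { 1, 2 } }, { "admin", new[] { 1, 2, 3, 4 } } };
    static readonly Dictionary<string, string[]> UserRoles = new Dictionary<string, string[]>
        { { "alice", new[] { "operator" } }, { "bob", new[] { "operator", "admin" } } };
    // Same normalisation as the interceptor: "/{controller}/{action}" lower-cased.
    public static string ToCode(string controller, string action) => string.Format("/{0}/{1}", controller, action).ToLower();
    // Step 4: user -> roles -> module ids -> URL codes (the user's resource codes).
    public static HashSet<string> ResourceCodes(string user)
    {
        var ids = new HashSet<int>(UserRoles[user].SelectMany(r => RoleModules[r]));
        return new HashSet<string>(Modules.Where(m => ids.Contains(m.Id)).Select(m => m.Url.ToLower()));
    }
    // Navigation load: function buttons are dropped, only navigation modules reach the menu.
    public static List<Module> NavigationFor(string user)
    {
        var codes = ResourceCodes(user);
        return Modules.Where(m => m.IsNavigation && codes.Contains(m.Url.ToLower())).ToList();
    }
    // The check OnActionExecuting makes; removing a button from the HTML only hides it, this check enforces it.
    public static bool IsAuthorized(string user, string controller, string action)
    {
        string code = ToCode(controller, action);
        if (!Modules.Any(m => m.Url.ToLower() == code)) return true; // URL not in the module table: not verified
        return ResourceCodes(user).Contains(code);
    }
    public static void Main()
    {
        Console.WriteLine(IsAuthorized("alice", "User", "Delete") + " " + IsAuthorized("bob", "User", "Delete"));
        Console.WriteLine(string.Join(",", NavigationFor("alice").Select(m => m.Name)));
    }
}
```

With these rows alice is refused /user/delete while bob is allowed, and alice's navigation contains only the Users entry, since Add is a function button and Orders is not in her role.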

Implementation

1. Navigation permission verification: an interceptor verifies the permission before the action is executed.

```csharp
// Inside a class derived from ActionFilterAttribute (using System.Linq; using System.Web.Mvc;)
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    // The current access address, normalised to "/controller/action" in lower case
    string Code = string.Format("/{0}/{1}",
        filterContext.RouteData.Values["controller"].ToString(),
        filterContext.RouteData.Values["action"].ToString()).ToLower();

    // Navigation codes from the module table; this field is compared with the current URL
    string[] ListResource = ResourceBiz.Instance.Get(new string[] { "Url" })
        .Select(p => p.Url)
        .Where(p => !string.IsNullOrEmpty(p))
        .Select(p => p.ToLower())
        .ToArray();

    // A URL that does not exist in the module table is not verified by default
    if (!ListResource.Contains(Code))
        return;

    // Authentication.GetResourceCode() returns the permissions of the current user
    if (!Authentication.GetResourceCode().Contains(Code))
    {
        // Verification failed: answer with a script that alerts and goes back one page
        ContentResult Content = new ContentResult();
        Content.Content = "<script type='text/javascript'>alert('Permission verification failed!');history.go(-1);</script>";
        filterContext.Result = Content;
    }
}
```

2. Verify the functional permissions of the page: this also uses an interceptor. After the action is executed, obtain the HTML source that is about to be rendered, analyse it, and remove the buttons that are not permitted.

```csharp
// Obtain the HTML to be rendered and remove the function buttons the user is not allowed to see.
// Inside the same ActionFilterAttribute-derived class as OnActionExecuting above.
public override void OnResultExecuted(ResultExecutedContext filterContext)
{
    // User controls (child actions) are not filtered; only the full page response is rewritten
    if (!filterContext.IsChildAction)
        filterContext.HttpContext.Response.Filter =
            new WhitespaceFilter(filterContext.HttpContext.Response, filterContext);
}
```

```csharp
using System.Linq;
using System.Text;
using System.Web;
using System.Web.Mvc;
using HtmlAgilityPack;

// Response filter: buffers the rendered HTML, strips unauthorised function buttons, then writes the result
public class WhitespaceFilter : System.IO.MemoryStream
{
    private System.IO.Stream Filter = null;
    private ResultExecutedContext filterContext = null;
    private string Source = string.Empty;

    // Constructor: receives the original response filter and the action context
    public WhitespaceFilter(HttpResponseBase response, ResultExecutedContext filterContexts)
    {
        Filter = response.Filter;
        filterContext = filterContexts;
    }

    // Read the HTML source code as the view engine writes it (offset and count must be honoured)
    public override void Write(byte[] buffer, int offset, int count)
    {
        Source += Encoding.UTF8.GetString(buffer, offset, count); // HTML source code
    }

    // Analyse the permissions and write out the processed HTML
    public override void Close()
    {
        // The current access address
        string Code = string.Format("/{0}/{1}",
            filterContext.RouteData.Values["controller"].ToString(),
            filterContext.RouteData.Values["action"].ToString()).ToLower();

        // Obtain all records in the module table
        string[] ListResource = ResourceBiz.Instance.Get(new string[] { "Url" })
            .Select(p => p.Url)
            .Where(p => !string.IsNullOrEmpty(p))
            .Select(p => p.ToLower())
            .ToArray();

        // A URL that does not exist in the module table is not verified by default
        if (ListResource.Contains(Code))
        {
            // Parse and process the HTML
            HtmlDocument Document = new HtmlDocument();
            Document.LoadHtml(Source);
            HtmlNode htmlNode = Document.DocumentNode;

            /* Obtain all the function permissions of this module and compare them with the function
               buttons on this page. If the user does not have a function permission, locate the button's
               HTML according to the rule and delete it. */
            /* _______________________ Start of the function-button analysis; the verification rule is added here _______________________ */

            // Obtain the function-button HTML to be verified. The rule is defined by the developer; a specific
            // identifier can also mark a tag as a function button, e.g. htmlNode.SelectNodes("//a[@class='add']")
            HtmlNodeCollection hnc = htmlNode.SelectNodes("//a");
            if (hnc != null)
            {
                var userCodes = Authentication.GetResourceCode(); // permissions of the current user
                foreach (HtmlNode node in hnc)
                {
                    // Take the href of each tag and compare it with the function permissions of the current user:
                    // a button that is in the module table but not among the user's permissions is removed
                    string CodeStr = node.Attributes["href"] != null ? node.Attributes["href"].Value.ToLower() : "";
                    if (ListResource.Contains(CodeStr) && !userCodes.Contains(CodeStr))
                        node.ParentNode.RemoveChild(node);
                }
            }
            Source = htmlNode.OuterHtml; // write back the processed document, not the original source
        }

        Filter.Write(Encoding.UTF8.GetBytes(Source), 0, Encoding.UTF8.GetByteCount(Source));
        base.Close();
    }
}
```

In this way, all permissions in the system become transparent; I only need to take all the situations into account during functional permission verification. I don't know whether most people can understand what I am trying to say in this text. It's really bad.
