Role permission, RBAC

Source: Internet
Author: User



The diagram above is a simplified version of the schema.
User: user table, which stores user information.
Role: role table, which stores role information.
UserInRole: user-role mapping table, which stores the relationship between users and roles. The relationship is many-to-many: one user can correspond to multiple roles, and different roles can have the same permissions.
Permissions: permission table. Different roles have different permissions. The permission information is represented by a flag field. The advantage is that permissions can be calculated with bitwise operations. The disadvantage is that the number of permissions a bit field can hold is bounded by its width: an int can identify 31 different permissions. Of course, you can add another field to make up for that. ApplicationID identifies the different modules.
Application: module information.

[Flags]
public enum Flag : long
{
    View = 1,
    Edit = 2,
    Delete = 4
}

The [Flags] attribute tells the compiler that the Flag enumeration is a set of bit flags, so its values can be combined with the | (or) operator, just like integer powers of two.
For example, Flag administer = Flag.View | Flag.Edit | Flag.Delete; denotes the combination of the three permissions.

Basic knowledge:

Bitwise operation

Enumeration Flag


Common operations: check for existence
Flag administer = Flag.View | Flag.Edit | Flag.Delete;
public bool Check(Flag administer, Flag mask)
{
    // true only when every bit of mask is present in administer
    bool bReturn = false;
    if ((administer & mask) == mask)
        bReturn = true;

    return bReturn;
}
If you call Check(administer, Flag.Edit), true is returned.

public Flag SetBit(Flag administer, Flag mask)
{
    // turn on the bits of mask
    return administer | mask;
}

administer |= mask; is equivalent to administer = administer | mask;

Subtract a state from the enumeration:
administer &= ~mask;

For example:
Flag administer = Flag.View | Flag.Edit | Flag.Delete;
If you want to remove the delete permission:
administer &= ~Flag.Delete;
The ~ inverts the mask, so the AND clears only the Delete bit and keeps the others; without it, administer & Flag.Delete would keep only Delete.

In addition, you can leave the flag values unspecified:
public enum Flag : long
{
    View,
    Edit,
    Delete
}
If you need to set them, follow this rule: View = 1, Edit = 2, Delete = 4, Reply = 8, that is, successive powers of 2. Why? Because the flags are combined with binary operations.
If you used values such as View = 1, Edit = 2, Delete = 3, Reply = 4, then Flag.Delete (3) would be indistinguishable from Flag.View | Flag.Edit (1 | 2 = 3).

Each user can be assigned several roles, and each role can be given different permissions; the user's permission is obtained by combining the permissions of all of these roles.

In the CS system, the Permissions table uses two fields to identify permissions: AllowMask and DenyMask.
Deny takes precedence: when a permission is marked Deny, the user is prohibited from performing the operation regardless of any Allow.
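The bit operations above and the AllowMask/DenyMask rule, worked through as an added example (not code from the original post; RolePermission and PermissionOps are names chosen here, and Reply is added to the article's enum):

```csharp
using System;
using System.Collections.Generic;

// Added example, not the article's code. Flag is the article's enum with Reply
// added; RolePermission and PermissionOps are names chosen for this example.
// Values are powers of two: a Delete = 3 would be indistinguishable from View | Edit.
[Flags]
public enum Flag : long { None = 0, View = 1, Edit = 2, Delete = 4, Reply = 8 }
// One row of the Permissions table for a role: AllowMask and DenyMask.
public class RolePermission
{
    public Flag AllowMask;
    public Flag DenyMask;
}

public static class PermissionOps
{
    // Existence check: true only if every bit of mask is set in current.
    public static bool Check(Flag current, Flag mask) { return (current & mask) == mask; }
    // Grant: turn on the bits of mask.
    public static Flag SetBit(Flag current, Flag mask) { return current | mask; }
    // Revoke: clear the bits of mask. The ~ is essential: "current & mask"
    // would keep only mask instead of removing it.
    public static Flag ClearBit(Flag current, Flag mask) { return current & ~mask; }

    // Effective permission of a user holding several roles: OR all AllowMasks,
    // OR all DenyMasks, then strip the denied bits, so Deny wins over Allow.
    public static Flag Effective(IEnumerable<RolePermission> roles)
    {
        Flag allow = Flag.None, deny = Flag.None;
        foreach (RolePermission r in roles)
        {
            allow |= r.AllowMask;
            deny |= r.DenyMask;
        }
        return allow & ~deny;
    }

    public static void Main()
    {
        // Constructed roles: a moderator may delete, a restricted role denies it.
        var moderator = new RolePermission { AllowMask = Flag.View | Flag.Edit | Flag.Delete };
        var restricted = new RolePermission { AllowMask = Flag.View | Flag.Reply, DenyMask = Flag.Delete };
        Flag effective = Effective(new[] { moderator, restricted });
        Console.WriteLine(effective);   // with [Flags], ToString() lists the set names
        Console.WriteLine(Check(effective, Flag.Delete));
        Console.WriteLine(ClearBit(effective, Flag.Edit));
    }
}
```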

In addition, a single ApplicationID field is not enough for the permission design of a forum, because permissions need to be set per forum to control the granularity. You can add a permission table and change ApplicationID to ForumID.
In this way, you can set different permissions for different sections.

Well, the next question is how to hook into the .NET built-in permission system.

In ASP.NET, HttpContext.Current.User implements the IPrincipal interface, which in turn contains an Identity of another interface type, IIdentity.

We implement this interface when designing the User class:

using System.Security.Principal;

public class User : IPrincipal
{
    string username;
    IIdentity _identity;

    public string Username
    {
        get { return username; }
        set { username = value; }
    }

    // Implementation of the IPrincipal interface
    public IIdentity Identity
    {
        get
        {
            if (!string.IsNullOrEmpty(username))
                _identity = new GenericIdentity(username, "Forums");
            return (IIdentity)_identity;
        }
    }

    public bool IsInRole(string role)
    {
        ..... // look up the UserInRole table for this user
    }
}

How do we hook into ASP.NET? We can set the principal during login:

if (HttpContext.Current != null)
{
    User u = Users.GetUser(name);   // Users.GetUser is the application's own lookup
    HttpContext.Current.User = u;
}

In use:
User u = HttpContext.Current.User as User;
Of course, you can also check the user's role and use it directly:

 

if (HttpContext.Current.User.Identity.IsAuthenticated && HttpContext.Current.User.IsInRole(roleName))


In addition, when the user principal should be attached to the current thread, use the following:
Thread.CurrentPrincipal = u;   // AppDomain.SetPrincipalPolicy only selects a built-in policy; a custom principal is attached through Thread.CurrentPrincipal

Now, how do we check the permission?

I prefer to use an attribute:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method | AttributeTargets.Property | AttributeTargets.Delegate, Inherited = true, AllowMultiple = true)]
public class CheckPermissionAttribute : Attribute
{
    int appID;
    public int ApplicationID
    {
        get { return appID; }
        set { appID = value; }
    }

    Flag _allMask;   // the required permission bits (the Flag enum defined above)
    public Flag AllMask
    {
        get { return _allMask; }
        set { _allMask = value; }
    }

    public CheckPermissionAttribute(int app, Flag allMask)
    {
        appID = app;
        _allMask = allMask;
    }
    public CheckPermissionAttribute(Flag allMask)
    {
        _allMask = allMask;
    }
}
The first AttributeUsage parameter indicates that this attribute can be applied to classes, methods, properties, and delegates.
Inherited = true means the attribute is also found on classes that inherit from the attributed class.
AllowMultiple = true allows it to be applied several times to the same target.

Next, design a base class that inherits from Page:

using System;
using System.Reflection;
using System.Web;
using System.Web.UI;

public class PageBase : Page
{
    Flag _allMask;

    /// <summary>
    /// Check the permission declared on the page class
    /// </summary>
    public void CheckClass()
    {
        Type type = this.GetType();
        CheckPermissionAttribute att = (CheckPermissionAttribute)Attribute.GetCustomAttribute(type, typeof(CheckPermissionAttribute));
        if (att != null)
        {
            Check(att.AllMask);
        }
    }

    /// <summary>
    /// Check the permission declared on a method
    /// </summary>
    /// <param name="methodName">method name; null or empty checks every method</param>
    public void CheckMethod(string methodName)
    {
        Type type = this.GetType();
        string name = "*";
        if (!string.IsNullOrEmpty(methodName))
            name = methodName;
        MemberInfo[] mis = type.FindMembers(MemberTypes.Method, BindingFlags.Instance | BindingFlags.NonPublic | BindingFlags.Public | BindingFlags.IgnoreCase, Type.FilterNameIgnoreCase, name);
        foreach (MethodInfo m in mis)
        {
            CheckPermissionAttribute att = (CheckPermissionAttribute)Attribute.GetCustomAttribute(m, typeof(CheckPermissionAttribute));
            if (att != null)
            {
                Check(att.AllMask);
            }
        }
    }

    // CheckPermission (both overloads) is the application's own lookup of the
    // current user's permissions; its body is not shown in the article.
    public void Check(Flag permissions)
    {
        if (!CheckPermission(permissions))
        {
            string url = string.Format("MsgPage.aspx?Msg={0}", HttpUtility.UrlEncode("You are not authorized to access this resource"));
            Response.Redirect(url);
        }
    }
    public void Check(int appID, Flag permissions)
    {
        PermissionManager pm = Spaces.PermissionManager.Instance(appID);
        if (!CheckPermission(pm, permissions))
        {
            string url = string.Format("MsgPage.aspx?Msg={0}", HttpUtility.UrlEncode("You are not authorized to access this resource"));
            Response.Redirect(url);
        }
    }

    protected override void OnInit(EventArgs e)
    {
        CheckClass();
        base.OnInit(e);
    }
}

How to use:

[CheckPermission(2, Flag.View)]
public partial class MyPage : PageBase
{

}

If the user does not have the View permission, the system redirects to the error page.

It is quite convenient to use on a class.

It is troublesome to apply it to a method. I have not found how to obtain, inside the page class, the name of the currently called method.

You can call CheckMethod(methodName), as shown below (the attribute goes on the method that CheckMethod looks up):
public partial class MyPage : PageBase
{
    [CheckPermission(2, Flag.Delete)]
    public void test()
    {
        CheckMethod("test");
        // .......
    }
}

This still requires repetitive work.
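A console version of the attribute check above, as an added example rather than the article's code; PermissionGuard, ForumPage and the CurrentUser field are assumptions, and it shows that a method can locate its own attribute via MethodBase.GetCurrentMethod() instead of passing its name as a string:

```csharp
using System;
using System.Reflection;

// Added example, not the article's code. Flag and CheckPermissionAttribute
// mirror the article; PermissionGuard, ForumPage and CurrentUser are constructed.
[Flags]
public enum Flag : long { View = 1, Edit = 2, Delete = 4 }
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class CheckPermissionAttribute : Attribute
{
    public int ApplicationID { get; set; }
    public Flag AllMask { get; set; }
    public CheckPermissionAttribute(int app, Flag allMask) { ApplicationID = app; AllMask = allMask; }
}

public static class PermissionGuard
{
    // Permissions of the current user (the article derives this from the user's roles).
    public static Flag CurrentUser = Flag.View;
    // Allowed if the member has no attribute, or every bit of every attribute's
    // AllMask is held (AllowMultiple = true, so all of them must pass).
    public static bool IsAllowed(MemberInfo member)
    {
        foreach (CheckPermissionAttribute att in member.GetCustomAttributes(typeof(CheckPermissionAttribute), true))
            if ((CurrentUser & att.AllMask) != att.AllMask)
                return false;
        return true;
    }
    // A method passes MethodBase.GetCurrentMethod() instead of its own name as a
    // string, which removes the repetitive CheckMethod("name") call.
    public static void CheckCaller(MethodBase method)
    {
        if (!IsAllowed(method))
            throw new UnauthorizedAccessException("You are not authorized to access this resource");
    }
}

[CheckPermission(2, Flag.View)]
public class ForumPage
{
    [CheckPermission(2, Flag.Delete)]
    public void DeletePost() { PermissionGuard.CheckCaller(MethodBase.GetCurrentMethod()); }

    public static void Main()
    {
        Console.WriteLine("open page: " + PermissionGuard.IsAllowed(typeof(ForumPage)));
        try { new ForumPage().DeletePost(); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("delete: " + e.Message); }
    }
}
```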

 
