重写AuthorizeAttribute,可以很方便的管理网页浏览权限
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
public static bool isAuthenticated = false;
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (!isAuthenticated)
{
filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = "account", action = "login", returnUrl = filterContext.HttpContext.Request.Url, returnMessage = "您无权查看." }));
return;
}
base.OnAuthorization(filterContext);
}
}
你会发现变量isAuthenticated,这个变量很重要。页面的浏览权限就是通过这个变量控制的,如果是false就表示没登陆,不能查看网页;如果是true,表示已登陆,可以查看网页。
MVC自动生成的账户管理的控制/视图/模型中,即Account。例如登陆方法,
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
if (!ModelState.IsValid)
{
return View(model);
}
// 这不会计入到为执行帐户锁定而统计的登录失败次数中
// 若要在多次输入错误密码的情况下触发帐户锁定,请更改为 shouldLockout: true
var result = await SignInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, shouldLockout: false);
switch (result)
{
case SignInStatus.Success: //登录成功
CustomAuthorizeAttribute.isAuthenticated = true;
return RedirectToLocal(returnUrl);
case SignInStatus.LockedOut:
return View("Lockout");
case SignInStatus.RequiresVerification:
return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = model.RememberMe });
case SignInStatus.Failure:
default:
ModelState.AddModelError("", "Invalid login attempts.");
return View(model);
}
}
再看看公共页面_LoginPartial.cshtml中的代码:
@if (Request.IsAuthenticated) //只有登录了才显示注册、用户管理中心、注销链接
{
using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" }))
{
@Html.AntiForgeryToken()
<ul class="nav navbar-nav navbar-right">
<li>@Html.ActionLink(@Html.Lang("welcome") + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })</li>
<li><a href="javascript:document.getElementById('logoutForm').submit()">@Html.Lang("logoff")</a></li>
<li>@Html.ActionLink(@Html.Lang("register"), "Register", "Account", routeValues: null, htmlAttributes: new { id = "registerLink" })</li>
</ul>
}
}
else //否则,只有注册链接
{
<ul >
<li>@Html.ActionLink(@Html.Lang("login"), "Login", "Account", routeValues: null, htmlAttributes: new { id = "loginLink" })</li>
</ul>
}
管理页面的后台方法都加上[CustomAuthorize],页面就只能登录后才能看。
如果你的网站有很多个页面,则每个控制页面的后台都要加上[CustomAuthorize],包括get的和post的,代码如下:
[CustomAuthorize]
public ActionResult Index()
{。。。}
[CustomAuthorize]
[HttpPost]
public ActionResult Index(string date1, string date2)
{。。。}