- 创建角色和权限表
在数据库中创建角色表和权限表,用于存储角色和权限信息。角色表至少包含角色ID和角色名称两个字段,权限表至少包含权限ID和权限名称两个字段。
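CREATE TABLE [dbo].[Roles](
    [RoleId] [int] IDENTITY(1,1) NOT NULL,
    -- A bare "nvarchar" in a column definition is nvarchar(1) in SQL Server, which truncates
    -- every role name to one character. 256 is a constructed choice; size it to your needs.
    [RoleName] [nvarchar](256) NOT NULL,
    CONSTRAINT [PK_Roles] PRIMARY KEY CLUSTERED
    (
        [RoleId] ASC
    ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
    -- The RBAC filter resolves roles by name (FirstOrDefault on RoleName); a duplicate name would
    -- make that lookup pick an arbitrary row, so names must be unique.
    CONSTRAINT [UQ_Roles_RoleName] UNIQUE NONCLUSTERED
    (
        [RoleName] ASC
    ) ON [PRIMARY]
) ON [PRIMARY]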
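CREATE TABLE [dbo].[Permissions](
    [PermissionId] [int] IDENTITY(1,1) NOT NULL,
    -- A bare "nvarchar" in a column definition is nvarchar(1) in SQL Server; permission names are
    -- "Controller.Action" strings, so they need real length. 256 is a constructed choice.
    [PermissionName] [nvarchar](256) NOT NULL,
    CONSTRAINT [PK_Permissions] PRIMARY KEY CLUSTERED
    (
        [PermissionId] ASC
    ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
    -- The RBAC filter resolves the permission by name (FirstOrDefault on PermissionName);
    -- uniqueness keeps that lookup deterministic.
    CONSTRAINT [UQ_Permissions_PermissionName] UNIQUE NONCLUSTERED
    (
        [PermissionName] ASC
    ) ON [PRIMARY]
) ON [PRIMARY]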
- 创建用户角色表
在数据库中创建用户角色表,用于存储用户和角色的关系。该表至少包含用户ID和角色ID两个字段。
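CREATE TABLE [dbo].[UserRoles](
    -- NOTE(review): the login code on this page uses ASP.NET Identity (UserManager), whose default
    -- user key is a string; confirm the user store's key type before keeping this as int.
    [UserId] [int] NOT NULL,
    [RoleId] [int] NOT NULL,
    CONSTRAINT [PK_UserRoles] PRIMARY KEY CLUSTERED
    (
        [UserId] ASC,
        [RoleId] ASC
    ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
    -- Without this FK a deleted role leaves dangling assignments pointing at a reusable RoleId.
    -- Cascade so that deleting a role revokes it from every user in the same statement.
    -- No FK is declared on UserId because the users table is not defined in this script.
    CONSTRAINT [FK_UserRoles_Roles] FOREIGN KEY ([RoleId])
        REFERENCES [dbo].[Roles] ([RoleId]) ON DELETE CASCADE
) ON [PRIMARY]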
- 创建角色权限表
在数据库中创建角色权限表,用于存储角色和权限的关系。该表至少包含角色ID和权限ID两个字段。
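CREATE TABLE [dbo].[RolePermissions](
    [RoleId] [int] NOT NULL,
    [PermissionId] [int] NOT NULL,
    CONSTRAINT [PK_RolePermissions] PRIMARY KEY CLUSTERED
    (
        [RoleId] ASC,
        [PermissionId] ASC
    ) WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY],
    -- Grants must reference existing roles and permissions; cascade so that deleting either side
    -- removes the grant instead of leaving an orphaned row that a reused identity value could revive.
    CONSTRAINT [FK_RolePermissions_Roles] FOREIGN KEY ([RoleId])
        REFERENCES [dbo].[Roles] ([RoleId]) ON DELETE CASCADE,
    CONSTRAINT [FK_RolePermissions_Permissions] FOREIGN KEY ([PermissionId])
        REFERENCES [dbo].[Permissions] ([PermissionId]) ON DELETE CASCADE
) ON [PRIMARY]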
- 实现权限验证
在MVC中,实现权限验证通常是通过Action过滤器来实现的。创建一个继承自ActionFilterAttribute的类,重写OnActionExecuting方法,判断当前用户是否拥有访问该Action的权限。如果没有权限,可以跳转到错误页面或者返回错误信息。
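/// <summary>
/// Action filter that enforces role-based access: the caller must be authenticated and one of the
/// caller's roles must hold the permission named "{ControllerName}.{ActionName}" (e.g. "Roles.Index").
/// Roles and grants are read from the database on every request, so changes made through the
/// management screens take effect immediately. A permission name that has no row in the
/// Permissions table is denied (fail closed).
/// NOTE(review): MVC runs authorization filters (AuthorizeAttribute / IAuthorizationFilter) before
/// action filters; deriving from AuthorizeAttribute would make this check run first and interact
/// correctly with output caching.
/// </summary>
public class RBACAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Sets a 401 result for unauthenticated callers and a 403 result for authenticated callers
    /// without the required permission; otherwise lets the action run.
    /// </summary>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var identity = filterContext.HttpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        // Permission names are derived from routing, so [ActionName("Delete")] on DeleteConfirmed
        // yields "Roles.Delete" for both the GET and the POST.
        var descriptor = filterContext.ActionDescriptor;
        var permission = descriptor.ControllerDescriptor.ControllerName + "." + descriptor.ActionName;

        var roles = GetRolesByUser(identity.Name);
        if (!HasPermission(roles, permission))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
            return;
        }

        base.OnActionExecuting(filterContext);
    }

    /// <summary>
    /// True when at least one of <paramref name="roles"/> is granted <paramref name="permission"/>.
    /// Unknown permission names, unknown role names and an empty role list all yield false.
    /// </summary>
    private bool HasPermission(List<string> roles, string permission)
    {
        if (roles == null || roles.Count == 0 || string.IsNullOrEmpty(permission))
        {
            return false;
        }

        using (var db = new ApplicationDbContext())
        {
            // The permission does not depend on which role is being checked, so resolve it once
            // instead of once per role as before.
            var permissionId = db.Permissions
                .Where(p => p.PermissionName == permission)
                .Select(p => p.PermissionId)
                .FirstOrDefault();
            if (permissionId == 0)
            {
                return false; // no such permission row: deny rather than assume
            }

            var roleIds = db.Roles
                .Where(r => roles.Contains(r.RoleName))
                .Select(r => r.RoleId)
                .ToList();
            if (roleIds.Count == 0)
            {
                return false;
            }

            return db.RolePermissions.Any(rp => roleIds.Contains(rp.RoleId) && rp.PermissionId == permissionId);
        }
    }

    /// <summary>
    /// Names of the roles assigned to <paramref name="userName"/>; empty when the name is blank,
    /// the user does not exist, or the user has no roles.
    /// </summary>
    private List<string> GetRolesByUser(string userName)
    {
        var roles = new List<string>();
        if (string.IsNullOrEmpty(userName))
        {
            return roles;
        }

        using (var db = new ApplicationDbContext())
        {
            // Load the user row instead of projecting its Id: the previous `userId == null` test is
            // always false when Id is a value type, so a missing user fell through to a query on the
            // default key value.
            var user = db.Users.FirstOrDefault(u => u.UserName == userName);
            if (user == null)
            {
                return roles;
            }

            var userId = user.Id;
            roles = db.UserRoles
                .Where(ur => ur.UserId == userId)
                .Select(ur => ur.Role.RoleName)
                .ToList();
        }
        return roles;
    }
}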
在Controller中使用RBACAttribute标记需要进行权限验证的Action(也可以标记在Controller类上,对该Controller的全部Action生效;未标记的Action不会进行权限验证):
// Only actions (or controllers) carrying [RBAC] are checked. The filter looks up the permission
// named "{ControllerName}.Index" for this action, so a matching Permissions row must exist and be
// granted to the caller's role; otherwise the request is rejected with 403.
[RBAC]
public ActionResult Index() => View();
- 实现角色管理和权限管理
管理员可以通过角色管理和权限管理界面,对角色和权限进行添加、删除、修改等操作。在添加用户时,管理员可以为用户分配角色,从而授权用户访问对应的权限。
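/// <summary>
/// Administrative CRUD for the Roles table.
/// The controller is gated as a whole by <see cref="RBACAttribute"/>: the original had no
/// authorization at all, so any visitor could create or delete roles. With the filter applied,
/// rows named "Roles.Index", "Roles.Create", "Roles.Edit" and "Roles.Delete" must exist in the
/// Permissions table and be granted to the administrator's role before this screen is usable,
/// so seed them (and the admin role) at deployment time.
/// </summary>
[RBAC]
public class RolesController : Controller
{
    private readonly ApplicationDbContext _db = new ApplicationDbContext();

    // GET: Roles
    public ActionResult Index()
    {
        var roles = _db.Roles.ToList();
        return View(roles);
    }

    // GET: Roles/Create
    public ActionResult Create()
    {
        return View();
    }

    // POST: Roles/Create
    // RoleId is an IDENTITY column; binding only RoleName keeps posted form fields from
    // setting any other entity property (over-posting).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create([Bind(Include = "RoleName")] Role role)
    {
        if (!ModelState.IsValid)
        {
            return View(role);
        }

        _db.Roles.Add(role);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    // GET: Roles/Edit/5
    public ActionResult Edit(int? id)
    {
        if (id == null)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }

        var role = _db.Roles.Find(id);
        if (role == null)
        {
            return HttpNotFound();
        }
        return View(role);
    }

    // POST: Roles/Edit/5
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "RoleId,RoleName")] Role role)
    {
        if (!ModelState.IsValid)
        {
            return View(role);
        }

        // Update the tracked row instead of attaching the posted object as Modified: a posted
        // RoleId with no matching row would otherwise surface as an exception from SaveChanges,
        // and only the editable column is copied.
        var existing = _db.Roles.Find(role.RoleId);
        if (existing == null)
        {
            return HttpNotFound();
        }

        existing.RoleName = role.RoleName;
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    // GET: Roles/Delete/5
    public ActionResult Delete(int? id)
    {
        if (id == null)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }

        var role = _db.Roles.Find(id);
        if (role == null)
        {
            return HttpNotFound();
        }
        return View(role);
    }

    // POST: Roles/Delete/5
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        var role = _db.Roles.Find(id);
        if (role == null)
        {
            // Remove(null) throws; a stale confirmation form is a 404, not a server error.
            return HttpNotFound();
        }

        // Revoke the role's grants and assignments explicitly so no orphaned rows keep
        // referencing a RoleId that the identity column could reuse.
        _db.RolePermissions.RemoveRange(_db.RolePermissions.Where(rp => rp.RoleId == id));
        _db.UserRoles.RemoveRange(_db.UserRoles.Where(ur => ur.RoleId == id));
        _db.Roles.Remove(role);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    /// <summary>Releases the per-controller DbContext.</summary>
    protected override void Dispose(bool disposing)
    {
        if (disposing)
        {
            _db.Dispose();
        }
        base.Dispose(disposing);
    }
}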
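/// <summary>
/// Administrative CRUD for the Permissions table.
/// The controller is gated as a whole by <see cref="RBACAttribute"/>: the original had no
/// authorization, so any visitor could add or remove permissions. With the filter applied, rows
/// named "Permissions.Index", "Permissions.Create", "Permissions.Edit" and "Permissions.Delete"
/// must exist in this very table and be granted to the administrator's role, so seed them at
/// deployment time or the administrator is locked out of this screen.
/// </summary>
[RBAC]
public class PermissionsController : Controller
{
    private readonly ApplicationDbContext _db = new ApplicationDbContext();

    // GET: Permissions
    public ActionResult Index()
    {
        var permissions = _db.Permissions.ToList();
        return View(permissions);
    }

    // GET: Permissions/Create
    public ActionResult Create()
    {
        return View();
    }

    // POST: Permissions/Create
    // PermissionId is an IDENTITY column; binding only PermissionName prevents posted form
    // fields from setting any other entity property (over-posting).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create([Bind(Include = "PermissionName")] Permission permission)
    {
        if (!ModelState.IsValid)
        {
            return View(permission);
        }

        _db.Permissions.Add(permission);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    // GET: Permissions/Edit/5
    public ActionResult Edit(int? id)
    {
        if (id == null)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }

        var permission = _db.Permissions.Find(id);
        if (permission == null)
        {
            return HttpNotFound();
        }
        return View(permission);
    }

    // POST: Permissions/Edit/5
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "PermissionId,PermissionName")] Permission permission)
    {
        if (!ModelState.IsValid)
        {
            return View(permission);
        }

        // Update the tracked row instead of attaching the posted object as Modified: a posted
        // PermissionId with no matching row would otherwise surface as an exception from
        // SaveChanges, and only the editable column is copied.
        var existing = _db.Permissions.Find(permission.PermissionId);
        if (existing == null)
        {
            return HttpNotFound();
        }

        existing.PermissionName = permission.PermissionName;
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    // GET: Permissions/Delete/5
    public ActionResult Delete(int? id)
    {
        if (id == null)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }

        var permission = _db.Permissions.Find(id);
        if (permission == null)
        {
            return HttpNotFound();
        }
        return View(permission);
    }

    // POST: Permissions/Delete/5
    [HttpPost, ActionName("Delete")]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(int id)
    {
        var permission = _db.Permissions.Find(id);
        if (permission == null)
        {
            // Remove(null) throws; a stale confirmation form is a 404, not a server error.
            return HttpNotFound();
        }

        // Drop the grants that reference this permission so no orphaned rows keep pointing at a
        // PermissionId that the identity column could reuse.
        _db.RolePermissions.RemoveRange(_db.RolePermissions.Where(rp => rp.PermissionId == id));
        _db.Permissions.Remove(permission);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }

    /// <summary>Releases the per-controller DbContext.</summary>
    protected override void Dispose(bool disposing)
    {
        if (disposing)
        {
            _db.Dispose();
        }
        base.Dispose(disposing);
    }
}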
- 实现用户登录
用户登录后,可以根据用户ID获取用户所属的角色,从而获取用户的权限。在Action过滤器中,根据用户的角色和权限表,判断用户是否有访问该Action的权限。
/// <summary>
/// Handles the login form: validates the credentials with UserManager, signs the user in and
/// caches the user's role names in session before redirecting to <paramref name="returnUrl"/>.
/// The same generic error message is shown for every failed attempt, so the response does not
/// reveal whether the user name exists.
/// NOTE(review): the RBACAttribute shown on this page re-reads roles from the database on every
/// request and does not consult Session["Roles"]; anything that does read the session copy will
/// see stale roles until the next login.
/// NOTE(review): RedirectToLocal is presumably the template helper that refuses non-local URLs
/// (open-redirect guard) — verify its implementation.
/// </summary>
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        var user = await UserManager.FindAsync(model.UserName, model.Password);
        if (user != null)
        {
            await SignInAsync(user, model.RememberMe);
            HttpContext.Session["Roles"] = GetRolesByUser(user.UserName);
            return RedirectToLocal(returnUrl);
        }

        ModelState.AddModelError("", "Invalid login attempt.");
    }

    return View(model);
}
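/// <summary>
/// Names of the roles assigned to <paramref name="userName"/>; empty when the name is blank,
/// the user does not exist, or the user has no roles. Reads the database, not the session.
/// NOTE(review): this duplicates the helper inside RBACAttribute on this page; consider moving
/// both into one shared service so the two lookups cannot drift apart.
/// </summary>
private List<string> GetRolesByUser(string userName)
{
    var roles = new List<string>();
    if (string.IsNullOrEmpty(userName))
    {
        return roles;
    }

    using (var db = new ApplicationDbContext())
    {
        // Load the user row instead of projecting its Id: the previous `userId == null` test is
        // always false when Id is a value type, so a missing user fell through to a query on the
        // default key value.
        var user = db.Users.FirstOrDefault(u => u.UserName == userName);
        if (user == null)
        {
            return roles;
        }

        var userId = user.Id;
        roles = db.UserRoles
            .Where(ur => ur.UserId == userId)
            .Select(ur => ur.Role.RoleName)
            .ToList();
    }
    return roles;
}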