1、Web API 的权限是通过 ABP Authorization 来判断的。
2、ABP 通过拦截器拦截调用,然后判断权限:
/// <summary>
/// Interceptor that runs an authorization check before every intercepted call
/// and only then lets the call continue to the real target.
/// </summary>
public class AuthorizationInterceptor : IInterceptor
{
    // Performs the actual attribute-driven authorization decision.
    private readonly IAuthorizationHelper _authorizer;

    /// <summary>
    /// Creates the interceptor.
    /// </summary>
    /// <param name="authorizationHelper">Helper that authorizes a method/type pair.</param>
    public AuthorizationInterceptor(IAuthorizationHelper authorizationHelper)
    {
        _authorizer = authorizationHelper;
    }

    /// <summary>
    /// Authorizes the target method, then proceeds with the invocation.
    /// </summary>
    /// <param name="invocation">The intercepted call.</param>
    public void Intercept(IInvocation invocation)
    {
        var targetMethod = invocation.MethodInvocationTarget;
        var targetType = invocation.TargetType;

        // The result of Authorize is not inspected, so a denial can only stop the
        // call by throwing; presumably the helper throws on failure (confirm against
        // IAuthorizationHelper). Keeping this call strictly before Proceed() is what
        // makes the interceptor fail closed.
        _authorizer.Authorize(targetMethod, targetType);

        invocation.Proceed();
    }
}
3、拦截原理
/// <summary>
/// Authorizes a call to <paramref name="methodInfo"/> declared on <paramref name="type"/>:
/// required features are verified first, then permissions.
/// </summary>
/// <param name="methodInfo">The method about to be invoked.</param>
/// <param name="type">The type the method is invoked on.</param>
public virtual async Task AuthorizeAsync(MethodInfo methodInfo, Type type)
{
    // Feature checks always run, even when permission checking is disabled or
    // the member is marked anonymous, because they come before CheckPermissions.
    await CheckFeatures(methodInfo, type);
    await CheckPermissions(methodInfo, type);
}

/// <summary>
/// Verifies every <see cref="RequiresFeatureAttribute"/> found on the method or its type.
/// Does nothing when no such attribute is present.
/// </summary>
/// <param name="methodInfo">The method about to be invoked.</param>
/// <param name="type">The type the method is invoked on.</param>
protected virtual async Task CheckFeatures(MethodInfo methodInfo, Type type)
{
    // Collect the required-feature declarations from both the member and the type.
    var requiredFeatures = ReflectionHelper.GetAttributesOfMemberAndType<RequiresFeatureAttribute>(methodInfo, type);

    if (requiredFeatures.Count > 0)
    {
        foreach (var requirement in requiredFeatures)
        {
            // The checker's result is not inspected here; presumably it throws when
            // a required feature is not enabled (confirm against the feature checker).
            await _featureChecker.CheckEnabledAsync(requirement.RequiresAll, requirement.Features);
        }
    }
}

/// <summary>
/// Verifies the permission attributes found on the method or its type.
/// </summary>
/// <remarks>
/// Three paths return without any permission check: authorization disabled in
/// configuration, the AllowAnonymous helper returning true, and the absence of any
/// <see cref="IAbpAuthorizeAttribute"/>. The last one means this check is opt-in:
/// a method that must be protected has to carry an authorize attribute on itself
/// or on its type, otherwise it is allowed through.
/// </remarks>
/// <param name="methodInfo">The method about to be invoked.</param>
/// <param name="type">The type the method is invoked on.</param>
protected virtual async Task CheckPermissions(MethodInfo methodInfo, Type type)
{
    // Short-circuit keeps the original order: the configuration switch is read
    // first, and the anonymous-access lookup only happens when checks are enabled.
    if (!_authConfiguration.IsEnabled || AllowAnonymous(methodInfo, type))
    {
        return;
    }

    var permissionRequirements = ReflectionHelper
        .GetAttributesOfMemberAndType(methodInfo, type)
        .OfType<IAbpAuthorizeAttribute>()
        .ToArray();

    // No authorize attribute on the member or type: nothing to enforce here.
    if (permissionRequirements.Length == 0)
    {
        return;
    }

    await AuthorizeAsync(permissionRequirements);
}