Limitations of user permissions in MVC projects


Development tools and key technologies: MVC
Author: PROJECTILES
Write time: 2020/08/16
Note: The examples below come from the role-maintenance function of a booking system, which is used to give users at different levels access to different functions across the system.

1. Super administrator. The system must contain one super administrator with absolute authority: this account can operate and modify every function in the system, and it must not be modifiable by other users. Therefore the account-information modification button is never displayed for the built-in super administrator: in the table's modification cell (the edit block on the page) the edit icon is replaced by a masked placeholder for that row. Hiding the icon is only a convenience for the interface; the update action in the controller must also refuse requests that target the super administrator's ID, because the request can be sent without clicking the button.

Permission filtering is keyed by the request URL. In an MVC project the URL generally has the form /AreaName/ControllerName/Action. The path string sent by the browser is split into segments to obtain the area name, controller name and action name; these are looked up in the database to see whether the user's role includes that module. The lookup result is cached in memory when the user logs in, and later requests consult the cache. Usually the main page's controller is left outside the permission filter (no permission check is set on it), and the controllers inside areas are placed inside it.
2. Adding roles and permissions, and adding or modifying user permissions, is done by jumping to separate pages. Unlike the other functions, the permission function does not use modal dialogs.

The first level of the view for adding roles and permissions is the name of the overall framework module in the table design.
The second level is the name of the specific function module, which corresponds mainly to the controller name.

3. Add a constructor function for the checked modules. (In JS a constructor function is still an ordinary function; to distinguish it from commonly used functions its name uses upper camel case, i.e. a capital first letter.
Syntax: var o = new ClassName()
Prototype: the prototype property of the constructor.)
Define a class ModuleID with one attribute, moduleID; the parameter may be passed or omitted. In C# a class is defined with the class keyword, whereas in JS a class is defined with a function.

Define an empty array [] and traverse the checked inputs, pushing one ModuleID object per checked checkbox; then test inputs.length > 0. If the length is greater than zero, at least one permission has been checked.
Otherwise, show a prompt reminding the user to set the required permissions.

4. Define a function that opens a query box: if the returned state (msg.State) indicates success, prompt that the operation succeeded and ask whether to return to the main page; otherwise refresh the page.
5. Add an inner class to the controller to receive complex objects. Build an object on the page, put the values to be transferred into it, and post that object so that complex data or lists can be transferred.

6. Modifying roles and permissions also uses a page jump, to the modify-role view. Its layout is basically the same as the add-role page, except that modification must handle three cases: removing permissions that exist, adding permissions that do not exist, and keeping the original permissions unchanged.
In the controller, create an anonymous object and return multiple objects as JSON.
Traverse the listpermission list and check the module information in a for loop.
When saving, the role ID is used as the primary key, and listModuleID is an array of checked module ID objects (its data type is an array of ModuleID objects).
The three cases:
① items to add (not yet in the database) are in listModuleID but not in oldModuleIDs;
② items to delete are not in listModuleID but are in oldModuleIDs;
③ items that remain unchanged are in both listModuleID and oldModuleIDs.
Comparing the two lists: the part to add is the new list minus the intersection, the part to delete is the old list minus the intersection, and the unchanged part is the intersection.
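The three-way comparison above, written out as an added example rather than the original post's code. ModuleID, listModuleID and oldModuleIDs follow the post's names; RolePermissionDiff and the sample data are assumptions. Only ToAdd and ToRemove need to touch the database; the intersection is left alone.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not the post's code): computes the add / delete / unchanged sets
// for a role's module permissions from the checked list and the stored list.
public class ModuleID
{
    public int moduleID { get; set; }
}

public class RolePermissionDiff
{
    public List<int> ToAdd { get; } = new List<int>();     // in listModuleID, not in oldModuleIDs
    public List<int> ToRemove { get; } = new List<int>();  // in oldModuleIDs, not in listModuleID
    public List<int> Unchanged { get; } = new List<int>(); // in both: the intersection

    // listModuleID: module IDs checked on the modify-role page.
    // oldModuleIDs: module IDs currently stored for the role in the database.
    public static RolePermissionDiff Compute(IEnumerable<ModuleID> listModuleID, IEnumerable<int> oldModuleIDs)
    {
        // HashSet drops duplicate checkbox values and gives O(1) membership tests.
        var newSet = new HashSet<int>(listModuleID.Select(m => m.moduleID));
        var oldSet = new HashSet<int>(oldModuleIDs);

        var diff = new RolePermissionDiff();
        diff.Unchanged.AddRange(newSet.Intersect(oldSet).OrderBy(id => id)); // intersection
        diff.ToAdd.AddRange(newSet.Except(oldSet).OrderBy(id => id));        // new minus intersection
        diff.ToRemove.AddRange(oldSet.Except(newSet).OrderBy(id => id));     // old minus intersection
        return diff;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data (assumption): the page posted modules 1, 2 and 5,
        // while the role currently holds modules 2, 3 and 5.
        var listModuleID = new[]
        {
            new ModuleID { moduleID = 1 },
            new ModuleID { moduleID = 2 },
            new ModuleID { moduleID = 5 }
        };
        var oldModuleIDs = new[] { 2, 3, 5 };

        var diff = RolePermissionDiff.Compute(listModuleID, oldModuleIDs);
        Console.WriteLine("add: " + string.Join(",", diff.ToAdd));
        Console.WriteLine("remove: " + string.Join(",", diff.ToRemove));
        Console.WriteLine("unchanged: " + string.Join(",", diff.Unchanged));
    }
}
```

The delete statement for ToRemove should be scoped by both the role ID (the primary key the post mentions) and the module ID, so a malformed request cannot strip permissions from a different role.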
7. Deleting a role: click the delete button in the table row to delete that row of data.
First determine whether any user still uses the role. If intUseUserCount equals zero, execute the deletion; the expected number of affected rows is (removeList.Count + 1), i.e. the role's permission records in removeList plus the role row itself, and the deletion is considered successful only when the actual number of affected rows matches.

8. Applying the permission module: first outer-join the complete module table, then join in the modules owned by the user.
If the joined ID is greater than zero, the user has permission for that module; if it equals zero, the user does not.
Modules that the user does not have are removed from the menu.
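The left join described above, as an added example in LINQ over in-memory lists (not the post's own query). Module, MenuItem, MenuBuilder and the sample rows are assumptions; the rule that an ID greater than zero means "owned" and zero means "not owned" is the post's.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not the post's code): left-join every module against the
// module IDs the user owns, then keep only the owned ones for the menu.
public class Module
{
    public int ModuleID { get; set; }
    public string ModuleName { get; set; }
}

public class MenuItem
{
    public int ModuleID { get; set; }
    public string ModuleName { get; set; }
    public int OwnedID { get; set; }          // > 0 when the user owns the module, 0 otherwise
    public bool HasPermission => OwnedID > 0;
}

public static class MenuBuilder
{
    // allModules: every module in the system (left side of the join).
    // userModuleIDs: module IDs granted to the user through its roles (right side).
    public static List<MenuItem> BuildMenu(IEnumerable<Module> allModules, IEnumerable<int> userModuleIDs)
    {
        var items =
            from m in allModules
            join u in userModuleIDs on m.ModuleID equals u into owned
            from o in owned.DefaultIfEmpty()  // left outer join: default(int) == 0 when unmatched
            select new MenuItem { ModuleID = m.ModuleID, ModuleName = m.ModuleName, OwnedID = o };

        // Drop the modules the user does not have, as the post does for the menu.
        return items.Where(i => i.HasPermission).ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data (assumption).
        var allModules = new[]
        {
            new Module { ModuleID = 1, ModuleName = "Booking" },
            new Module { ModuleID = 2, ModuleName = "Role" },
            new Module { ModuleID = 3, ModuleName = "User" }
        };
        var userModuleIDs = new[] { 1, 3 };

        foreach (var item in MenuBuilder.BuildMenu(allModules, userModuleIDs))
            Console.WriteLine(item.ModuleID + " " + item.ModuleName);
    }
}
```

This only decides what the menu shows. A user who knows a URL can still request it directly, which is why the post goes on to intercept permissions in a filter.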
This method alone is not safe: it only hides entries on the page, and permissions are not intercepted in the controller, so a second mechanism is used to intercept permissions at the controller.
Add a class in the project's App_Start folder and register the global filter there.
(Static: a static method belongs to the class rather than to an instance, so it is called without creating an object.)
Then register the global filter in the project's Global.asax. Filter principle: a layer of code wraps the controller (N layers can be added). Without the filter, the browser's request reaches the controller directly; with the filter, the request must first pass the filter's comparison before the controller's method can be accessed. If the information does not match, that is, the user has no permission for that page, the request is redirected to the unauthorized page.
9. Create a new folder in the project named Filter, and in it a new class PermissionFilter.
For the permission check, first get the path requested by the user;
then skip the checks that are unnecessary before login, such as the verification code;
then convert the user ID from the session, and if it converts successfully proceed to the permission check.

If the conversion fails, execution goes to the exception branch, where Response redirects the user to the login page.
There are two approaches to the check. The first queries the permissions and their corresponding modules only once, when the user logs in, and uses the permission-module information obtained at login. Its problem is that if the administrator modifies a user's permissions after that user has logged in, the modified permissions do not take effect for the current session.

The second approach checks the permissions on every request. It also has a problem: on a large site with complex data, checking permissions on every operation slows down queries and affects the user experience. Of course, the second approach is the more secure one.
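An authorization filter covering sections 8 and 9 and the two approaches above, written as an added example; it is not the post's PermissionFilter. Two choices differ from the post and are stated here: it takes area, controller and action from the matched route data instead of splitting Request.Path, so default routes and letter case cannot bypass the check, and it marks pre-login actions with [AllowAnonymous] instead of matching their URLs. It assumes the login action stores the user ID in Session["UserID"], a hypothetical PermissionStore.Load(userId) that queries the database for the URL keys the user's roles grant, and that admin code calls PermissionStore.Invalidate() after changing any role; the route names Login/Index and Home/Unauthorized are assumptions. As in the post, controllers outside an area need only a login. The version counter is a compromise between the post's two approaches: permissions are cached at login and reloaded only after an administrator changes roles, so neither stale permissions nor a database query per request.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Added example, not the original post's filter class.
public class PermissionFilter : IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var ad = filterContext.ActionDescriptor;
        // Actions needed before login (login page, verification-code image) are marked
        // [AllowAnonymous] on the action or controller and skipped here.
        if (ad.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            ad.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true))
            return;

        var session = filterContext.HttpContext.Session;
        int userId;
        if (session == null || !int.TryParse(Convert.ToString(session["UserID"]), out userId))
        {
            // No usable user ID in the session: not logged in, go to the login page.
            filterContext.Result = new RedirectResult("~/Login/Index");
            return;
        }

        // Area/controller/action from the matched route, not from splitting the raw path.
        var route = filterContext.RouteData;
        string area = route.DataTokens["area"] as string;
        if (string.IsNullOrEmpty(area))
            return; // main-page controllers outside areas are outside the permission filter (post's design)

        string key = PermissionStore.Key(area,
            route.Values["controller"] as string,
            route.Values["action"] as string);

        if (!PermissionStore.Allowed(session, userId, key))
            filterContext.Result = new RedirectResult("~/Home/Unauthorized");
    }
}

public static class PermissionStore
{
    // Global version, bumped whenever an administrator changes roles or permissions.
    private static int version;
    public static void Invalidate() { System.Threading.Interlocked.Increment(ref version); }

    // Hypothetical database call (assumption): returns the keys the user's roles grant,
    // e.g. "/booking/role/add". Replace with the project's real query.
    public static Func<int, HashSet<string>> Load = userId => new HashSet<string>();

    // Normalised key "/area/controller/action", lower-cased so case cannot bypass it.
    public static string Key(string area, string controller, string action)
    {
        return ("/" + (area ?? "") + "/" + (controller ?? "") + "/" + (action ?? "")).ToLowerInvariant();
    }

    // Cached at login, reloaded only after Invalidate(): admin changes take effect
    // without a database query on every request.
    public static bool Allowed(HttpSessionStateBase session, int userId, string key)
    {
        var cached = session["Permissions"] as HashSet<string>;
        int cachedVersion = session["PermissionsVersion"] is int v ? v : -1;
        if (cached == null || cachedVersion != version)
        {
            cached = Load(userId);
            session["Permissions"] = cached;
            session["PermissionsVersion"] = version;
        }
        return cached.Contains(key);
    }
}

// App_Start/FilterConfig.cs; RegisterGlobalFilters is called from Application_Start in Global.asax.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new PermissionFilter());
    }
}
```

Because the filter is global, every action is checked unless it carries [AllowAnonymous]; adding a new controller to an area therefore denies access by default until its module is granted to a role, which is the safer failure mode. In a web farm the static version counter must live in shared storage (a database column or distributed cache) rather than in one process.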

Origin blog.csdn.net/Pzz_Lite/article/details/108074692