C# + SQL stored procedure: an AOP-style data permission check for a system

background:

  1. C/S system architecture

  2. Front-end Extjs 

  3. Background C#

  4. Database SQL

The front end communicates with the back end through Ajax requests.

The front-end application page uniformly inherits the entry class BasePage

Application page:

public partial class xxxxxxx : BasePage
{
    // business code ...
}

BasePage:

public class BasePage : System.Web.UI.Page
{
    // Implement the data permission check here
}

Requirement:

Perform the data-operation permission check and report the result back to the front end.

Analysis:

Because every page inherits BasePage, the check can be added to BasePage once and it applies to all pages. The back end performs the permission judgment based on the current user ID and the requested page.

To keep it efficient, the judgment is done inside a stored procedure, which returns the result.

In addition, for ease of management and tracking, a log record is written once the judgment is complete.

Stored procedure:

-- =================================================
-- Author:      Zhang Lihui
-- Create date: 2023-3-24
-- Description: System access control AOP
-- =================================================
create PROCEDURE [dbo].[Hztech_Aop]
    @userID as nvarchar(20),
    @URI as nvarchar(200),
    @result as nvarchar(20) output,
    @msg as nvarchar(200) output
AS
BEGIN
    declare @roleid as int                    -- role ID
    declare @location as int                  -- position of the DataStore/ segment in the URI
    declare @moduleAndPage as nvarchar(200)   -- module/page and request parameters
    declare @module as nvarchar(50)           -- module
    declare @pageAndOptype as nvarchar(100)   -- page?optype=...
    declare @page as nvarchar(100)            -- page
    declare @optype as nvarchar(50)           -- optype

    declare @Edit as bit
    declare @Del as bit
    declare @Close as bit
    declare @Lock as bit
    declare @Unop as bit
    declare @Export as bit
    declare @pageName as nvarchar(100)
    declare @pass nvarchar(20)
    set @pass='refuse'
    set @pageName='query'

    --1 get role id by user id
    select @roleid=isnull(roleid,0) from [xxxx_UserRoles] where UserID=@userID
    if(@roleid is null or @roleid=0)
    begin
        set @pass='refuse'
        set @msg='You are not authorized to perform any operation.'
        set @result=0
        goto logg
    end

    --2 Get menu permissions through URL and role ID
    --2.1 Determine whether it is a DataStore request
    set @location=charindex('xxxxxxxxxx/',@URI,0)
    if(@location<=0)
    begin
        -- requests outside the DataStore path are passed and only logged
        set @msg='pass+log, non-xxxxxxxxxx operation.'
        set @result=1
        goto logg
    end
    --2.2 contains DataStore/
    set @moduleAndPage=SUBSTRING(@URI,@location+len('xxxxxxxxxx/'),len(@URI)-4)
    --parse the URL: module/yyy.aspx?optype=xxxx&...
    set @module=dbo.GetSplitOfIndex(@moduleAndPage,'/',1)          -- module
    set @pageAndOptype=dbo.GetSplitOfIndex(@moduleAndPage,'/',2)   -- yyy.aspx?optype=xxxx
    set @page=dbo.GetSplitOfIndex(@pageAndOptype,'?',1)            -- yyy.aspx
    set @optype=dbo.GetSplitOfIndex(@pageAndOptype,'?',2)          -- optype=xxxx
    set @optype=dbo.GetSplitOfIndex(@optype,'=',2)                 -- xxxx
    if(CHARINDEX('&',@optype,0)>0) -- contains multiple parameters
    begin
        set @optype=dbo.GetSplitOfIndex(@optype,'&',1)             -- xxxx
    end

    --3 Determine whether permission control is needed
    /* optype value range
       . . . . . . .
    */
    --3.1 Query operation (read-only): pass and log.
    --    Note: any optype whose name contains 'Select' is treated as read-only here.
    if(@optype='getPobillAndDetail' or @optype='showfile' or charindex('Select',@optype,0)>0
       or @optype='WorkFlowApprovePobill' -- approval submission
      )
    begin
        set @pass='log'
        set @msg='pass, non-modification operation.'
        set @result=1
        goto logg
    end
    --3.2 Load the role's permission bits for this module
    --    ([xxxx_RoleMenus] and the bit column names are placeholders; the post does not give them)
    select top 1 @Edit=isnull([Edit],0), @Del=isnull([Del],0), @Close=isnull([Close],0),
                 @Lock=isnull([Lock],0), @Unop=isnull([Unop],0), @Export=isnull([Export],0)
      from [xxxx_RoleMenus]
     where [Url] like '%/'+@module+'/%' and roleid=@roleid

    --4 Judge whether there is permission
    if (charindex('Submit',@optype,0)>0 -- dialog single-form submission
        or @optype='savePOBill'         -- document saving
       )
    begin
        if(@Edit=1) -- editable
            set @result=1
        else
        begin
            set @result=0
            goto logg
        end
    end
    --- Other permission verification omitted
    -- ... .....
    else
        set @result=0 -- otherwise refuse

    if(@result=1)
        set @pass='pass'

    --5 log
logg:
    if(@result=0)
        set @msg='Unauthorized to perform the current operation: '+isnull(@optype,'')
    insert into sys_aoplog([code],[name],[uri],[verifyresult],module,[page],optype,remark)
    values (@userID,@pageName,@URI,@pass,@module,@page,@optype,@msg)
    --6 return result
    return @result
END

The page code then calls the stored procedure to perform the check:

// check permission
string purMsg;
bool purCheck = dataOperate.ExeAopProc(aurl, currentUser.UserID.ToString(), out purMsg);
if (!purCheck)
{
    // refused: return the reason to the front end and stop processing the request
    string jsonlist1 = Common.ExtAjaxRequest.GetOperateRet("0", purCheck, purMsg);
    Response.Write(jsonlist1);
    Response.End();
}
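Added example, not the post's own code: a BasePage that wires the check into OnLoad and an ExeAopProc wrapper that calls [dbo].[Hztech_Aop] with the parameter signature shown above and fails closed on database errors. The connection-string name "AppDb" and the user ID being held in Session["UserID"] are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example, not the original post's code. Assumes a connection string named
// "AppDb" in Web.config and the current user's ID stored in Session["UserID"].
public class BasePage : System.Web.UI.Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        string userId = Convert.ToString(Session["UserID"]);
        string msg;
        if (!ExeAopProc(Request.RawUrl, userId, out msg))
        {
            Response.ContentType = "application/json";
            Response.Write("{\"success\":false,\"msg\":\"" + HttpUtility.JavaScriptStringEncode(msg) + "\"}");
            Response.End();
        }
    }

    // Calls [dbo].[Hztech_Aop] (in: @userID, @URI; out: @result, @msg) and
    // fails closed: a database error or an unexpected @result value means "refuse".
    protected static bool ExeAopProc(string uri, string userId, out string msg)
    {
        msg = "Permission check could not be completed.";
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        try
        {
            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand("dbo.Hztech_Aop", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@userID", SqlDbType.NVarChar, 20).Value = userId;
                cmd.Parameters.Add("@URI", SqlDbType.NVarChar, 200).Value = uri;
                SqlParameter result = cmd.Parameters.Add("@result", SqlDbType.NVarChar, 20);
                result.Direction = ParameterDirection.Output;
                SqlParameter outMsg = cmd.Parameters.Add("@msg", SqlDbType.NVarChar, 200);
                outMsg.Direction = ParameterDirection.Output;
                conn.Open();
                cmd.ExecuteNonQuery();
                if (outMsg.Value != DBNull.Value) msg = (string)outMsg.Value;
                return Convert.ToString(result.Value) == "1"; // only an explicit '1' passes
            }
        }
        catch (SqlException) { return false; }
    }
}
```

Because the procedure runs before any page-specific code, a page that forgets to check permissions is still covered, and the sys_aoplog table records every decision.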

Effect:

Back-end log: one sys_aoplog row per checked request.

Done.


Source: blog.csdn.net/sinat_40572875/article/details/129758420