问题描述
我试图禁止用户角色 Upsert 在 Manager(仅限编辑范围)中的访问。
所以我想访问经理在他/她提交后编辑帖子。因为我使用 RepositoryPattern IunitOfWork,所以做这个工作人员有点复杂,因为我找不到任何解决方案,我尝试了几个解决方案,但根本不起作用。
由于 Upsert 方法包含 Insert 方法和 Update。
所以Manager只能插入数据,不能更新数据。一旦 Manager 尝试编辑帖子,它需要显示消息 Forbidden access。
这是我的代码
public IActionResult Upsert(int? Id)
{
TicketVM ticketVM = new()
{
Ticket = new Ticket(),TicketTypeList = _unitOfwork.TicketType.GetAll().Select(i => new SelectListItem
{
Text = i.Name,Value = i.Id.ToString()
}),ApplicationUser = new ApplicationUser(),Client = new Client()
};
var userName = User.FindFirstValue(ClaimTypes.Email);
var user = HttpContext.User.Identity.Name;
ticketVM.Ticket.ApplicationUser = _db.ApplicationUsers.FirstOrDefault(u => u.Email == userName);
if (Id == null)
{
return View(ticketVM);
}
ticketVM.Ticket = _unitOfwork.Ticket.Get(Id.GetValueOrDefault());
if (ticketVM.Ticket == null)
{
NotFound();
}
return View(ticketVM);
}
[HttpPost]
[ValidateAntiForgeryToken]
public IActionResult Upsert(TicketVM ticketVM)
{
var userName = User.FindFirstValue(ClaimTypes.Email);
var user = HttpContext.User.Identity.Name;
if (ticketVM.Ticket.UserId > 0)
{
var usert = _db.ApplicationUsers.FirstOrDefault(u => u.Id == ticketVM.Ticket.UserId);
ticketVM.Ticket.ApplicationUser = usert;
}
else
{
var usert = _db.ApplicationUsers.FirstOrDefault(u => u.Email == userName);
ticketVM.Ticket.ApplicationUser = usert;
}
if (ModelState.IsValid)
{
if (ticketVM.Ticket.Id == 0)
{
ticketVM.Ticket.Status = TicketStatus.Otvoren.ToString();
_unitOfwork.Ticket.Add(ticketVM.Ticket);
}
else
{
_unitOfwork.Ticket.Update(ticketVM.Ticket);
//ticketVM.Ticket.Status = ((TicketStatus)Convert.ToInt32(ticketVM.Ticket.Status)).ToString();
if (ticketVM.Ticket.Status.ToString() == "1")
{
ticketVM.Ticket.Status = "Otvoren";
}
else if (ticketVM.Ticket.Status.ToString() == "2")
{
ticketVM.Ticket.Status = "NaCekanju";
}
else
{
ticketVM.Ticket.Status = "Zatvoren";
}
}
_unitOfwork.Save();
return RedirectToAction(nameof(Index));
}
else
{
ticketVM.TicketTypeList = _unitOfwork.TicketType.GetAll().Select(i => new SelectListItem
{
Text = i.Name,Value = i.Id.ToString()
});
if (ticketVM.Ticket.Id != 0)
{
ticketVM.Ticket = _unitOfwork.Ticket.Get(ticketVM.Ticket.Id);
}
}
return View(ticketVM);
}
到目前为止,我尝试在我的视图中禁止访问
@model VmSTicketing.Models.viewmodels.TicketVM
@using VmSTicketing.Utility
@using VmSTicketing.Models.Enum;
@{
ViewData["Title"] = "Upsert";
Layout = "~/Views/Shared/AdminLTE/_Layout.cshtml";
var title = "Kreiraj Tiket";
}
<form method="post">
<div class="row p-3 border">
<div asp-validation-summary="ModelOnly" class="text-danger"></div>
@if (Model.Ticket.Id != 0)
{
//edit
title = "Uredi tiket";
<input type="hidden" asp-for="Ticket.Id" />
<input type="hidden" asp-for="Ticket.UserId" />
}
<div class="col-12 border-bottom">
<h2 class="text-primary">@title</h2>
</div>
<div class="col-8 pt-4">
<div class="form-group row">
<div class="col-4">
<label>Vrsta Tiketa: </label>
</div>
<div class="col-8">
@Html.DropDownListFor(m => m.Ticket.TicketTypeID,Model.TicketTypeList,"--Izaberi vrstu tiketa--",new { @class = "form-control" })
<span asp-validation-for="Ticket.TicketTypeID" class="text-danger"></span>
</div>
</div>
<div class="form-group row">
<div class="col-4">
<label>Opis problema</label>
</div>
<div class="col-8">
<textarea asp-for="Ticket.Description" class="form-control"></textarea>
<span asp-validation-for="Ticket.Description" class="text-danger"></span>
</div>
</div>
@if (Model.Ticket.Id != 0 && User.IsInRole(SD.Role_Admin))
{
<div class="form-group row">
<div class="col-4">
<label asp-for="Ticket.DateAndTime"></label>
</div>
<div class="col-8">
<input asp-for="Ticket.DateAndTime" disabled class="form-control" />
<span asp-validation-for="Ticket.DateAndTime" class="text-danger"></span>
</div>
</div>
<div class="form-group row">
<div class="col-4">
<label>Status Tiketa</label>
</div>
<div class="col-8">
<select asp-for="@Model.Ticket.Status" asp-items="Html.GetEnumSelectList<VmSTicketing.Models.Enum.TicketStatus>()" class="form-control"></select>
</div>
</div>
}
<div class="form-group row">
<div class="col-8 offset-4">
@if (Model.Ticket.Id != 0)
{
<partial name="_EditAndBackToListButton" model="Model.Ticket.Id" />
}
else
{
<partial name="_CreateAndBackToListButton" />
}
</div>
</div>
</div>
</div>
</form>
所以Manager只能插入这两个字段
<div class="col-4">
<label>Vrsta Tiketa: </label>
</div>
<div class="col-8">
@Html.DropDownListFor(m => m.Ticket.TicketTypeID,new { @class = "form-control" })
<span asp-validation-for="Ticket.TicketTypeID" class="text-danger"></span>
</div>
<div class="form-group row">
<div class="col-4">
<label>Opis problema</label>
</div>
<div class="col-8">
<textarea asp-for="Ticket.Description" class="form-control"></textarea>
<span asp-validation-for="Ticket.Description" class="text-danger"></span>
</div>
</div>
但是一旦他/她尝试编辑它们,它应该显示类似于 Forbiden Access 的消息,但作为管理员用户,它应该有权访问所有此字段并可以编辑它们。
因为当 @if (Model.Ticket.Id != 0) 时它会自动重定向到 Edit 方法,否则重定向到 Create 方法。
我试图找到一些解决方案,但正如我所说,这有点难。
不确定如何在这里使用 [Authorize],因为更新和插入在一个函数中并且没有意义。
任何人都遇到过类似的问题,解决此问题的最佳方法是什么。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)