权限验证。

2026-01-25 15:08:11 +00:00 · 2019-10-26 20:39:21 +08:00 · 2019-10-26 20:39:21 +08:00 · 0989b76c1b
commit 0989b76c1b
parent 00fdc123e6
2 changed files with 33 additions and 39 deletions
--- a/ShadowEditor.Server/Base/ApiAuthAttribute.cs
+++ b/ShadowEditor.Server/Base/ApiAuthAttribute.cs
@ -7,6 +7,10 @@ using System.Web.Http;
 using System.Web.Http.Controllers;
 using System.Web.Http.Filters;
 using System.Web.Security;
+using ShadowEditor.Model.System;
+using ShadowEditor.Server.Helpers;
+using ShadowEditor.Server.CustomAttribute;
+using Newtonsoft.Json;

 namespace ShadowEditor.Server.Base
 {
@ -22,50 +26,36 @@ namespace ShadowEditor.Server.Base
        /// <param name="actionContext"></param>
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
-            try
+            if (!ConfigHelper.EnableAuthority)
            {
-                // 允许匿名访问
-                if (actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Count > 0)
-                {
-                    base.OnActionExecuting(actionContext);
-                    return;
-                }
-
-                // 获取cookie
-                var cookie = actionContext.Request.Headers.GetCookies();
-                if (cookie == null || cookie.Count < 1)
-                {
-                    DenyAction(actionContext, 301, "登录超时！");
-                    return;
-                }
-
-                // 获取票据
-                FormsAuthenticationTicket ticket = null;
-                foreach (var perCookie in cookie[0].Cookies)
-                {
-                    if (perCookie.Name == FormsAuthentication.FormsCookieName)
-                    {
-                        ticket = FormsAuthentication.Decrypt(perCookie.Value);
-                        break;
-                    }
-                }
-
-                // 验证票据
-                if (ticket == null)
-                {
-                    DenyAction(actionContext, 300, "无权限！");
-                    return;
-                }
-
-                // 验证权限后将获得的用户信息写入Session
-                HttpContext.Current.Items.Add("__userID", ticket.UserData); // 获取登陆时写入cookie的用户ID
-
                base.OnActionExecuting(actionContext);
+                return;
            }
-            catch
+
+            var attributes = actionContext.ActionDescriptor.GetCustomAttributes<AuthorityAttribute>();
+
+            if (attributes.Count == 0)
            {
-                DenyAction(actionContext, 300, "权限验证出错！");
+                base.OnActionExecuting(actionContext);
+                return;
            }
+
+            // 验证权限
+            var user = UserHelper.GetCurrentUser();
+
+            if (user == null)
+            {
+                DenyAction(actionContext, 301, "Not allowed.");
+                return;
+            }
+
+            if (user.Name == "Administrator")
+            {
+                base.OnActionExecuting(actionContext);
+                return;
+            }
+
+            base.OnActionExecuting(actionContext);
        }

        /// <summary>
--- a/ShadowEditor.Server/Helpers/UserHelper.cs
+++ b/ShadowEditor.Server/Helpers/UserHelper.cs
@ -66,6 +66,10 @@ namespace ShadowEditor.Server.Helpers
                return null;
            }

+            // 获取角色信息
+
+            // 获取权限信息
+
            return new UserModel
            {
                ID = doc["ID"].ToString(),