动态添加角色以授权控制器的属性

这就是我如何根据该用户角色的权限提取可以为每个方法授权用户的属性。 我希望这有助于其他人：

 /// 
 /// Custom authorization attribute for setting per-method accessibility /// 
 [AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)] public class SetPermissionsAttribute : AuthorizeAttribute { /// 
 /// The name of each action that must be permissible for this method, separated by a comma. /// 
 public string Permissions { get; set; } protected override bool AuthorizeCore(HttpContextBase httpContext) { SalesDBContext db = new SalesDBContext(); UserManager userManager = new UserManager(new UserStore(new ApplicationDbContext())); ApplicationDbContext dbu = new ApplicationDbContext(); bool isUserAuthorized = base.AuthorizeCore(httpContext); string[] permissions = Permissions.Split(',').ToArray(); IEnumerable perms = permissions.Intersect(db.Permissions.Select(p => p.ActionName)); List roles = new List(); if (perms.Count() > 0) { foreach (var item in perms) { var currentUserId = httpContext.User.Identity.GetUserId(); var relatedPermisssionRole = dbu.Roles.Find(db.Permissions.Single(p => p.ActionName == item).RoleId).Name; if (userManager.IsInRole(currentUserId, relatedPermisssionRole)) { return true; } } } return false; } } 

这样的事情怎么样：

 [AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)] public class MyCustomAuthorizationAttribute : AuthorizeAttribute { protected override bool AuthorizeCore(HttpContextBase httpContext) { // Do some logic here to pull authorised roles from backing store (AppSettings, MSSQL, MySQL, MongoDB etc) ... // Check that the user belongs to one or more of these roles bool isUserAuthorized = ....; if(isUserAuthorized) return true; return base.AuthorizeCore(httpContext); } } 

您可以将它与数据库一起使用，或者只是在web.config中维护一组授权角色。