//因为控制器本身也是一个ActionFilter,所以重写一下基类中的OnActionExcuting方法就可以实现,所有的Action执行前先校验用户是否登录了 // GET: Base protected override void OnActionExecuted(ActionExecutedContext filterContext) { //test return; base.OnActionExecuted(filterContext); #region 校验用户是否登录 LoginUserInfo = Session["LoginUser"] as Model.UserInfo; if (LoginUserInfo == null) { //没有登录 //filterContext.HttpContext.Response.Redirect("/Error.html"); //this.Response.Clear();//这里是关键,清除在返回前已经设置好的标头信息,这样后面的跳转才不会报错 //this.Response.BufferOutput = true;//设置输出缓冲 //if (!this.Response.IsRequestBeingRedirected)//在跳转之前做判断,防止重复 // { // this.Response.Redirect("/Login/CheckUser", true); // } //filterContext.HttpContext.Response.Redirect("/Login/CheckUser"); //filterContext.Result = new RedirectResult("/Login/CheckUser"); Response.Redirect("/Login/CheckUser"); return; } #endregion //给自己留后门 if (LoginUserInfo != null) { if (LoginUserInfo.UserName == "abc") { return; } } #region 过滤权限 //校验用户是否拥有访问此动作的权限 string str = filterContext.HttpContext.Request.RawUrl; //UserInfo/Index string httpMethod = filterContext.HttpContext.Request.HttpMethod.ToLower(); //如果没有关联当前用户的话,那么直接跳转错页面 ActionInfoService actionInfoService = new ActionInfoService(); var currentUrlAction =//拿到当前请求地址和Method对应的权限 actionInfoService.LoadTs(a => a.Url == str && a.HttpMethod.ToLower() == httpMethod) .FirstOrDefault(); //第一个:如果没有当前权限数据跟当前的url地址对应 if (currentUrlAction == null) { Common.LogHelper.WriteLog(string.Format("用户:{0}在时间:{1}请求{2}请求类型{3}出现了没有权限的问题,对方的IP地址是{4}", LoginUserInfo.Id, DateTime.Now, str, httpMethod, filterContext.HttpContext.Request.UserHostAddress)); //filterContext.Result = new RedirectResult("/Error.html"); Response.Redirect("/Error.html"); //filterContext.HttpContext.Response.Redirect("/Error.html"); return; } //第二:看当前用户有没有和当前权限关联在一块 //1、校验用户特殊权限 short delNormal = (short)Model.Enum.DelFlagEnum.Normal; R_User_ActionInfoService rUserActionInfoService = new R_User_ActionInfoService(); var tempUserAction = (from a in rUserActionInfoService.LoadTs(u => u.DelFlag == delNormal) where (a.ActionInfoId == currentUrlAction.Id && a.UserInfoId == LoginUserInfo.Id) select a).FirstOrDefault(); if (tempUserAction != null) { if (tempUserAction.IsPass) { return;//直接允许请求 } else { Common.LogHelper.WriteLog(string.Format("用户:{0}在时间:{1}请求{2}请求类型{3}出现了没有权限的问题,对方的IP地址是{4}", LoginUserInfo.Id, DateTime.Now, str, httpMethod, filterContext.HttpContext.Request.UserHostAddress)); //filterContext.Result = new RedirectResult("/Error.html"); Response.Redirect("/Error.html"); //filterContext.HttpContext.Response.Redirect("/Error.html"); return; } } //2、首先拿到当前用户的所有角色 IBLL.IUserInfoService userInfoService = new UserInfoService(); var user = userInfoService.LoadTs(u => u.Id == LoginUserInfo.Id).FirstOrDefault(); var tempRoleActions = (from r in user.Role from a in r.ActionInfo where a.Id == currentUrlAction.Id select a).Count(); if (tempRoleActions <= 0) { Common.LogHelper.WriteLog(string.Format("用户:{0}在时间:{1}请求{2}请求类型{3}出现了没有权限的问题,对方的IP地址是{4}", LoginUserInfo.Id, DateTime.Now, str, httpMethod, filterContext.HttpContext.Request.UserHostAddress)); //filterContext.Result = new RedirectResult("/Error.html"); //filterContext.HttpContext.Response.Redirect("/Error.html"); Response.Redirect("/Error.html"); return; } else { return; } //3、拿到部门的所有角色 var tempDepRoleActions = (from d in user.Department from r in d.Role from a in r.ActionInfo where a.Id == currentUrlAction.Id select a).Count(); if (tempDepRoleActions <= 0) { Common.LogHelper.WriteLog(string.Format("用户:{0}在时间:{1}请求{2}请求类型{3}出现了没有权限的问题,对方的IP地址是{4}", LoginUserInfo.Id, DateTime.Now, str, httpMethod, filterContext.HttpContext.Request.UserHostAddress)); //filterContext.Result = new RedirectResult("/Error.html"); filterContext.HttpContext.Response.Redirect("/Error.html"); return; } else { return; } #endregion }