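/// <summary>
 /// Check whether the user satisfies the given authorization requirement.
 /// Every branch fails closed: a null user (not logged in) fails any requirement that is set,
 /// and a requirement with nothing set authorizes any user, including a null one.
 /// </summary>
 /// <param name="user">User to check; may be null</param>
 /// <param name="requirement">Authorization requirement; must not be null</param>
 /// <param name="errorMessage">Reason the check failed, or null when authorized</param>
 /// <returns>true when every set requirement is satisfied, otherwise false</returns>
 /// <exception cref="ArgumentNullException">requirement is null</exception>
 public virtual bool IsAuthorized(User user, AuthRequirement requirement, out string errorMessage)
 {
     if (requirement == null)
     {
         throw new ArgumentNullException(nameof(requirement));
     }
     // Master tenant required, but the user is missing or belongs to another tenant
     if (requirement.RequireMasterTenant &&
         (user == null || !user.OwnerTenant.IsMaster))
     {
         errorMessage = new T("Action require user under master tenant");
         return false;
     }
     // A user type is required, but the user is missing or not of that type
     if (requirement.RequireUserType != null &&
         (user == null || !HasUserType(user, requirement.RequireUserType)))
     {
         errorMessage = new T(
             "Action require user to be '{0}'",
             new T(requirement.RequireUserType.Name));
         return false;
     }
     // Privileges are required, but the user is missing or does not hold all of them
     if (requirement.RequirePrivileges != null &&
         (user == null || !HasPrivileges(user, requirement.RequirePrivileges)))
     {
         // Privilege names are translated for the message shown to the caller
         var translator = ZKWeb.Application.Ioc.Resolve<IPrivilegeTranslator>();
         var privilegeNames = string.Join(",",
             requirement.RequirePrivileges.Select(p => translator.Translate(p)));
         errorMessage = new T("Action require user to be '{0}', and have privileges '{1}'",
             new T(requirement.RequireUserType?.Name),
             privilegeNames);
         return false;
     }
     errorMessage = null;
     return true;
 }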
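        /// <summary>
        /// Check whether the current session user satisfies the given authorization requirement;
        /// throws a 403 (ForbiddenException) when it does not.
        /// </summary>
        /// <param name="requirement">Authorization requirement to evaluate against the current user</param>
        /// <exception cref="ForbiddenException">The current user does not satisfy the requirement</exception>
        public virtual void Check(AuthRequirement requirement)
        {
            var sessionManager = ZKWeb.Application.Ioc.Resolve<SessionManager>();
            // The session user is passed through as-is; IsAuthorized treats a null user as unauthenticated
            var currentUser = sessionManager.GetSession().GetUser();
            string errorMessage;
            if (IsAuthorized(currentUser, requirement, out errorMessage))
            {
                return;
            }
            throw new ForbiddenException(errorMessage);
        }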
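        /// <summary>
        /// Verify that the caller's group memberships satisfy the configured system access
        /// requirements (evaluated through AuthRequirement.EvaluateOr — presumably any one
        /// requirement suffices; confirm against that method).
        /// When no requirements are configured (null or empty) the check is skipped and the
        /// method returns without enforcing anything.
        /// </summary>
        /// <param name="groupsAllowedAccess">Group memberships to evaluate; keyed by group name — TODO confirm key/value meaning against AuthRequirement.EvaluateOr</param>
        /// <exception cref="UnauthorizedAccessException">Requirements are configured and none is met; the detail text comes from EvaluateOr</exception>
        protected void CheckSystemAccess(Dictionary<string, string[]> groupsAllowedAccess)
        {
            var requirements = _config.systemAccessRequirements;
            // Nothing configured means there is nothing to enforce
            if (requirements == null || requirements.Count == 0)
            {
                return;
            }
            string error = "";
            if (!AuthRequirement.EvaluateOr(groupsAllowedAccess, requirements, ref error))
            {
                // A specific exception type (still an Exception subtype for existing catch blocks)
                throw new UnauthorizedAccessException($"User does not meet system access requirements! ({error})");
            }
        }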
 /// <summary>
 /// Wrap the action so that the privilege check runs before it executes.
 /// The check is applied only when HttpMethod is unset or matches the current request
 /// method (case-insensitive). PrivilegeManager.Check throws when the current user is not
 /// authorized, so the wrapped action is never invoked in that case.
 /// </summary>
 /// <param name="action">The action to guard</param>
 /// <returns>A delegate that performs the check and then invokes the action</returns>
 public override Func<IActionResult> Filter(Func<IActionResult> action)
 {
     Func<IActionResult> guarded = () =>
     {
         // Request method is only read when HttpMethod is set (short-circuit preserved)
         var needsCheck = string.IsNullOrEmpty(HttpMethod) ||
             HttpMethod.Equals(HttpManager.CurrentContext.Request.Method, StringComparison.OrdinalIgnoreCase);
         if (needsCheck)
         {
             var privilegeManager = ZKWeb.Application.Ioc.Resolve<PrivilegeManager>();
             privilegeManager.Check(new AuthRequirement(RequireMasterTenant, RequireUserType, RequirePrivileges));
         }
         return action();
     };
     return guarded;
 }