Yes, this can be achieved with a custom action filter. You can extend AuthorizeAttribute; the most basic implementation would be something like this:

    using System;
    using System.Web;
    using System.Web.Mvc;

    public class OwnImageAuthorizeAttribute : AuthorizeAttribute {
        public string ImageIdKey { get; set; }

        protected override bool AuthorizeCore(HttpContextBase httpContext) {
            bool authorized = false;
            // Get the current user
            var currentUser = ...;
            // Get the image ID, whether it is in the route or querystring
            // From querystring: httpContext.Request.QueryString[ImageIdKey]
            object routeValue = httpContext.Request.RequestContext.RouteData.Values[ImageIdKey];
            int imageId;
            // Route values are objects, so convert to a string before parsing
            if (int.TryParse(Convert.ToString(routeValue), out imageId)) {
                // Authorize the user
                authorized = YourMethodToCheckIfUserIsOwner(currentUser, imageId);
            }
            return authorized;
        }
    }

Then, decorate your method:

    [OwnImageAuthorize(ImageIdKey = "imageId")]
    public ActionResult MyAction() { }

You can find some more details here.
Also, Ninject-mvc3 can do the injection. I think you are right, this is already getting into business logic. – xandy 2011-03-05 02:42:34
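
A fuller version of the ownership filter from the answer above, as an added example that is not part of the original answer or comment: it keeps the base authentication check, fails closed, and returns 403 to signed-in users who do not own the image. IImageOwnershipStore and OwnedImageAuthorizeAttribute are hypothetical names, and identifying the owner by user name is an assumption.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical abstraction over the image store; not part of ASP.NET MVC.
public interface IImageOwnershipStore
{
    // Returns the owner's user name, or null when the image does not exist.
    string GetOwnerName(int imageId);
}

public class OwnedImageAuthorizeAttribute : AuthorizeAttribute
{
    public string ImageIdKey { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Keep the built-in checks (authenticated, Users/Roles) first.
        if (!base.AuthorizeCore(httpContext)) return false;

        // Look in the route first, then fall back to the query string.
        object raw = httpContext.Request.RequestContext.RouteData.Values[ImageIdKey]
                     ?? httpContext.Request.QueryString[ImageIdKey];
        int imageId;
        if (!int.TryParse(Convert.ToString(raw), out imageId)) return false;

        // Resolved per request through MVC's DependencyResolver, so a container
        // can supply the store and the attribute itself holds no state.
        var store = DependencyResolver.Current.GetService<IImageOwnershipStore>();
        if (store == null) return false; // fail closed when nothing is registered

        // A missing image and someone else's image are both denied.
        // Assumption: user names are compared case-insensitively.
        string owner = store.GetOwnerName(imageId);
        return owner != null && string.Equals(
            owner, httpContext.User.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            // Signed in but not the owner: answer 403 instead of a login redirect.
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```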