好吧,讓我們打破這:
驗證用戶可以寫入表(這如果是真的,如果不返回1,0):
SELECT isnull(has_perms_by_name('MyDb.dbo.MyTable', 'OBJECT', 'INSERT'), 0)
驗證用戶可以編寫該發佈商:
SELECT count(*) FROM UserPermissions WHERE
UserName = 'username' AND Publisher = 'publisher'
現在,這是SQL的那些,而不是實際的C#。爲了獲取值在C#:
SqlConnection SqlConn = new SqlConnection("connection_string_goes_here");
SqlCommand SqlCmd = new SqlCommand();
SqlConn.Open();
SqlCmd.Connection = SqlConn;
SqlCmd.CommandText = "SELECT isnull(has_perms_by_name('MyDb.dbo.MyTable', " +
"'OBJECT', 'INSERT'), 0)"
if (SqlCmd.ExecuteScalar())
{
SqlCmd.CommandText =
"SELECT count(*) FROM UserPermissions WHERE " +
"Username = " + System.Environment.UserDomainName + "\" +
System.Environment.UserName + " " +
AND Publisher = @Publisher";
SqlCmd.Parameters.Add("@Publisher", SqlDbType.NVarChar);
SqlCmd.Parameters("@Publisher").Value = PublisherInput;
if(SqlCmd.ExecuteScalar())
{
SqlCmd.Parameters.Clear();
SqlCmd.CommandText = "INSERT INTO Books (Title, Publisher) VALUES " +
"(@Title, @Publisher)";
SqlCmd.Parameters.Add("@Title", SqlDbType.NVarChar);
SqlCmd.Parameters.Add("@Publisher", SqlDbType.NVarChar);
SqlCmd.Parameters("@Title").Value = TitleInput;
SqlCmd.Parameters("@Publisher").Value = PublisherInput;
SqlCmd.ExecuteNonQuery();
}
}
SqlCmd.Dispose();
SqlConn.Close();
SqlConn.Dispose();
最後一點,清洗你輸入。在您的應用程序中使用參數,並且不相信任何用戶,即使是內部用戶。我無法強調這一點。
編輯:因爲有不止一種方法更對皮膚一隻貓,我覺得我的愚蠢到不包括LINQ to SQL解決方案(至少計數問題):
int PermsAvailable = (from up in db.UserPermissions
where up.Username ==
System.Environment.UserDomainName + "\" +
System.Environment.UserName
&& up.Publisher == PublisherInput
select up).Count();
if(PermsAvailable)
{
var NewBook = New Book with {.Title = TitleInput, .Publisher = PublisherInput};
db.Books.Add(NewBook);
}
您需要直接查詢SQL Server權限元數據。有一些可以調用的存儲過程會執行此操作,但我似乎記得這不是一項簡單的任務。 – 2009-06-07 18:34:52