While describing a university in software I ran into an authentication problem. Previously I had only a Headmaster role, which could do and access anything. But now I need to integrate a Teacher role.

The Teacher role should have the option to access some functionality, which is easily restricted with the Authorize attribute. But in some cases I want to reduce the amount of data this role is allowed to access, e.g. not all the students in the universe, but those who study the Teacher's Subject.

All of this is already described in EF (e.g. Teacher-Subject and Subject-Student relations). But now I am struggling to reject (return 403) requests for subjects or students the Teacher is not allowed to access.

I considered using the Specification pattern in my services, so that the final data is reduced by the specification's filters; that helps to reduce the amount of data, sometimes to no data at all, but it does not help to reject the request completely.

Could you give me a link or an architecture idea that satisfies the expectations of both use-cases specified above?
```csharp
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;

// entity models
public class Subject {
    // ...
    public Teacher Teacher { get; set; }
    public List<Student> Students { get; set; }   // property name was missing in the original
    // ...
}
public class Teacher {
    // ...
    public List<Subject> Subjects { get; set; }
    // ...
}
public class Student {
    // ...
    public List<Subject> StudiedSubjects { get; set; }
    // ...
}

// controller actions; the service interfaces are assumed and injected via the constructor
public class SchoolController : ControllerBase
{
    private readonly IStudentsService _studentsService;
    private readonly ISubjectService _subjectService;

    public SchoolController(IStudentsService studentsService, ISubjectService subjectService)
    {
        _studentsService = studentsService;
        _subjectService = subjectService;
    }

    // first use-case I want to solve
    public ActionResult<List<Student>> GetStudent()
    {
        // previously I just did
        return Ok(_studentsService.GetStudents());
        // but as for now in case of Teacher role accessed the method I want to
        // reduce the number of returned students
    }

    // second use-case I want to solve
    public ActionResult<Subject> GetSubjectDetails(int subjectId)
    {
        // previously I just did
        return Ok(_subjectService.GetSubject(subjectId));
        // but as for now in case of Teacher role I need to check whether it's
        // allowed to get the subject and return Access denied in case it's not
    }
}
```
https://stackoverflow.com/questions/56324892
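One way to satisfy both use-cases with ASP.NET Core's resource-based authorization (an added example, not part of the original question or of any answer to it). Use-case 1 keeps a query-level filter, which is exactly what a Specification would build; use-case 2 loads the row and asks an authorization policy about it, which is the explicit deny the Specification pattern cannot give. Assumed, because the question does not state them: role names "Headmaster" and "Teacher", a "teacher_id" claim carried by the signed-in teacher's identity, a DbContext named SchoolContext, Subject having Id and TeacherId columns, and a bearer-style authentication scheme so that Forbid() produces a 403.

```csharp
// Added example, not from the question: resource-based authorization in ASP.NET Core.
// Assumed (not in the question): role names "Headmaster"/"Teacher", a "teacher_id"
// claim on the signed-in teacher, a DbContext named SchoolContext, and Subject
// having Id and TeacherId columns.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Marker requirement; the handler below decides whether it is met for a given Subject.
public class SubjectAccessRequirement : IAuthorizationRequirement { }

// Resource-based handler: receives the loaded Subject, so the decision can depend on
// the row, not only on the role. Not calling Succeed() leaves the policy failed,
// so anything unexpected is denied by default.
public class SubjectAccessHandler : AuthorizationHandler<SubjectAccessRequirement, Subject>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        SubjectAccessRequirement requirement, Subject subject)
    {
        if (context.User.IsInRole("Headmaster"))
        {
            context.Succeed(requirement);                       // sees everything
        }
        else if (context.User.IsInRole("Teacher")
                 && int.TryParse(context.User.FindFirst("teacher_id")?.Value, out var teacherId)
                 && subject.TeacherId == teacherId)             // only their own subject
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    // Call from ConfigureServices / Program.cs: registers the policy and its handler.
    public static IServiceCollection AddSchoolAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("SubjectAccess",
                policy => policy.Requirements.Add(new SubjectAccessRequirement())));
        services.AddSingleton<IAuthorizationHandler, SubjectAccessHandler>();
        return services;
    }
}

[ApiController]
[Route("api")]
[Authorize(Roles = "Headmaster,Teacher")]   // coarse gate; the row-level checks are below
public class SchoolController : ControllerBase
{
    private readonly SchoolContext _db;
    private readonly IAuthorizationService _authorization;

    public SchoolController(SchoolContext db, IAuthorizationService authorization)
    {
        _db = db;
        _authorization = authorization;
    }

    // Use-case 1: narrow the result set for a Teacher instead of denying the request.
    // The filter is part of the query, so excluded rows never leave the database.
    [HttpGet("students")]
    public async Task<ActionResult<List<Student>>> GetStudents()
    {
        IQueryable<Student> query = _db.Students;
        if (!User.IsInRole("Headmaster"))
        {
            // A Teacher token without a teacher_id claim gets nothing rather than everything.
            if (!int.TryParse(User.FindFirst("teacher_id")?.Value, out var teacherId))
                return Forbid();
            query = query.Where(s => s.StudiedSubjects.Any(sub => sub.TeacherId == teacherId));
        }
        return Ok(await query.ToListAsync());
    }

    // Use-case 2: load the row, then ask the policy; 403 when the Teacher may not see it.
    [HttpGet("subjects/{subjectId:int}")]
    public async Task<ActionResult<Subject>> GetSubjectDetails(int subjectId)
    {
        var subject = await _db.Subjects
            .Include(s => s.Students)
            .SingleOrDefaultAsync(s => s.Id == subjectId);
        if (subject == null)
            return NotFound();

        var result = await _authorization.AuthorizeAsync(User, subject, "SubjectAccess");
        if (!result.Succeeded)
            return Forbid();   // authenticated but not permitted for this row -> 403

        return Ok(subject);
    }
}
```

Two points worth keeping in mind with this layout. The teacher's identity comes only from the claim in the authenticated principal, never from a query-string or body parameter, otherwise the check is trivially bypassed. And answering 403 for a subject that exists but belongs to another teacher tells the caller that the id exists; if that enumeration matters, return NotFound() in both the missing and the forbidden case and log the denied attempt server-side instead.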