ServiceStack RequiredPermission does not validate my user
Keywords: my user, validate, RequiredPermission, ServiceStack | Updated: 2023-09-27 18:34:32
I can't seem to get my tests to pass the RequiredPermission attribute on our ServiceStack service. Can someone help me figure out where I'm going wrong?
Assuming RequiredPermission uses the session.Permissions list.
Our UserViewModel is set up like this:
    public class UserViewModel : ViewModelBase
    {
        public UserViewModel()
        {
            Groups = new List<GroupModel>();
        }

        public string FirstName { get; set; }
        public string LastName { get; set; }
        public string Email { get; set; }
        public string Password { get; set; } // This should never be populated on the way out.
        public IList<GroupModel> Groups { get; set; }
    }
GroupModel is similar, with a list of SecuritySettings inside it. Every call to the service layer returns a fully hydrated UserViewModel containing the list of groups, and each group contains its list of security settings.
When a user authenticates we run this:
    public override void OnAuthenticated( IServiceBase authService,
                                          IAuthSession session,
                                          IOAuthTokens tokens,
                                          Dictionary<string, string> authInfo )
    {
        session.Id = _userViewModel.Id.ToString();
        session.UserName = _userViewModel.Email;
        session.FirstName = _userViewModel.FirstName;
        session.DisplayName = string.Format( "{0} {1}", _userViewModel.FirstName, _userViewModel.LastName );
        session.Roles = new List<string>();
        session.Permissions = new List<string>();

        if ( _userViewModel.Groups != null )
        {
            foreach ( var group in _userViewModel.Groups )
            {
                // Add user Groups to "Roles"
                session.Roles.Add( group.Name );

                if ( @group.SecuritySettings == null ) continue;

                foreach ( var securitySetting in @group.SecuritySettings )
                {
                    // Add group SecuritySettings to "Permissions"
                    session.Permissions.Add( securitySetting.Name );
                }
            }
        }

        var mapper = new AutoMapper<UserModel>();
        _container.Register( mapper.BuildFrom( _userViewModel ) );

        //Important: You need to save the session!
        authService.SaveSession( session, SessionExpiry );
    }
The problem I'm having is that my tests still return "Unauthorized" on my user service interface method:
    [RequiredPermission("Read User")]
    public object Get( UserRequest request )
    {
        return new UserResponse { User = _userService.GetById( request.Id ) };
    }
I can confirm that UserViewModel.Groups[0].SecuritySettings[0].Name == "Read User".
The solution to this problem is to call the base.OnAuthenticated method at the end of the CustomCredentialsAuthProvider.OnAuthenticated method.
    public override void OnAuthenticated( IServiceBase authService,
                                          IAuthSession session,
                                          IOAuthTokens tokens,
                                          Dictionary<string, string> authInfo )
    {
        // truncated for brevity

        //Important: You need to save the session!
        authService.SaveSession( session, SessionExpiry );

        // THIS ENSURES THE SESSION IS ACCESSIBLE BY THE APP
        base.OnAuthenticated( authService, session, tokens, authInfo );
    }
Here is the implementation of RequiredPermissionAttribute:
    public bool HasAllPermissions(IAuthSession session)
    {
        return this.RequiredPermissions
            .All(requiredPermission => session != null
                && session.HasPermission(requiredPermission));
    }
Its default implementation just checks AuthUserSession.HasPermission(), i.e.:
    public virtual bool HasPermission(string permission)
    {
        return this.Permissions != null && this.Permissions.Contains(permission);
    }
If you're using a custom auth session you can override this. I'd recommend overriding HasPermission() and putting a breakpoint there so you can inspect the session instance yourself, since the current behaviour only fails when the session doesn't have the required permission.
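Putting the two answers together, as an added example that is not code from either answerer: a custom session that overrides HasPermission() to record each check, and a credentials provider that saves the session and then calls base.OnAuthenticated. It assumes the v3-era signatures shown on this page; the namespaces, DiagnosticUserSession, PermissionCheckDemo and the "Read User" sample permission are my assumptions.

```csharp
// Added example, not code from the question or answers. Assumes the ServiceStack v3
// signatures shown on this page (IOAuthTokens, single-argument HasPermission);
// the namespaces and the DiagnosticUserSession name are my assumptions.
using System.Collections.Generic;
using ServiceStack.ServiceInterface;
using ServiceStack.ServiceInterface.Auth;

public class DiagnosticUserSession : AuthUserSession
{
    public List<string> CheckLog = new List<string>(); // every check made on this session

    public override bool HasPermission(string permission)
    {
        // Same semantics as the default: exact, case-sensitive match.
        bool granted = Permissions != null && Permissions.Contains(permission);
        CheckLog.Add(string.Format("HasPermission('{0}') -> {1}; session holds [{2}]",
            permission, granted,
            Permissions == null ? "<null>" : string.Join(", ", Permissions.ToArray())));
        return granted; // breakpoint here to see what the session actually holds
    }
}

public class CustomCredentialsAuthProvider : CredentialsAuthProvider
{
    public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
    {
        return true; // placeholder: the real credential lookup goes here
    }

    public override void OnAuthenticated(IServiceBase authService, IAuthSession session,
        IOAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        session.Permissions = new List<string> { "Read User" }; // constructed sample
        authService.SaveSession(session);
        // The first answer's fix: let the base provider finish setting up the session.
        base.OnAuthenticated(authService, session, tokens, authInfo);
    }
}

public static class PermissionCheckDemo
{
    // Runs the same check the attribute performs, outside the HTTP pipeline.
    public static bool CanReadUser(DiagnosticUserSession session)
    {
        return new RequiredPermissionAttribute("Read User").HasAllPermissions(session);
    }
}

// In AppHost.Configure the session factory must return the custom type, or the override is never used:
// Plugins.Add(new AuthFeature(() => new DiagnosticUserSession(), new IAuthProvider[] { new CustomCredentialsAuthProvider() }));
```

After a failing request, CheckLog shows both the permission string the attribute asked for and the exact strings the session holds, so a spelling or casing mismatch is visible without guessing.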