當使用 asp.net 2.0 的 siteMap 功能,且加強 roles 的檢查時,的確很好用,
但如果使用者登入後,再以瀏覽器的網址方式輸入禁止使用的 url 時,卻仍然可以使用?
這一點,可以用 IHttpModule 加強。
程式碼如下
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
/// <summary>
/// Summary description for SiteMapHttpModule
/// </summary>
public class SiteMapHttpModule : IHttpModule
{
public SiteMapHttpModule()
{
//
// TODO: Add constructor logic here
//
}
#region IHttpModule Members
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.AuthenticateRequest += new EventHandler(context_AuthenticateRequest);
}
void context_AuthenticateRequest(object sender, EventArgs e)
{
HttpApplication application = sender as HttpApplication;
HttpResponse response = application.Context.Response;
HttpRequest request = application.Context.Request;
//check for url
//if url equal login url, the ok
if (request.Url.AbsolutePath.ToLower() == FormsAuthentication.LoginUrl.ToLower())
return;
if (SiteMap.CurrentNode == null) return;
if (SiteMap.CurrentNode.Roles.Count == 0) return;
foreach (string role in SiteMap.CurrentNode.Roles)
{
if (role == "*") return;
if (Roles.IsUserInRole(role))
{
return;
}
}
FormsAuthentication.RedirectToLoginPage(request.QueryString.ToString());
}
沒有留言:
張貼留言