C# 全过程用户权限实现策论 (3.权限与代码安全访问)

/// <summary>
/// 表示权限的位
/// </summary>
[Flags, Serializable]
public enum PermissionAction
{
None = 0,

/// <summary>
/// 显示权限
/// </summary>
Show = 1,

/// <summary>
/// 添加权限
/// </summary>
Add = 2,

/// <summary>
/// 编辑权限
/// </summary>
Edit = 4,

/// <summary>
/// 删除权限
/// </summary>
Delete = 8,

/// <summary>
/// 查询权限
/// </summary>
Query = 16,

/// <summary>
/// 扩展权限
/// </summary>
Extend = 32,

/// <summary>
/// 所有权限的访问
/// </summary>
All = Show | Add | Edit | Delete | Query | Extend

}

[Serializable]
public class RolePermission : IPermission, IUnrestrictedPermission
{
public RolePermission()
: this(PermissionAction.None)
{
}

public RolePermission(PermissionState state)
{
if (state == PermissionState.None)
this.Action = PermissionAction.None;
else if (state == PermissionState.Unrestricted)
this.Action = PermissionAction.All;
else
throw new ArgumentException("state");
}

public RolePermission(PermissionAction action)
{
this.Action = action;
}

#region IPermission接口
public void Demand()
{
bool bHasMembershipConfig = false;
//System.Threading.Thread.CurrentPrincipal
//成员资格如果不存在配置,则此属性为GenericPrincipal类型
if (System.Threading.Thread.CurrentPrincipal.GetType() == typeof(GenericPrincipal))
{
Assembly[] asms = AppDomain.CurrentDomain.GetAssemblies();
foreach (Assembly asm in asms)
{
if (!asm.FullName.ToLower().StartsWith("nxdo.winui.v2011")) continue;

//成员资格不存在配置,则放弃权限检查
MethodInfo method = asm.GetType("NXDO.WinUI.User.DbMembershipProvider").GetMethod("HasConfig",BindingFlags.NonPublic |

BindingFlags.Static | BindingFlags.DeclaredOnly);
object objVal = method.Invoke(null, new object[] { });
bHasMembershipConfig = Convert.ToBoolean(objVal);
if (!bHasMembershipConfig)
return;
}
}

if (bHasMembershipConfig && !System.Threading.Thread.CurrentPrincipal.Identity.IsAuthenticated)
throw new SecurityException("运行线程当前成员资格没有执行验证.");

if (!(System.Threading.Thread.CurrentPrincipal is IMemberPrincipal))
throw new SecurityException("运行线程当前成员资格不是有效的MemberPrincipal类型");

IMemberPrincipal mbmPrincipal = System.Threading.Thread.CurrentPrincipal as IMemberPrincipal;
if (mbmPrincipal.IsAdministrator) return ;

if (!mbmPrincipal.Demand(this.Action))
throw new SecurityException("你可能不具备操作当前功能的权限.");
}

/// <summary>
/// 权限复制
/// </summary>
/// <returns></returns>
public IPermission Copy()
{
return new RolePermission(this.Action);
}

/// <summary>
/// 得到两个权限的逻缉交集
/// </summary>
/// <param name="target">权限定义对象</param>
/// <returns>逻缉交集</returns>
public IPermission Intersect(IPermission target)
{
if (target == null)
return null;

if (!(target is RolePermission))
throw new ArgumentException("target不是有效的RolePermission对象.");

RolePermission rp = target as RolePermission;
PermissionAction act = this.Action & rp.Action;
return new RolePermission(act);
}

/// <summary>
/// 当前权限对象是否为另一权限对象的子集
/// </summary>
/// <param name="target">权限定义对象</param>
/// <returns>true:是子集,反之亦然</returns>
public bool IsSubsetOf(IPermission target)
{
if (target == null)
return false;

if (!(target is RolePermission))
throw new ArgumentException("target不是有效的RolePermission对象.");

RolePermission rp = target as RolePermission;
return (this.Action & (~rp.Action)) == 0;
}

/// <summary>
/// 得到两个权限的逻缉并集
/// </summary>
/// <param name="other"></param>
/// <returns></returns>
public IPermission Union(IPermission other)
{
if (other == null)
return null;

if (!(other is RolePermission))
throw new ArgumentException("other不是有效的RolePermission对象.");

RolePermission rp = other as RolePermission;
PermissionAction act = this.Action | rp.Action;
return new RolePermission(act);
}

/// <summary>
/// 用 XML 编码重新构造具有指定状态的安全对象
/// </summary>
/// <param name="elem">用于重新构造安全对象的 XML 编码</param>
public void FromXml(SecurityElement elem)
{
if (elem == null)
throw new ArgumentNullException("elem为空引用.");
if (elem.Tag.CompareTo("IPermission") != 0)
throw new ArgumentException("元素名称必须是IPermission.");

SecurityElement se = elem;
if (se.Attribute("unrestricted") == Boolean.TrueString)
this.Action = PermissionAction.All;
else
{
this.Action = PermissionAction.None;
if (se.Attribute("show") == Boolean.TrueString)
this.Action = this.Action | PermissionAction.Show;
if (se.Attribute("add") == Boolean.TrueString)
this.Action = this.Action | PermissionAction.Add;
if (se.Attribute("edit") == Boolean.TrueString)
this.Action = this.Action | PermissionAction.Edit;
if (se.Attribute("delete") == Boolean.TrueString)
this.Action = this.Action | PermissionAction.Delete;
if (se.Attribute("query") == Boolean.TrueString)
this.Action = this.Action | PermissionAction.Query;
if (se.Attribute("extend") == Boolean.TrueString)
this.Action = this.Action | PermissionAction.Extend;
}
}

/// <summary>
/// 创建安全对象及其当前状态的 XML 编码
/// </summary>
/// <returns>安全对象的 XML 编码，包括任何状态信息</returns>
public SecurityElement ToXml()
{
SecurityElement se = new SecurityElement("IPermission");
se.AddAttribute("class", this.GetType().AssemblyQualifiedName);
se.AddAttribute("version", this.GetType().Assembly.GetName().Version.ToString());
if (this.IsUnrestricted())
se.AddAttribute("unrestricted", Boolean.TrueString);
else
{
if ((this.Action & PermissionAction.Show) == PermissionAction.Show)
se.AddAttribute("show", Boolean.TrueString);
if ((this.Action & PermissionAction.Add) == PermissionAction.Add)
se.AddAttribute("add", Boolean.TrueString);
if ((this.Action & PermissionAction.Edit) == PermissionAction.Edit)
se.AddAttribute("edit", Boolean.TrueString);
if ((this.Action & PermissionAction.Delete) == PermissionAction.Delete)
se.AddAttribute("delete", Boolean.TrueString);
if ((this.Action & PermissionAction.Query) == PermissionAction.Query)
se.AddAttribute("query", Boolean.TrueString);
if ((this.Action & PermissionAction.Extend) == PermissionAction.Extend)
se.AddAttribute("extend", Boolean.TrueString);
}
return se;
}
#endregion

#region 接口 IUnrestrictedPermission
/// <summary>
/// 当前权限的限制状态
/// </summary>
/// <returns>true:无限制(具有所有权限操作),false:有限制</returns>
public bool IsUnrestricted()
{
return this.Action == PermissionAction.All;
}
#endregion

/// <summary>
/// 权限标识位对象
/// </summary>
public PermissionAction Action { get; internal set; }

#region 属性
/// <summary>
/// UI界面访问控制的基本数据
/// </summary>
public IUIControlAccess UIControlAccess
{
get;
set;
}
#endregion

#region 扩展权限定义
/// <summary>
/// 扩展权限定义
/// </summary>
public List<RolePermission> DataExtends
{
get
{
if (_DataExtends == null)
_DataExtends = new List<RolePermission>();
return _DataExtends;
}
}List<RolePermission> _DataExtends;
#endregion

#region 数据集对象的支持
internal void CreateDataRow(DataTable dataTable)
{
if (UIControlAccess == null)
throw new ArgumentNullException("UIControlAccess属性不能为空对象。");

DataRow dRow = dataTable.Rows.Add
(
this,
UIControlAccess.Name,
UIControlAccess.Image,
UIControlAccess.Text,
UIControlAccess.Description,
(this.Action & PermissionAction.Show) == PermissionAction.Show,  //show
(this.Action & PermissionAction.Add) == PermissionAction.Add,  //add
(this.Action & PermissionAction.Edit) == PermissionAction.Edit,  //edit
(this.Action & PermissionAction.Delete) == PermissionAction.Delete,  //delete
(this.Action & PermissionAction.Query) == PermissionAction.Query,  //query
(this.Action & PermissionAction.Extend) == PermissionAction.Extend   //extend
);
}

#endregion

[Serializable,
AttributeUsage(AttributeTargets.Method | AttributeTargets.Assembly | AttributeTargets.Class | AttributeTargets.Property,
AllowMultiple = true,
Inherited = false)]
public sealed class RolePermissionAttribute : CodeAccessSecurityAttribute
{
/// <summary>
/// 角色权限属性初始化
/// </summary>
/// <param name="action">安全操作</param>
public RolePermissionAttribute(SecurityAction action)
: base(action)
{
}

/// <summary>
/// 权限
/// </summary>
public PermissionAction PermissionAction
{
get;
set;
}

/// <summary>
/// 建立权限对象
/// </summary>
/// <returns></returns>
public override IPermission CreatePermission()
{
if (this.Unrestricted)
return new RolePermission(PermissionState.Unrestricted);
return new RolePermission(this.PermissionAction);
}
}