使用数据库的MVC3操作筛选器(EF 4.1 DBContext,Ninject)



I'm trying to setup an 'Authorization' Filter on an Action, creating my own ActionFilterAttribute where I do a database lookup to determine if a user has access to a certain resource.


On my class inheriting from ActionFilterAttribute, I have created an Injected(Ninject) property to hold the service that I am using for the database access. I have a parameterless constructor so that I can use this as an attribute on my actions. In the 'OnActionExecuting' Method, I am able to gain access to the Injected property (it's not null), but the base DBCotext that it is using is closed.


This working fine, up until the RTM of MVC3, where the Release Notes stated:

重大更改: 在ASP.NET MVC的早期版本中,操作过滤器是按以下方式创建的 要求,但在少数情况下除外.这 行为永远无法保证 行为,但仅仅是一个实现 过滤器的详细信息和合同 认为他们是无国籍的.在 ASP.NET MVC 3,过滤器被更多地缓存 积极地.因此,任何习惯 动作过滤器存储不当 实例状态可能已损坏.

Breaking Changes: In previous versions of ASP.NET MVC, action filters are create per request except in a few cases. This behavior was never a guaranteed behavior but merely an implementation detail and the contract for filters was to consider them stateless. In ASP.NET MVC 3, filters are cached more aggressively. Therefore, any custom action filters which improperly store instance state might be broken.


The first time I use this filter, it works as expected, but if I refresh the page or another user access this filter, I get the error:

操作无法完成 因为DbContext已经 处置.

The operation cannot be completed because the DbContext has been disposed.


which is what I guess I should expect given the breaking changes notes.


My question is this, what would be the preferred/recommended way of accomplishing what I need to do? Should this be in an ActionFilterAttribute, or should this 'authorization' be done somewhere else?


I'd do authentication in Application_AuthenticateRequest and authorization in your attribute using Thread.CurrentPrincipal, but your method should work too. You just need to count with fact that DbContext will be different for each request but your attribute won't. Something like this should do the trick (I'm assuming you are using DependencyResolver):

public class MyMightyAttribute : ActionFilterAttribute
    public override void OnActionExecuting(ActionExecutingContext filterContext)
        var context = (DbContext)DependencyResolver.Current.GetService(typeof(DbContext))
        // authenticate, authorize, whatever