asp.net-mvc – MVC 3 – 仅限特定用户访问

Any attribute that I could use for the whole controller?

是的,您可以使用自定义属性扩展Authorize属性：

public class AuthorizeAuthorAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            // the user is either not authenticated or
            // not in roles => no need to continue any further
            return false;
        }

        // get the currently logged on user
        var username = httpContext.User.Identity.Name;

        // get the id of the article that he is trying to manipulate
        // from the route data (this assumes that the id is passed as a route
        // data parameter: /foo/edit/123). If this is not the case and you 
        // are using query string parameters you could fetch the id using the Request
        var id = httpContext.Request.RequestContext.RouteData.Values["id"] as string;

        // Now that we have the current user and the id of the article he
        // is trying to manipualte all that's left is go ahead and look in 
        // our database to see if this user is the owner of the article
        return IsUserOwnerOfArticle(username,id);
    }

    private bool IsUserOwnerOfArticle(string username,string articleId)
    {
        throw new NotImplementedException();
    }
}

然后：

[HttpPost]
[AuthorizeAuthor]
public ActionResult Edit(int id)
{
    ... perform the edit
}