我们最近在我们的数据库中添加了审计。一位同事使用触发器实现了它,并要求我在登录网站时调用存储过程。存储过程将当前用户名和当前 oracle 会话 ID 插入表中,以便触发器可以将会话 ID 映射到用户名。问题是(或曾经是)他假设用户的互联网会话映射到数据库会话。事实并非如此,我们使用连接池,因此 oracle 会话 ID 可以映射到许多用户,不一定是登录该会话的用户。所以我在我的数据访问层创建了一个实用方法,在每次插入、更新和删除时调用他的过程(确保它在同一个事务中):
/// <summary>
/// Performs an insert, update or delete against the database
/// </summary>
/// <param name="transaction"></param>
/// <param name="command">The command.</param>
/// <param name="transaction">A transaction, can be null.
/// No override provided without a transaction, to remind developer to always consider transaction for inserts, updates and deletes</param>
/// <returns>The number of rows affected by the operation</returns>
public static int InsertUpdateDelete(OracleCommand command, OracleTransaction transaction)
{
if (command == null)
throw new ArgumentNullException("command", "command is null.");
OracleConnection connection = null;
bool doCommit = false;
try
{
if (transaction == null)
{
//We always need a transaction for the audit insert
connection = GetOpenConnection();
transaction = connection.BeginTransaction();
doCommit = true;
}
command.Transaction = transaction;
command.Connection = transaction.Connection;
//TODO HttpContext requires that presentation layer is a website. So this call should NOT be in the data access layer.
string username = HttpContext.Current.User.Identity.Name;
if (!String.IsNullOrEmpty(username))
pInsertCurrentUserForAudit(username, command.Transaction);
int recordsAffected = command.ExecuteNonQuery();
if (doCommit)
transaction.Commit();
return recordsAffected;
}
finally
{
if (doCommit)
{
if (transaction != null)
transaction.Dispose();
if (connection != null)
connection.Dispose();
}
}
}
这有效,审计现在按要求工作。但是,我不喜欢对 HttpContext 的调用:
string username = HttpContext.Current.User.Identity.Name;
这是实现任务的最快方式,但我认为它不应该在数据访问层中。如果在未来某个未知时间我想使用表单应用程序访问数据库怎么办?访问 HttpContext 时会出错吗?有没有更好的方法来获取正确区分关注点的用户名?将用户名作为参数传递给每个插入、更新和删除是一种选择,但这将是一项漫长的任务,我想知道是否有更优雅的方法来做这件事。