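        /// <summary>
        /// MVC authorization hook. Resolves the requested area/controller to an
        /// operation and checks whether the current user (or, for anonymous
        /// requests, the null user) has access to the operation's feature.
        /// Unknown operations and permitted-but-denied users are redirected to
        /// Error/AccessDenied; unauthenticated users without access are handed to
        /// <see cref="HandleUnauthorizedRequest"/>.
        /// </summary>
        /// <param name="filterContext">The MVC authorization context of the current request.</param>
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            using (var featurePermissionManager = new FeaturePermissionManager())
            using (var operationManager = new OperationManager())
            using (var userManager = new UserManager())
            {
                // Requests outside any area are treated as belonging to "Shell".
                // RouteValueDictionary yields null for a missing key, so a null
                // check replaces the former catch-all around ToString().
                var areaName  = "Shell";
                var areaToken = filterContext.RouteData.DataTokens["area"];
                if (areaToken != null)
                {
                    areaName = areaToken.ToString();
                }
                var controllerName = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName;

                var identity = filterContext.HttpContext.User.Identity;
                var userName = identity.IsAuthenticated ? identity.Name : string.Empty;

                // Permissions are resolved per controller ("*" = any action).
                var operation = operationManager.Find(areaName, controllerName, "*");
                if (operation == null)
                {
                    // Unknown operation: deny by default.
                    filterContext.Result = AccessDeniedResult();
                    return;
                }

                // An operation without a feature carries no permission
                // requirement and is allowed for everyone.
                var feature = operation.Feature;
                if (feature == null)
                {
                    return;
                }

                // OnAuthorization is synchronous, so the async lookup has to be
                // blocked on; GetAwaiter().GetResult() surfaces the original
                // exception instead of wrapping it in an AggregateException.
                // For an anonymous request userName is empty and the lookup
                // presumably yields null, so HasAccess is evaluated for the
                // null (anonymous) user id — confirm against FeaturePermissionManager.
                var user = userManager.FindByNameAsync(userName).GetAwaiter().GetResult();
                if (featurePermissionManager.HasAccess(user?.Id, feature.Id))
                {
                    return;
                }

                if (identity.IsAuthenticated)
                {
                    // Signed in but not permitted: access denied.
                    filterContext.Result = AccessDeniedResult();
                }
                else
                {
                    // Not signed in: let the base attribute issue its challenge.
                    HandleUnauthorizedRequest(filterContext);
                }
            }
        }

        /// <summary>
        /// Builds a redirect to the shared Error/AccessDenied action in the root area.
        /// </summary>
        /// <returns>The redirect result to assign to the filter context.</returns>
        private static RedirectToRouteResult AccessDeniedResult()
        {
            return new RedirectToRouteResult(new RouteValueDictionary
            {
                { "action", "AccessDenied" },
                { "controller", "Error" },
                { "Area", string.Empty }
            });
        }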
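        /// <summary>
        /// Web API authorization hook. Resolves the controller to an "Api"-area
        /// operation and, when the operation's feature is not open to anonymous
        /// callers, identifies the caller by its Bearer token and checks the
        /// token owner's permission on the feature. Every failure is answered
        /// with 403 Forbidden.
        /// </summary>
        /// <param name="actionContext">The Web API action context of the current request.</param>
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            // NOTE: an HTTPS-only check (403 for non-HTTPS requests) used to live
            // here but was disabled; confirm transport security is enforced elsewhere.

            using (var featurePermissionManager = new FeaturePermissionManager())
            using (var operationManager = new OperationManager())
            using (var userManager = new UserManager())
            {
                const string areaName = "Api";
                var controllerName = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;

                // Permissions are resolved per controller ("*" = any action).
                var operation = operationManager.Find(areaName, controllerName, "*");
                if (operation == null)
                {
                    // Unknown operation: deny by default.
                    actionContext.Response = Forbidden();
                    return;
                }

                // No feature means no permission requirement. Exists(null, id)
                // presumably marks a feature as open to anonymous callers — confirm.
                var feature = operation.Feature;
                if (feature == null || featurePermissionManager.Exists(null, feature.Id))
                {
                    return;
                }

                // Accept only the Bearer scheme and read the token from Parameter.
                // Checking the scheme instead of skipping "Bearer ".Length characters
                // rejects headers of other schemes and avoids the
                // ArgumentOutOfRangeException a short header value used to raise.
                var authorization = actionContext.Request.Headers.Authorization;
                if (authorization == null
                    || !string.Equals(authorization.Scheme, "Bearer", System.StringComparison.OrdinalIgnoreCase)
                    || string.IsNullOrWhiteSpace(authorization.Parameter))
                {
                    actionContext.Response = Forbidden();
                    return;
                }
                var token = authorization.Parameter.Trim();

                // Resolve the token to exactly one user. Materialize once so the
                // query is not executed twice (formerly Count() then Single()).
                // NOTE(review): tokens appear to be stored and compared as clear
                // text values; confirm this is acceptable for the deployment.
                var users = userManager.Users.Where(u => u.Token == token).ToList();
                if (users.Count != 1)
                {
                    // The two distinct messages below let a caller tell an unknown
                    // token from a known token without permission.
                    actionContext.Response = Forbidden("Bearer token not exist.");
                    return;
                }

                if (!featurePermissionManager.HasAccess(users[0].Id, feature.Id))
                {
                    actionContext.Response = Forbidden("Token is not valid.");
                }
            }
        }

        /// <summary>
        /// Builds a 403 Forbidden response, optionally carrying a plain-text body.
        /// </summary>
        /// <param name="message">Body text, or null for an empty response.</param>
        /// <returns>The response to assign to the action context.</returns>
        private static HttpResponseMessage Forbidden(string message = null)
        {
            var response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
            if (message != null)
            {
                response.Content = new StringContent(message);
            }
            return response;
        }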