public override bool IsAuthorized(AuthFilterContext context)
{
Requires.NotNull("context", context);
var principal = Thread.CurrentPrincipal;
if (!principal.Identity.IsAuthenticated)
{
return(false);
}
var currentPortal = TestablePortalController.Instance.GetCurrentPortalSettings();
bool isAdminUser = currentPortal.UserInfo.IsSuperUser || PortalSecurity.IsInRole(currentPortal.AdministratorRoleName);
if (isAdminUser)
{
return(true);
}
bool isPageEditor = TabPermissionController.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings);
if (isPageEditor)
{
return(true);
}
return(false);
}
public override bool IsAuthorized(AuthFilterContext context)
{
if (base.IsAuthorized(context))
{
return(true);
}
context.AuthFailureMessage = null;
try
{
var queryString = context.ActionContext.Request.GetQueryNameValuePairs();
var token = string.Empty;
foreach (var kvp in queryString)
{
if (kvp.Key == "__RequestVerificationToken")
{
token = kvp.Value;
break;
}
}
string cookieValue = GetAntiForgeryCookieValue(context);
AntiForgery.Instance.Validate(cookieValue, token);
}
catch (Exception e)
{
context.AuthFailureMessage = e.Message;
return(false);
}
return(true);
}
public void LocatesCookie(string cookieFormat, string cookieName, string cookieValue)
{
// Arrange
var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/");
request.Headers.Add("Cookie", string.Format(cookieFormat, cookieName, cookieValue));
request.Headers.Add("RequestVerificationToken", "anything_is_fine");
var config = new HttpConfiguration();
var controllerContext = new HttpControllerContext(config, new HttpRouteData(new HttpRoute()), request);
var actionContext = new HttpActionContext(controllerContext, new Mock <HttpActionDescriptor>().Object);
var authFilterContext = new AuthFilterContext(actionContext, string.Empty);
var mockAntiForgery = new Mock <IAntiForgery>();
mockAntiForgery.Setup(x => x.CookieName).Returns(cookieName);
AntiForgery.SetTestableInstance(mockAntiForgery.Object);
// Act
var vaft = new ValidateAntiForgeryTokenAttribute();
// Assert.IsTrue(ValidateAntiForgeryTokenAttribute.IsAuthorized(authFilterContext));
Assert.DoesNotThrow(() => { vaft.OnActionExecuting(authFilterContext.ActionContext); });
// Assert
mockAntiForgery.Verify(x => x.Validate(cookieValue, It.IsAny <string>()), Times.Once());
}
public override bool IsAuthorized(AuthFilterContext context)
{
var principal = Thread.CurrentPrincipal;
return(principal.Identity.IsAuthenticated &&
ServiceLocatorFactory.Instance.ConfigService.IsAllowed(PortalController.Instance.GetCurrentPortalSettings().UserInfo));
}
public override bool IsAuthorized(AuthFilterContext context)
{
if (DomainUtility.IsTestEnvironment)
{
return(true);
}
using (APIAccessService apiAccessService = new APIAccessService())
{
//when a client is calling main api ,they have to put token,which is password, in header named token
if (context.ActionContext.Request.Headers.Contains("token"))
{
return(apiAccessService.HasAccess(ApiUtility.GetIPAddress(), context.ActionContext.Request.Headers.GetValues("token").FirstOrDefault()));
}
else
{
if (AccessUtility.CalledByLocalSA(HttpContext.Current.Request))
{
//it is called from single action module in same server with same ip.
return(true);
}
else
{
//when bpms user panel is calling engine api,every request should have formToken in its parameters.
string formToken = context.ActionContext.RequestContext.Url.Request.GetHttpContext().Request.QueryString[FormTokenUtility.FormToken];
return(FormTokenUtility.ValidateFormToken(formToken, HttpContext.Current.Session.SessionID));
}
}
}
}
public override bool IsAuthorized(AuthFilterContext context)
{
if (base.IsAuthorized(context)) return true;
context.AuthFailureMessage = null;
try
{
var queryString = context.ActionContext.Request.GetQueryNameValuePairs();
var token = string.Empty;
foreach(var kvp in queryString)
{
if (kvp.Key == "__RequestVerificationToken"){
token = kvp.Value;
break;
}
}
string cookieValue = GetAntiForgeryCookieValue(context);
AntiForgery.Instance.Validate(cookieValue, token );
}
catch (Exception e)
{
context.AuthFailureMessage = e.Message;
return false;
}
return true;
}
public override bool IsAuthorized(AuthFilterContext context)
{
Requires.NotNull("context", context);
if (!JwtAuthHelper.IsAuthenticated())
{
return(false);
}
if (_denyRolesSplit.Any())
{
var currentUser = PortalController.Instance.GetCurrentPortalSettings().UserInfo;
if (!currentUser.IsSuperUser && _denyRolesSplit.Any(currentUser.IsInRole))
{
return(false);
}
}
if (_staticRolesSplit.Any())
{
var currentUser = PortalController.Instance.GetCurrentPortalSettings().UserInfo;
if (!_staticRolesSplit.Any(currentUser.IsInRole))
{
return(false);
}
}
return(true);
}
public override bool IsAuthorized(AuthFilterContext context)
{
if (SecurityLevel == SecurityAccessLevel.Anonymous)
{
return(true);
}
User = HttpContextSource.Current.Request.IsAuthenticated ? UserController.Instance.GetCurrentUserInfo() : new UserInfo();
ContextSecurity security = new ContextSecurity(context.ActionContext.Request.FindModuleInfo());
switch (SecurityLevel)
{
case SecurityAccessLevel.Authenticated:
return(User.UserID != -1);
case SecurityAccessLevel.Host:
return(User.IsSuperUser);
case SecurityAccessLevel.Admin:
return(security.IsAdmin);
case SecurityAccessLevel.Edit:
return(security.CanEdit);
case SecurityAccessLevel.View:
return(security.CanView);
case SecurityAccessLevel.Traveller:
return(security.IsTraveller);
}
return(false);
}
public override bool IsAuthorized(AuthFilterContext context)
{
var principal = Thread.CurrentPrincipal;
return(principal.Identity.IsAuthenticated &&
PortalController.Instance.GetCurrentPortalSettings().UserInfo.IsSuperUser);
}
public override bool IsAuthorized(AuthFilterContext context)
{
Requires.NotNull("context", context);
return PagePermissionsAttributesHelper.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings);
}
public override bool IsAuthorized(AuthFilterContext context)
{
using (APIAccessService apiAccessService = new APIAccessService())
{
return(DomainUtility.IsTestEnvironment ? true :
FormTokenUtility.ValidateFormToken(context.ActionContext.RequestContext.Url.Request.GetHttpContext().Request.QueryString[FormTokenUtility.FormToken], HttpContext.Current.Session.SessionID));
}
}
public override bool IsAuthorized(AuthFilterContext context)
{
if (context != null)
{
DotNetNuke.Entities.Users.UserInfo UserInfo = ((DnnApiController)context.ActionContext.ControllerContext.Controller).UserInfo;
if (UserInfo != null)
{
return(UserInfo.IsInRole("Administrators"));
}
}
return(false);
}
public override bool IsAuthorized(AuthFilterContext context)
{
var menuItem = GetMenuByIdentifier();
var portalSettings = PortalSettings.Current;
if (menuItem == null || portalSettings == null)
{
return(false);
}
return(MenuPermissionController.HasMenuPermission(portalSettings.PortalId, menuItem, Permission));
}
public override bool IsAuthorized(AuthFilterContext context)
{
if (!Thread.CurrentPrincipal.Identity.IsAuthenticated)
{
return(false);
}
var hccController = context.ActionContext.ControllerContext.Controller as HccApiController;
var hccApp = hccController.HccApp;
var mobileRole = hccApp.CurrentStore.Settings.AdminRoles.RoleMobileAccess;
var user = UserController.Instance.GetCurrentUserInfo();
return(user.IsInRole(mobileRole));
}
public override bool IsAuthorized(AuthFilterContext context)
{
using (APIAccessService apiAccessService = new APIAccessService())
{
if (DomainUtility.IsTestEnvironment)
{
return(true);
}
else
{
ModuleController mc = new ModuleController();
ModuleInfo mi = mc.GetModuleByDefinition(PortalController.Instance.GetCurrentPortalSettings().PortalId, AuthModuleFriendlyName);
return(ModulePermissionController.CanViewModule(mi));
}
}
}
public override bool IsAuthorized(AuthFilterContext context)
{
var menuItem = GetMenuByIdentifier();
var portalSettings = PortalSettings.Current;
if (menuItem == null || portalSettings == null)
{
return(false);
}
if (!CheckPermissionForAdmin && PortalSecurity.IsInRole(Constants.AdminsRoleName))
{
return(true);
}
//Permissions seperated by & should be treated with AND operand.
//Permissions seperated by , are internally treated with OR operand.
var allPermissionGroups = Permission.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
return(allPermissionGroups.All(allPermissions => MenuPermissionController.HasMenuPermission(portalSettings.PortalId, menuItem, allPermissions)));
}
public override bool IsAuthorized(AuthFilterContext context)
{
Requires.NotNull("context", context);
var principal = Thread.CurrentPrincipal;
if(!principal.Identity.IsAuthenticated)
{
return false;
}
var currentPortal = TestablePortalController.Instance.GetCurrentPortalSettings();
bool isAdminUser = currentPortal.UserInfo.IsSuperUser || PortalSecurity.IsInRole(currentPortal.AdministratorRoleName);
if (isAdminUser) return true;
bool isPageEditor = TabPermissionController.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings);
if (isPageEditor) return true;
return false;
}
public void MissingTokenDoesnotPassValidationTest(string cookieFormat, string cookieName, string cookieValue)
{
//Arrange
var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/");
request.Headers.Add("Cookie", string.Format(cookieFormat, cookieName, cookieValue));
var config = new HttpConfiguration();
var controllerContext = new HttpControllerContext(config, new HttpRouteData(new HttpRoute()), request);
var actionContext = new HttpActionContext(controllerContext, new Mock <HttpActionDescriptor>().Object);
var authFilterContext = new AuthFilterContext(actionContext, "");
var mockAntiForgery = new Mock <IAntiForgery>();
mockAntiForgery.Setup(x => x.CookieName).Returns(cookieName);
AntiForgery.SetTestableInstance(mockAntiForgery.Object);
//Act, Assert
var vaft = new ValidateAntiForgeryTokenAttribute();
Assert.IsFalse(vaft.IsAuthorized(authFilterContext));
}
public override bool IsAuthorized(AuthFilterContext context)
{
Requires.NotNull("context", context);
return(PagePermissionsAttributesHelper.HasTabPermission(PermissionKey));
}
public override bool IsAuthorized(AuthFilterContext context)
{
var authenticated = Thread.CurrentPrincipal.Identity.IsAuthenticated;
var portalSettings = PortalSettings.Current;
var currentUser = UserController.Instance.GetCurrentUserInfo();
var administratorRoleName = Constants.AdminsRoleName;
if (portalSettings != null)
{
administratorRoleName = portalSettings.AdministratorRoleName;
}
var isHost = currentUser.IsSuperUser;
var isAdmin = currentUser.IsInRole(administratorRoleName);
var isRegular = currentUser.UserID > 0;
if (authenticated && isHost)
{
return(true);
}
//when there have excluded roles defined, and current user in the role. the service call will failed.
if (!string.IsNullOrEmpty(Exclude))
{
foreach (var roleName in Exclude.Split(';'))
{
var cleanRoleName = roleName.Trim();
if (!string.IsNullOrEmpty(cleanRoleName))
{
if (currentUser.IsInRole(cleanRoleName))
{
return(false);
}
}
}
}
//if menu identifier defined, then will check the menu permission, multiple identifier should split with ",".
if (!string.IsNullOrEmpty(MenuName))
{
if (isAdmin)
{
return(true);
}
var hasPermission = false;
MenuName.Split(',').ForEach(menuName =>
{
if (!hasPermission)
{
var menuItem = GetMenuByIdentifier(menuName);
if (menuItem != null && portalSettings != null)
{
hasPermission = PersonaBarController.Instance.IsVisible(portalSettings, portalSettings.UserInfo, menuItem);
}
}
});
return(hasPermission);
}
//when menu identifier not defined, will check the service scope permission.
switch (Scope)
{
case ServiceScope.Admin:
return(authenticated && isAdmin);
case ServiceScope.Regular:
if (portalSettings != null)
{
//if user have ability on any persona bar menus, then need allow to request api.
return(PersonaBarController.Instance.GetMenu(portalSettings, portalSettings.UserInfo).AllItems.Count > 0);
}
return(isAdmin || isRegular);
default:
return(false);
}
}
public override bool IsAuthorized(AuthFilterContext context)
{
// Some Logic
}
public override bool IsAuthorized(AuthFilterContext context)
{
base.IsAuthorized(); // call the IsAuthorized of SupportedModuleAttribute class
}
public abstract bool IsAuthorized(AuthFilterContext context); // This method is overrided in both the subclass
public override bool IsAuthorized(AuthFilterContext context)
{
string AllowedAccessRoles = AccessRoles;
dynamic Controller = context.ActionContext.ControllerContext.Controller;
if (context.ActionContext.ActionDescriptor.ActionBinding.ActionDescriptor != null)
{
ReflectedHttpActionDescriptor reflectedHttpActionDescriptor = context.ActionContext.ActionDescriptor.ActionBinding.ActionDescriptor as ReflectedHttpActionDescriptor;
if (reflectedHttpActionDescriptor != null && reflectedHttpActionDescriptor.MethodInfo != null && reflectedHttpActionDescriptor.MethodInfo.CustomAttributes != null)
{
System.Reflection.CustomAttributeData MethodAuthorizeAccessRolesAttribute = reflectedHttpActionDescriptor.MethodInfo.CustomAttributes.Where(a => a.AttributeType.Name == "AuthorizeAccessRolesAttribute").FirstOrDefault();
if (MethodAuthorizeAccessRolesAttribute != null)
{
AllowedAccessRoles = MethodAuthorizeAccessRolesAttribute.NamedArguments[0].TypedValue.Value.ToString();
}
}
}
try
{
//There are no explictly specifiled roles in attribute
if (string.IsNullOrEmpty(AllowedAccessRoles))
{
NameValueCollection QueryString = HttpUtility.ParseQueryString(context.ActionContext.Request.RequestUri.Query);
if (PortalSettings.Current.UserInfo.IsSuperUser)
{
return(true);
}
if (!string.IsNullOrEmpty(QueryString["identifier"]) && QueryString["identifier"] == "common_controls_editorconfig" && (PortalSettings.Current.UserInfo.IsInRole("Administrators") || ModulePermissionController.CanEditModuleContent(Controller.ModuleInfo())))
{
return(true);
}
if (QueryString != null && !string.IsNullOrEmpty(QueryString["identifier"]))
{
AllowedAccessRoles = Controller.AllowedAccessRoles(QueryString["identifier"]);
}
if (!string.IsNullOrEmpty(AllowedAccessRoles) && !string.IsNullOrEmpty(context.ActionContext.ActionDescriptor.ActionName) && context.ActionContext.ActionDescriptor.ActionName.ToLower() == "updatedata")
{
List <string> AllowedAccessRolesRolesArray = AllowedAccessRoles.Split(',').Distinct().ToList();
AllowedAccessRolesRolesArray.Remove("user");
AllowedAccessRolesRolesArray.Remove("anonymous");
AllowedAccessRoles = string.Join(",", AllowedAccessRolesRolesArray.Distinct());
}
}
if (!string.IsNullOrEmpty(AllowedAccessRoles))
{
string InRoles = Controller.AccessRoles();
string[] AllowedAccessRolesRolesArray = AllowedAccessRoles.Split(',');
if (!string.IsNullOrEmpty(InRoles))
{
foreach (string role in InRoles.Split(','))
{
if (AllowedAccessRolesRolesArray.Where(a => a == role).SingleOrDefault() != null)
{
return(true);
}
}
}
}
}
catch (Exception ex)
{
DotNetNuke.Services.Exceptions.Exceptions.LogException(ex);
}
return(false);
}
public override bool IsAuthorized(AuthFilterContext context)
{
Requires.NotNull("context", context);
return(PagePermissionsAttributesHelper.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings));
}
public override bool IsAuthorized(AuthFilterContext context)
{
Logger.Trace("IsAuthorized");
if (SecurityLevel == SecurityAccessLevel.Anonymous)
{
Logger.Trace("Anonymous");
return(true);
}
User = HttpContextSource.Current.Request.IsAuthenticated ? UserController.Instance.GetCurrentUserInfo() : new UserInfo();
Logger.Trace("UserId " + User.UserID.ToString());
if (AllowApiKeyAccess && User.UserID == -1 && HttpContextSource.Current.Request.Params["apikey"] != null)
{
Logger.Trace("Using API key");
var conferenceId = int.Parse(HttpContextSource.Current.Request.Params["conferenceid"]);
var apiKey = Connect.Conference.Core.Repositories.ApiKeyRepository.Instance.GetApiKey(HttpContextSource.Current.Request.Params["apikey"]);
if (apiKey != null && apiKey.Expires != null && apiKey.Expires < System.DateTime.Now)
{
Connect.Conference.Core.Repositories.ApiKeyRepository.Instance.DeleteApiKey(apiKey.GetApiKeyBase());
apiKey = null;
}
if (apiKey != null && apiKey.ConferenceId == conferenceId)
{
User = UserController.Instance.GetUserById(PortalSettings.Current.PortalId, apiKey.CreatedByUserID);
HttpContextSource.Current.Items["UserInfo"] = User; // Set thread user - this will expire after the request!
}
}
ContextSecurity security = new ContextSecurity(context.ActionContext.Request.FindModuleInfo());
Logger.Trace(security.ToString());
switch (SecurityLevel)
{
case SecurityAccessLevel.Authenticated:
return(User.UserID != -1);
case SecurityAccessLevel.Host:
return(User.IsSuperUser);
case SecurityAccessLevel.Admin:
return(security.IsAdmin);
case SecurityAccessLevel.Edit:
return(security.CanEdit);
case SecurityAccessLevel.View:
return(security.CanView);
case SecurityAccessLevel.SessionSubmit:
return(security.CanSubmitSessions);
case SecurityAccessLevel.AttendConference:
return(security.CanAttend);
case SecurityAccessLevel.ManageConference:
return(security.CanManage);
case SecurityAccessLevel.AttendsConference:
var conferenceId = int.Parse(HttpContextSource.Current.Request.Params["conferenceid"]);
return(Connect.Conference.Core.Repositories.AttendeeRepository.Instance.GetAttendee(conferenceId, security.UserId) != null);
}
return(false);
}
public override bool IsAuthorized(AuthFilterContext context)
{
Requires.NotNull("context", context);
return PagePermissionsAttributesHelper.HasTabPermission(PermissionKey);
}