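        /// <summary>
        /// Provides an entry point for custom authorization checks.
        /// </summary>
        /// <param name="httpContext">The HTTP context, which encapsulates all HTTP-specific information about an individual HTTP request.</param>
        /// <returns>
        /// true when the application is not yet installed, or when the site is public (IsPublicSite=true).
        /// For a private site, true only if the current user is an admin or an editor; false for everyone else.
        /// </returns>
        /// <exception cref="T:System.ArgumentNullException">The <paramref name="httpContext"/> parameter is null.</exception>
        /// <exception cref="T:System.Security.SecurityException">The AuthorizationProvider property has not been injected.</exception>
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // The XML doc promises ArgumentNullException; without this guard a null context surfaces as a NullReferenceException below.
            if (httpContext == null)
            {
                throw new ArgumentNullException("httpContext");
            }

            if (AuthorizationProvider == null)
            {
                throw new SecurityException("The OptionalAuthorizationAttribute property has not been set for AdminRequiredAttribute. Has it been injected by the DI?", null);
            }

            // Before the application is installed the check is skipped entirely (presumably so the setup pages stay reachable).
            if (!ApplicationSettings.Installed)
            {
                return true;
            }

            // A public site needs no login; only a private site requires an admin or editor.
            if (ApplicationSettings.IsPublicSite)
            {
                return true;
            }

            IPrincipal principal = httpContext.User;

            // NOTE(review): a fresh provider is built here even though the injected AuthorizationProvider property
            // was null-checked above — the two could be configured differently; confirm which one is intended.
            AuthorizationProvider provider = new AuthorizationProvider(ApplicationSettings, UserService);
            return provider.IsAdmin(principal) || provider.IsEditor(principal);
        }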
        /// <summary>
        /// Builds the inquiry page model for the given inquiry id (0 means "all inquiries").
        /// </summary>
        /// <param name="id">The inquiry id from the route; an id that cannot be retrieved is treated as 0.</param>
        /// <returns>The Index view bound to an <c>InquiryViewModel</c>.</returns>
        public ActionResult Index(int id = 0)
        {
            InquiryViewModel model = new InquiryViewModel { InquiryId = id };

            // old Dojo logic gets all inquiries if id is not found. so emulate it here.
            if (id != 0)
            {
                InquiryProvider inquiryProvider = new InquiryProvider(_dbContext);
                InquiriesValidation existing = inquiryProvider.Retrieve(id);
                if (existing == null)
                {
                    model.InquiryId = 0;
                }
            }

            string userName = this.User.Identity.Name;

            // hack here: for admin role, we set the UserName to 'DelegateDeletion' to allow admin to delete other's inquiry
            // NOTE(review): downstream code appears to key deletion rights on this sentinel user name rather than on a role check — confirm.
            if (AuthorizationProvider.IsAdmin())
            {
                userName = "******";
            }

            model.UserName = userName;
            return View(model);
        }
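        /// <summary>
        /// An authenticated principal whose identity name is the id of an existing admin user is reported as admin.
        /// </summary>
        public void IsAdmin_Should_Return_True_For_Admin_User()
        {
            // Arrange
            User adminUser = CreateAdminUser();
            IdentityStub identity = new IdentityStub()
            {
                // The identity name is the admin user's id, not a display name.
                Name = adminUser.Id.ToString(),
                IsAuthenticated = true
            };
            PrincipalStub principal = new PrincipalStub()
            {
                Identity = identity
            };
            AuthorizationProvider provider = new AuthorizationProvider(_applicationSettings, _userService);

            // Act
            // The local is named for what IsAdmin answers; the old name "isAuthenticated" described the wrong question.
            bool isAdmin = provider.IsAdmin(principal);

            // Assert
            Assert.That(isAdmin, Is.True);
        }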
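        /// <summary>
        /// An authenticated principal with an empty identity name is never reported as admin,
        /// even though an admin user exists in the store.
        /// </summary>
        public void IsAdmin_Should_Return_False_When_No_Identity_Name_Set()
        {
            // Arrange
            // The returned user is deliberately not referenced: the admin must exist so the empty name,
            // not the absence of any admin, is what drives the result (presumably CreateAdminUser seeds _userService — confirm).
            CreateAdminUser();
            IdentityStub identity = new IdentityStub()
            {
                Name = "",
                IsAuthenticated = true
            };
            PrincipalStub principal = new PrincipalStub()
            {
                Identity = identity
            };
            AuthorizationProvider provider = new AuthorizationProvider(_applicationSettings, _userService);

            // Act
            bool isAdmin = provider.IsAdmin(principal);

            // Assert
            Assert.That(isAdmin, Is.False);
        }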
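        /// <summary>
        /// A principal that names an existing admin user but is not authenticated is not reported as admin:
        /// the authentication flag, not just the name, must hold.
        /// </summary>
        public void isadmin_should_return_false_when_not_authenticated()
        {
            // Arrange
            User adminUser = CreateAdminUser();
            IdentityStub identity = new IdentityStub()
            {
                // Same admin id as the positive test; only IsAuthenticated differs.
                Name = adminUser.Id.ToString(),
                IsAuthenticated = false
            };
            PrincipalStub principal = new PrincipalStub()
            {
                Identity = identity
            };
            AuthorizationProvider provider = new AuthorizationProvider(_applicationSettings, _userService);

            // Act
            bool isAdmin = provider.IsAdmin(principal);

            // Assert
            Assert.That(isAdmin, Is.False);
        }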
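        /// <summary>
        /// With an empty AdminRoleName, IsAdmin answers true for an authenticated admin user.
        /// This pins a contract where the check degrades to "allow" rather than "deny" when the role
        /// is unconfigured; any hardening of that behaviour must update this test deliberately.
        /// </summary>
        public void isadmin_should_return_true_when_no_admin_role_set()
        {
            // Arrange
            // Mutates the shared fixture settings; presumably _applicationSettings is rebuilt per test in SetUp — confirm,
            // otherwise this empty role name leaks into later tests.
            _applicationSettings.AdminRoleName = "";

            User adminUser = CreateAdminUser();
            IdentityStub identity = new IdentityStub()
            {
                Name = adminUser.Id.ToString(),
                IsAuthenticated = true
            };
            PrincipalStub principal = new PrincipalStub()
            {
                Identity = identity
            };
            AuthorizationProvider provider = new AuthorizationProvider(_applicationSettings, _userService);

            // Act
            bool isAdmin = provider.IsAdmin(principal);

            // Assert
            Assert.That(isAdmin, Is.True);
        }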