private static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new RequestCultureAttribute());
filters.Add(new ElmahHandleErrorAttribute());
FacebookMode webMode = Settings.Default.Mode;
IEnumerable <Func <ControllerContext, ActionDescriptor, object> > conditions =
new Func <ControllerContext, ActionDescriptor, object>[]
{
(context, action) =>
webMode == FacebookMode.Mobile &&
!(context.Controller.GetType() == typeof(HomeController) &&
action.ActionName == "LogOn")
? new FacebookAuthorizeAttribute {
LoginUrl = "Home/LogOn"
}
: null,
(context, action) =>
webMode == FacebookMode.Canvas
? new CanvasAuthorizeAttribute {
Permissions = "publish_stream,offline_access"
}
: null
};
ConditionalFilterProvider provider = new ConditionalFilterProvider(conditions);
FilterProviders.Providers.Add(provider);
}
public void ConditionalFilterProvider_ApplySecurity_FiltersContainSecurity()
{
var controller = new TestController();
var mockHttpContext = new Mock <HttpContextBase>();
var controllerContext = new ControllerContext(mockHttpContext.Object, new RouteData(), controller);
ControllerDescriptor controllerDescriptor = new ReflectedControllerDescriptor(typeof(TestController));
var mockActionMethodInfo = controller.GetType().GetMethods().Where(x => x.Name.Equals("PostAction")).FirstOrDefault();
ActionDescriptor actionDescriptor = new ReflectedActionDescriptor(mockActionMethodInfo, "PostAction", controllerDescriptor);
var conditions = new Func <ControllerContext, ActionDescriptor, object>[]
{
// Apply [SecurityAttribute] to all actions that don't already have the attribute but only if their controller also doesn't have the attribute (this will ensure the OnAuthorization will be run for all actions)
(c, a) =>
{
var controllerSecurity = a.ControllerDescriptor.GetCustomAttributes(true).OfType <SecurityAttribute>().FirstOrDefault();
var actionSecurity = a.GetCustomAttributes(true).OfType <SecurityAttribute>().FirstOrDefault();
return(controllerSecurity == null && actionSecurity == null ? new SecurityAttribute() : null);
}
};
var conditionalProvider = new ConditionalFilterProvider(conditions);
var filters = conditionalProvider.GetFilters(controllerContext, actionDescriptor);
Assert.IsTrue(filters.Any(f => f.Instance.GetType() == typeof(SecurityAttribute)));
}
public void ConditionalFilterProvider_ApplyValidateAntiForgeryToken_FiltersContainValidateAntiForgeryToken()
{
var controller = new TestController();
var mockHttpContext = new Mock <HttpContextBase>();
var controllerContext = new ControllerContext(mockHttpContext.Object, new RouteData(), controller);
ControllerDescriptor controllerDescriptor = new ReflectedControllerDescriptor(typeof(TestController));
var mockActionMethodInfo = controller.GetType().GetMethods().Where(x => x.Name.Equals("PostAction")).FirstOrDefault();
ActionDescriptor actionDescriptor = new ReflectedActionDescriptor(mockActionMethodInfo, "PostAction", controllerDescriptor);
var conditions = new Func <ControllerContext, ActionDescriptor, object>[]
{
// Apply [ValidateAntiForgeryTokenAttribute] to all actions with [HttpPost] that don't already have [ValidateAntiForgeryTokenAttribute]
(c, a) => a.GetCustomAttributes(true).OfType <HttpPostAttribute>().FirstOrDefault() != null && a.GetCustomAttributes(true).OfType <ValidateAntiForgeryTokenAttribute>().FirstOrDefault() == null ? new ValidateAntiForgeryTokenAttribute() : null,
};
var conditionalProvider = new ConditionalFilterProvider(conditions);
var filters = conditionalProvider.GetFilters(controllerContext, actionDescriptor);
Assert.IsTrue(filters.Any(f => f.Instance.GetType() == typeof(ValidateAntiForgeryTokenAttribute)));
}
/// <summary>
/// Register filter providers.
/// </summary>
public void Register()
{
// Prepare conditional filters
var conditions = new Func <ControllerContext, ActionDescriptor, object>[]
{
// Reason to comment out: Token generation will be modified to generate token based on session and not on request.
// Apply [ValidateAntiForgeryTokenAttribute] to all actions with [HttpPost] that don't already have [ValidateAntiForgeryTokenAttribute]
//(c, a) => a.GetCustomAttributes(true).OfType<HttpPostAttribute>().FirstOrDefault() != null && a.GetCustomAttributes(true).OfType<ValidateAntiForgeryTokenAttribute>().FirstOrDefault() == null ? new ValidateAntiForgeryTokenAttribute() : null,
// Apply [ValidateAntiDuplicateSubmitTokenAttribute] to all actions with [HttpPost] that don't already have [ValidateAntiDuplicateSubmitTokenAttribute]
(c, a) => a.GetCustomAttributes(true).OfType <HttpPostAttribute>().FirstOrDefault() != null && a.GetCustomAttributes(true).OfType <ValidateAntiDuplicateSubmitTokenAttribute>().FirstOrDefault() == null ? new ValidateAntiDuplicateSubmitTokenAttribute() : null,
// Apply [SecurityAttribute] to all actions that don't already have the attribute but only if their controller also doesn't have the attribute (this will ensure the OnAuthorization will be run for all actions)
(c, a) =>
{
var controllerSecurity = a.ControllerDescriptor.GetCustomAttributes(true).OfType <SecurityAttribute>().FirstOrDefault();
var actionSecurity = a.GetCustomAttributes(true).OfType <SecurityAttribute>().FirstOrDefault();
return(controllerSecurity == null && actionSecurity == null ? new SecurityAttribute() : null);
},
// Apply [PersistModelStateAttribute] to all actions so ModelState can be persisted after a redirect (unless it already has the attribute).
(c, a) => a.GetCustomAttributes(true).OfType <PersistModelStateAttribute>().FirstOrDefault() == null ? new PersistModelStateAttribute(true) : null,
};
var conditionalProvider = new ConditionalFilterProvider(conditions);
// Add the conditional filter provider
System.Web.Mvc.FilterProviders.Providers.Add(conditionalProvider);
}
public static void RegisterGlobalFilters(GlobalFilterCollection filters, IDependencyResolver dependencyResolver)
{
filters.Add(new RequestCultureAttribute());
filters.Add(new ElmahHandleErrorAttribute());
IFilterProvider provider = new ConditionalFilterProvider(
new Func <ControllerContext, ActionDescriptor, object>[]
{
(controller, action) =>
controller.Controller.GetType() != typeof(AccountController)
? dependencyResolver.GetService <AuthorizeAttribute>()
: null
});
FilterProviders.Providers.Add(provider);
}
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
WebApiConfig.Register(GlobalConfiguration.Configuration);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
AutomapperConfig.RegisterMappings();
IEnumerable <Func <ControllerContext, ActionDescriptor, object> > conditions =
new Func <ControllerContext, ActionDescriptor, object>[] {
// Ensure all POST actions are automatically
// decorated with the ValidateAntiForgeryTokenAttribute.
(c, a) => string.Equals(c.HttpContext.Request.HttpMethod, "POST",
StringComparison.OrdinalIgnoreCase) ?
new ValidateAntiForgeryTokenAttribute() : null
};
var provider = new ConditionalFilterProvider(conditions);
// This line adds the filter we created above
FilterProviders.Providers.Add(provider);
}