        /// <summary>
        /// Gets the Guid for the RestController that has the specified Id
        /// </summary>
        /// <param name="id">The RestController identifier.</param>
        /// <returns>The Guid of the cached RestController, or <c>null</c> when the cache has no item for <paramref name="id"/>.</returns>
        public override Guid? GetGuid(int id)
        {
            // A cache miss yields null; the null-conditional access folds that branch into one expression.
            return RestControllerCache.Get(id)?.Guid;
        }
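        /// <summary>
        /// Occurs before the action method is invoked. Looks up the secured item for the requested
        /// API action (falling back to the controller, then to a default <see cref="RestController"/>),
        /// resolves the current person from the request, and replaces the response with
        /// 401 Unauthorized when that person is not authorized for VIEW (GET) or EDIT (any other verb).
        /// </summary>
        /// <param name="actionContext">The action context.</param>
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            var reflectedHttpActionDescriptor = (ReflectedHttpActionDescriptor)actionContext.ActionDescriptor;

            var controller = actionContext.ActionDescriptor.ControllerDescriptor;
            string controllerClassName = controller.ControllerType.FullName;
            string actionMethod = actionContext.Request.Method.Method;

            var apiId = RestControllerService.GetApiId(reflectedHttpActionDescriptor.MethodInfo, actionMethod, controller.ControllerName);
            ISecured item = RestActionCache.Get(apiId);

            if (item == null)
            {
                // if there isn't a RestAction in the database, use the Controller as the secured item
                item = RestControllerCache.Get(controllerClassName);
                if (item == null)
                {
                    // No RestAction and no RestController record: a default RestController decides authorization.
                    item = new RestController();
                }
            }

            Person person = null;

            if (actionContext.Request.Properties.Keys.Contains("Person"))
            {
                // An earlier filter already resolved the person for this request; reuse it.
                person = actionContext.Request.Properties["Person"] as Person;
            }
            else
            {
                var principal = actionContext.Request.GetUserPrincipal();
                if (principal != null && principal.Identity != null)
                {
                    using (var rockContext = new RockContext())
                    {
                        // userLogin.Person is read inside the context scope so it is still loadable.
                        UserLogin userLogin = GetUserLoginForIdentity(principal.Identity.Name, rockContext);

                        if (userLogin != null)
                        {
                            person = userLogin.Person;
                            actionContext.Request.Properties.Add("Person", person);

                            /* 12/12/2019 BJW
                             *
                             * Setting this current person item was only done in put, post, and patch in the ApiController
                             * class. Set it here so that it is always set for all methods, including delete. This enhances
                             * history logging done in the pre and post save model hooks (when the pre-save event is called
                             * we can access DbContext.GetCurrentPersonAlias and log who deleted the record).
                             *
                             * Task: https://app.asana.com/0/1120115219297347/1153140643799337/f
                             */
                            System.Web.HttpContext.Current.AddOrReplaceItem("CurrentPerson", person);
                        }
                    }
                }
            }

            // Only GET is treated as a read; every other verb (HEAD and OPTIONS included) requires EDIT.
            string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
                            Rock.Security.Authorization.VIEW : Rock.Security.Authorization.EDIT;

            if (!item.IsAuthorized(action, person))
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
        }

        /// <summary>
        /// Resolves the <see cref="UserLogin"/> for an authenticated identity name. A name of the form
        /// <c>rckipid=&lt;token&gt;</c> is an impersonation token and is resolved through the person it
        /// impersonates; any other name is looked up as a user name.
        /// </summary>
        /// <param name="userName">The identity name taken from the request principal.</param>
        /// <param name="rockContext">The context used for the lookups.</param>
        /// <returns>The matching login, or <c>null</c> when the name is empty or does not resolve.</returns>
        private static UserLogin GetUserLoginForIdentity(string userName, RockContext rockContext)
        {
            if (string.IsNullOrEmpty(userName))
            {
                // An identity with no name cannot be mapped to a login; the caller is treated as anonymous
                // instead of failing on the prefix test below.
                return null;
            }

            // Ordinal comparison: the prefix is a protocol token, not user-facing text, so a culture-aware
            // comparison (which may ignore some characters) must not decide which lookup runs.
            if (userName.StartsWith("rckipid=", StringComparison.Ordinal))
            {
                var personService = new Rock.Model.PersonService(rockContext);
                Rock.Model.Person impersonatedPerson = personService.GetByImpersonationToken(userName.Substring("rckipid=".Length));
                return impersonatedPerson != null ? impersonatedPerson.GetImpersonatedUser() : null;
            }

            var userLoginService = new Rock.Model.UserLoginService(rockContext);
            return userLoginService.GetByUserName(userName);
        }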
 /// <summary>
 /// Updates any Cache Objects that are associated with this entity
 /// </summary>
 /// <param name="entityState">State of the entity, forwarded to the RestController cache.</param>
 /// <param name="dbContext">The database context. Not used by this method.</param>
 public void UpdateCache(EntityState entityState, Rock.Data.DbContext dbContext) =>
     RestControllerCache.UpdateCachedEntity(Id, entityState);
 /// <summary>
 /// Gets the cache object associated with this Entity
 /// </summary>
 /// <returns>The RestController cache item for this entity's Id (may be null on a cache miss).</returns>
 public IEntityCache GetCacheObject() => RestControllerCache.Get(Id);
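        /// <summary>
        /// Occurs before the action method is invoked. Builds the cache key for the requested action
        /// (HTTP verb concatenated with the route template plus any non-route arguments), looks up the
        /// secured item for it (falling back to the controller, then to a default <see cref="RestController"/>),
        /// resolves the current person from the request, and replaces the response with 401 Unauthorized
        /// when that person is not authorized for VIEW (GET) or EDIT (any other verb).
        /// </summary>
        /// <param name="actionContext">The action context.</param>
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            var controller = actionContext.ActionDescriptor.ControllerDescriptor;
            string controllerClassName = controller.ControllerType.FullName;
            string actionMethod = actionContext.Request.Method.Method;
            string actionPath = actionContext.Request.GetRouteData().Route.RouteTemplate.Replace("{controller}", controller.ControllerName);

            //// find any additional arguments that aren't part of the RouteTemplate that qualified the action method
            //// for example: ~/person/search?name={name}&includeHtml={includeHtml}&includeDetails={includeDetails}&includeBusinesses={includeBusinesses}
            //// is a different action method than ~/person/search?name={name}
            // Materialized once: the lambda captures actionPath, which is appended to below, so a deferred
            // query would otherwise be re-evaluated against a changing value on each enumeration.
            var routeQueryParams = actionContext.ActionArguments
                .Where(a => !actionPath.Contains("{" + a.Key + "}"))
                .ToList();

            if (routeQueryParams.Any())
            {
                var actionPathQueryString = routeQueryParams.Select(a => string.Format("{0}={{{0}}}", a.Key)).ToList().AsDelimited("&");
                actionPath += "?" + actionPathQueryString;
            }

            ISecured item = RestActionCache.Get(actionMethod + actionPath);

            if (item == null)
            {
                // No RestAction for this verb + path: the controller is the secured item.
                item = RestControllerCache.Get(controllerClassName);
                if (item == null)
                {
                    // No RestController record either: a default RestController decides authorization.
                    item = new RestController();
                }
            }

            Person person = null;

            if (actionContext.Request.Properties.Keys.Contains("Person"))
            {
                // An earlier filter already resolved the person for this request; reuse it.
                person = actionContext.Request.Properties["Person"] as Person;
            }
            else
            {
                var principal = actionContext.Request.GetUserPrincipal();
                if (principal != null && principal.Identity != null)
                {
                    using (var rockContext = new RockContext())
                    {
                        // userLogin.Person is read inside the context scope so it is still loadable.
                        UserLogin userLogin = GetUserLoginForIdentity(principal.Identity.Name, rockContext);

                        if (userLogin != null)
                        {
                            person = userLogin.Person;
                            actionContext.Request.Properties.Add("Person", person);
                        }
                    }
                }
            }

            // Only GET is treated as a read; every other verb (HEAD and OPTIONS included) requires EDIT.
            string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
                            Rock.Security.Authorization.VIEW : Rock.Security.Authorization.EDIT;

            if (!item.IsAuthorized(action, person))
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
        }

        /// <summary>
        /// Resolves the <see cref="UserLogin"/> for an authenticated identity name. A name of the form
        /// <c>rckipid=&lt;token&gt;</c> is an impersonation token and is resolved through the person it
        /// impersonates; any other name is looked up as a user name.
        /// </summary>
        /// <param name="userName">The identity name taken from the request principal.</param>
        /// <param name="rockContext">The context used for the lookups.</param>
        /// <returns>The matching login, or <c>null</c> when the name is empty or does not resolve.</returns>
        private static UserLogin GetUserLoginForIdentity(string userName, RockContext rockContext)
        {
            if (string.IsNullOrEmpty(userName))
            {
                // An identity with no name cannot be mapped to a login; the caller is treated as anonymous
                // instead of failing on the prefix test below.
                return null;
            }

            // Ordinal comparison: the prefix is a protocol token, not user-facing text, so a culture-aware
            // comparison (which may ignore some characters) must not decide which lookup runs.
            if (userName.StartsWith("rckipid=", StringComparison.Ordinal))
            {
                var personService = new Rock.Model.PersonService(rockContext);
                Rock.Model.Person impersonatedPerson = personService.GetByImpersonationToken(userName.Substring("rckipid=".Length), false, null);
                return impersonatedPerson != null ? impersonatedPerson.GetImpersonatedUser() : null;
            }

            var userLoginService = new Rock.Model.UserLoginService(rockContext);
            return userLoginService.GetByUserName(userName);
        }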
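        /// <summary>
        /// Occurs before the action method is invoked. Resolves the login behind the request principal
        /// (rejecting PIN-authenticated logins outright), looks up the secured item for the requested API
        /// action (falling back to the controller, then to a default <see cref="RestController"/>), and
        /// replaces the response with 401 Unauthorized unless either the current person or — for requests
        /// carrying the X-Rock-App-Id and X-Rock-Mobile-Api-Key headers — the mobile application's user
        /// is authorized for VIEW (GET) or EDIT (any other verb).
        /// </summary>
        /// <param name="actionContext">The action context.</param>
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            var principal = actionContext.Request.GetUserPrincipal();
            Person person = null;

            if (principal != null && principal.Identity != null)
            {
                using (var rockContext = new RockContext())
                {
                    // userLogin.Person is read inside the context scope so it is still loadable.
                    UserLogin userLogin = GetUserLoginForIdentity(principal.Identity.Name, rockContext);

                    if (userLogin != null)
                    {
                        person = userLogin.Person;
                        var pinAuthentication = AuthenticationContainer.GetComponent(typeof(Security.Authentication.PINAuthentication).FullName);

                        // Don't allow PIN authentications. This check only covers logins resolved from the
                        // principal here; a person supplied via the "Person" request property is not re-checked.
                        if (userLogin.EntityTypeId != null)
                        {
                            var userLoginEntityType = EntityTypeCache.Get(userLogin.EntityTypeId.Value);
                            if (userLoginEntityType != null && userLoginEntityType.Id == pinAuthentication.EntityType.Id)
                            {
                                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
                                return;
                            }
                        }
                    }
                }
            }

            var reflectedHttpActionDescriptor = (ReflectedHttpActionDescriptor)actionContext.ActionDescriptor;

            var controller = actionContext.ActionDescriptor.ControllerDescriptor;
            var controllerClassName = controller.ControllerType.FullName;
            var actionMethod = actionContext.Request.Method.Method;

            var apiId = RestControllerService.GetApiId(reflectedHttpActionDescriptor.MethodInfo, actionMethod, controller.ControllerName);
            ISecured item = RestActionCache.Get(apiId);

            if (item == null)
            {
                // if there isn't a RestAction in the database, use the Controller as the secured item
                item = RestControllerCache.Get(controllerClassName);
                if (item == null)
                {
                    // No RestController record either: a default RestController decides authorization.
                    item = new RestController();
                }
            }

            if (actionContext.Request.Properties.Keys.Contains("Person"))
            {
                // An earlier filter already resolved the person for this request; it takes precedence.
                person = actionContext.Request.Properties["Person"] as Person;
            }
            else
            {
                // Stored even when null so later filters see that resolution already happened.
                actionContext.Request.Properties.Add("Person", person);

                /* 12/12/2019 BJW
                 *
                 * Setting this current person item was only done in put, post, and patch in the ApiController
                 * class. Set it here so that it is always set for all methods, including delete. This enhances
                 * history logging done in the pre and post save model hooks (when the pre-save event is called
                 * we can access DbContext.GetCurrentPersonAlias and log who deleted the record).
                 *
                 * Task: https://app.asana.com/0/1120115219297347/1153140643799337/f
                 */
                System.Web.HttpContext.Current.AddOrReplaceItem("CurrentPerson", person);
            }

            // Only GET is treated as a read; every other verb (HEAD and OPTIONS included) requires EDIT.
            string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
                            Security.Authorization.VIEW : Security.Authorization.EDIT;

            bool authorized = false;

            if (item.IsAuthorized(action, person))
            {
                authorized = true;
            }
            else if (actionContext.Request.Headers.Contains("X-Rock-App-Id") && actionContext.Request.Headers.Contains("X-Rock-Mobile-Api-Key"))
            {
                // Normal authorization failed, but this is a Mobile App request so check
                // if the application itself has been given permission.
                var appId = actionContext.Request.Headers.GetValues("X-Rock-App-Id").First().AsIntegerOrNull();
                var mobileApiKey = actionContext.Request.Headers.GetValues("X-Rock-Mobile-Api-Key").First();

                if (appId.HasValue)
                {
                    using (var rockContext = new RockContext())
                    {
                        // Both the app id and its API key must resolve to an application user before
                        // that user's permissions are consulted.
                        var appUser = Mobile.MobileHelper.GetMobileApplicationUser(appId.Value, mobileApiKey, rockContext);

                        if (appUser != null && item.IsAuthorized(action, appUser.Person))
                        {
                            authorized = true;
                        }
                    }
                }
            }

            if (!authorized)
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            }
        }

        /// <summary>
        /// Resolves the <see cref="UserLogin"/> for an authenticated identity name. A name of the form
        /// <c>rckipid=&lt;token&gt;</c> is an impersonation token and is resolved through the person it
        /// impersonates; any other name is looked up as a user name.
        /// </summary>
        /// <param name="userName">The identity name taken from the request principal.</param>
        /// <param name="rockContext">The context used for the lookups.</param>
        /// <returns>The matching login, or <c>null</c> when the name is empty or does not resolve.</returns>
        private static UserLogin GetUserLoginForIdentity(string userName, RockContext rockContext)
        {
            if (string.IsNullOrEmpty(userName))
            {
                // An identity with no name cannot be mapped to a login; the caller is treated as anonymous
                // instead of failing on the prefix test below.
                return null;
            }

            // Ordinal comparison: the prefix is a protocol token, not user-facing text, so a culture-aware
            // comparison (which may ignore some characters) must not decide which lookup runs.
            if (userName.StartsWith("rckipid=", StringComparison.Ordinal))
            {
                var personService = new PersonService(rockContext);
                var impersonatedPerson = personService.GetByImpersonationToken(userName.Substring("rckipid=".Length));
                return impersonatedPerson != null ? impersonatedPerson.GetImpersonatedUser() : null;
            }

            var userLoginService = new UserLoginService(rockContext);
            return userLoginService.GetByUserName(userName);
        }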