/// <summary>
/// Copies the four transport fields of a <see cref="UserDTO"/> onto a freshly created <see cref="User"/>.
/// </summary>
/// <param name="input">The incoming DTO. Not null-checked: a null <paramref name="input"/> throws.</param>
/// <returns>A new <see cref="User"/> whose IsActive, IsAdmin, UserId and Username are copied verbatim.</returns>
/// <remarks>
/// SECURITY: <c>IsAdmin</c> and <c>IsActive</c> are taken straight from the DTO with no check.
/// If the DTO is model-bound from a client request, whoever can call this mapper can mint an
/// administrator (mass assignment). The caller is responsible for deciding who may set those
/// flags; this method deliberately performs no authorization of its own.
/// </remarks>
public User MapUserDTO(UserDTO input)
{
    var mapped = new User
    {
        IsActive = input.IsActive,
        IsAdmin = input.IsAdmin,
        UserId = input.UserId,
        Username = input.Username,
    };
    return mapped;
}
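/// <summary>
/// Populates <see cref="HttpContextBase.User"/> from the forms-authentication cookie — looking the
/// user up in the local database and provisioning them on first sight — and then defers the actual
/// role check to <c>base.AuthorizeCore</c>.
/// </summary>
/// <param name="httpContext">The current request context. Its <c>User</c> is replaced when a valid ticket is present.</param>
/// <returns>Whatever the base <c>AuthorizeAttribute</c> decides for the principal installed here.</returns>
/// <exception cref="HttpException">Thrown (status 500) when the authenticated user's local account is inactive.</exception>
/// <exception cref="InvalidOperationException">Thrown when a newly provisioned user cannot be read back from the database.</exception>
/// <remarks>
/// Fixes versus the previous version: (1) a cookie that does not decrypt to a live ticket
/// (tampered, malformed, wrong machineKey, expired) is now treated as "not logged in" instead of
/// crashing with a NullReferenceException / server error; (2) the <c>UserService</c> is a local,
/// not a field — MVC caches filter attribute instances (see the note below), so a per-request
/// field on the attribute is shared, and disposed, across concurrent requests.
/// </remarks>
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
    bool disableAuthentication = false;
#if DEBUG
    // SECURITY: every Debug build skips authentication and runs as a hard-coded administrator.
    // Never ship a Debug build of this assembly; consider additionally gating this on a config
    // switch so a stray Debug artifact cannot hand admin rights to anonymous callers.
    disableAuthentication = true;
#endif

    if (disableAuthentication)
    {
        // Fake user used during development to bypass authentication.
        GenericIdentity debugIdentity = new GenericIdentity("alongoria");
        string[] debugRoles = new string[] { "admin" };
        httpContext.User = new GenericPrincipal(debugIdentity, debugRoles);
        return base.AuthorizeCore(httpContext);
    }

    HttpCookie authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
    if (authCookie != null)
    {
        // A cookie that is not a valid, unexpired ticket is treated exactly like no cookie:
        // the base class then sees an unauthenticated request rather than a 500.
        FormsAuthenticationTicket authTicket = DecryptTicketOrNull(authCookie.Value);
        if (authTicket != null)
        {
            string username = authTicket.Name;

            // The initials cookie is read once and used by both branches below.
            // NOTE(review): its value is client-controlled and is persisted as-is; length/charset
            // validation should live in UserService or on the Initials column — confirm.
            HttpCookie initialsCookie = httpContext.Request.Cookies[Configuration.GetAppSetting("UserInitialsCookieName")];
            string cookieInitials = null;
            if (initialsCookie != null && !string.IsNullOrWhiteSpace(initialsCookie.Value))
            {
                cookieInitials = initialsCookie.Value;
            }

            string[] roles;

            // According to many articles and Ninject docs like:
            // https://github.com/ninject/Ninject.Web.Mvc/wiki/Filters-and-Scoped,
            // https://www.cuttingedge.it/blogs/steven/pivot/entry.php?id=98,
            // https://stackoverflow.com/questions/29915192/unity-property-injection-on-authorizeattribute
            // MVC caches filters, which means dependency injection with .InRequestScope() does not work.
            // If we try to inject the _authorizationFilter with Ninject, there is a runtime error saying the DbContext has been disposed
            // on the second and all subsequent requests (works fine on the first request).
            // Because the attribute instance is cached and shared, the service must be a local here
            // and not an instance field: a field would be overwritten and disposed by concurrent requests.
            using (var userService = new UserService())
            {
                User user = userService.GetByUsername(username);
                if (user == null)
                {
                    // The user has a valid ticket, so they exist in Active Directory, but not in our
                    // local database (new employee, probably): provision them as an ordinary, active user.
                    User newUser = new User() { Username = username, IsActive = true, IsAdmin = false };
                    if (cookieInitials != null)
                    {
                        newUser.Initials = cookieInitials;
                    }
                    else
                    {
                        // No usable cookie: derive initials from the first two characters of the username.
                        newUser.Initials = username.Length > 1 ? username.Substring(0, 2) : "xx";
                    }

                    userService.Insert(newUser);
                    user = userService.GetByUsername(username);
                    if (user == null)
                    {
                        // Previously this surfaced as a NullReferenceException a few lines later.
                        throw new InvalidOperationException(string.Format("User {0} was inserted but could not be read back.", username));
                    }

                    using (var log = new LoggerConfiguration().ReadFrom.AppSettings().CreateLogger())
                    {
                        log.Information("A new user was added to the application: {0}", username);
                    }
                }
                else if (cookieInitials != null
                         && !cookieInitials.Equals(user.Initials, System.StringComparison.OrdinalIgnoreCase))
                {
                    // The cookie carries initials that differ from our stored value: treat the cookie as authoritative.
                    // Ordinal comparison: initials are an identifier, not linguistic text.
                    user.Initials = cookieInitials;
                    userService.Update(user);
                }

                if (!user.IsActive)
                {
                    using (var log = new LoggerConfiguration().ReadFrom.AppSettings().CreateLogger())
                    {
                        log.Warning("A user whose account was disabled attempted to log on to the application: {0}", username);
                    }
                    // NOTE(review): 403 Forbidden describes this better than 500; left unchanged so
                    // existing error pages / callers keep behaving the same.
                    throw new HttpException(500, string.Format("The {0} account has been disabled.", authTicket.Name));
                }

                // GenericPrincipal accepts a null role list and treats it as "no roles".
                roles = user.IsAdmin ? new string[] { "admin" } : null;
            }

            GenericIdentity identity = new GenericIdentity(username, "Forms");
            httpContext.User = new GenericPrincipal(identity, roles);
        }
    }

    // Now that httpContext.User is set (or deliberately left alone), let the base class
    // perform the actual role check.
    return base.AuthorizeCore(httpContext);
}

/// <summary>
/// Decrypts a forms-authentication cookie value, returning <c>null</c> instead of throwing
/// when the value is missing, malformed, fails its integrity check, or has already expired.
/// </summary>
/// <param name="encryptedTicket">Raw cookie value exactly as sent by the client.</param>
/// <returns>The decrypted ticket, or <c>null</c> when the request should be treated as not logged in.</returns>
private static FormsAuthenticationTicket DecryptTicketOrNull(string encryptedTicket)
{
    if (string.IsNullOrEmpty(encryptedTicket))
    {
        return null;
    }

    FormsAuthenticationTicket ticket;
    try
    {
        ticket = FormsAuthentication.Decrypt(encryptedTicket);
    }
    catch (ArgumentException)
    {
        // Decrypt rejects values that are not a well-formed ticket. A client can put anything
        // in this cookie, so a garbage value must not turn into a server error.
        return null;
    }
    catch (HttpException)
    {
        // "Unable to validate data": MAC/validation failure (tampering or a machineKey mismatch).
        return null;
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        // Bad padding / undecryptable blob — same treatment as tampering.
        return null;
    }

    // Older runtimes return null rather than throwing; an expired ticket is also not a login.
    if (ticket == null || ticket.Expired)
    {
        return null;
    }

    return ticket;
}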