/// <summary>
/// Applies the ValidateAntiForgeryTokenAttribute to all non-exempt post requests.
/// </summary>
/// <param name="controllerContext"></param>
/// <param name="actionDescriptor"></param>
/// <returns></returns>
public IEnumerable <Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
{
List <Filter> result = new List <Filter>();
string incomingVerb = controllerContext.HttpContext.Request.HttpMethod;
if (String.Equals(incomingVerb, "POST", StringComparison.OrdinalIgnoreCase))
{
if (!actionDescriptor.HasAttribute <AntiForgeryExemptAttribute>())
{
result.Add(new Filter(new ValidateAntiForgeryTokenAttribute(), FilterScope.Global, null));
}
}
return(result);
}
public bool IsAccessibleToUser(IControllerTypeResolver controllerTypeResolver, DefaultSiteMapProvider provider,
HttpContext context, SiteMapNode node)
{
// is security trimming enabled?
if (!provider.SecurityTrimmingEnabled)
{
return(true);
}
// external nodes
var nodeUrl = node.Url;
if (nodeUrl.StartsWith("http") || nodeUrl.StartsWith("ftp"))
{
return(true);
}
// Is it a regular node?
var mvcNode = node as MvcSiteMapNode;
if (mvcNode == null)
{
return(true);
}
var controllerType = controllerTypeResolver.ResolveControllerType(mvcNode.Area, mvcNode.Controller);
if (controllerType == null)
{
return(false);
}
// Find routes for the sitemap node's url
HttpContextBase httpContext = new HttpContextMethodOverrider(context, null);
string originalPath = httpContext.Request.Path;
var originalRoutes = RouteTable.Routes.GetRouteData(httpContext);
httpContext.RewritePath(nodeUrl, true);
HttpContextBase httpContext2 = new HttpContext2(context);
RouteData routes = mvcNode.GetRouteData(httpContext2);
if (routes == null)
{
return(true); // Static URL's will have no route data, therefore return true.
}
foreach (var routeValue in mvcNode.RouteValues)
{
routes.Values[routeValue.Key] = routeValue.Value;
}
if (originalRoutes != null && (!routes.Route.Equals(originalRoutes.Route) || originalPath != nodeUrl || mvcNode.Area == String.Empty))
{
routes.DataTokens.Remove("area");
//routes.DataTokens.Remove("Namespaces");
//routes.Values.Remove("area");
}
var requestContext = new RequestContext(httpContext, routes);
// Create controller context
var controllerContext = new ControllerContext();
controllerContext.RequestContext = requestContext;
// Whether controller is built by the ControllerFactory (or otherwise by Activator)
bool factoryBuiltController = false;
try
{
string controllerName = requestContext.RouteData.GetRequiredString("controller");
controllerContext.Controller = ControllerBuilder.Current.GetControllerFactory().CreateController(requestContext, controllerName) as ControllerBase;
factoryBuiltController = true;
}
catch
{
try
{
controllerContext.Controller = Activator.CreateInstance(controllerType) as ControllerBase;
}
catch
{
}
}
ControllerDescriptor controllerDescriptor = null;
if (typeof(IController).IsAssignableFrom(controllerType))
{
controllerDescriptor = new ReflectedControllerDescriptor(controllerType);
}
else if (typeof(IAsyncController).IsAssignableFrom(controllerType))
{
controllerDescriptor = new ReflectedAsyncControllerDescriptor(controllerType);
}
ActionDescriptor actionDescriptor = null;
try
{
actionDescriptor = controllerDescriptor.FindAction(controllerContext, mvcNode.Action);
}
catch
{
}
if (actionDescriptor == null)
{
actionDescriptor = controllerDescriptor.GetCanonicalActions().FirstOrDefault(a => a.ActionName == mvcNode.Action);
}
// Verify security
try
{
if (actionDescriptor != null)
{
// fixes #130 - Check whether we have an AllowAnonymous Attribute
var ignoreAuthorization = actionDescriptor.HasAttribute <AllowAnonymousAttribute>();
if (ignoreAuthorization)
{
return(true);
}
if (actionDescriptor.HasAttribute <OnlyAnonymousAttribute>())
{
return(!requestContext.HttpContext.Request.IsAuthenticated);
}
IFilterProvider filterProvider = ResolveFilterProvider();
IEnumerable <Filter> filters;
// If depencency resolver has an IFilterProvider registered, use it
if (filterProvider != null)
{
filters = filterProvider.GetFilters(controllerContext, actionDescriptor);
}
// Otherwise use FilterProviders.Providers
else
{
filters = FilterProviders.Providers.GetFilters(controllerContext, actionDescriptor);
}
IEnumerable <AuthorizeAttribute> authorizeAttributesToCheck =
filters
.Where(f => f.Instance is AuthorizeAttribute)
.Select(f => f.Instance as AuthorizeAttribute);
// Verify all attributes
foreach (var authorizeAttribute in authorizeAttributesToCheck)
{
try
{
var currentAuthorizationAttributeType = authorizeAttribute.GetType();
var builder = new AuthorizeAttributeBuilder();
var subclassedAttribute =
currentAuthorizationAttributeType == typeof(AuthorizeAttribute) ?
new InternalAuthorize(authorizeAttribute) : // No need to use Reflection.Emit when ASP.NET MVC built-in attribute is used
(IAuthorizeAttribute)builder.Build(currentAuthorizationAttributeType).Invoke(null);
// Copy all properties
ObjectCopier.Copy(authorizeAttribute, subclassedAttribute);
if (!subclassedAttribute.IsAuthorized(controllerContext.HttpContext))
{
return(false);
}
}
catch
{
// do not allow on exception
return(false);
}
}
}
// No objection.
return(true);
}
finally
{
// Restore HttpContext
httpContext.RewritePath(originalPath, true);
// Release controller
if (factoryBuiltController)
{
ControllerBuilder.Current.GetControllerFactory().ReleaseController(controllerContext.Controller);
}
}
}
public static bool HasAllowAnonymousAttribute(this ActionDescriptor actionDescriptor) => actionDescriptor.HasAttribute <AllowAnonymousAttribute>();
public static bool HasAuthorizeAttribute(this ActionDescriptor actionDescriptor) => actionDescriptor.HasAttribute <AuthorizeAttribute>();
