Esempio n. 1
        /// <summary>
        /// Builds a <see cref="User"/> entity from a <see cref="UserDTO"/>.
        /// Only IsActive, IsAdmin, UserId and Username are carried over; every other
        /// member of the new entity keeps its default value.
        /// </summary>
        /// <param name="input">The transfer object to copy from.</param>
        /// <returns>A freshly constructed <see cref="User"/> populated from <paramref name="input"/>.</returns>
        public User MapUserDTO(UserDTO input)
        {
            return new User
            {
                IsActive = input.IsActive,
                IsAdmin = input.IsAdmin,
                UserId = input.UserId,
                Username = input.Username
            };
        }
Esempio n. 2
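        /// <summary>
        /// Resolves the current user from the forms-authentication cookie, makes sure a matching
        /// local <see cref="User"/> row exists (inserting one on first sight and syncing its initials
        /// from the initials cookie), assigns the "admin" role where applicable, replaces
        /// <c>httpContext.User</c> with the resulting principal and then defers to the base role check.
        /// </summary>
        /// <param name="httpContext">The current request context; its <c>User</c> is overwritten.</param>
        /// <returns>The result of <c>base.AuthorizeCore</c> evaluated against the principal set here.</returns>
        /// <exception cref="HttpException">Thrown with status 500 when the resolved account is inactive.</exception>
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            bool disableAuthentication = false;

            #if DEBUG
            disableAuthentication = true;
            #endif

            if (disableAuthentication)
            {
                // DEBUG builds skip the cookie entirely and treat every request as a hard-coded admin.
                // Any DEBUG build reaching a shared environment therefore grants admin to every caller,
                // so the build configuration of deployed artifacts needs to be verified.
                GenericIdentity debugIdentity = new GenericIdentity("alongoria");
                httpContext.User = new GenericPrincipal(debugIdentity, new string[] { "admin" });
            }
            else
            {
                HttpCookie authCookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];

                if (authCookie != null)
                {
                    FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);

                    // Decrypt yields null for a ticket it cannot validate, and a ticket past its expiry
                    // must not be honoured either. Both cases fall through to the base check without
                    // touching httpContext.User, exactly as a missing cookie does.
                    if (authTicket != null && !authTicket.Expired)
                    {
                        string username = authTicket.Name;
                        string[] roles;

                        // According to many articles and Ninject docs like:
                        // https://github.com/ninject/Ninject.Web.Mvc/wiki/Filters-and-Scoped,
                        // https://www.cuttingedge.it/blogs/steven/pivot/entry.php?id=98,
                        // https://stackoverflow.com/questions/29915192/unity-property-injection-on-authorizeattribute
                        // MVC caches filters, which means dependency injection with .InRequestScope() does not work.
                        // Injecting the service with Ninject raises a "DbContext has been disposed" error on the
                        // second and all subsequent requests, so the service is created per request here instead.
                        using (_userService = new UserService())
                        {
                            User user = EnsureLocalUser(_userService, httpContext, username);

                            if (!user.IsActive)
                            {
                                using (var log = new LoggerConfiguration().ReadFrom.AppSettings().CreateLogger())
                                {
                                    log.Warning("A user whose account was disabled attempted to log on to the application: {0}", username);
                                }

                                // Kept at 500 so existing error handling is unaffected; 403 would describe
                                // a disabled account more accurately.
                                throw new HttpException(500, string.Format("The {0} account has been disabled.", authTicket.Name));
                            }

                            // Non-admins get no roles at all; GenericPrincipal accepts a null role list.
                            roles = user.IsAdmin ? new string[] { "admin" } : null;
                        }

                        httpContext.User = new GenericPrincipal(new GenericIdentity(username, "Forms"), roles);
                    }
                }
            }

            // httpContext.User is now set; the base implementation performs the actual role check.
            return base.AuthorizeCore(httpContext);
        }

        /// <summary>
        /// Returns the local <see cref="User"/> for <paramref name="username"/>. A user that has a
        /// forms-authentication cookie but no local row is inserted (active, non-admin); an existing
        /// user's initials are refreshed from the initials cookie when the two differ.
        /// </summary>
        /// <param name="userService">The per-request service used for lookup, insert and update.</param>
        /// <param name="httpContext">The current request, used to read the initials cookie.</param>
        /// <param name="username">The authenticated user name taken from the forms ticket.</param>
        /// <returns>The existing or newly inserted user; never <c>null</c>.</returns>
        /// <exception cref="System.InvalidOperationException">Thrown when a freshly inserted user cannot be read back.</exception>
        private static User EnsureLocalUser(UserService userService, HttpContextBase httpContext, string username)
        {
            string cookieInitials = ReadInitialsCookie(httpContext);
            User user = userService.GetByUsername(username);

            if (user == null)
            {
                // The user has a cookie, so they are in the Active Directory, but not yet in our
                // local database (new employee, probably): add them.
                User newUser = new User()
                {
                    Username = username,
                    IsActive = true,
                    IsAdmin = false,
                    // NOTE(review): the initials cookie is client-controlled and is stored without
                    // further validation — confirm the column length and allowed characters.
                    Initials = cookieInitials ?? (username.Length > 1 ? username.Substring(0, 2) : "xx")
                };

                userService.Insert(newUser);
                user = userService.GetByUsername(username);

                using (var log = new LoggerConfiguration().ReadFrom.AppSettings().CreateLogger())
                {
                    log.Information("A new user was added to the application: {0}", username);
                }

                if (user == null)
                {
                    // Previously this surfaced later as a NullReferenceException on user.IsActive.
                    throw new System.InvalidOperationException(
                        string.Format("User {0} was inserted but could not be read back.", username));
                }
            }
            else if (cookieInitials != null
                     && !cookieInitials.Equals(user.Initials, System.StringComparison.OrdinalIgnoreCase))
            {
                // Initials are an identifier, not linguistic text, so compare ordinally rather than
                // by the current culture.
                user.Initials = cookieInitials;
                userService.Update(user);
            }

            return user;
        }

        /// <summary>
        /// Reads the initials cookie named by the "UserInitialsCookieName" app setting.
        /// </summary>
        /// <param name="httpContext">The current request.</param>
        /// <returns>The cookie value, or <c>null</c> when the cookie is absent or blank.</returns>
        private static string ReadInitialsCookie(HttpContextBase httpContext)
        {
            HttpCookie initialsCookie = httpContext.Request.Cookies[Configuration.GetAppSetting("UserInitialsCookieName")];

            return initialsCookie != null && !string.IsNullOrWhiteSpace(initialsCookie.Value)
                ? initialsCookie.Value
                : null;
        }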