Esempio n. 1
        /// <summary>
        /// Decides whether the current request may be served without an authenticated user.
        /// </summary>
        /// <remarks>
        /// The check is made by temporarily installing an "Anonymous" principal on both the
        /// <c>_userPrincipal</c> member and <c>app.Context.User</c>, asking
        /// <c>RestNet.AuthUtils.UserHasRightsToThisMethod</c> for a decision, and then putting
        /// the previous principals back. The restore runs in a <c>finally</c> block, so it also
        /// happens when the rights check throws; the exception itself still propagates.
        /// </remarks>
        /// <param name="app">The application object whose current request is being checked.</param>
        /// <returns>
        /// <c>true</c> for every request that is not a RestNet request, otherwise the result of
        /// the rights check performed as the anonymous user.
        /// </returns>
        private bool AllowAnonymousAccess(HttpApplication app)
        {
            // Anything that is not a RestNet request (aspx pages, images, ...) is not checked
            // here at all and is always reported as anonymously accessible.
            // NOTE(review): this makes IsRestNetRequest part of the authorization decision -
            // a request it misclassifies skips the rights check below. Confirm its matching rules.
            if (!IsRestNetRequest(app))
            {
                return true;
            }

            // Remember both principals so they can be put back once the check is done.
            IPrincipal savedContextUser     = app.Context.User;
            IPrincipal savedModulePrincipal = _userPrincipal;

            try
            {
                // The security helpers expect a principal to be present, so stand in a
                // throw-away anonymous one with no roles for the duration of the check.
                RestNetUser anonymousIdentity = new RestNetUser("Anonymous", string.Empty, "Restnet.RestNetUser", false, new string[0]);
                _userPrincipal   = new GenericPrincipal(anonymousIdentity, new string[0]);
                app.Context.User = _userPrincipal;

                // An explicit resourceName query-string value wins; the URL is only parsed
                // when that parameter is absent.
                // NOTE(review): the query string is caller-controlled, so the caller picks the
                // name this check is evaluated against. Confirm that request dispatch resolves
                // the resource the same way, otherwise the check and the handler can disagree.
                string resourceName = app.Context.Request.QueryString["resourceName"] ?? GetResourceNameFromUrl(app.Request);

                return RestNet.AuthUtils.UserHasRightsToThisMethod(resourceName, app.Context.Request.HttpMethod, new HttpContextWrapper(app.Context));
            }
            finally
            {
                // Always hand the request back with the principals it arrived with, so the
                // temporary anonymous user never outlives this method.
                _userPrincipal   = savedModulePrincipal;
                app.Context.User = savedContextUser;
            }
        }
Esempio n. 2
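        /// <summary>
        /// Checks whether the user attached to <paramref name="context"/> satisfies
        /// <paramref name="roleKey"/> under the given security model.
        /// </summary>
        /// <param name="securityType">
        /// One of <c>"role"</c>, <c>"group"</c> or <c>"none"</c>; any other value is reported
        /// as a configuration error.
        /// </param>
        /// <param name="roleKey">The role or group key to test the user against.</param>
        /// <param name="context">The HTTP context whose <c>User</c> is evaluated.</param>
        /// <returns>
        /// <c>false</c> when the context has no user, or when <c>"group"</c> is selected and the
        /// user's identity is not a <c>RestNetUser</c>; <c>true</c> for <c>"none"</c>; otherwise
        /// the outcome of the role or group lookup.
        /// </returns>
        /// <exception cref="System.Exception">
        /// Whatever <c>ErrorHandler.HttpConfigurationError</c> returns is thrown when
        /// <paramref name="securityType"/> is not a recognised value.
        /// </exception>
        public static bool IsUserInRole(string securityType, string roleKey, System.Web.HttpContextBase context)
        {
            // No principal on the request: treated as anonymous and denied. This runs before
            // the switch, so it applies to every security type, including "none".
            if (context.User == null)
            {
                return false;
            }

            switch (securityType)
            {
            case "role":
                // Either the ResourceBase lookup or the principal's own role list is enough.
                return ResourceBase.IsUserInRole(context.User, roleKey) || context.User.IsInRole(roleKey);

            case "group":
                // Group membership is only available on a RestNetUser identity. When some other
                // identity type (or none) is attached, deny access instead of letting an
                // InvalidCastException escape from an authorization check.
                RestNetUser rUser = context.User.Identity as RestNetUser;
                return rUser != null && rUser.isInRole(roleKey);

            case "none":
                // Role checking is switched off: any request that carries a principal passes,
                // whatever roleKey is.
                return true;

            default:
                throw ErrorHandler.HttpConfigurationError("The RestNetSecurityType setting in web.config contains an unknown value. Valid values are 'role', 'group', or 'none'");
            }
        }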