public static bool AuthenticateTicket() {
// see http://issues.umbraco.org/issue/U4-6342#comment=67-19466 (from http://issues.umbraco.org/issue/U4-6332)
var http = new HttpContextWrapper(HttpContext.Current);
var ticket = http.GetUmbracoAuthTicket();
if (ticket != null)
{
return http.AuthenticateCurrentRequest(ticket, true);
}
return false;
}
protected override void OnPreInit(EventArgs e) {
base.OnPreInit(e);
if (PackageHelpers.UmbracoVersion != "7.2.2") return;
// Handle authentication stuff to counteract bug in Umbraco 7.2.2 (see U4-6342)
HttpContextWrapper http = new HttpContextWrapper(Context);
FormsAuthenticationTicket ticket = http.GetUmbracoAuthTicket();
http.AuthenticateCurrentRequest(ticket, true);
}
/// <summary>
/// Authenticates the request by reading the FormsAuthentication cookie and setting the
/// context and thread principle object
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
static void AuthenticateRequest(object sender, EventArgs e)
{
var app = (HttpApplication) sender;
var http = new HttpContextWrapper(app.Context);
//we need to determine if the path being requested is an umbraco path, if not don't do anything
var settings = UmbracoSettings.GetSettings();
var backOfficeRoutePath = string.Concat(settings.UmbracoPaths.BackOfficePath, "/");
var installerRoutePath = string.Concat("Install", "/");
var routeUrl = "";
var routeData = RouteTable.Routes.GetRouteData(http);
if (routeData != null)
{
var route = routeData.Route as Route;
if (route != null)
{
routeUrl = route.Url;
}
}
if (routeUrl.StartsWith(installerRoutePath, StringComparison.InvariantCultureIgnoreCase) ||
routeUrl.StartsWith(backOfficeRoutePath, StringComparison.InvariantCultureIgnoreCase))
{
if (app.Context.User == null)
{
if (app.User != null)
{
//set the principal object
app.Context.User = app.User;
Thread.CurrentPrincipal = app.User;
}
else
{
var ticket = http.GetUmbracoAuthTicket();
if (ticket != null && !ticket.Expired && http.RenewUmbracoAuthTicket())
{
//create the Umbraco user identity
var identity = new UmbracoBackOfficeIdentity(ticket);
//set the principal object
var principal = new GenericPrincipal(identity, identity.Roles);
app.Context.User = principal;
Thread.CurrentPrincipal = principal;
}
}
}
}
}
/// <summary>
/// Checks if the request is authenticated, if it is it sets the thread culture to the currently logged in user
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
static void AuthenticateRequest(object sender, EventArgs e)
{
var app = (HttpApplication)sender;
var http = new HttpContextWrapper(app.Context);
// do not process if client-side request
if (http.Request.Url.IsClientSideRequest())
return;
if (app.Request.Url.IsBackOfficeRequest() || app.Request.Url.IsInstallerRequest())
{
var ticket = http.GetUmbracoAuthTicket();
if (ticket != null)
{
//create the Umbraco user identity
var identity = ticket.CreateUmbracoIdentity();
if (identity != null)
{
//We'll leave setting custom identies/principals for 6.2, for now we'll just ensure that the cultures, etc.. are set
////set the principal object
////now we need to see if their session is still valid
//var timeout = BasePage.GetTimeout(identity.UserContextId);
//if (timeout > DateTime.Now.Ticks)
//{
//var principal = new GenericPrincipal(identity, identity.Roles);
////It is actually not good enough to set this on the current app Context and the thread, it also needs
//// to be set explicitly on the HttpContext.Current !! This is a strange web api thing that is actually
//// an underlying fault of asp.net not propogating the User correctly.
//if (HttpContext.Current != null)
//{
// HttpContext.Current.User = principal;
//}
//app.Context.User = principal;
//Thread.CurrentPrincipal = principal;
//}
//This is a back office/installer request, we will also set the culture/ui culture
Thread.CurrentThread.CurrentCulture =
Thread.CurrentThread.CurrentUICulture =
new System.Globalization.CultureInfo(identity.Culture);
}
}
}
}
/// <summary>
/// Gets the URL of the file in the upload field with the given property alias on the given TypedEntity at the specific size
/// </summary>
/// <param name="url">The URL.</param>
/// <param name="entity">The entity.</param>
/// <param name="propertyAlias">The property alias.</param>
/// <param name="size">The size (must be a prevalue on the upload property editor).</param>
/// <returns></returns>
public static string GetMediaUrl(this UrlHelper url, TypedEntity entity, string propertyAlias, int size)
{
//TODO: There is a lot of duplication between this and the MediaProxyController (with slight differences). Need to find a way to reuse code.
var appContext = DependencyResolver.Current.GetService<IUmbracoApplicationContext>();
using (var securityUow = appContext.Hive.OpenReader<ISecurityStore>())
{
// Check to see if anonymous view is allowed
var anonymousViewAllowed = !appContext.Security.PublicAccess.IsProtected(entity.Id);
// Get upload property
var prop = propertyAlias.IsNullOrWhiteSpace()
? entity.Attributes.SingleOrDefault(x => x.AttributeDefinition.AttributeType.RenderTypeProvider.InvariantEquals(CorePluginConstants.FileUploadPropertyEditorId))
: entity.Attributes.SingleOrDefault(x => x.AttributeDefinition.Alias == propertyAlias);
if (prop == null || !prop.Values.ContainsKey("MediaId"))
return null; // Couldn't find property so return null
var mediaId = prop.Values["MediaId"].ToString();
var fileId = new HiveId(prop.Values["Value"].ToString());
// Get the file
using (var fileUow = appContext.Hive.OpenReader<IFileStore>(fileId.ToUri()))
{
var file = fileUow.Repositories.Get<File>(fileId);
if (file == null)
return null; // Couldn't find file so return null
// Fetch the thumbnail
if (size > 0)
{
var relation = fileUow.Repositories.GetLazyChildRelations(fileId, FixedRelationTypes.ThumbnailRelationType)
.SingleOrDefault(x => x.MetaData.Single(y => y.Key == "size").Value == size.ToString());
file = (relation != null && relation.Destination != null)
? (File)relation.Destination
: null;
}
if (file == null)
return null; // Couldn't find file so return null
if (anonymousViewAllowed && !file.PublicUrl.StartsWith("~/App_Data/")) // Don't proxy
{
return url.Content(file.PublicUrl);
}
else // Proxy
{
//NOTE: THIS IS TEMPORARY CODE UNTIL MEMBER PERMISSIONS IS DONE
//if (anonymousViewAllowed)
//{
// // If they are anonymous, but media happens to be in app_data folder proxy
// return url.Action("Proxy", "MediaProxy", new { area = "", propertyAlias = prop.AttributeDefinition.Alias, mediaId, size, fileName = file.Name });
//}
//return null;
// Check permissions
//var authAttr = new UmbracoAuthorizeAttribute {AllowAnonymous = true, Permissions = new [] { FixedPermissionIds.View }};
//var authorized = authAttr.IsAuthorized(url.RequestContext.HttpContext, entity.Id);
//if (!authorized)
// return null; // Not authorized so return null
var member = appContext.Security.Members.GetCurrent();
if (member == null || !appContext.Security.PublicAccess.GetPublicAccessStatus(member.Id, entity.Id).CanAccess)
{
// Member can't access, but check to see if logged in identiy is a User, if so, just allow access
var wrapper = new HttpContextWrapper(HttpContext.Current);
var ticket = wrapper.GetUmbracoAuthTicket();
if (ticket == null || ticket.Expired)
{
return null;
}
}
return url.Action("Proxy", "MediaProxy", new { area = "", propertyAlias = prop.AttributeDefinition.Alias, mediaId, size, fileName = file.Name });
}
}
}
}
/// <summary>
/// Authenticates the request by reading the FormsAuthentication cookie and setting the
/// context and thread principle object
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
/// <remarks>
/// We will set the identity, culture, etc... for any request that is:
/// * A back office request
/// * An installer request
/// * A /base request (since these can be back office web service requests)
/// </remarks>
static void AuthenticateRequest(object sender, EventArgs e)
{
var app = (HttpApplication)sender;
var http = new HttpContextWrapper(app.Context);
// do not process if client-side request
if (http.Request.Url.IsClientSideRequest())
return;
var req = new HttpRequestWrapper(app.Request);
if (ShouldAuthenticateRequest(req, UmbracoContext.Current.OriginalRequestUrl))
{
var ticket = http.GetUmbracoAuthTicket();
http.AuthenticateCurrentRequest(ticket, ShouldIgnoreTicketRenew(UmbracoContext.Current.OriginalRequestUrl, http) == false);
}
}