/// <summary>
/// Gets the Guid for the RestController that has the specified Id
/// </summary>
/// <param name="id">The identifier.</param>
/// <returns></returns>
public override Guid?GetGuid(int id)
{
var cacheItem = RestControllerCache.Get(id);
if (cacheItem != null)
{
return(cacheItem.Guid);
}
return(null);
}
/// <summary>
/// Occurs before the action method is invoked.
/// </summary>
/// <param name="actionContext">The action context.</param>
public override void OnActionExecuting(HttpActionContext actionContext)
{
var reflectedHttpActionDescriptor = ( ReflectedHttpActionDescriptor )actionContext.ActionDescriptor;
var controller = actionContext.ActionDescriptor.ControllerDescriptor;
string controllerClassName = controller.ControllerType.FullName;
string actionMethod = actionContext.Request.Method.Method;
var apiId = RestControllerService.GetApiId(reflectedHttpActionDescriptor.MethodInfo, actionMethod, controller.ControllerName);
ISecured item = RestActionCache.Get(apiId);
if (item == null)
{
// if there isn't a RestAction in the database, use the Controller as the secured item
item = RestControllerCache.Get(controllerClassName);
if (item == null)
{
item = new RestController();
}
}
Person person = null;
if (actionContext.Request.Properties.Keys.Contains("Person"))
{
person = actionContext.Request.Properties["Person"] as Person;
}
else
{
var principal = actionContext.Request.GetUserPrincipal();
if (principal != null && principal.Identity != null)
{
using (var rockContext = new RockContext())
{
string userName = principal.Identity.Name;
UserLogin userLogin = null;
if (userName.StartsWith("rckipid="))
{
Rock.Model.PersonService personService = new Model.PersonService(rockContext);
Rock.Model.Person impersonatedPerson = personService.GetByImpersonationToken(userName.Substring(8));
if (impersonatedPerson != null)
{
userLogin = impersonatedPerson.GetImpersonatedUser();
}
}
else
{
var userLoginService = new Rock.Model.UserLoginService(rockContext);
userLogin = userLoginService.GetByUserName(userName);
}
if (userLogin != null)
{
person = userLogin.Person;
actionContext.Request.Properties.Add("Person", person);
/* 12/12/2019 BJW
*
* Setting this current person item was only done in put, post, and patch in the ApiController
* class. Set it here so that it is always set for all methods, including delete. This enhances
* history logging done in the pre and post save model hooks (when the pre-save event is called
* we can access DbContext.GetCurrentPersonAlias and log who deleted the record).
*
* Task: https://app.asana.com/0/1120115219297347/1153140643799337/f
*/
System.Web.HttpContext.Current.AddOrReplaceItem("CurrentPerson", person);
}
}
}
}
string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
Rock.Security.Authorization.VIEW : Rock.Security.Authorization.EDIT;
if (!item.IsAuthorized(action, person))
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
}
/// <summary>
/// Updates any Cache Objects that are associated with this entity
/// </summary>
/// <param name="entityState">State of the entity.</param>
/// <param name="dbContext">The database context.</param>
public void UpdateCache(EntityState entityState, Rock.Data.DbContext dbContext)
{
RestControllerCache.UpdateCachedEntity(this.Id, entityState);
}
/// <summary>
/// Gets the cache object associated with this Entity
/// </summary>
/// <returns></returns>
public IEntityCache GetCacheObject()
{
return(RestControllerCache.Get(this.Id));
}
/// <summary>
/// Occurs before the action method is invoked.
/// </summary>
/// <param name="actionContext">The action context.</param>
public override void OnActionExecuting(HttpActionContext actionContext)
{
var controller = actionContext.ActionDescriptor.ControllerDescriptor;
string controllerClassName = controller.ControllerType.FullName;
string actionMethod = actionContext.Request.Method.Method;
string actionPath = actionContext.Request.GetRouteData().Route.RouteTemplate.Replace("{controller}", controller.ControllerName);
//// find any additional arguments that aren't part of the RouteTemplate that qualified the action method
//// for example: ~/person/search?name={name}&includeHtml={includeHtml}&includeDetails={includeDetails}&includeBusinesses={includeBusinesses}
//// is a different action method than ~/person/search?name={name}
var routeQueryParams = actionContext.ActionArguments.Where(a => !actionPath.Contains("{" + a.Key + "}"));
if (routeQueryParams.Any())
{
var actionPathQueryString = routeQueryParams.Select(a => string.Format("{0}={{{0}}}", a.Key)).ToList().AsDelimited("&");
actionPath += "?" + actionPathQueryString;
}
ISecured item = RestActionCache.Get(actionMethod + actionPath);
if (item == null)
{
item = RestControllerCache.Get(controllerClassName);
if (item == null)
{
item = new RestController();
}
}
Person person = null;
if (actionContext.Request.Properties.Keys.Contains("Person"))
{
person = actionContext.Request.Properties["Person"] as Person;
}
else
{
var principal = actionContext.Request.GetUserPrincipal();
if (principal != null && principal.Identity != null)
{
using (var rockContext = new RockContext())
{
string userName = principal.Identity.Name;
UserLogin userLogin = null;
if (userName.StartsWith("rckipid="))
{
Rock.Model.PersonService personService = new Model.PersonService(rockContext);
Rock.Model.Person impersonatedPerson = personService.GetByImpersonationToken(userName.Substring(8), false, null);
if (impersonatedPerson != null)
{
userLogin = impersonatedPerson.GetImpersonatedUser();
}
}
else
{
var userLoginService = new Rock.Model.UserLoginService(rockContext);
userLogin = userLoginService.GetByUserName(userName);
}
if (userLogin != null)
{
person = userLogin.Person;
actionContext.Request.Properties.Add("Person", person);
}
}
}
}
string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
Rock.Security.Authorization.VIEW : Rock.Security.Authorization.EDIT;
if (!item.IsAuthorized(action, person))
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
}
/// <summary>
/// Occurs before the action method is invoked.
/// </summary>
/// <param name="actionContext">The action context.</param>
public override void OnActionExecuting(HttpActionContext actionContext)
{
var principal = actionContext.Request.GetUserPrincipal();
Person person = null;
if (principal != null && principal.Identity != null)
{
using (var rockContext = new RockContext())
{
string userName = principal.Identity.Name;
UserLogin userLogin = null;
if (userName.StartsWith("rckipid="))
{
var personService = new PersonService(rockContext);
var impersonatedPerson = personService.GetByImpersonationToken(userName.Substring(8));
if (impersonatedPerson != null)
{
userLogin = impersonatedPerson.GetImpersonatedUser();
}
}
else
{
var userLoginService = new UserLoginService(rockContext);
userLogin = userLoginService.GetByUserName(userName);
}
if (userLogin != null)
{
person = userLogin.Person;
var pinAuthentication = AuthenticationContainer.GetComponent(typeof(Security.Authentication.PINAuthentication).FullName);
// Don't allow PIN authentications.
if (userLogin.EntityTypeId != null)
{
var userLoginEntityType = EntityTypeCache.Get(userLogin.EntityTypeId.Value);
if (userLoginEntityType != null && userLoginEntityType.Id == pinAuthentication.EntityType.Id)
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
return;
}
}
}
}
}
var reflectedHttpActionDescriptor = ( ReflectedHttpActionDescriptor )actionContext.ActionDescriptor;
var controller = actionContext.ActionDescriptor.ControllerDescriptor;
var controllerClassName = controller.ControllerType.FullName;
var actionMethod = actionContext.Request.Method.Method;
var apiId = RestControllerService.GetApiId(reflectedHttpActionDescriptor.MethodInfo, actionMethod, controller.ControllerName);
ISecured item = RestActionCache.Get(apiId);
if (item == null)
{
// if there isn't a RestAction in the database, use the Controller as the secured item
item = RestControllerCache.Get(controllerClassName);
if (item == null)
{
item = new RestController();
}
}
if (actionContext.Request.Properties.Keys.Contains("Person"))
{
person = actionContext.Request.Properties["Person"] as Person;
}
else
{
actionContext.Request.Properties.Add("Person", person);
/* 12/12/2019 BJW
*
* Setting this current person item was only done in put, post, and patch in the ApiController
* class. Set it here so that it is always set for all methods, including delete. This enhances
* history logging done in the pre and post save model hooks (when the pre-save event is called
* we can access DbContext.GetCurrentPersonAlias and log who deleted the record).
*
* Task: https://app.asana.com/0/1120115219297347/1153140643799337/f
*/
System.Web.HttpContext.Current.AddOrReplaceItem("CurrentPerson", person);
}
string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
Security.Authorization.VIEW : Security.Authorization.EDIT;
bool authorized = false;
if (item.IsAuthorized(action, person))
{
authorized = true;
}
else if (actionContext.Request.Headers.Contains("X-Rock-App-Id") && actionContext.Request.Headers.Contains("X-Rock-Mobile-Api-Key"))
{
// Normal authorization failed, but this is a Mobile App request so check
// if the application itself has been given permission.
var appId = actionContext.Request.Headers.GetValues("X-Rock-App-Id").First().AsIntegerOrNull();
var mobileApiKey = actionContext.Request.Headers.GetValues("X-Rock-Mobile-Api-Key").First();
if (appId.HasValue)
{
using (var rockContext = new RockContext())
{
var appUser = Mobile.MobileHelper.GetMobileApplicationUser(appId.Value, mobileApiKey, rockContext);
if (appUser != null && item.IsAuthorized(action, appUser.Person))
{
authorized = true;
}
}
}
}
if (!authorized)
{
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
}
