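/// <summary>
/// Overrides the default behaviour to return an instance of ActiveDirectoryUser
/// based on the current user in the context if a UserPart hasn't been created for
/// the active directory user yet.
/// </summary>
/// <returns>The UserPart-backed user for the current identity when one exists, otherwise a new
/// <see cref="ActiveDirectoryUser"/> for the current context; <c>null</c> when there is no current
/// HTTP context (e.g. background or indexing work) and therefore no user to resolve.</returns>
public IUser GetAuthenticatedUser()
{
    // HttpContext.Current is null outside a request pipeline; dereferencing it there throws,
    // so report "no user" instead of failing the caller.
    var httpContext = HttpContext.Current;
    if (httpContext == null || httpContext.User == null || httpContext.User.Identity == null)
    {
        return null;
    }

    // attempts to get the user from the UserPart data store.
    var user = _membershipService.GetUser(httpContext.User.Identity.Name);

    // if the user doesn't exist in the UserPart data store, then the
    // current active directory user is returned instead.
    // NOTE(review): this also happens when the identity is not authenticated (empty Name);
    // callers that treat a non-null result as "authenticated" rely on the host denying
    // anonymous requests — confirm.
    if (user == null)
    {
        user = new ActiveDirectoryUser();
    }
    return user;
}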
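/// <summary>
/// Overrides the default behaviour to return an instance of ActiveDirectoryUser
/// based on the current user in the context if a UserPart hasn't been created for
/// the active directory user yet.
/// </summary>
/// <returns>The UserPart-backed user for the current identity when one exists, otherwise a new
/// <see cref="ActiveDirectoryUser"/> for the current context; <c>null</c> when there is no current
/// HTTP context (e.g. while indexing services run) and therefore no user to resolve.</returns>
public IUser GetAuthenticatedUser()
{
    IUser user = null;

    // Thousands of errors were logged because HttpContext.Current is null while indexing
    // services are running; there is no user to resolve in that case.
    var httpContext = HttpContext.Current;
    if (httpContext != null && httpContext.User != null && httpContext.User.Identity != null)
    {
        // attempts to get the user from the UserPart data store.
        // (Assigned, not re-declared: a nested `var user` would shadow the outer local
        // and does not compile.)
        user = _membershipService.GetUser(httpContext.User.Identity.Name);

        // if the user doesn't exist in the UserPart data store, then the
        // current active directory user is returned instead.
        // NOTE(review): this also happens when the identity is not authenticated (empty Name);
        // callers that treat a non-null result as "authenticated" rely on the host denying
        // anonymous requests — confirm.
        if (user == null)
        {
            user = new ActiveDirectoryUser();
        }
    }
    return user;
}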
/// <summary>
/// Authorizes the active directory user of the current context for <paramref name="permission"/>
/// on <paramref name="content"/>, raising an error notification when access is denied and a
/// message was supplied.
/// </summary>
/// <param name="permission">Permission being requested.</param>
/// <param name="content">Content item the permission applies to; passed through to the check.</param>
/// <param name="message">Prefix for the error notification; no notification is raised when null.</param>
/// <returns><c>true</c> when access is granted, otherwise <c>false</c>.</returns>
public bool Authorize(Permission permission, IContent content, LocalizedString message)
{
    // The principal being checked is always the active directory user of the current context.
    var activeDirectoryUser = new ActiveDirectoryUser();

    // Access is decided by the roles of the active directory user and the permissions
    // those roles carry.
    var granted = _authorizationService.TryCheckAccess(permission, activeDirectoryUser, content);
    if (!granted)
    {
        if (message != null)
        {
            _notifier.Error(T("{0}. Current user, {2}, does not have {1} permission.", message, permission.Name, activeDirectoryUser.UserName));
        }
        return false;
    }

    // Provision the matching Orchard user on the first successful check.
    // _attemptedToSaveUser is not updated here; it is expected to be maintained elsewhere
    // in the class — confirm.
    if (!_attemptedToSaveUser)
    {
        CreateUserForActiveDirectoryUserIfNotExists(activeDirectoryUser);
    }
    return true;
}
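/// <summary>
/// Makes an attempt to communicate with LDAP to retrieve the email
/// of the active directory user.
/// </summary>
/// <param name="activeDirectoryUser">Currently logged in active directory user.</param>
/// <returns>Lower-cased email address of the active directory user if a connection can be
/// made to LDAP and the principal has one, otherwise an empty string.</returns>
private string GetEmail(ActiveDirectoryUser activeDirectoryUser)
{
    var email = "";
    if (activeDirectoryUser == null || String.IsNullOrEmpty(activeDirectoryUser.UserName))
    {
        return email;
    }

    // The user name is expected in DOMAIN\user form; the domain part selects the directory to query.
    var domainAndUserName = activeDirectoryUser.UserName.Split('\\');
    if (domainAndUserName.Length != 2)
    {
        return email;
    }

    try
    {
        // PrincipalContext and UserPrincipal both hold directory connections and must be disposed;
        // the original leaked them on every call.
        using (var ctx = new PrincipalContext(ContextType.Domain, domainAndUserName[0]))
        using (var up = UserPrincipal.FindByIdentity(ctx, activeDirectoryUser.UserName))
        {
            if (up != null && up.EmailAddress != null)
            {
                email = up.EmailAddress.ToLowerInvariant();
            }
        }
    }
    catch (Exception)
    {
        // Best effort by contract: an unreachable directory or a rejected query yields an
        // empty email rather than failing user provisioning. Swallowed deliberately; log the
        // failure here if a logger is available so directory outages stay visible.
    }
    return email;
}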
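/// <summary>
/// Does a check to see if there is an Orchard user that represents the active directory user.
/// If there isn't then one is created with the username from the active directory user.
/// </summary>
/// <param name="activeDirectoryUser">Currently logged in active directory user.</param>
/// <returns>Returns the user that was created, or if one wasn't created then the
/// UserPart that is already in the database is returned; <c>null</c> when no active directory
/// user was supplied.</returns>
private IUser CreateUserForActiveDirectoryUserIfNotExists(ActiveDirectoryUser activeDirectoryUser)
{
    if (activeDirectoryUser == null)
    {
        return null;
    }

    var user = GetUser(activeDirectoryUser.UserName);
    if (user == null && !String.IsNullOrEmpty(activeDirectoryUser.UserName))
    {
        // The account is authenticated by the directory, never by the Orchard password, so the
        // stored password must be unguessable: the fixed literal used before would have made every
        // provisioned account reachable through any password-based sign-in path left enabled.
        var createUserParams = new CreateUserParams(
            activeDirectoryUser.UserName,
            GenerateUnguessablePassword(),
            GetEmail(activeDirectoryUser),
            String.Empty,
            String.Empty,
            true);
        user = CreateUser(createUserParams);
        CreateUserRoles(user, activeDirectoryUser.Roles);
    }
    return user;
}

/// <summary>
/// Produces a random, high-entropy password for directory-backed accounts that are never
/// expected to sign in with it.
/// </summary>
/// <returns>The base64 encoding of 32 cryptographically random bytes.</returns>
private static string GenerateUnguessablePassword()
{
    var bytes = new byte[32];
    // Fully qualified so no new using directive is required in this file.
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(bytes);
    }
    return Convert.ToBase64String(bytes);
}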
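/// <summary>
/// Checks whether the active directory user of the current context holds <paramref name="permission"/>
/// on <paramref name="content"/>: super user short-circuit, then a role/permission lookup, with up to
/// three rounds of event-handler adjustment. Differs from the core implementation in where the user's
/// roles come from (see <see cref="GetRolesForUser"/>).
/// </summary>
/// <param name="permission">Permission being requested.</param>
/// <param name="user">Ignored: the check is always made for a new <see cref="ActiveDirectoryUser"/>
/// built from the current context. NOTE(review): a caller asking about a different principal
/// therefore gets an answer about the current user — confirm this is intended at every call site.</param>
/// <param name="content">Content item the permission applies to; passed through to the check context.</param>
/// <returns><c>true</c> when access is granted, otherwise <c>false</c>.</returns>
public bool TryCheckAccess(Permission permission, IUser user, IContent content)
{
    user = new ActiveDirectoryUser();
    var context = new CheckAccessContext { Permission = permission, User = user, Content = content };
    _authorizationServiceEventHandler.Checking(context);

    // Handlers may adjust the context after each evaluation; the number of rounds is bounded.
    for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter)
    {
        if (!context.Granted && context.User != null)
        {
            // The site's configured super user is granted everything (exact, case-sensitive match).
            var superUser = _workContextAccessor.GetContext().CurrentSite.SuperUser;
            if (!String.IsNullOrEmpty(superUser) && String.Equals(context.User.UserName, superUser, StringComparison.Ordinal))
            {
                context.Granted = true;
            }
        }

        if (!context.Granted)
        {
            // determine which set of permissions would satisfy the access check
            var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray();

            // determine what set of roles should be examined by the access check
            IEnumerable<string> rolesToExamine;
            if (context.User == null)
            {
                rolesToExamine = AnonymousRole;
            }
            else
            {
                rolesToExamine = GetRolesForUser(context.User);

                // when it is a simulated anonymous user in the admin
                if (!rolesToExamine.Contains(AnonymousRole[0]))
                {
                    rolesToExamine = rolesToExamine.Concat(AuthenticatedRole);
                }
            }

            // Granted as soon as any examined role possesses any of the granting permission names.
            foreach (var role in rolesToExamine)
            {
                foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role))
                {
                    var possessedName = permissionName;
                    if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase)))
                    {
                        context.Granted = true;
                        break;
                    }
                }
                if (context.Granted)
                {
                    break;
                }
            }
        }

        context.Adjusted = false;
        _authorizationServiceEventHandler.Adjust(context);
        if (!context.Adjusted)
        {
            break;
        }
    }

    _authorizationServiceEventHandler.Complete(context);
    return context.Granted;
}

/// <summary>
/// Collects the roles to examine for a non-null user: the roles carried by the user object itself
/// (ActiveDirectoryUser implements IUserRoles instead of carrying a UserRolesPart) unioned with the
/// roles of the matching UserPart in the database, when one exists, so that role management outside
/// the directory still applies.
/// </summary>
/// <param name="user">The user whose roles are being examined; never null.</param>
/// <returns>The role names to examine; empty when the user carries no roles at all.</returns>
private IEnumerable<string> GetRolesForUser(IUser user)
{
    // A user that carries no role list (or one that an adjusting handler replaced with a type that
    // does not implement IUserRoles) is examined with no directory roles instead of throwing.
    var userRoles = user as IUserRoles;
    IEnumerable<string> roles = userRoles != null && userRoles.Roles != null
        ? userRoles.Roles
        : Enumerable.Empty<string>();

    if (!string.IsNullOrWhiteSpace(user.UserName))
    {
        // Retrieve the UserPart record for the user from the DB (if there is one).
        // The comparison value is computed once, outside the query expression.
        var normalizedUserName = user.UserName.ToLowerInvariant();
        var dbUser = _contentManager.Query<UserPart, UserPartRecord>()
            .Where(x => x.NormalizedUserName == normalizedUserName)
            .List()
            .FirstOrDefault();
        var dbUserRoles = dbUser != null ? dbUser.As<IUserRoles>() : null;
        if (dbUserRoles != null && dbUserRoles.Roles != null)
        {
            roles = roles.Union(dbUserRoles.Roles);
        }
    }
    return roles;
}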
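/// <summary>
/// Checks whether the active directory user of the current context holds <paramref name="permission"/>
/// on <paramref name="content"/>: super user short-circuit, then a role/permission lookup, with up to
/// three rounds of event-handler adjustment. Differs from the core implementation in where the user's
/// roles come from: ActiveDirectoryUser implements IUserRoles instead of carrying a UserRolesPart.
/// </summary>
/// <param name="permission">Permission being requested.</param>
/// <param name="user">Ignored: the check is always made for a new <see cref="ActiveDirectoryUser"/>
/// built from the current context. NOTE(review): a caller asking about a different principal
/// therefore gets an answer about the current user — confirm this is intended at every call site.</param>
/// <param name="content">Content item the permission applies to; passed through to the check context.</param>
/// <returns><c>true</c> when access is granted, otherwise <c>false</c>.</returns>
public bool TryCheckAccess(Permission permission, IUser user, IContent content)
{
    user = new ActiveDirectoryUser();
    var context = new CheckAccessContext { Permission = permission, User = user, Content = content };
    _authorizationServiceEventHandler.Checking(context);

    // Handlers may adjust the context after each evaluation; the number of rounds is bounded.
    for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter)
    {
        if (!context.Granted && context.User != null)
        {
            // The site's configured super user is granted everything (exact, case-sensitive match).
            var superUser = _workContextAccessor.GetContext().CurrentSite.SuperUser;
            if (!String.IsNullOrEmpty(superUser) && String.Equals(context.User.UserName, superUser, StringComparison.Ordinal))
            {
                context.Granted = true;
            }
        }

        if (!context.Granted)
        {
            // determine which set of permissions would satisfy the access check
            var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray();

            // determine what set of roles should be examined by the access check
            IEnumerable<string> rolesToExamine;
            if (context.User == null)
            {
                rolesToExamine = AnonymousRole;
            }
            else
            {
                // The current user is not null, so take the roles it carries and add "Authenticated".
                // A user without a role list (or one that an adjusting handler replaced with a type that
                // does not implement IUserRoles) is examined with no directory roles instead of throwing.
                var userRoles = context.User as IUserRoles;
                rolesToExamine = userRoles != null && userRoles.Roles != null
                    ? userRoles.Roles
                    : Enumerable.Empty<string>();

                // when it is a simulated anonymous user in the admin
                if (!rolesToExamine.Contains(AnonymousRole[0]))
                {
                    rolesToExamine = rolesToExamine.Concat(AuthenticatedRole);
                }
            }

            // Granted as soon as any examined role possesses any of the granting permission names.
            foreach (var role in rolesToExamine)
            {
                foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role))
                {
                    var possessedName = permissionName;
                    if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase)))
                    {
                        context.Granted = true;
                        break;
                    }
                }
                if (context.Granted)
                {
                    break;
                }
            }
        }

        context.Adjusted = false;
        _authorizationServiceEventHandler.Adjust(context);
        if (!context.Adjusted)
        {
            break;
        }
    }

    _authorizationServiceEventHandler.Complete(context);
    return context.Granted;
}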