// GET: Error/ReLogin
/// <summary>
/// Shows the re-login page for the user that is currently logged in, pre-filling the
/// username. When nobody is logged in, the request is redirected to the Account/Login
/// action in the root area for the current institution instead.
/// </summary>
/// <returns>
/// The re-login view (named by <c>ReLoginViewName</c>) bound to a <c>ReLoginModel</c>,
/// or a redirect to the login action.
/// </returns>
public virtual ActionResult ReLogin()
{
    var loggedInUser = WebUtilities.GetCurrentlyLoggedInUser();
    if (loggedInUser != null)
    {
        // Only the username is exposed to the view; the user must re-enter credentials.
        var model = new ReLoginModel { Username = loggedInUser.UserName };
        return View(ReLoginViewName, model);
    }

    // No session user: send to the login page of the current institution (root area).
    var loginRoute = new { area = "", institution = WebUtilities.InstitutionCode };
    return RedirectToAction("Login", "Account", loginRoute);
}
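/// <summary>
/// Authorizes the current request in four steps: actions or controllers marked
/// <see cref="AllowAnonymousAttribute"/> pass straight through; requests without a
/// logged-in session user (or with a brand-new session) are logged out and redirected to
/// the login page; requests for the default institution (<c>Utilities.INST_DEFAULT_CODE</c>)
/// may only reach actions marked <see cref="AllowAccessToParentAttribute"/>; finally the
/// "action-controller-area" privilege (or one of the alias action names declared with
/// <see cref="ValidateUsingPrivilegeForActionAttribute"/>) must be present in the logged-in
/// user's privilege dictionary, otherwise the DenyAccess error page is returned.
/// </summary>
/// <param name="filterContext">The MVC authorization context for the current request.</param>
/// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
public override void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
    {
        throw new ArgumentNullException(nameof(filterContext));
    }

    // NOTE(review): base.OnAuthorization is never invoked here. If the base type is
    // AuthorizeAttribute, its output-cache validation callback is skipped, so an authorized
    // response could be served from the output cache to a later caller — confirm that no
    // action guarded by this filter is output-cached.

    var actionDescriptor = filterContext.ActionDescriptor;

    #region Check whether it's an anonymous action
    if (actionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
        || actionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true))
    {
        //Allow Anonymous
        return;
    }
    #endregion

    var values = filterContext.RouteData.Values;
    var instCode = Convert.ToString(values["institution"]);

    // If user is not logged in (authenticated) yet, force a login. A new session is treated
    // the same way because the privilege dictionary is session-backed.
    var identityUser = WebUtilities.GetCurrentlyLoggedInUser(filterContext.HttpContext.Session);
    //if (!filterContext.HttpContext.Request.IsAuthenticated)
    if (identityUser == null || filterContext.HttpContext.Session?.IsNewSession == true)
    {
        // It's not anonymous, so force user to login
        WebUtilities.LogOut();
        filterContext.Result = MvcUtility.GetLoginPageResult(instCode);
        return;
    }

    var area = values["area"];
    var controllerName = actionDescriptor.ControllerDescriptor.ControllerName;
    var privilegeName = BuildPrivilegeName(actionDescriptor.ActionName, controllerName, area);

    if (Utilities.INST_DEFAULT_CODE.Equals(instCode, StringComparison.OrdinalIgnoreCase))
    {
        #region Check whether to allow Core access the action
        if (!actionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAccessToParentAttribute), true)
            && !actionDescriptor.IsDefined(typeof(AllowAccessToParentAttribute), true))
        {
            // bounce
            filterContext.Result = MvcUtility.GetPageResult("TenantsOnlyAllowed", "Error", "", instCode,
                new Dictionary<string, object> { { "actionAttempted", filterContext.HttpContext.Request.Url.AbsoluteUri } });
            return;
        }
        #endregion
    }

    // At this point, we have established that we have a logged-in user. So...
    #region Authorize at Privilege level
    var userPrivList = WebUtilities.LoggedInUsersPrivilegesDict;
    //This should never be true under normal circumstances, 'cos a properly logged-in user
    // should have at least one user privilege
    if (userPrivList == null)
    {
        WebUtilities.LogOut();
        filterContext.Result = MvcUtility.GetLoginPageResult(instCode);
        return;
    }

    // OK. So the user has some privileges. So...
    if (!userPrivList.ContainsKey(privilegeName))
    {
        //The generalized case of the above 'GetData' trick: the action may declare alias
        // action names whose privilege (for the same controller and area) also grants access.
        var point = actionDescriptor.GetCustomAttributes(typeof(ValidateUsingPrivilegeForActionAttribute), true)
            .Cast<ValidateUsingPrivilegeForActionAttribute>().FirstOrDefault();
        // A null ActionNames list previously threw a NullReferenceException; treat it as "no aliases".
        if (point != null && point.ActionNames != null)
        {
            foreach (var actionName in point.ActionNames)
            {
                if (userPrivList.ContainsKey(BuildPrivilegeName(actionName, controllerName, area)))
                {
                    return;
                }
            }
        }

        filterContext.Result = MvcUtility.GetPageResult("DenyAccess", "Error", "", instCode,
            new Dictionary<string, object> { { "actionAttempted", privilegeName } });
        return;
    }
    #endregion
    // If we get to this point, then the user is authorized to access this action
}

/// <summary>
/// Builds the privilege key "action-controller-area" that <see cref="OnAuthorization"/>
/// looks up in the logged-in user's privilege dictionary. Uses string.Format so that a null
/// <paramref name="area"/> (no area in the route) yields a trailing hyphen, exactly as before.
/// </summary>
/// <param name="actionName">The action name (or an alias action name).</param>
/// <param name="controllerName">The controller name from the controller descriptor.</param>
/// <param name="area">The "area" route value; may be null.</param>
/// <returns>The composed privilege key.</returns>
private static string BuildPrivilegeName(object actionName, string controllerName, object area)
{
    return string.Format("{0}-{1}-{2}", actionName, controllerName, area);
}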