OrganizationDatabase IOrganizationApiController <TDbContext> .GetOrganizationDatabase(string dbIdentifier) => OrganizationContextActionFilterAttribute.GetOrganisationDatabase(HttpContext, string.IsNullOrWhiteSpace(dbIdentifier) ? DbIdentifier : dbIdentifier);
/// <summary> /// Resets organization context forcing the api to refresh it for the subsequent calls /// </summary> /// <param name="orgId"></param> protected void ResetOrganizationContext(Guid orgId) => OrganizationContextActionFilterAttribute.ResetOrganizationContext(orgId);
/// <summary> /// Organization database object from GetOrganizationDatabasesbActionFilterAttribute action filter /// </summary> protected OrganizationDatabase GetOrganizationDatabase(string dbIdentifier = null) => OrganizationContextActionFilterAttribute.GetOrganisationDatabase(HttpContext, string.IsNullOrWhiteSpace(dbIdentifier) ? DbIdentifier : dbIdentifier);
/// <summary>
/// Whether or now the action is allowed via user config
/// </summary>
/// <param name="actionContext"></param>
/// <param name="failureReason"></param>
/// <returns></returns>
protected static bool AllowViaUserConfig(ActionExecutingContext actionContext, out string failureReason)
{
failureReason = null;
var userCfg = GetUserConfiguration(actionContext);
if (userCfg == null)
{
return(false);
}
//Note:
//possible improvement - work out a way of caching output of this method.
//the problem though is the very same userCfg may be valid for some requests but invalid for some others
//all depends on context
//maybe a combination of url, referrer & authorization header attribute???
//though with not full url, but rather a path with no attributes, so can efficiently use cache with
//apis such as search api - tons of requests in order to get the suggestions
//if access is via token make sure to check referrers
if (userCfg.IsToken && !userCfg.Token.CanIgnoreReferrer)
{
var referrer = actionContext.HttpContext.ExtractReferrerHeader();
if (referrer == null)
{
//cannot ignore referrer, need to fail!
failureReason = $"Token '{userCfg.Token.Uuid}' requires a referrer but it has not been provided";
return(false);
}
if (userCfg.Token.Referrers == null || !userCfg.Token.Referrers.Contains(referrer.Host))
{
failureReason = $"Token '{userCfg.Token.Uuid}' requires a referrer but the actual one {referrer.Host} is not allowed. ";
#if DEBUG
failureReason +=
$"Allowed referers for this token are: {string.Join(", ", userCfg?.Token?.Referrers?.ToArray() ?? new[] { "referrers not defined" })}";
#endif
return(false);
}
}
//org uuid if any - in such case access is via org api: organizations/orgUuid/controller
Organization org = null;
if (CheckAttributePresence <OrganizationContextActionFilterAttribute>(actionContext))
{
//this throws when org uuid is not known, but since the controller is tagged with the org ctx attribute
//this should not be the case because a non-guid route would not let the request through
var orgId = OrganizationContextActionFilterAttribute.GetOrganizationId(actionContext.HttpContext);
//check the org to work out the context for
org = userCfg.Orgs.FirstOrDefault(o => o.Uuid == orgId);
//if org does not exist in the collection then neither user nor token grants the access to it
if (org == null)
{
failureReason = $"Token / User does not have access to organization '{orgId}'.";
return(false);
}
}
//if org is not null, then this is an 'organization' controller - the access should be checked for this very org
//otherwise the api does not know about the organization context and therefore needs to check if any of the orgs
//have access to the apps served by this controller.
var appNames = GetAppNames();
var orgs = org != null ? new[] { org } : (userCfg.Orgs?.ToArray() ?? new Organization[0]);
//if any app withn an org(s) is the app representing this api, then can use it
var ok = orgs.Any(o => o?.Applications?.Any(a => appNames.Contains(a.ShortName)) ?? false);
if (!ok)
{
failureReason = $"Org(s): '{string.Join(",", orgs.AsEnumerable().Select(o=>o.Slug))}' have no access to the '{string.Join(", ", appNames)}' app(s) granted.";
}
return(ok);
}
