/// <summary>
/// Builds the principal assigned to requests that carry no usable authentication:
/// a <see cref="GenericIdentity"/> with an empty name and an empty role array.
/// </summary>
/// <returns>A fresh <see cref="ClubPoolPrincipal"/> with no identity name and no roles.</returns>
public static ClubPoolPrincipal CreateUnauthorizedPrincipal()
{
    var anonymous = new ClubPoolPrincipal
    {
        Identity = new GenericIdentity(""),
        roles = new string[0]
    };
    return anonymous;
}
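/// <summary>
/// Replaces <c>HttpContext.User</c> for the current request with the application's own
/// <see cref="ClubPoolPrincipal"/>, so that <c>IPrincipal.IsInRole</c> (and therefore the
/// Authorize attribute) is answered from the application's role data rather than by the
/// default ASP.NET principal. Any request without a valid, unexpired forms-authentication
/// ticket that maps to an existing user gets the unauthorized principal instead.
/// </summary>
/// <param name="sender">Event source; unused.</param>
/// <param name="e">Event data; unused.</param>
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Extract the forms authentication cookie
    string cookieName = FormsAuthentication.FormsCookieName;
    HttpCookie authCookie = Context.Request.Cookies[cookieName];
    if (authCookie == null)
    {
        // There is no authentication cookie.
        SetUnauthorizedPrincipal();
        return;
    }

    FormsAuthenticationTicket authTicket = null;
    try
    {
        authTicket = FormsAuthentication.Decrypt(authCookie.Value);
    }
    catch (Exception)
    {
        // A cookie that cannot be decrypted (malformed, tampered with, or protected by a
        // machine key that has since changed) means "not authenticated", not a server error.
        SetUnauthorizedPrincipal();
        return;
    }

    if (authTicket == null || authTicket.Expired)
    {
        // Cookie failed to decrypt, or the ticket's own expiry has passed.
        SetUnauthorizedPrincipal();
        return;
    }

    // Create an Identity object
    FormsIdentity identity = new FormsIdentity(authTicket);

    // Resolve the ticket's user name against the user store. SingleOrDefault rather than
    // Single: a ticket issued before the account was deleted or renamed must fall back to
    // the unauthorized principal instead of faulting the whole request.
    var repository = DependencyResolver.Current.GetService<IRepository>();
    var user = repository.All<User>().SingleOrDefault(u => u.Username.Equals(identity.Name));
    if (user == null)
    {
        SetUnauthorizedPrincipal();
        return;
    }
    // NOTE(review): a ticket issued before the account was locked or un-approved still
    // authenticates here; whether IsLocked/IsApproved should also be checked at this point
    // is a policy decision to confirm.

    // This principal will flow throughout the request.
    ClubPoolPrincipal principal = new ClubPoolPrincipal(user, identity);

    // Attach the new principal object to the current HttpContext object
    Context.User = principal;
}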
/// <summary>
/// Builds the <see cref="EditViewModel"/> for <paramref name="user"/>, exposing only the
/// sections (status, roles, password) that <paramref name="currentPrincipal"/> is permitted
/// to edit. The list of selectable roles is loaded only when roles are editable.
/// </summary>
/// <param name="user">The user being edited.</param>
/// <param name="currentPrincipal">The principal performing the edit.</param>
/// <returns>A populated edit view model.</returns>
private EditViewModel BuildEditViewModel(User user, ClubPoolPrincipal currentPrincipal)
{
    var canEditStatus = CanEditUserStatus(currentPrincipal, user);
    var canEditRoles = CanEditUserRoles(currentPrincipal, user);

    var model = new EditViewModel
    {
        Id = user.Id,
        FirstName = user.FirstName,
        LastName = user.LastName,
        Email = user.Email,
        IsApproved = user.IsApproved,
        IsLocked = user.IsLocked,
        Username = user.Username,
        Version = user.EncodedVersion,
        Roles = user.Roles.Select(r => r.Id).ToArray(),
        ShowStatus = canEditStatus,
        ShowRoles = canEditRoles
    };

    if (canEditRoles)
    {
        // Only an editor who may change roles needs the full role list.
        model.AvailableRoles = repository.All<Role>()
            .Select(r => new RoleViewModel { Id = r.Id, Name = r.Name })
            .ToList();
    }

    model.ShowPassword = CanEditUserPassword(currentPrincipal, user);
    return model;
}
/// <summary>
/// Whether <paramref name="principal"/> may change the status of <paramref name="user"/>:
/// administrators may for any user; officers may for any user who is neither an
/// administrator nor themselves; everyone else may not.
/// </summary>
/// <param name="principal">The principal performing the edit.</param>
/// <param name="user">The user whose status would be changed.</param>
/// <returns><c>true</c> when the edit is permitted.</returns>
protected bool CanEditUserStatus(ClubPoolPrincipal principal, User user)
{
    if (principal.IsInRole(Roles.Administrators))
    {
        // Administrators may edit every user's status, their own included.
        return true;
    }

    if (!principal.IsInRole(Roles.Officers))
    {
        // Neither administrator nor officer: no status editing at all.
        return false;
    }

    // Officer: permitted unless the target is the officer themselves or an administrator.
    var targetIsSelf = user.Id == principal.UserId;
    var targetIsAdmin = user.Roles.Any(r => r.Name.Equals(Roles.Administrators));
    return !targetIsSelf && !targetIsAdmin;
}
/// <summary>
/// Whether <paramref name="principal"/> may change the roles of <paramref name="user"/>.
/// Only administrators may; the target user is irrelevant to the decision.
/// </summary>
/// <param name="principal">The principal performing the edit.</param>
/// <param name="user">The user whose roles would be changed (not consulted).</param>
/// <returns><c>true</c> when the principal is an administrator.</returns>
protected bool CanEditUserRoles(ClubPoolPrincipal principal, User user)
    => principal.IsInRole(Roles.Administrators);
/// <summary>
/// Whether <paramref name="principal"/> may change the password of <paramref name="user"/>:
/// administrators may for anyone, and every user may for their own account.
/// </summary>
/// <param name="principal">The principal performing the edit.</param>
/// <param name="user">The user whose password would be changed.</param>
/// <returns><c>true</c> when the edit is permitted.</returns>
protected bool CanEditUserPassword(ClubPoolPrincipal principal, User user)
{
    var isAdmin = principal.IsInRole(Roles.Administrators);
    var isOwnAccount = principal.UserId == user.Id;
    return isAdmin || isOwnAccount;
}
/// <summary>
/// Whether <paramref name="principal"/> may edit the basic properties of
/// <paramref name="user"/>: administrators and officers may for any user, and every
/// user may for their own account.
/// </summary>
/// <param name="principal">The principal performing the edit.</param>
/// <param name="user">The user being edited.</param>
/// <returns><c>true</c> when the edit is permitted.</returns>
protected bool CanEditUser(ClubPoolPrincipal principal, User user)
{
    // Both role checks are evaluated unconditionally, as in the original, before the decision.
    var isAdmin = principal.IsInRole(Roles.Administrators);
    var isOfficer = principal.IsInRole(Roles.Officers);
    var isOwnAccount = principal.UserId == user.Id;
    return isAdmin || isOfficer || isOwnAccount;
}