        /// <summary>
        /// Renders the Unauthorized view carrying the supplied explanatory message.
        /// </summary>
        /// <param name="resource">The resource the caller was denied; only referenced by the commented-out warning log below.</param>
        /// <param name="message">Text shown to the user on the Unauthorized page.</param>
        /// <returns>The result of <c>View(...)</c> for the Unauthorized view model.</returns>
        public ActionResult UnAuthorized(string resource, string message)
        {
            //Logger.Log.Warn("Unauthorized attempt to access " + resource + " by " + User.Identity.Name);
            UnauthorizedViewModel model = new UnauthorizedViewModel();
            model.Message = message;
            //model.CurrentUser = IsValidatedSession() ? GetSession().CurrentUser : null;

            return View(model);
        }
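        /// <summary>
        /// Check the role authorization for the current request.
        /// </summary>
        /// <remarks>
        /// Outcome, in order:
        /// (1) no session, anonymous request or a non-forms identity: redirect to the login page;
        /// (2) a brand-new session for a non-persistent ticket while the browser still sends an
        ///     ASP.NET_SessionId cookie: the server-side session expired, redirect with a timeout message;
        /// (3) otherwise resolve the <see cref="Person"/> (reused from session, or reloaded from the forms
        ///     identity), refresh its TRIPS roles, and either render the Unauthorized view or register the
        ///     output-cache validation callback so the protected page is never served from cache to someone else.
        /// A new session whose request carries no session cookie (e.g. the first request after login)
        /// now goes through (3); previously it fell through without any role check at all.
        /// </remarks>
        /// <param name="filterContext">The MVC authorization context; supplies the HttpContext and receives the Result.</param>
        /// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
        public virtual void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException("filterContext");
            }

            // Use the context handed to the filter rather than HttpContext.Current: it is the same
            // request object the rest of MVC sees and it keeps the filter testable.
            HttpContextBase ctx = filterContext.HttpContext;
            FormsIdentity id = ctx.User != null ? ctx.User.Identity as FormsIdentity : null;

            if (ctx.Session == null || id == null || !id.IsAuthenticated)
            {
                //Null session, anonymous request, or not a forms identity
                filterContext.Result = RedirectToLogin(ctx, "You must login before accessing that page.");
                return;
            }

            FormsAuthenticationTicket ticket = id.Ticket;

            // from:  http://www.tyronedavisjr.com/index.php/2008/11/23/detecting-session-timeouts-using-a-aspnet-mvc-action-filter/
            // If ASP.NET says this is a new session but the browser still sent a session cookie, the
            // server-side session must have timed out. The raw header is inspected on purpose:
            // Request.Cookies would also show the cookie this very response is about to issue.
            if (ctx.Session.IsNewSession && !ticket.IsPersistent && HasSessionCookie(ctx))
            {
                filterContext.Result = RedirectToLogin(ctx, "Session Timed Out");
                return;
            }

            //an existing session (or a fresh one with nothing cached yet)...
            ApplicationState appState = this.GetSession(ctx);
            Person user = appState.CurrentUser;

            // A persistent ("remember me") ticket always reloads the user from the identity; a
            // session-scoped ticket reuses the cached Person unless it is missing or has no user name.
            if (ticket.IsPersistent || user == null || String.IsNullOrEmpty(user.profile.UserName))
            {
                user = LoadPerson(id.Name);
                appState.CurrentUser = user;
            }

            // Roles are re-read on every request so a role change takes effect without re-login.
            user.profile.Roles["TripsRoleProvider"] = ProfileService.GetRolesForUser(user.profile.UserName, Common.Services.MemberShipServiceSupport.RoleProviderType.TRIPS);

            //user.LoadRoles(HttpContext.Current.User);

            if (user.SponsorsProject())
            {
                user.AddRole("Sponsor");
            }

            //Check if user is in the authorized roles
            if (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole))
            {
                //User not in role - unauthorized access attempt (or we messed up and exposed a link to the wrong class of user)
                UnauthorizedViewModel model = new UnauthorizedViewModel();

                //model.CurrentUser = user;
                // NOTE(review): the message promises that the attempt has been logged, but the logger call
                // below is still commented out, so no record is written for this denial.
                model.Message = Roles + " The resource you attempted to access is restricted. This access attempt has been logged.";
                ViewDataDictionary viewData = new ViewDataDictionary(model);
                filterContext.Result = new ViewResult { ViewName = "~/Views/Error/Unauthorized.aspx", ViewData = viewData };
                //If the controller is not null, use it's logger!
                //DRCOG.Web.Controllers.ControllerBase ctl = filterContext.Controller as DRCOG.Web.Controllers.ControllerBase;
                //ctl.Logger.Log.Warn("Unauthorized attempt to access " + filterContext.HttpContext.Request.RawUrl + " by " + user.Login);
                return;
            }

            //User is in the role... let'er rip
            // ** IMPORTANT ** (Note from the Microsoft AuthorizeAttribute source code
            // Since we're performing authorization at the action level, the authorization code runs
            // after the output caching module. In the worst case this could allow an authorized user
            // to cause the page to be cached, then an unauthorized user would later be served the
            // cached page. We work around this by telling proxies not to cache the sensitive page,
            // then we hook our custom authorization code into the caching mechanism so that we have
            // the final say on whether a page should be served from the cache.
            HttpCachePolicyBase cachePolicy = ctx.Response.Cache;
            cachePolicy.SetProxyMaxAge(new TimeSpan(0));
            cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
        }

        /// <summary>
        /// Builds the redirect to the Login controller's index action, carrying a message and the URL that was requested.
        /// </summary>
        /// <param name="ctx">The current request context; its RawUrl becomes the ReturnUrl route value.</param>
        /// <param name="message">The message route value shown by the login page.</param>
        private static RedirectToRouteResult RedirectToLogin(HttpContextBase ctx, string message)
        {
            return new RedirectToRouteResult(
                new RouteValueDictionary {
                    { "message", message },
                    { "controller", "Login" },
                    { "action", "index" },
                    { "ReturnUrl", ctx.Request.RawUrl }
                });
        }

        /// <summary>
        /// True when the raw Cookie header names an ASP.NET session cookie.
        /// </summary>
        /// <param name="ctx">The current request context.</param>
        private static bool HasSessionCookie(HttpContextBase ctx)
        {
            string cookieHeader = ctx.Request.Headers["Cookie"];
            // Ordinal: the cookie name is a protocol token, not linguistic text.
            return cookieHeader != null && cookieHeader.IndexOf("ASP.NET_SessionId", StringComparison.Ordinal) >= 0;
        }

        /// <summary>
        /// Loads the <see cref="Person"/> for an authenticated login name and attaches its DRCOG membership profile.
        /// </summary>
        /// <param name="loginName">The forms-authentication identity name.</param>
        private Person LoadPerson(string loginName)
        {
            Person user = new Person(loginName);
            user.Load();
            user.profile = ProfileService.GetUserProfile(user.profile.UserName, Common.Services.MemberShipServiceSupport.MembershipProviderType.DRCOG);
            return user;
        }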