/// <summary> /// Determines whether node is accessible to user. /// </summary> /// <param name="controllerTypeResolver">The controller type resolver.</param> /// <param name="provider">The provider.</param> /// <param name="context">The context.</param> /// <param name="node">The node.</param> /// <returns> /// <c>true</c> if accessible to user; otherwise, <c>false</c>. /// </returns> public virtual bool IsAccessibleToUser(IControllerTypeResolver controllerTypeResolver, DefaultSiteMapProvider provider, HttpContext context, SiteMapNode node) { // Is security trimming enabled? if (!provider.SecurityTrimmingEnabled) { return true; } // Use child modules bool result = true; foreach (var module in ChildModules) { try { result &= module.IsAccessibleToUser(controllerTypeResolver, provider, context, node); } catch (AclModuleNotSupportedException) { result &= true; // Convention throughout the provider: if the IAclModule can not authenticate a user, true is returned. } if (result == false) { return false; } } // Return return result; }
public bool IsAccessibleToUser(IControllerTypeResolver controllerTypeResolver, DefaultSiteMapProvider provider, HttpContext context, SiteMapNode node) { Ensure.ThatTypeFor(() => node).IsOfType<MvcSiteMapNode>(); HttpContextBase contextBase = context.Wrap(); MvcSiteMapNode mvc = (MvcSiteMapNode)node; string controller = mvc.Controller; string action = mvc.Action; bool accessible = IsActionAccessibleToUser(controllerTypeResolver, contextBase, controller, action); return accessible; }
/// <summary> /// Determines whether node is accessible to user. /// </summary> /// <param name="controllerTypeResolver">The controller type resolver.</param> /// <param name="provider">The provider.</param> /// <param name="context">The context.</param> /// <param name="node">The node.</param> /// <returns> /// <c>true</c> if accessible to user; otherwise, <c>false</c>. /// </returns> public bool IsAccessibleToUser(IControllerTypeResolver controllerTypeResolver, DefaultSiteMapProvider provider, HttpContext context, SiteMapNode node) { // Is security trimming enabled? if (!provider.SecurityTrimmingEnabled) { return true; } // Is it a regular node? var mvcNode = node as MvcSiteMapNode; if (mvcNode == null) { if (provider.ParentProvider != null) { return provider.ParentProvider.IsAccessibleToUser(context, node); } } // If we have roles assigned, check them against the roles defined in the sitemap if (node.Roles != null && node.Roles.Count > 0) { // if there is an authenticated user and the role allows anyone authenticated ("*"), show it if ((context.User.Identity.IsAuthenticated) && node.Roles.Contains("*")) { return true; } // if there is no user, but the role allows unauthenticated users ("?"), show it if ((!context.User.Identity.IsAuthenticated) && node.Roles.Contains("?")) { return true; } // if the user is in one of the listed roles, show it if (node.Roles.OfType<string>().Any(role => context.User.IsInRole(role))) { return true; } // if we got this far, deny showing return false; } // Everything seems OK... return true; }
/// <summary> /// Determines whether node is accessible to user. /// </summary> /// <param name="controllerTypeResolver">The controller type resolver.</param> /// <param name="provider">The provider.</param> /// <param name="context">The context.</param> /// <param name="node">The node.</param> /// <returns> /// <c>true</c> if accessible to user; otherwise, <c>false</c>. /// </returns> public bool IsAccessibleToUser(IControllerTypeResolver controllerTypeResolver, DefaultSiteMapProvider provider, HttpContext context, SiteMapNode node) { // Is security trimming enabled? if (!provider.SecurityTrimmingEnabled) { return true; } // Is it an external node? var nodeUrl = node.Url; if (nodeUrl.StartsWith("http") || nodeUrl.StartsWith("ftp")) { return true; } // Is it a regular node? var mvcNode = node as MvcSiteMapNode; if (mvcNode == null) { throw new AclModuleNotSupportedException( Resources.Messages.AclModuleDoesNotSupportRegularSiteMapNodes); } // Clickable? Always accessible. if (mvcNode.Clickable == false) { return true; } // Time to delve into the AuthorizeAttribute defined on the node. // Let's start by getting all metadata for the controller... var controllerType = controllerTypeResolver.ResolveControllerType(mvcNode.Area, mvcNode.Controller); if (controllerType == null) { return false; } // Find routes for the sitemap node's url HttpContextBase httpContext = new HttpContextWrapper(context); string originalPath = httpContext.Request.Path; var originalRoutes = RouteTable.Routes.GetRouteData(httpContext); httpContext.RewritePath(nodeUrl, true); HttpContextBase httpContext2 = new HttpContext2(context); RouteData routes = mvcNode.GetRouteData(httpContext2); if (routes == null) { return true; // Static URL's will have no route data, therefore return true. } foreach (var routeValue in mvcNode.RouteValues) { routes.Values[routeValue.Key] = routeValue.Value; } if (!routes.Route.Equals(originalRoutes.Route) || originalPath != nodeUrl || mvcNode.Area == String.Empty) { routes.DataTokens.Remove("area"); //routes.DataTokens.Remove("Namespaces"); //routes.Values.Remove("area"); } var requestContext = new RequestContext(httpContext, routes); // Create controller context var controllerContext = new ControllerContext(); controllerContext.RequestContext = requestContext; try { string controllerName = requestContext.RouteData.GetRequiredString("controller"); controllerContext.Controller = ControllerBuilder.Current.GetControllerFactory().CreateController(requestContext, controllerName) as ControllerBase; } catch { try { controllerContext.Controller = Activator.CreateInstance(controllerType) as ControllerBase; } catch { } } ControllerDescriptor controllerDescriptor = null; if (typeof(IController).IsAssignableFrom(controllerType)) { controllerDescriptor = new ReflectedControllerDescriptor(controllerType); } else if (typeof(IAsyncController).IsAssignableFrom(controllerType)) { controllerDescriptor = new ReflectedAsyncControllerDescriptor(controllerType); } ActionDescriptor actionDescriptor = null; try { actionDescriptor = controllerDescriptor.FindAction(controllerContext, mvcNode.Action); } catch { } if (actionDescriptor == null) { actionDescriptor = controllerDescriptor.GetCanonicalActions().Where(a => a.ActionName == mvcNode.Action).FirstOrDefault(); } // Verify security try { if (actionDescriptor != null) { #if NET35 IEnumerable<AuthorizeAttribute> authorizeAttributesToCheck = actionDescriptor.GetCustomAttributes(typeof(AuthorizeAttribute), true).OfType <AuthorizeAttribute>().ToList() .Union( controllerDescriptor.GetCustomAttributes(typeof(AuthorizeAttribute), true).OfType <AuthorizeAttribute>().ToList()); #else IEnumerable<AuthorizeAttribute> authorizeAttributesToCheck = FilterProviders.Providers.GetFilters(controllerContext, actionDescriptor) .Where(f => typeof(AuthorizeAttribute).IsAssignableFrom(f.Instance.GetType())) .Select(f => f.Instance as AuthorizeAttribute); #endif // Verify all attributes foreach (var authorizeAttribute in authorizeAttributesToCheck) { try { var currentAuthorizationAttributeType = authorizeAttribute.GetType(); var builder = new AuthorizeAttributeBuilder(); var subclassedAttribute = currentAuthorizationAttributeType == typeof(AuthorizeAttribute) ? new InternalAuthorize(authorizeAttribute) : // No need to use Reflection.Emit when ASP.NET MVC built-in attribute is used (IAuthorizeAttribute)builder.Build(currentAuthorizationAttributeType).Invoke(null); // Copy all properties ObjectCopier.Copy(authorizeAttribute, subclassedAttribute); if (!subclassedAttribute.IsAuthorized(controllerContext.HttpContext)) { return false; } } catch { // do not allow on exception return false; } } } // No objection. return true; } finally { // Restore HttpContext httpContext.RewritePath(originalPath, true); } }
public bool IsAccessibleToUser(IControllerTypeResolver controllerTypeResolver, DefaultSiteMapProvider provider, HttpContext context, SiteMapNode node) { // is security trimming enabled? if (!provider.SecurityTrimmingEnabled) { return true; } // external nodes var nodeUrl = node.Url; if (nodeUrl.StartsWith("http") || nodeUrl.StartsWith("ftp")) { return true; } // Is it a regular node? var mvcNode = node as MvcSiteMapNode; if (mvcNode == null) { return true; } var controllerType = controllerTypeResolver.ResolveControllerType(mvcNode.Area, mvcNode.Controller); if (controllerType == null) { return false; } // Find routes for the sitemap node's url HttpContextBase httpContext = new HttpContextMethodOverrider(context, null); string originalPath = httpContext.Request.Path; var originalRoutes = RouteTable.Routes.GetRouteData(httpContext); httpContext.RewritePath(nodeUrl, true); HttpContextBase httpContext2 = new HttpContext2(context); RouteData routes = mvcNode.GetRouteData(httpContext2); if (routes == null) { return true; // Static URL's will have no route data, therefore return true. } foreach (var routeValue in mvcNode.RouteValues) { routes.Values[routeValue.Key] = routeValue.Value; } if (originalRoutes != null && (!routes.Route.Equals(originalRoutes.Route) || originalPath != nodeUrl || mvcNode.Area == String.Empty)) { routes.DataTokens.Remove("area"); //routes.DataTokens.Remove("Namespaces"); //routes.Values.Remove("area"); } var requestContext = new RequestContext(httpContext, routes); // Create controller context var controllerContext = new ControllerContext(); controllerContext.RequestContext = requestContext; // Whether controller is built by the ControllerFactory (or otherwise by Activator) bool factoryBuiltController = false; try { string controllerName = requestContext.RouteData.GetRequiredString("controller"); controllerContext.Controller = ControllerBuilder.Current.GetControllerFactory().CreateController(requestContext, controllerName) as ControllerBase; factoryBuiltController = true; } catch { try { controllerContext.Controller = Activator.CreateInstance(controllerType) as ControllerBase; } catch { } } ControllerDescriptor controllerDescriptor = null; if (typeof(IController).IsAssignableFrom(controllerType)) { controllerDescriptor = new ReflectedControllerDescriptor(controllerType); } else if (typeof(IAsyncController).IsAssignableFrom(controllerType)) { controllerDescriptor = new ReflectedAsyncControllerDescriptor(controllerType); } ActionDescriptor actionDescriptor = null; try { actionDescriptor = controllerDescriptor.FindAction(controllerContext, mvcNode.Action); } catch { } if (actionDescriptor == null) { actionDescriptor = controllerDescriptor.GetCanonicalActions().FirstOrDefault(a => a.ActionName == mvcNode.Action); } // Verify security try { if (actionDescriptor != null) { // fixes #130 - Check whether we have an AllowAnonymous Attribute var ignoreAuthorization = actionDescriptor.HasAttribute<AllowAnonymousAttribute>(); if (ignoreAuthorization) return true; if (actionDescriptor.HasAttribute<OnlyAnonymousAttribute>()) return !requestContext.HttpContext.Request.IsAuthenticated; IFilterProvider filterProvider = ResolveFilterProvider(); IEnumerable<Filter> filters; // If depencency resolver has an IFilterProvider registered, use it if (filterProvider != null) { filters = filterProvider.GetFilters(controllerContext, actionDescriptor); } // Otherwise use FilterProviders.Providers else { filters = FilterProviders.Providers.GetFilters(controllerContext, actionDescriptor); } IEnumerable<AuthorizeAttribute> authorizeAttributesToCheck = filters .Where(f => f.Instance is AuthorizeAttribute) .Select(f => f.Instance as AuthorizeAttribute); // Verify all attributes foreach (var authorizeAttribute in authorizeAttributesToCheck) { try { var currentAuthorizationAttributeType = authorizeAttribute.GetType(); var builder = new AuthorizeAttributeBuilder(); var subclassedAttribute = currentAuthorizationAttributeType == typeof(AuthorizeAttribute) ? new InternalAuthorize(authorizeAttribute) : // No need to use Reflection.Emit when ASP.NET MVC built-in attribute is used (IAuthorizeAttribute)builder.Build(currentAuthorizationAttributeType).Invoke(null); // Copy all properties ObjectCopier.Copy(authorizeAttribute, subclassedAttribute); if (!subclassedAttribute.IsAuthorized(controllerContext.HttpContext)) { return false; } } catch { // do not allow on exception return false; } } } // No objection. return true; } finally { // Restore HttpContext httpContext.RewritePath(originalPath, true); // Release controller if (factoryBuiltController) ControllerBuilder.Current.GetControllerFactory().ReleaseController(controllerContext.Controller); } }