public static bool AuthenticateTicket() { // see http://issues.umbraco.org/issue/U4-6342#comment=67-19466 (from http://issues.umbraco.org/issue/U4-6332) var http = new HttpContextWrapper(HttpContext.Current); var ticket = http.GetUmbracoAuthTicket(); if (ticket != null) { return http.AuthenticateCurrentRequest(ticket, true); } return false; }
protected override void OnPreInit(EventArgs e) { base.OnPreInit(e); if (PackageHelpers.UmbracoVersion != "7.2.2") return; // Handle authentication stuff to counteract bug in Umbraco 7.2.2 (see U4-6342) HttpContextWrapper http = new HttpContextWrapper(Context); FormsAuthenticationTicket ticket = http.GetUmbracoAuthTicket(); http.AuthenticateCurrentRequest(ticket, true); }
/// <summary> /// Authenticates the request by reading the FormsAuthentication cookie and setting the /// context and thread principle object /// </summary> /// <param name="sender"></param> /// <param name="e"></param> static void AuthenticateRequest(object sender, EventArgs e) { var app = (HttpApplication) sender; var http = new HttpContextWrapper(app.Context); //we need to determine if the path being requested is an umbraco path, if not don't do anything var settings = UmbracoSettings.GetSettings(); var backOfficeRoutePath = string.Concat(settings.UmbracoPaths.BackOfficePath, "/"); var installerRoutePath = string.Concat("Install", "/"); var routeUrl = ""; var routeData = RouteTable.Routes.GetRouteData(http); if (routeData != null) { var route = routeData.Route as Route; if (route != null) { routeUrl = route.Url; } } if (routeUrl.StartsWith(installerRoutePath, StringComparison.InvariantCultureIgnoreCase) || routeUrl.StartsWith(backOfficeRoutePath, StringComparison.InvariantCultureIgnoreCase)) { if (app.Context.User == null) { if (app.User != null) { //set the principal object app.Context.User = app.User; Thread.CurrentPrincipal = app.User; } else { var ticket = http.GetUmbracoAuthTicket(); if (ticket != null && !ticket.Expired && http.RenewUmbracoAuthTicket()) { //create the Umbraco user identity var identity = new UmbracoBackOfficeIdentity(ticket); //set the principal object var principal = new GenericPrincipal(identity, identity.Roles); app.Context.User = principal; Thread.CurrentPrincipal = principal; } } } } }
/// <summary> /// Checks if the request is authenticated, if it is it sets the thread culture to the currently logged in user /// </summary> /// <param name="sender"></param> /// <param name="e"></param> static void AuthenticateRequest(object sender, EventArgs e) { var app = (HttpApplication)sender; var http = new HttpContextWrapper(app.Context); // do not process if client-side request if (http.Request.Url.IsClientSideRequest()) return; if (app.Request.Url.IsBackOfficeRequest() || app.Request.Url.IsInstallerRequest()) { var ticket = http.GetUmbracoAuthTicket(); if (ticket != null) { //create the Umbraco user identity var identity = ticket.CreateUmbracoIdentity(); if (identity != null) { //We'll leave setting custom identies/principals for 6.2, for now we'll just ensure that the cultures, etc.. are set ////set the principal object ////now we need to see if their session is still valid //var timeout = BasePage.GetTimeout(identity.UserContextId); //if (timeout > DateTime.Now.Ticks) //{ //var principal = new GenericPrincipal(identity, identity.Roles); ////It is actually not good enough to set this on the current app Context and the thread, it also needs //// to be set explicitly on the HttpContext.Current !! This is a strange web api thing that is actually //// an underlying fault of asp.net not propogating the User correctly. //if (HttpContext.Current != null) //{ // HttpContext.Current.User = principal; //} //app.Context.User = principal; //Thread.CurrentPrincipal = principal; //} //This is a back office/installer request, we will also set the culture/ui culture Thread.CurrentThread.CurrentCulture = Thread.CurrentThread.CurrentUICulture = new System.Globalization.CultureInfo(identity.Culture); } } } }
/// <summary> /// Gets the URL of the file in the upload field with the given property alias on the given TypedEntity at the specific size /// </summary> /// <param name="url">The URL.</param> /// <param name="entity">The entity.</param> /// <param name="propertyAlias">The property alias.</param> /// <param name="size">The size (must be a prevalue on the upload property editor).</param> /// <returns></returns> public static string GetMediaUrl(this UrlHelper url, TypedEntity entity, string propertyAlias, int size) { //TODO: There is a lot of duplication between this and the MediaProxyController (with slight differences). Need to find a way to reuse code. var appContext = DependencyResolver.Current.GetService<IUmbracoApplicationContext>(); using (var securityUow = appContext.Hive.OpenReader<ISecurityStore>()) { // Check to see if anonymous view is allowed var anonymousViewAllowed = !appContext.Security.PublicAccess.IsProtected(entity.Id); // Get upload property var prop = propertyAlias.IsNullOrWhiteSpace() ? entity.Attributes.SingleOrDefault(x => x.AttributeDefinition.AttributeType.RenderTypeProvider.InvariantEquals(CorePluginConstants.FileUploadPropertyEditorId)) : entity.Attributes.SingleOrDefault(x => x.AttributeDefinition.Alias == propertyAlias); if (prop == null || !prop.Values.ContainsKey("MediaId")) return null; // Couldn't find property so return null var mediaId = prop.Values["MediaId"].ToString(); var fileId = new HiveId(prop.Values["Value"].ToString()); // Get the file using (var fileUow = appContext.Hive.OpenReader<IFileStore>(fileId.ToUri())) { var file = fileUow.Repositories.Get<File>(fileId); if (file == null) return null; // Couldn't find file so return null // Fetch the thumbnail if (size > 0) { var relation = fileUow.Repositories.GetLazyChildRelations(fileId, FixedRelationTypes.ThumbnailRelationType) .SingleOrDefault(x => x.MetaData.Single(y => y.Key == "size").Value == size.ToString()); file = (relation != null && relation.Destination != null) ? (File)relation.Destination : null; } if (file == null) return null; // Couldn't find file so return null if (anonymousViewAllowed && !file.PublicUrl.StartsWith("~/App_Data/")) // Don't proxy { return url.Content(file.PublicUrl); } else // Proxy { //NOTE: THIS IS TEMPORARY CODE UNTIL MEMBER PERMISSIONS IS DONE //if (anonymousViewAllowed) //{ // // If they are anonymous, but media happens to be in app_data folder proxy // return url.Action("Proxy", "MediaProxy", new { area = "", propertyAlias = prop.AttributeDefinition.Alias, mediaId, size, fileName = file.Name }); //} //return null; // Check permissions //var authAttr = new UmbracoAuthorizeAttribute {AllowAnonymous = true, Permissions = new [] { FixedPermissionIds.View }}; //var authorized = authAttr.IsAuthorized(url.RequestContext.HttpContext, entity.Id); //if (!authorized) // return null; // Not authorized so return null var member = appContext.Security.Members.GetCurrent(); if (member == null || !appContext.Security.PublicAccess.GetPublicAccessStatus(member.Id, entity.Id).CanAccess) { // Member can't access, but check to see if logged in identiy is a User, if so, just allow access var wrapper = new HttpContextWrapper(HttpContext.Current); var ticket = wrapper.GetUmbracoAuthTicket(); if (ticket == null || ticket.Expired) { return null; } } return url.Action("Proxy", "MediaProxy", new { area = "", propertyAlias = prop.AttributeDefinition.Alias, mediaId, size, fileName = file.Name }); } } } }
/// <summary> /// Authenticates the request by reading the FormsAuthentication cookie and setting the /// context and thread principle object /// </summary> /// <param name="sender"></param> /// <param name="e"></param> /// <remarks> /// We will set the identity, culture, etc... for any request that is: /// * A back office request /// * An installer request /// * A /base request (since these can be back office web service requests) /// </remarks> static void AuthenticateRequest(object sender, EventArgs e) { var app = (HttpApplication)sender; var http = new HttpContextWrapper(app.Context); // do not process if client-side request if (http.Request.Url.IsClientSideRequest()) return; var req = new HttpRequestWrapper(app.Request); if (ShouldAuthenticateRequest(req, UmbracoContext.Current.OriginalRequestUrl)) { var ticket = http.GetUmbracoAuthTicket(); http.AuthenticateCurrentRequest(ticket, ShouldIgnoreTicketRenew(UmbracoContext.Current.OriginalRequestUrl, http) == false); } }