public override bool IsAuthorized(AuthFilterContext context) { Requires.NotNull("context", context); var principal = Thread.CurrentPrincipal; if (!principal.Identity.IsAuthenticated) { return(false); } var currentPortal = TestablePortalController.Instance.GetCurrentPortalSettings(); bool isAdminUser = currentPortal.UserInfo.IsSuperUser || PortalSecurity.IsInRole(currentPortal.AdministratorRoleName); if (isAdminUser) { return(true); } bool isPageEditor = TabPermissionController.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings); if (isPageEditor) { return(true); } return(false); }
public override bool IsAuthorized(AuthFilterContext context) { if (base.IsAuthorized(context)) { return(true); } context.AuthFailureMessage = null; try { var queryString = context.ActionContext.Request.GetQueryNameValuePairs(); var token = string.Empty; foreach (var kvp in queryString) { if (kvp.Key == "__RequestVerificationToken") { token = kvp.Value; break; } } string cookieValue = GetAntiForgeryCookieValue(context); AntiForgery.Instance.Validate(cookieValue, token); } catch (Exception e) { context.AuthFailureMessage = e.Message; return(false); } return(true); }
public void LocatesCookie(string cookieFormat, string cookieName, string cookieValue) { // Arrange var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/"); request.Headers.Add("Cookie", string.Format(cookieFormat, cookieName, cookieValue)); request.Headers.Add("RequestVerificationToken", "anything_is_fine"); var config = new HttpConfiguration(); var controllerContext = new HttpControllerContext(config, new HttpRouteData(new HttpRoute()), request); var actionContext = new HttpActionContext(controllerContext, new Mock <HttpActionDescriptor>().Object); var authFilterContext = new AuthFilterContext(actionContext, string.Empty); var mockAntiForgery = new Mock <IAntiForgery>(); mockAntiForgery.Setup(x => x.CookieName).Returns(cookieName); AntiForgery.SetTestableInstance(mockAntiForgery.Object); // Act var vaft = new ValidateAntiForgeryTokenAttribute(); // Assert.IsTrue(ValidateAntiForgeryTokenAttribute.IsAuthorized(authFilterContext)); Assert.DoesNotThrow(() => { vaft.OnActionExecuting(authFilterContext.ActionContext); }); // Assert mockAntiForgery.Verify(x => x.Validate(cookieValue, It.IsAny <string>()), Times.Once()); }
public override bool IsAuthorized(AuthFilterContext context) { var principal = Thread.CurrentPrincipal; return(principal.Identity.IsAuthenticated && ServiceLocatorFactory.Instance.ConfigService.IsAllowed(PortalController.Instance.GetCurrentPortalSettings().UserInfo)); }
public override bool IsAuthorized(AuthFilterContext context) { if (DomainUtility.IsTestEnvironment) { return(true); } using (APIAccessService apiAccessService = new APIAccessService()) { //when a client is calling main api ,they have to put token,which is password, in header named token if (context.ActionContext.Request.Headers.Contains("token")) { return(apiAccessService.HasAccess(ApiUtility.GetIPAddress(), context.ActionContext.Request.Headers.GetValues("token").FirstOrDefault())); } else { if (AccessUtility.CalledByLocalSA(HttpContext.Current.Request)) { //it is called from single action module in same server with same ip. return(true); } else { //when bpms user panel is calling engine api,every request should have formToken in its parameters. string formToken = context.ActionContext.RequestContext.Url.Request.GetHttpContext().Request.QueryString[FormTokenUtility.FormToken]; return(FormTokenUtility.ValidateFormToken(formToken, HttpContext.Current.Session.SessionID)); } } } }
public override bool IsAuthorized(AuthFilterContext context) { if (base.IsAuthorized(context)) return true; context.AuthFailureMessage = null; try { var queryString = context.ActionContext.Request.GetQueryNameValuePairs(); var token = string.Empty; foreach(var kvp in queryString) { if (kvp.Key == "__RequestVerificationToken"){ token = kvp.Value; break; } } string cookieValue = GetAntiForgeryCookieValue(context); AntiForgery.Instance.Validate(cookieValue, token ); } catch (Exception e) { context.AuthFailureMessage = e.Message; return false; } return true; }
public override bool IsAuthorized(AuthFilterContext context) { Requires.NotNull("context", context); if (!JwtAuthHelper.IsAuthenticated()) { return(false); } if (_denyRolesSplit.Any()) { var currentUser = PortalController.Instance.GetCurrentPortalSettings().UserInfo; if (!currentUser.IsSuperUser && _denyRolesSplit.Any(currentUser.IsInRole)) { return(false); } } if (_staticRolesSplit.Any()) { var currentUser = PortalController.Instance.GetCurrentPortalSettings().UserInfo; if (!_staticRolesSplit.Any(currentUser.IsInRole)) { return(false); } } return(true); }
public override bool IsAuthorized(AuthFilterContext context) { if (SecurityLevel == SecurityAccessLevel.Anonymous) { return(true); } User = HttpContextSource.Current.Request.IsAuthenticated ? UserController.Instance.GetCurrentUserInfo() : new UserInfo(); ContextSecurity security = new ContextSecurity(context.ActionContext.Request.FindModuleInfo()); switch (SecurityLevel) { case SecurityAccessLevel.Authenticated: return(User.UserID != -1); case SecurityAccessLevel.Host: return(User.IsSuperUser); case SecurityAccessLevel.Admin: return(security.IsAdmin); case SecurityAccessLevel.Edit: return(security.CanEdit); case SecurityAccessLevel.View: return(security.CanView); case SecurityAccessLevel.Traveller: return(security.IsTraveller); } return(false); }
public override bool IsAuthorized(AuthFilterContext context) { var principal = Thread.CurrentPrincipal; return(principal.Identity.IsAuthenticated && PortalController.Instance.GetCurrentPortalSettings().UserInfo.IsSuperUser); }
public override bool IsAuthorized(AuthFilterContext context) { Requires.NotNull("context", context); return PagePermissionsAttributesHelper.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings); }
public override bool IsAuthorized(AuthFilterContext context) { using (APIAccessService apiAccessService = new APIAccessService()) { return(DomainUtility.IsTestEnvironment ? true : FormTokenUtility.ValidateFormToken(context.ActionContext.RequestContext.Url.Request.GetHttpContext().Request.QueryString[FormTokenUtility.FormToken], HttpContext.Current.Session.SessionID)); } }
public override bool IsAuthorized(AuthFilterContext context) { if (context != null) { DotNetNuke.Entities.Users.UserInfo UserInfo = ((DnnApiController)context.ActionContext.ControllerContext.Controller).UserInfo; if (UserInfo != null) { return(UserInfo.IsInRole("Administrators")); } } return(false); }
public override bool IsAuthorized(AuthFilterContext context) { var menuItem = GetMenuByIdentifier(); var portalSettings = PortalSettings.Current; if (menuItem == null || portalSettings == null) { return(false); } return(MenuPermissionController.HasMenuPermission(portalSettings.PortalId, menuItem, Permission)); }
public override bool IsAuthorized(AuthFilterContext context) { if (!Thread.CurrentPrincipal.Identity.IsAuthenticated) { return(false); } var hccController = context.ActionContext.ControllerContext.Controller as HccApiController; var hccApp = hccController.HccApp; var mobileRole = hccApp.CurrentStore.Settings.AdminRoles.RoleMobileAccess; var user = UserController.Instance.GetCurrentUserInfo(); return(user.IsInRole(mobileRole)); }
public override bool IsAuthorized(AuthFilterContext context) { using (APIAccessService apiAccessService = new APIAccessService()) { if (DomainUtility.IsTestEnvironment) { return(true); } else { ModuleController mc = new ModuleController(); ModuleInfo mi = mc.GetModuleByDefinition(PortalController.Instance.GetCurrentPortalSettings().PortalId, AuthModuleFriendlyName); return(ModulePermissionController.CanViewModule(mi)); } } }
public override bool IsAuthorized(AuthFilterContext context) { var menuItem = GetMenuByIdentifier(); var portalSettings = PortalSettings.Current; if (menuItem == null || portalSettings == null) { return(false); } if (!CheckPermissionForAdmin && PortalSecurity.IsInRole(Constants.AdminsRoleName)) { return(true); } //Permissions seperated by & should be treated with AND operand. //Permissions seperated by , are internally treated with OR operand. var allPermissionGroups = Permission.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries); return(allPermissionGroups.All(allPermissions => MenuPermissionController.HasMenuPermission(portalSettings.PortalId, menuItem, allPermissions))); }
public override bool IsAuthorized(AuthFilterContext context) { Requires.NotNull("context", context); var principal = Thread.CurrentPrincipal; if(!principal.Identity.IsAuthenticated) { return false; } var currentPortal = TestablePortalController.Instance.GetCurrentPortalSettings(); bool isAdminUser = currentPortal.UserInfo.IsSuperUser || PortalSecurity.IsInRole(currentPortal.AdministratorRoleName); if (isAdminUser) return true; bool isPageEditor = TabPermissionController.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings); if (isPageEditor) return true; return false; }
public void MissingTokenDoesnotPassValidationTest(string cookieFormat, string cookieName, string cookieValue) { //Arrange var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/"); request.Headers.Add("Cookie", string.Format(cookieFormat, cookieName, cookieValue)); var config = new HttpConfiguration(); var controllerContext = new HttpControllerContext(config, new HttpRouteData(new HttpRoute()), request); var actionContext = new HttpActionContext(controllerContext, new Mock <HttpActionDescriptor>().Object); var authFilterContext = new AuthFilterContext(actionContext, ""); var mockAntiForgery = new Mock <IAntiForgery>(); mockAntiForgery.Setup(x => x.CookieName).Returns(cookieName); AntiForgery.SetTestableInstance(mockAntiForgery.Object); //Act, Assert var vaft = new ValidateAntiForgeryTokenAttribute(); Assert.IsFalse(vaft.IsAuthorized(authFilterContext)); }
public override bool IsAuthorized(AuthFilterContext context) { Requires.NotNull("context", context); return(PagePermissionsAttributesHelper.HasTabPermission(PermissionKey)); }
public override bool IsAuthorized(AuthFilterContext context) { var authenticated = Thread.CurrentPrincipal.Identity.IsAuthenticated; var portalSettings = PortalSettings.Current; var currentUser = UserController.Instance.GetCurrentUserInfo(); var administratorRoleName = Constants.AdminsRoleName; if (portalSettings != null) { administratorRoleName = portalSettings.AdministratorRoleName; } var isHost = currentUser.IsSuperUser; var isAdmin = currentUser.IsInRole(administratorRoleName); var isRegular = currentUser.UserID > 0; if (authenticated && isHost) { return(true); } //when there have excluded roles defined, and current user in the role. the service call will failed. if (!string.IsNullOrEmpty(Exclude)) { foreach (var roleName in Exclude.Split(';')) { var cleanRoleName = roleName.Trim(); if (!string.IsNullOrEmpty(cleanRoleName)) { if (currentUser.IsInRole(cleanRoleName)) { return(false); } } } } //if menu identifier defined, then will check the menu permission, multiple identifier should split with ",". if (!string.IsNullOrEmpty(MenuName)) { if (isAdmin) { return(true); } var hasPermission = false; MenuName.Split(',').ForEach(menuName => { if (!hasPermission) { var menuItem = GetMenuByIdentifier(menuName); if (menuItem != null && portalSettings != null) { hasPermission = PersonaBarController.Instance.IsVisible(portalSettings, portalSettings.UserInfo, menuItem); } } }); return(hasPermission); } //when menu identifier not defined, will check the service scope permission. switch (Scope) { case ServiceScope.Admin: return(authenticated && isAdmin); case ServiceScope.Regular: if (portalSettings != null) { //if user have ability on any persona bar menus, then need allow to request api. return(PersonaBarController.Instance.GetMenu(portalSettings, portalSettings.UserInfo).AllItems.Count > 0); } return(isAdmin || isRegular); default: return(false); } }
public override bool IsAuthorized(AuthFilterContext context) { // Some Logic }
public override bool IsAuthorized(AuthFilterContext context) { base.IsAuthorized(); // call the IsAuthorized of SupportedModuleAttribute class }
public abstract bool IsAuthorized(AuthFilterContext context); // This method is overrided in both the subclass
public override bool IsAuthorized(AuthFilterContext context) { string AllowedAccessRoles = AccessRoles; dynamic Controller = context.ActionContext.ControllerContext.Controller; if (context.ActionContext.ActionDescriptor.ActionBinding.ActionDescriptor != null) { ReflectedHttpActionDescriptor reflectedHttpActionDescriptor = context.ActionContext.ActionDescriptor.ActionBinding.ActionDescriptor as ReflectedHttpActionDescriptor; if (reflectedHttpActionDescriptor != null && reflectedHttpActionDescriptor.MethodInfo != null && reflectedHttpActionDescriptor.MethodInfo.CustomAttributes != null) { System.Reflection.CustomAttributeData MethodAuthorizeAccessRolesAttribute = reflectedHttpActionDescriptor.MethodInfo.CustomAttributes.Where(a => a.AttributeType.Name == "AuthorizeAccessRolesAttribute").FirstOrDefault(); if (MethodAuthorizeAccessRolesAttribute != null) { AllowedAccessRoles = MethodAuthorizeAccessRolesAttribute.NamedArguments[0].TypedValue.Value.ToString(); } } } try { //There are no explictly specifiled roles in attribute if (string.IsNullOrEmpty(AllowedAccessRoles)) { NameValueCollection QueryString = HttpUtility.ParseQueryString(context.ActionContext.Request.RequestUri.Query); if (PortalSettings.Current.UserInfo.IsSuperUser) { return(true); } if (!string.IsNullOrEmpty(QueryString["identifier"]) && QueryString["identifier"] == "common_controls_editorconfig" && (PortalSettings.Current.UserInfo.IsInRole("Administrators") || ModulePermissionController.CanEditModuleContent(Controller.ModuleInfo()))) { return(true); } if (QueryString != null && !string.IsNullOrEmpty(QueryString["identifier"])) { AllowedAccessRoles = Controller.AllowedAccessRoles(QueryString["identifier"]); } if (!string.IsNullOrEmpty(AllowedAccessRoles) && !string.IsNullOrEmpty(context.ActionContext.ActionDescriptor.ActionName) && context.ActionContext.ActionDescriptor.ActionName.ToLower() == "updatedata") { List <string> AllowedAccessRolesRolesArray = AllowedAccessRoles.Split(',').Distinct().ToList(); AllowedAccessRolesRolesArray.Remove("user"); AllowedAccessRolesRolesArray.Remove("anonymous"); AllowedAccessRoles = string.Join(",", AllowedAccessRolesRolesArray.Distinct()); } } if (!string.IsNullOrEmpty(AllowedAccessRoles)) { string InRoles = Controller.AccessRoles(); string[] AllowedAccessRolesRolesArray = AllowedAccessRoles.Split(','); if (!string.IsNullOrEmpty(InRoles)) { foreach (string role in InRoles.Split(',')) { if (AllowedAccessRolesRolesArray.Where(a => a == role).SingleOrDefault() != null) { return(true); } } } } } catch (Exception ex) { DotNetNuke.Services.Exceptions.Exceptions.LogException(ex); } return(false); }
public override bool IsAuthorized(AuthFilterContext context) { Requires.NotNull("context", context); return(PagePermissionsAttributesHelper.HasTabPermission("EDIT,CONTENT,MANAGE") || IsModuleAdmin(((DnnApiController)context.ActionContext.ControllerContext.Controller).PortalSettings)); }
public override bool IsAuthorized(AuthFilterContext context) { Logger.Trace("IsAuthorized"); if (SecurityLevel == SecurityAccessLevel.Anonymous) { Logger.Trace("Anonymous"); return(true); } User = HttpContextSource.Current.Request.IsAuthenticated ? UserController.Instance.GetCurrentUserInfo() : new UserInfo(); Logger.Trace("UserId " + User.UserID.ToString()); if (AllowApiKeyAccess && User.UserID == -1 && HttpContextSource.Current.Request.Params["apikey"] != null) { Logger.Trace("Using API key"); var conferenceId = int.Parse(HttpContextSource.Current.Request.Params["conferenceid"]); var apiKey = Connect.Conference.Core.Repositories.ApiKeyRepository.Instance.GetApiKey(HttpContextSource.Current.Request.Params["apikey"]); if (apiKey != null && apiKey.Expires != null && apiKey.Expires < System.DateTime.Now) { Connect.Conference.Core.Repositories.ApiKeyRepository.Instance.DeleteApiKey(apiKey.GetApiKeyBase()); apiKey = null; } if (apiKey != null && apiKey.ConferenceId == conferenceId) { User = UserController.Instance.GetUserById(PortalSettings.Current.PortalId, apiKey.CreatedByUserID); HttpContextSource.Current.Items["UserInfo"] = User; // Set thread user - this will expire after the request! } } ContextSecurity security = new ContextSecurity(context.ActionContext.Request.FindModuleInfo()); Logger.Trace(security.ToString()); switch (SecurityLevel) { case SecurityAccessLevel.Authenticated: return(User.UserID != -1); case SecurityAccessLevel.Host: return(User.IsSuperUser); case SecurityAccessLevel.Admin: return(security.IsAdmin); case SecurityAccessLevel.Edit: return(security.CanEdit); case SecurityAccessLevel.View: return(security.CanView); case SecurityAccessLevel.SessionSubmit: return(security.CanSubmitSessions); case SecurityAccessLevel.AttendConference: return(security.CanAttend); case SecurityAccessLevel.ManageConference: return(security.CanManage); case SecurityAccessLevel.AttendsConference: var conferenceId = int.Parse(HttpContextSource.Current.Request.Params["conferenceid"]); return(Connect.Conference.Core.Repositories.AttendeeRepository.Instance.GetAttendee(conferenceId, security.UserId) != null); } return(false); }
public override bool IsAuthorized(AuthFilterContext context) { Requires.NotNull("context", context); return PagePermissionsAttributesHelper.HasTabPermission(PermissionKey); }