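/// <summary>
/// Web API authorization hook. After the base filter has run, additionally requires that the
/// current claims identity carries an integer "AuthId" claim and an "Email" claim that together
/// match one <c>ApplicationUser</c> row in <c>TechDispatchContext</c> (presumably so that a
/// rotated/revoked AuthId invalidates older tokens — confirm against the issuing code).
/// Any of the following sets a 403 Forbidden response on <paramref name="actionContext"/>:
/// the identity is not a <see cref="ClaimsIdentity"/>, either claim is missing, "AuthId" is not
/// a valid Int32, or no user row matches both values. The original implementation threw a
/// NullReferenceException (surfacing as a 500) for a non-claims identity or a missing "Email"
/// claim and never disposed the DbContext; both are fixed here so the filter fails closed.
/// </summary>
/// <param name="actionContext">The action context; its <c>Response</c> is set to 403 on refusal.</param>
public override void OnAuthorization(HttpActionContext actionContext)
{
    base.OnAuthorization(actionContext);

    // The base filter (or an earlier one) already short-circuited the request; do not override it.
    if (actionContext.Response != null)
    {
        return;
    }

    // NOTE(review): HttpContext.Current is only populated when the API is hosted on System.Web
    // (IIS); under self-host it is null. actionContext.RequestContext.Principal is host-agnostic
    // and would be the preferred source — kept as-is to preserve existing behaviour.
    HttpContext httpContext = HttpContext.Current;
    ClaimsIdentity identity = null;
    if (httpContext != null && httpContext.User != null)
    {
        identity = httpContext.User.Identity as ClaimsIdentity;
    }

    // Fail closed: a non-claims identity can never satisfy the check below.
    if (identity == null)
    {
        RefuseAccess(actionContext);
        return;
    }

    // The "AuthId" claim must be present and parse as an Int32 (invariant culture: this is a
    // machine-issued value, not user-facing text).
    Claim authIdClaim = identity.Claims.FirstOrDefault(c => c.Type == "AuthId");
    int authId;
    if (authIdClaim == null
        || !int.TryParse(
            authIdClaim.Value,
            System.Globalization.NumberStyles.Integer,
            System.Globalization.CultureInfo.InvariantCulture,
            out authId))
    {
        RefuseAccess(actionContext);
        return;
    }

    // The "Email" claim must be present and non-empty; the original dereferenced .Value without
    // a null check and would have thrown here.
    Claim emailClaim = identity.Claims.FirstOrDefault(c => c.Type == "Email");
    if (emailClaim == null || string.IsNullOrEmpty(emailClaim.Value))
    {
        RefuseAccess(actionContext);
        return;
    }
    string email = emailClaim.Value;

    // DbContext is IDisposable and was leaked per request by the original code.
    using (TechDispatchContext db = new TechDispatchContext())
    {
        // Both values must match the same row. The expression is translated by the EF provider,
        // so the claim values reach SQL as parameters, not concatenated text.
        // NOTE(review): string equality semantics here (e.g. case sensitivity) follow the
        // database collation, not C# ordinal comparison — confirm that is intended.
        bool matched = db.Users.Any(u => u.Email == email && u.AuthId == authId);
        if (!matched)
        {
            RefuseAccess(actionContext);
        }
    }
}

/// <summary>
/// Sets a 403 Forbidden response on <paramref name="actionContext"/>, which makes the Web API
/// pipeline stop before the action executes. Kept as the single place the refusal is built so
/// every failure path above responds identically (no distinguishable error detail leaks).
/// </summary>
/// <param name="actionContext">The action context to short-circuit.</param>
private static void RefuseAccess(HttpActionContext actionContext)
{
    actionContext.Response = new System.Net.Http.HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
}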