/// <summary>
/// Decides whether a restricted resource may be shown to the network zone a request came from.
/// A loopback caller is accepted when the restriction admits either the Localhost zone or the
/// (wider) LocalSubnet zone; any other caller is classified as LocalSubnet or External and is
/// checked against exactly that one zone.
/// </summary>
/// <param name="restrictTo">Restriction whose <c>CanShowTo</c> answers visibility per zone.</param>
/// <param name="reqAttrs">Network attributes derived from the incoming request.</param>
/// <returns><c>true</c> when the caller's zone is permitted by <paramref name="restrictTo"/>.</returns>
private static bool CanShowToNetwork(RestrictAttribute restrictTo, RequestAttributes reqAttrs)
{
    // NOTE(review): this check is only as trustworthy as the address IsLocalhost()/IsLocalSubnet()
    // read. Confirm they use the socket peer address and not a client-supplied header such as
    // X-Forwarded-For, otherwise a remote caller could claim a local zone — not visible here.
    if (reqAttrs.IsLocalhost())
    {
        // Loopback: the Localhost grant is checked first, then the broader LocalSubnet grant.
        bool localhostAllowed = restrictTo.CanShowTo(RequestAttributes.Localhost);
        return localhostAllowed || restrictTo.CanShowTo(RequestAttributes.LocalSubnet);
    }

    // Non-loopback: exactly one zone applies, same subnet or everything else.
    var zone = reqAttrs.IsLocalSubnet()
        ? RequestAttributes.LocalSubnet
        : RequestAttributes.External;
    return restrictTo.CanShowTo(zone);
}
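/// <summary>
/// Changes a user's password. The claims attribute check is bypassed for this route (see the
/// attribute below), so authorization is decided here: the caller may change their own password,
/// or must hold the Users/FullAccess claim to change someone else's.
/// </summary>
/// <param name="upp">Request body; <c>AuthUserId</c> is the account whose password is being changed.</param>
/// <returns>
/// 400 when the body is missing or carries no user id; 401 when the caller's token id cannot be read,
/// or the caller is neither the target user nor holds the full-access claim; otherwise the result of
/// <c>_UpdatePassword</c>.
/// </returns>
[Bypass(true)] // don't require user privileges to edit, if self only
public IHttpActionResult UpdatePassword([FromBody] UpdatePasswordParams upp)
{
    if (upp == null || upp.AuthUserId == 0)
    {
        return BadRequest();
    }

    // The route does not carry (nor is it guaranteed to carry) a user id the claims attribute could
    // compare against the token, so the "self or privileged" decision is made by hand here.
    // The token's user id is parsed defensively: a missing or non-numeric value must deny (401)
    // rather than surface as an unhandled FormatException / ArgumentNullException (500).
    int tokenAuthId;
    if (!int.TryParse(this.GetAuthUserId(), out tokenAuthId))
    {
        return Unauthorized();
    }

    // Editing own account: no claim required.
    bool ok = tokenAuthId == upp.AuthUserId;

    // Editing another account: require FullAccess on the Users claim type.
    if (!ok)
    {
        // Fail closed when the principal is not claims-based instead of throwing on a hard cast.
        var requestUser = this.GetOwinResolver().GetOwinContext().Request.User as ClaimsPrincipal;
        ok = requestUser != null
             && RestrictAttribute.CheckClaim(requestUser, ClaimTypes.Users, ClaimValues.FullAccess);
    }

    // NOTE(review): Unauthorized() (401) is kept for compatibility; an authenticated caller lacking
    // the claim is strictly a 403 Forbidden. Also confirm that _UpdatePassword verifies the current
    // password for self-edits — that logic is not visible here.
    return ok ? _UpdatePassword(upp) : Unauthorized();
}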
/// <summary>
/// Answers whether <paramref name="restrictTo"/> permits showing a resource to the network zone
/// of the request described by <paramref name="reqAttrs"/>. Remote callers are mapped to a single
/// zone (LocalSubnet or External); loopback callers pass on either the Localhost grant or the
/// LocalSubnet grant.
/// </summary>
/// <param name="restrictTo">Restriction consulted through <c>CanShowTo</c> for each zone.</param>
/// <param name="reqAttrs">Network attributes of the incoming request.</param>
/// <returns><c>true</c> when the caller's zone is allowed.</returns>
private static bool CanShowToNetwork(RestrictAttribute restrictTo, RequestAttributes reqAttrs)
{
    if (!reqAttrs.IsLocalhost())
    {
        // Remote caller: same subnet or external, never both.
        return reqAttrs.IsLocalSubnet()
            ? restrictTo.CanShowTo(RequestAttributes.LocalSubnet)
            : restrictTo.CanShowTo(RequestAttributes.External);
    }

    // Loopback caller: the explicit Localhost grant wins; otherwise fall back to the
    // broader LocalSubnet grant, which is treated as covering loopback as well.
    // NOTE(review): how IsLocalhost()/IsLocalSubnet() derive the address is not visible here;
    // confirm they do not trust a client-controlled forwarding header.
    if (restrictTo.CanShowTo(RequestAttributes.Localhost))
    {
        return true;
    }
    return restrictTo.CanShowTo(RequestAttributes.LocalSubnet);
}