示例#1
        /// <summary>
        /// Decides whether <paramref name="restrictTo"/> permits showing to a request with
        /// the network-origin attributes in <paramref name="reqAttrs"/>.
        /// </summary>
        /// <param name="restrictTo">The restriction whose <c>CanShowTo</c> rule is consulted.</param>
        /// <param name="reqAttrs">Attributes of the current request; only its network origin is read here.</param>
        /// <returns>
        /// For a localhost request: true when either Localhost or LocalSubnet is allowed.
        /// Otherwise: the result of <c>CanShowTo</c> for LocalSubnet or External, whichever
        /// the request is classified as.
        /// </returns>
        private static bool CanShowToNetwork(RestrictAttribute restrictTo, RequestAttributes reqAttrs)
        {
            // NOTE(review): this is a network-position trust decision. It is only as reliable as
            // the code that classified the request into reqAttrs (not visible here) - confirm the
            // classification cannot be influenced by client-supplied headers behind a proxy.
            if (!reqAttrs.IsLocalhost())
            {
                // Anything that is not on the local subnet is treated as External.
                var origin = reqAttrs.IsLocalSubnet()
                    ? RequestAttributes.LocalSubnet
                    : RequestAttributes.External;

                return restrictTo.CanShowTo(origin);
            }

            // A localhost request also passes a rule that only allows the local subnet.
            if (restrictTo.CanShowTo(RequestAttributes.Localhost))
            {
                return true;
            }

            return restrictTo.CanShowTo(RequestAttributes.LocalSubnet);
        }
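        /// <summary>
        /// Updates the password of the account identified by <c>upp.AuthUserId</c>.
        /// The caller must either be that same user (per the id carried by the request's
        /// auth token) or hold the Users / FullAccess claim.
        /// </summary>
        /// <param name="upp">Request body; a null body or an <c>AuthUserId</c> of 0 is rejected.</param>
        /// <returns>
        /// <c>BadRequest</c> for a missing body or target id, <c>Unauthorized</c> when the caller
        /// is neither the target user nor a full-access user manager, otherwise the result of
        /// <c>_UpdatePassword</c>.
        /// </returns>
        /// <remarks>
        /// The route is marked <c>[Bypass(true)]</c>, so the check in this method is the only
        /// authorization gate for it; every failure path below must deny.
        /// NOTE(review): whether <c>_UpdatePassword</c> re-verifies the current password for a
        /// self-service change is not visible here - confirm, since a stolen token would
        /// otherwise be enough to take over the account.
        /// </remarks>
        [Bypass(true)] // don't require user privileges to edit, if self only
        public IHttpActionResult UpdatePassword([FromBody] UpdatePasswordParams upp)
        {
            if (upp == null || upp.AuthUserId == 0)
            {
                return(BadRequest());
            }

            // this one is tricky. make sure that the user is editing self, or that
            // they have claims. Can't really force one or the other on the route itself since we're
            // not passing in (or guaranteed to pass in) the userId that matches authUser, so this method
            // should be bypassed from claims attributes check and manually inspected here.

            // A token without a usable numeric user id is an authentication failure, not a
            // server error: deny explicitly instead of letting int.Parse throw.
            int tokenAuthId;
            if (!int.TryParse(this.GetAuthUserId(), out tokenAuthId))
            {
                return(Unauthorized());
            }

            bool ok = tokenAuthId == upp.AuthUserId; // see if editing self

            if (!ok)                                 // not editing self: check permission / claims
            {
                // Fail closed when the request principal is absent or is not claims-based,
                // rather than relying on a cast exception or on CheckClaim's null handling.
                var requestUser = this.GetOwinResolver().GetOwinContext().Request.User as ClaimsPrincipal;
                ok = requestUser != null &&
                     RestrictAttribute.CheckClaim(requestUser, ClaimTypes.Users, ClaimValues.FullAccess);
            }

            return(ok ? _UpdatePassword(upp) : Unauthorized());
        }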
        /// <summary>
        /// Checks the network-origin part of a restriction: asks <paramref name="restrictTo"/>
        /// whether it can be shown to the origin class that <paramref name="reqAttrs"/> falls into.
        /// </summary>
        /// <param name="restrictTo">Restriction providing the <c>CanShowTo</c> rule.</param>
        /// <param name="reqAttrs">Request attributes; queried with <c>IsLocalhost</c> and <c>IsLocalSubnet</c>.</param>
        /// <returns>True when the restriction allows the request's origin class.</returns>
        private static bool CanShowToNetwork(RestrictAttribute restrictTo, RequestAttributes reqAttrs)
        {
            // NOTE(review): access is granted on network origin alone; verify that the code
            // producing reqAttrs (outside this method) derives it from the real peer address.
            bool fromLocalhost = reqAttrs.IsLocalhost();

            if (fromLocalhost)
            {
                // Localhost satisfies a Localhost rule and, failing that, a LocalSubnet rule.
                bool localhostAllowed = restrictTo.CanShowTo(RequestAttributes.Localhost);
                return localhostAllowed || restrictTo.CanShowTo(RequestAttributes.LocalSubnet);
            }
            else
            {
                // Remote callers are either on the local subnet or External; nothing in between.
                if (reqAttrs.IsLocalSubnet())
                {
                    return restrictTo.CanShowTo(RequestAttributes.LocalSubnet);
                }

                return restrictTo.CanShowTo(RequestAttributes.External);
            }
        }