The next generation of the Teknik Services. Written in ASP.NET. https://www.teknik.io/

TeknikAuthorizeAttribute.cs 4.5KB

  1. using System;
  2. using System.Collections.Generic;
  3. using System.Linq;
  4. using System.Web;
  5. using System.Web.Mvc;
  6. using System.Web.Routing;
  7. using Teknik.Areas.Error.Controllers;
  8. using Teknik.Helpers;
  9. using Teknik.Areas.Users.Controllers;
  10. namespace Teknik.Attributes
  11. {
  12. [AttributeUsage(AttributeTargets.All, AllowMultiple = false)]
  13. public class TeknikAuthorizeAttribute : AuthorizeAttribute
  14. {
  15. public override void OnAuthorization(AuthorizationContext filterContext)
  16. {
  17. if (filterContext == null)
  18. {
  19. throw new ArgumentNullException("filterContext");
  20. }
  21. if (OutputCacheAttribute.IsChildActionCacheActive(filterContext))
  22. {
  23. // If a child action cache block is active, we need to fail immediately, even if authorization
  24. // would have succeeded. The reason is that there's no way to hook a callback to rerun
  25. // authorization before the fragment is served from the cache, so we can't guarantee that this
  26. // filter will be re-run on subsequent requests.
  27. throw new InvalidOperationException("AuthorizeAttribute cannot be used within a child action caching block.");
  28. }
  29. // Check to see if we want to skip Authentication Check
  30. bool skipAuthorization = filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true)
  31. || filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);
  32. if (skipAuthorization)
  33. return;
  34. // Check the users auth
  35. if (base.AuthorizeCore(filterContext.HttpContext))
  36. {
  37. // ** IMPORTANT **
  38. // Since we're performing authorization at the action level, the authorization code runs
  39. // after the output caching module. In the worst case this could allow an authorized user
  40. // to cause the page to be cached, then an unauthorized user would later be served the
  41. // cached page. We work around this by telling proxies not to cache the sensitive page,
  42. // then we hook our custom authorization code into the caching mechanism so that we have
  43. // the final say on whether a page should be served from the cache.
  44. HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
  45. cachePolicy.SetProxyMaxAge(new TimeSpan(0));
  46. cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);
  47. return;
  48. }
  49. else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
  50. {
  51. this.HandleUnauthorizedRequest(filterContext);
  52. }
  53. else
  54. {
  55. // uh oh, they are authorized, but don't have access. ABORT ABORT ABORT
  56. HandleInvalidAuthRequest(filterContext);
  57. }
  58. }
  59. protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
  60. {
  61. // auth failed, redirect to login page
  62. var request = filterContext.HttpContext.Request;
  63. string redirectUrl = (request.Url != null) ? filterContext.HttpContext.Request.Url.AbsoluteUri.ToString() : string.Empty;
  64. var userController = new UserController();
  65. if (userController != null)
  66. {
  67. filterContext.Result = userController.Login(redirectUrl);
  68. return;
  69. }
  70. filterContext.Result = new HttpUnauthorizedResult();
  71. }
  72. protected void HandleInvalidAuthRequest(AuthorizationContext filterContext)
  73. {
  74. // auth failed, redirect to login page
  75. var request = filterContext.HttpContext.Request;
  76. string redirectUrl = (request.Url != null) ? filterContext.HttpContext.Request.Url.AbsoluteUri.ToString() : string.Empty;
  77. var errorController = new ErrorController();
  78. if (errorController != null)
  79. {
  80. filterContext.Result = errorController.Http403(new Exception("Not Authorized"));
  81. return;
  82. }
  83. filterContext.Result = new HttpUnauthorizedResult();
  84. }
  85. private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
  86. {
  87. validationStatus = base.OnCacheAuthorization(new HttpContextWrapper(context));
  88. }
  89. }
  90. }