Added method to WebSecurity to validate members, updated routes for umbraco api controllers

This commit is contained in:
Shannon Deminick
2013-02-27 00:19:48 +06:00
parent bcfc7b2507
commit cc55107da3
5 changed files with 111 additions and 93 deletions


@@ -9,26 +9,28 @@ namespace Umbraco.Web.Mvc
{
internal static class AreaRegistrationExtensions
{
/// <summary>
/// Creates a custom individual route for the specified controller plugin. Individual routes
/// are required by controller plugins to map to a unique URL based on ID.
/// </summary>
/// <param name="controllerName"></param>
/// <param name="controllerType"></param>
/// <param name="routes">An existing route collection</param>
/// <param name="controllerSuffixName">
/// The suffix name that the controller name must end in before the "Controller" string for example:
/// ContentTreeController has a controllerSuffixName of "Tree", this is used for route constraints.
/// </param>
/// <param name="defaultAction"></param>
/// <param name="defaultId"></param>
/// <param name="area"></param>
/// <param name="umbracoTokenValue">The DataToken value to set for the 'umbraco' key, this defaults to 'backoffice' </param>
/// <remarks>
/// </remarks>
internal static Route RouteControllerPlugin(this AreaRegistration area, string controllerName, Type controllerType, RouteCollection routes,
/// <summary>
/// Creates a custom individual route for the specified controller plugin. Individual routes
/// are required by controller plugins to map to a unique URL based on ID.
/// </summary>
/// <param name="controllerName"></param>
/// <param name="controllerType"></param>
/// <param name="routes">An existing route collection</param>
/// <param name="controllerSuffixName">
/// The suffix name that the controller name must end in before the "Controller" string for example:
/// ContentTreeController has a controllerSuffixName of "Tree", this is used for route constraints.
/// </param>
/// <param name="defaultAction"></param>
/// <param name="defaultId"></param>
/// <param name="area"></param>
/// <param name="umbracoTokenValue">The DataToken value to set for the 'umbraco' key, this defaults to 'backoffice' </param>
/// <param name="routeTokens">By default this value is just {action}/{id} but can be modified for things like web api routes</param>
/// <remarks>
/// </remarks>
internal static Route RouteControllerPlugin(this AreaRegistration area, string controllerName, Type controllerType, RouteCollection routes,
string controllerSuffixName, string defaultAction, object defaultId,
string umbracoTokenValue = "backoffice")
string umbracoTokenValue = "backoffice",
string routeTokens = "{action}/{id}")
{
Mandate.ParameterNotNullOrEmpty(controllerName, "controllerName");
Mandate.ParameterNotNullOrEmpty(controllerSuffixName, "controllerSuffixName");
@@ -40,7 +42,7 @@ namespace Umbraco.Web.Mvc
var umbracoArea = GlobalSettings.UmbracoMvcArea;
//routes are explicitly name with controller names and IDs
var url = umbracoArea + "/" + area.AreaName + "/" + controllerName + "/{action}/{id}";
var url = umbracoArea + "/" + area.AreaName + "/" + controllerName + "/" + routeTokens;
//create a new route with custom name, specified url, and the namespace of the controller plugin
var controllerPluginRoute = routes.MapRoute(
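Review bot: The new `routeTokens` parameter is concatenated into the route URL at the `var url = ...` line without the `Mandate` check the other string parameters receive, so a null or empty value silently registers a route ending in `/` rather than failing at startup. Adding `Mandate.ParameterNotNullOrEmpty(routeTokens, "routeTokens");` next to the existing checks keeps the contract consistent across parameters. Since callers now supply the tokens, the `<param name="routeTokens">` doc could also say that the value is appended after a `/` the method already supplies, so it should not start with one. RouteControllerPlugin's body continues past the end of the hunk.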


@@ -1,7 +1,9 @@
using System.Linq;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using Umbraco.Web.Security;
using umbraco.cms.businesslogic.member;
using AuthorizeAttribute = System.Web.Mvc.AuthorizeAttribute;
@@ -38,45 +40,20 @@ namespace Umbraco.Web.Mvc
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
// Allow by default
var allowAction = true;
// If not set to allow all, need to check current loggined in member
if (!AllowAll)
var members = new List<int>();
foreach (var s in AllowMembers.Split(','))
{
// Get member details
var member = Member.GetCurrentMember();
if (member == null)
int id;
if (int.TryParse(s, out id))
{
// If not logged on, not allowed
allowAction = false;
}
else
{
// If types defined, check member is of one of those types
if (!string.IsNullOrEmpty(AllowType))
{
// Allow only if member's type is in list
allowAction = AllowType.ToLower().Split(',').Contains(member.ContentType.Alias.ToLower());
}
// If groups defined, check member is of one of those groups
if (allowAction && !string.IsNullOrEmpty(AllowGroup))
{
// Allow only if member's type is in list
var groups = System.Web.Security.Roles.GetRolesForUser(member.LoginName);
allowAction = groups.Select(s => s.ToLower()).Intersect(AllowGroup.ToLower().Split(',')).Any();
}
// If specific members defined, check member is of one of those
if (allowAction && !string.IsNullOrEmpty(AllowMembers))
{
// Allow only if member's type is in list
allowAction = AllowMembers.ToLower().Split(',').Contains(member.Id.ToString());
}
members.Add(id);
}
}
return allowAction;
return WebSecurity.IsMemberAuthorized(AllowAll,
AllowType.Split(','),
AllowGroup.Split(','),
members);
}
/// <summary>
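Review bot: `AllowMembers.Split(',')`, `AllowType.Split(',')` and `AllowGroup.Split(',')` in the new AuthorizeCore body are called unconditionally, whereas the removed code guarded each property with `string.IsNullOrEmpty`; an attribute that leaves one of these properties unset (presumably null) now throws a NullReferenceException, and an empty string yields a single `""` entry, which makes `IsMemberAuthorized` treat that list as populated and deny every member instead of leaving that dimension unconstrained. Splitting with `(AllowType ?? string.Empty).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)`, and likewise for AllowGroup and AllowMembers, restores the previous semantics; as written the regression is at least fail-closed. The identical change in the `Umbraco.Web.WebApi` `IsAuthorized` override further down has the same problem.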


@@ -85,7 +85,7 @@ namespace Umbraco.Web.Mvc
{
foreach (var s in apiControllers)
{
this.RouteControllerPlugin(s.ControllerName, s.ControllerType, routes, "Api", "Index", UrlParameter.Optional, "api");
this.RouteControllerPlugin(s.ControllerName, s.ControllerType, routes, "Api", "Index", UrlParameter.Optional, "api", "{id}");
}
}
}


@@ -10,6 +10,7 @@ using Umbraco.Web.UI.Pages;
using umbraco;
using umbraco.BusinessLogic;
using umbraco.DataLayer;
using umbraco.cms.businesslogic.member;
namespace Umbraco.Web.Security
{
@@ -19,6 +20,67 @@ namespace Umbraco.Web.Security
/// </summary>
public static class WebSecurity
{
/// <summary>
/// Returns true or false if the currently logged in member is authorized based on the parameters provided
/// </summary>
/// <param name="allowAll"></param>
/// <param name="allowTypes"></param>
/// <param name="allowGroups"></param>
/// <param name="allowMembers"></param>
/// <returns></returns>
public static bool IsMemberAuthorized(
bool allowAll = false,
IEnumerable<string> allowTypes = null,
IEnumerable<string> allowGroups = null,
IEnumerable<int> allowMembers = null)
{
if (allowTypes == null)
allowTypes = Enumerable.Empty<string>();
if (allowGroups == null)
allowGroups = Enumerable.Empty<string>();
if (allowMembers == null)
allowMembers = Enumerable.Empty<int>();
// Allow by default
var allowAction = true;
// If not set to allow all, need to check current loggined in member
if (!allowAll)
{
// Get member details
var member = Member.GetCurrentMember();
if (member == null)
{
// If not logged on, not allowed
allowAction = false;
}
else
{
// If types defined, check member is of one of those types
if (allowTypes.Any())
{
// Allow only if member's type is in list
allowAction = allowTypes.Select(x => x.ToLowerInvariant()).Contains(member.ContentType.Alias.ToLowerInvariant());
}
// If groups defined, check member is of one of those groups
if (allowAction && allowGroups.Any())
{
// Allow only if member's type is in list
var groups = System.Web.Security.Roles.GetRolesForUser(member.LoginName);
allowAction = groups.Select(s => s.ToLower()).Intersect(allowGroups).Any();
}
// If specific members defined, check member is of one of those
if (allowAction && allowMembers.Any())
{
// Allow only if member's type is in list
allowAction = allowMembers.Contains(member.Id);
}
}
}
return allowAction;
}
/// <summary>
/// Gets the SQL helper.
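Review bot: The group check at `allowAction = groups.Select(s => s.ToLower()).Intersect(allowGroups).Any();` lowercases the member's roles but not `allowGroups`, so a configured group name containing an uppercase letter can never match; the removed attribute code lowercased both sides, so this is a fail-closed regression for callers that pass mixed-case names. Using `allowAction = groups.Intersect(allowGroups, StringComparer.OrdinalIgnoreCase).Any();` fixes it and also removes the `ToLower()`/`ToLowerInvariant()` inconsistency with the type check above it. The `allowTypes`, `allowGroups` and `allowMembers` parameters are each enumerated twice (`Any()` followed by `Contains`/`Intersect`), which the currently empty `<param>` docs should state or the method should avoid by materialising once. The comment `// Allow only if member's type is in list` was copied onto the group and member checks and should read `// Allow only if member is in one of the groups` and `// Allow only if member's id is in list` respectively.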


@@ -1,6 +1,8 @@
using System.Linq;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Http;
using Umbraco.Web.Security;
using umbraco.cms.businesslogic.member;
namespace Umbraco.Web.WebApi
@@ -36,45 +38,20 @@ namespace Umbraco.Web.WebApi
protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
{
// Allow by default
var allowAction = true;
// If not set to allow all, need to check current loggined in member
if (!AllowAll)
var members = new List<int>();
foreach (var s in AllowMembers.Split(','))
{
// Get member details
var member = Member.GetCurrentMember();
if (member == null)
int id;
if (int.TryParse(s, out id))
{
// If not logged on, not allowed
allowAction = false;
}
else
{
// If types defined, check member is of one of those types
if (!string.IsNullOrEmpty(AllowType))
{
// Allow only if member's type is in list
allowAction = AllowType.ToLower().Split(',').Contains(member.ContentType.Alias.ToLower());
}
// If groups defined, check member is of one of those groups
if (allowAction && !string.IsNullOrEmpty(AllowGroup))
{
// Allow only if member's type is in list
var groups = System.Web.Security.Roles.GetRolesForUser(member.LoginName);
allowAction = groups.Select(s => s.ToLower()).Intersect(AllowGroup.ToLower().Split(',')).Any();
}
// If specific members defined, check member is of one of those
if (allowAction && !string.IsNullOrEmpty(AllowMembers))
{
// Allow only if member's type is in list
allowAction = AllowMembers.ToLower().Split(',').Contains(member.Id.ToString());
}
members.Add(id);
}
}
return allowAction;
return WebSecurity.IsMemberAuthorized(AllowAll,
AllowType.Split(','),
AllowGroup.Split(','),
members);
}
}