renamed to MemberAuthorizeAttribute and changed it to inherit from an AuthorizeAttribute, as this happens much further up the chain than
the filter attribute and also contains the correct logic to ensure authorization always happens regardless of whether the page is cached. Cleaned up our other authorize attributes.
@@ -2,6 +2,7 @@ using System;
|
||||
using System.Web;
|
||||
using System.Web.Mvc;
|
||||
using Umbraco.Core;
|
||||
using Umbraco.Web.Security;
|
||||
using umbraco.BasePages;
|
||||
|
||||
namespace Umbraco.Web.Install
|
||||
@@ -33,12 +34,9 @@ namespace Umbraco.Web.Install
|
||||
/// <returns></returns>
|
||||
protected override bool AuthorizeCore(HttpContextBase httpContext)
|
||||
{
|
||||
if (httpContext == null)
|
||||
{
|
||||
throw new ArgumentNullException("httpContext");
|
||||
}
|
||||
if (httpContext == null) throw new ArgumentNullException("httpContext");
|
||||
|
||||
try
|
||||
try
|
||||
{
|
||||
//if its not configured then we can continue
|
||||
if (!_applicationContext.IsConfigured)
|
||||
@@ -47,7 +45,7 @@ namespace Umbraco.Web.Install
|
||||
}
|
||||
|
||||
//otherwise we need to ensure that a user is logged in
|
||||
var isLoggedIn = BasePage.ValidateUserContextID(BasePage.umbracoUserContextID);
|
||||
var isLoggedIn = WebSecurity.ValidateUserContextId(WebSecurity.UmbracoUserContextId);
|
||||
if (isLoggedIn)
|
||||
{
|
||||
return true;
|
||||
@@ -60,30 +58,16 @@ namespace Umbraco.Web.Install
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Override to throw exception instead of returning 401 result
|
||||
/// </summary>
|
||||
/// <param name="filterContext"></param>
|
||||
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
|
||||
{
|
||||
//they aren't authorized but the app has installed
|
||||
throw new HttpException((int)global::System.Net.HttpStatusCode.Unauthorized, "You must login to view this resource.");
|
||||
}
|
||||
|
||||
public override void OnAuthorization(AuthorizationContext filterContext)
|
||||
{
|
||||
Mandate.ParameterNotNull(filterContext, "filterContext");
|
||||
if (OutputCacheAttribute.IsChildActionCacheActive(filterContext))
|
||||
throw new InvalidOperationException("Cannot use UmbracoInstallAuthorizeAttribute on a child action");
|
||||
if (AuthorizeCore(filterContext.HttpContext))
|
||||
{
|
||||
//with a little help from dotPeek... this is what it normally would do
|
||||
var cache = filterContext.HttpContext.Response.Cache;
|
||||
cache.SetProxyMaxAge(new TimeSpan(0L));
|
||||
cache.AddValidationCallback(CacheValidateHandler, null);
|
||||
}
|
||||
else
|
||||
{
|
||||
//they aren't authorized but the app has installed
|
||||
throw new HttpException((int)global::System.Net.HttpStatusCode.Unauthorized,
|
||||
"You must login to view this resource.");
|
||||
}
|
||||
}
|
||||
|
||||
private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus)
|
||||
{
|
||||
validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));
|
||||
}
|
||||
}
|
||||
}
|
||||
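Review bot: The rewritten check in AuthorizeCore, `var isLoggedIn = WebSecurity.ValidateUserContextId(WebSecurity.UmbracoUserContextId);`, only establishes that a back-office session is valid, and the method returns true on that alone, so once the application is configured any logged-in user passes this attribute whatever their rights. If the install actions are meant for administrators only, a user-type or permission check belongs next to it; if not, record the decision in a comment such as `// any authenticated back-office user may pass once configured; no role check by design`. The branch above it lets every request through while `_applicationContext.IsConfigured` is false, which deserves an equally explicit comment because the attribute enforces nothing in that state. AuthorizeCore's try block closes outside the visible hunks, so how an exception from the validation call is handled could not be checked here.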