From d6de99d9a04882ea791658b0b82cbc1872d2662d Mon Sep 17 00:00:00 2001
From: Paul Schneider
Date: Fri, 2 Dec 2016 13:22:39 +0100
Subject: [PATCH] estimate view authorization
---
 Yavsc/ApiControllers/PdfEstimateController.cs | 27 ++++++++++++++-----
 Yavsc/Controllers/EstimateController.cs | 12 +++++++--
 Yavsc/Startup/Startup.cs | 1 +
 Yavsc/ViewModels/Auth/BlogEditHandler.cs | 19 +++++++++++++
 Yavsc/ViewModels/Auth/BlogViewHandler.cs | 3 ++-
 Yavsc/ViewModels/Auth/EstimateViewHandler.cs | 21 +++++++-------
 Yavsc/Views/_ViewImports.cshtml | 16 ++++++-----
 7 files changed, 71 insertions(+), 28 deletions(-)
 create mode 100644 Yavsc/ViewModels/Auth/BlogEditHandler.cs
diff --git a/Yavsc/ApiControllers/PdfEstimateController.cs b/Yavsc/ApiControllers/PdfEstimateController.cs
index cba15c99..7c940bbc 100644
--- a/Yavsc/ApiControllers/PdfEstimateController.cs
+++ b/Yavsc/ApiControllers/PdfEstimateController.cs
@@ -2,32 +2,47 @@ using System.IO;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Mvc;
 using System.Web.Routing;
-using Microsoft.AspNet.Mvc.ViewComponents;
 namespace Yavsc.ApiControllers
 {
 using Models;
 using Helpers;
+ using System.Linq;
+ using Microsoft.Data.Entity;
+ using System.Threading.Tasks;
+ using Microsoft.Extensions.Logging;
 [Route("api/pdfestimate"), Authorize]
 public class PdfEstimateController : Controller
 {
 ApplicationDbContext dbContext;
+ private IAuthorizationService authorizationService;
+
+ private ILogger logger;
 public PdfEstimateController(
- IViewComponentDescriptorCollectionProvider provider,
- IViewComponentSelector selector,
- IViewComponentInvokerFactory factory,
+ IAuthorizationService authorizationService,
+ ILoggerFactory loggerFactory,
 ApplicationDbContext context)
 {
-
+ this.authorizationService = authorizationService;
 dbContext = context;
+ logger = loggerFactory.CreateLogger();
 }
 [HttpGet("get/{id}", Name = "Get"), Authorize]
- public IActionResult Get(long id)
+ public async Task Get(long id)
 {
+ var estimate = dbContext.Estimates.Include(
+ e=>e.Query
+ ).FirstOrDefault(e=>e.Id == id);
+ logger.LogWarning($"#######ESTIMATE OWNER ID {estimate.OwnerId} ########");
+ if (!await authorizationService.AuthorizeAsync(User, estimate, new ViewRequirement()))
+ {
+ return new ChallengeResult();
+ }
+
 var filename = $"estimate-{id}.pdf";
 var cd = new System.Net.Mime.ContentDisposition
diff --git a/Yavsc/Controllers/EstimateController.cs b/Yavsc/Controllers/EstimateController.cs
index e9aeaefa..f57d3216 100644
--- a/Yavsc/Controllers/EstimateController.cs
+++ b/Yavsc/Controllers/EstimateController.cs
@@ -3,6 +3,7 @@ using System.IO;
 using System.Linq;
 using System.Net.Mime;
 using System.Security.Claims;
+using System.Threading.Tasks;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Mvc;
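Review bot: `estimate` is null when no row matches `id` (the query ends in FirstOrDefault), and the new Get body dereferences it in the LogWarning call and then hands it to AuthorizeAsync as the resource, so an unknown id ends in a NullReferenceException instead of a 404; add `if (estimate == null) return HttpNotFound();` directly after the query, as EstimateController.Details already does. The LogWarning line reads as leftover debugging output — it records the owner id of every requested estimate at Warning level — and should be removed, or at most kept as a debug-level message without the `#######` decoration. Returning `new ChallengeResult()` for a caller who is already authenticated (the action carries [Authorize]) but not allowed to see this estimate leaves it to the authentication middleware to choose between a login redirect and an access-denied redirect; for an API route that serves a PDF an explicit 403 status result is the clearer outcome, and the same consideration applies to the ChallengeResult added in EstimateController.Details. Since the rewritten EstimateViewHandler compares `resource.ClientId` rather than `resource.Query.ClientId`, the `Include(e=>e.Query)` is no longer needed for the authorization check and can go unless the rest of Get, which continues outside the hunk, uses it.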
@@ -21,10 +22,13 @@ namespace Yavsc.Controllers
 private ApplicationDbContext _context;
 private SiteSettings _site;
- public EstimateController(ApplicationDbContext context, IOptions siteSettings)
+ IAuthorizationService authorizationService;
+
+ public EstimateController(ApplicationDbContext context, IAuthorizationService authorizationService, IOptions siteSettings)
 {
 _context = context;
 _site = siteSettings.Value;
+ this.authorizationService = authorizationService;
 }
 // GET: Estimate
@@ -41,7 +45,7 @@ namespace Yavsc.Controllers
 }
 // GET: Estimate/Details/5
- public IActionResult Details(long? id)
+ public async Task Details(long? id)
 {
 var uid = User.GetUserId();
 if (id == null)
@@ -62,6 +66,10 @@ namespace Yavsc.Controllers
 {
 return HttpNotFound();
 }
+ if (!await authorizationService.AuthorizeAsync(User, estimate, new ViewRequirement()))
+ {
+ return new ChallengeResult();
+ }
 return View(estimate);
 }
diff --git a/Yavsc/Startup/Startup.cs b/Yavsc/Startup/Startup.cs
index ef727716..e5be5a7c 100755
--- a/Yavsc/Startup/Startup.cs
+++ b/Yavsc/Startup/Startup.cs
@@ -181,6 +181,7 @@ namespace Yavsc
 services.AddSingleton();
 services.AddSingleton();
 services.AddSingleton();
+ services.AddSingleton();
 services.AddMvc(config =>
 {
diff --git a/Yavsc/ViewModels/Auth/BlogEditHandler.cs b/Yavsc/ViewModels/Auth/BlogEditHandler.cs
new file mode 100644
index 00000000..599d2afa
--- /dev/null
+++ b/Yavsc/ViewModels/Auth/BlogEditHandler.cs
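Review bot: The field added in the first hunk, `IAuthorizationService authorizationService;`, has no access modifier and is not readonly, and its name breaks the `_context`/`_site` convention the class already uses; declare it as `private readonly IAuthorizationService _authorizationService;` and assign `_authorizationService = authorizationService;` in the constructor, which also removes the need for `this.` to disambiguate it from the parameter. The Details action now returns `async Task` but its body lies mostly outside the hunks, so beyond the signature and the added authorization block nothing more can be checked here. The Startup hunk shows `services.AddSingleton();` with its type argument lost in this rendering, so which handler it registers is not visible from the page.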
@@ -0,0 +1,19 @@
+using System.Security.Claims;
+using Microsoft.AspNet.Authorization;
+using Yavsc.Models;
+
+namespace Yavsc.ViewModels.Auth
+{
+ public class BlogEditHandler : AuthorizationHandler
+ {
+ protected override void Handle(AuthorizationContext context, EditRequirement requirement, Blog resource)
+ {
+ if (context.User.IsInRole(Constants.BlogModeratorGroupName))
+ context.Succeed(requirement);
+ else if (context.User.Identity.IsAuthenticated)
+ if (resource.AuthorId == context.User.GetUserId())
+ context.Succeed(requirement);
+ }
+
+ }
+}
\ No newline at end of file
diff --git a/Yavsc/ViewModels/Auth/BlogViewHandler.cs b/Yavsc/ViewModels/Auth/BlogViewHandler.cs
index da4a3a6c..7a3c1dbc 100644
--- a/Yavsc/ViewModels/Auth/BlogViewHandler.cs
+++ b/Yavsc/ViewModels/Auth/BlogViewHandler.cs
@@ -8,7 +8,8 @@ namespace Yavsc.ViewModels.Auth
 {
 protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Blog resource)
 {
- if (context.User.IsInRole("Moderator"))
+ if (context.User.IsInRole(Constants.BlogModeratorGroupName)
+ || context.User.IsInRole(Constants.AdminGroupName))
 context.Succeed(requirement);
 else if (context.User.Identity.IsAuthenticated)
 if (resource.AuthorId == context.User.GetUserId())
diff --git a/Yavsc/ViewModels/Auth/EstimateViewHandler.cs b/Yavsc/ViewModels/Auth/EstimateViewHandler.cs
index b4a8dd84..04eecdd9 100644
--- a/Yavsc/ViewModels/Auth/EstimateViewHandler.cs
+++ b/Yavsc/ViewModels/Auth/EstimateViewHandler.cs
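Review bot: BlogEditHandler grants EditRequirement to Constants.BlogModeratorGroupName and to the blog's author only, while the BlogViewHandler hunk in this same commit adds Constants.AdminGroupName to the view check; if admins are meant to edit as well as view, the edit handler should test the same two roles, and if the asymmetry is deliberate a comment such as `// Admins may view blogs but only moderators and the author may edit them` should say so. The nested `else if (...) if (...)` without braces makes it easy for a later `else` to attach to the wrong `if` and hides that an authenticated non-author simply falls through; the same rule reads more plainly as one condition, `else if (context.User.Identity.IsAuthenticated && resource.AuthorId == context.User.GetUserId())`. A one-line doc comment on Handle stating the policy (blog moderators, or the author of the blog, may edit it) would let a reader check the rule without tracing the branches.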
@@ -6,20 +6,17 @@ namespace Yavsc.ViewModels.Auth
 {
 public class EstimateViewHandler : AuthorizationHandler
 {
- protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Estimate resource)
+ protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Estimate resource)
 {
- if (context.User.IsInRole("Moderator"))
- context.Succeed(requirement);
- else if (!context.User.Identity.IsAuthenticated)
- context.Fail();
- else {
- var uid = context.User.GetUserId();
- if (resource.OwnerId == uid || resource.Query.ClientId == uid)
- context.Succeed(requirement);
- else
- // TODO && ( resource.Circles == null || context.User belongs to resource.Circles )
- context.Fail();
+ if (context.User.IsInRole(Constants.AdminGroupName)
+ || context.User.IsInRole(Constants.FrontOfficeGroupName))
+ context.Succeed(requirement);
+ else if (context.User.Identity.IsAuthenticated) {
+ var uid = context.User.GetUserId();
+ if (resource.OwnerId == uid || resource.ClientId == uid)
+ context.Succeed(requirement);
+ // TODO && ( resource.Circles == null || context.User belongs to resource.Circles )
 }
 }
 }
diff --git a/Yavsc/Views/_ViewImports.cshtml b/Yavsc/Views/_ViewImports.cshtml
index d29ca532..513a301a 100755
--- a/Yavsc/Views/_ViewImports.cshtml
+++ b/Yavsc/Views/_ViewImports.cshtml
@@ -1,3 +1,11 @@
+
+@using Microsoft.AspNet.Identity;
+@using Microsoft.AspNet.Mvc;
+@using Microsoft.Extensions.Localization;
+@using Microsoft.AspNet.Mvc.Localization;
+@using Microsoft.AspNet.Authorization;
+@using Microsoft.Extensions.OptionsModel;
+@using System.Web.Optimization;
 @using Yavsc;
 @using Yavsc.Models;
 @using Yavsc.Models.Google;
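Review bot: The rewrite drops both explicit `context.Fail()` calls, so denial now rests on the requirement simply never being marked succeeded; that is the usual way to write a handler, since a Fail() would also veto any other handler for ViewRequirement, but nothing in the new body says so and the old version's explicit fails suggest the distinction matters to this project, so add `// Not calling Succeed() leaves the requirement unmet; an explicit Fail() would also veto other handlers for ViewRequirement.` above the first `if`. The role set also moves from the literal "Moderator" to Constants.AdminGroupName plus Constants.FrontOfficeGroupName, which changes who may open any estimate regardless of ownership; the commit message does not mention it, so a short comment stating why front-office members need read access to every estimate would help the next reader. The ownership test now compares `resource.ClientId` instead of `resource.Query.ClientId`, so the handler no longer depends on the Query navigation being loaded, which is worth noting in a comment because PdfEstimateController.Get still includes Query before calling AuthorizeAsync.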
@@ -8,13 +16,7 @@
 @using Yavsc.ViewModels.Account;
 @using Yavsc.ViewModels.Manage;
 @using Yavsc.ViewModels.Calendar;
-@using Microsoft.AspNet.Identity;
-@using Microsoft.AspNet.Mvc;
-@using Microsoft.Extensions.Localization;
-@using Microsoft.AspNet.Mvc.Localization;
-@using Microsoft.AspNet.Authorization;
-@using Microsoft.Extensions.OptionsModel;
-@using System.Web.Optimization;
+@using Yavsc.ViewModels.Auth;
 @inject IViewLocalizer LocString
 @addTagHelper "*, Microsoft.AspNet.Mvc.TagHelpers"