Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Scope permissions by SiteId to support entity level authorization as well as improve caching and performance. Optimize GetTenant to use existing cache.

Browse Source
This commit is contained in:
Shaun Walker
2022-11-07 18:16:32 -05:00
parent 2aa6eb90e2
commit 6182b96d16
19 changed files with 103 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
Oqtane.Server/Security/PermissionHandler.cs
View File

@ -2,6 +2,7 @@ using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Oqtane.Enums;
using Oqtane.Extensions;
using Oqtane.Infrastructure;
using Oqtane.Shared;
@ -9,24 +10,30 @@ namespace Oqtane.Security
{
public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
private readonly IHttpContextAccessor _httpContextAccessor;
private readonly IHttpContextAccessor _accessor;
private readonly IUserPermissions _userPermissions;
private readonly ILogManager _logger;
public PermissionHandler(IHttpContextAccessor httpContextAccessor, IUserPermissions userPermissions, ILogManager logger)
public PermissionHandler(IHttpContextAccessor accessor, IUserPermissions userPermissions, ILogManager logger)
{
_httpContextAccessor = httpContextAccessor;
_accessor = accessor;
_userPermissions = userPermissions;
_logger = logger;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
{
// permission is scoped based on entitynames and ids passed as querystring parameters
var ctx = _httpContextAccessor.HttpContext;
// permission is scoped based on entity name and in some cases entity id
var ctx = _accessor.HttpContext;
if (ctx != null)
{
// get entityid based on a parameter format of auth{entityname}id (ie. authmoduleid )
int siteId = -1;
if (ctx.GetAlias() != null)
{
siteId = ctx.GetAlias().SiteId;
}
// get entityid from querystring based on a parameter format of auth{entityname}id (ie. authmoduleid )
int entityId = -1;
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
{
@ -36,7 +43,7 @@ namespace Oqtane.Security
}
}
// legacy support
// legacy support for deprecated CreateAuthorizationPolicyUrl(string url, int entityId)
if (entityId == -1)
{
if (ctx.Request.Query.ContainsKey("entityid"))
@ -49,13 +56,20 @@ namespace Oqtane.Security
}
// validate permissions
if (entityId != -1 && _userPermissions.IsAuthorized(context.User, requirement.EntityName, entityId, requirement.PermissionName))
if (_userPermissions.IsAuthorized(context.User, siteId, requirement.EntityName, entityId, requirement.PermissionName))
{
context.Succeed(requirement);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName}:{EntityId}", context.User, requirement.PermissionName, requirement.EntityName, entityId);
if (entityId == -1)
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName} Entity", context.User.Identity.Name, requirement.PermissionName, requirement.EntityName);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName} Entity With ID {EntityId}", context.User.Identity.Name, requirement.PermissionName, requirement.EntityName, entityId);
}
}
}
return Task.CompletedTask;