Merge pull request #2579 from sbwalker/dev

Suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
2023-02-03 16:10:57 -05:00 · 2023-02-03 16:10:57 -05:00 · cf2d9af664
commit cf2d9af664
parent bc8bdef37d 1f2ad4e884
3 changed files with 29 additions and 12 deletions
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@ -64,8 +64,12 @@ namespace Oqtane.Controllers
            }
            else
            {
-                _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                // suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies 
+                if (entityName != EntityNames.Visitor) 
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
            }
            return settings;
        }
@ -85,8 +89,11 @@ namespace Oqtane.Controllers
            }
            else
            {
-                _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (entityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
                return null;
            }
        }
@ -103,8 +110,11 @@ namespace Oqtane.Controllers
            }
            else
            {
-                _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (setting.EntityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
                setting = null;
            }
            return setting;
@ -122,8 +132,11 @@ namespace Oqtane.Controllers
            }
            else
            {
-                _logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (setting.EntityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
                setting = null;
            }
            return setting;
@ -142,8 +155,11 @@ namespace Oqtane.Controllers
            }
            else
            {
-                _logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (entityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
            }
        }

@ -219,10 +235,12 @@ namespace Oqtane.Controllers
                    authorized = User.IsInRole(RoleNames.Admin);
                    if (!authorized)
                    {
+                        // a visitor may have cookies disabled
                        if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
                        {
                            authorized = (visitorId == entityId);
                        }
+                        authorized = false;
                    }
                    break;
                default: // custom entity
--- a/Oqtane.Server/Pages/_Host.cshtml.cs
+++ b/Oqtane.Server/Pages/_Host.cshtml.cs
@ -20,7 +20,6 @@ using Oqtane.Enums;
 using Oqtane.Security;
 using Oqtane.Extensions;
 using Oqtane.Themes;
-using Oqtane.UI;

 namespace Oqtane.Pages
 {
--- a/Oqtane.Shared/Shared/SiteState.cs
+++ b/Oqtane.Shared/Shared/SiteState.cs
@ -8,7 +8,7 @@ namespace Oqtane.Shared
        public Alias Alias { get; set; }
        public string AntiForgeryToken { get; set; } // passed from server for use in service calls on client
        public string AuthorizationToken { get; set; } // passed from server for use in service calls on client
-        public string RemoteIPAddress { get; set; } // passed from server as cannot be reliable retrieved on client
+        public string RemoteIPAddress { get; set; } // passed from server as cannot be reliably retrieved on client


        private dynamic _properties;