From 1f2ad4e8847e835da2371897a978fafb94707dd3 Mon Sep 17 00:00:00 2001
From: Shaun Walker
Date: Fri, 3 Feb 2023 16:12:13 -0500
Subject: [PATCH] Suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies

---
 .../Controllers/SettingController.cs | 38 ++++++++++++++-----
 Oqtane.Server/Pages/_Host.cshtml.cs | 1 -
 Oqtane.Shared/Shared/SiteState.cs | 2 +-
 3 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/Oqtane.Server/Controllers/SettingController.cs b/Oqtane.Server/Controllers/SettingController.cs
index 0938e5c0..3f38259e 100644
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@@ -64,8 +64,12 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                // suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
+                if (entityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
             }
             return settings;
         }
@@ -85,8 +89,11 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (entityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
                 return null;
             }
         }
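Review bot: The Visitor guard added in this hunk suppresses `HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;` together with the log call, so an unauthorized request for Visitor settings now completes with a success status and whatever `settings` holds, while the commit title only describes suppressing logging; the same pattern is repeated in the next four hunks of this file (single-setting read, add, update, delete). If only the log noise is the concern, keep the status-code assignment outside the `if` so callers still receive the denial. Dropping the log line entirely also removes the record of a caller presenting a visitor cookie for a different entityId, which is the case the `visitorId == entityId` check in the last hunk of this file is meant to reject; logging the Visitor case at a lower level such as `LogLevel.Information`, or only when the visitor cookie is present, would keep that signal without the error noise from cookie-less clients. The enclosing methods start and end outside the hunks.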
@@ -103,8 +110,11 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (setting.EntityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
                 setting = null;
             }
             return setting;
@@ -122,8 +132,11 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (setting.EntityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
                 setting = null;
             }
             return setting;
@@ -142,8 +155,11 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (entityName != EntityNames.Visitor)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
             }
         }
 
@@ -219,10 +235,12 @@ namespace Oqtane.Controllers
                     authorized = User.IsInRole(RoleNames.Admin);
                     if (!authorized)
                     {
+                        // a visitor may have cookies disabled
                         if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
                         {
                             authorized = (visitorId == entityId);
                         }
+                        authorized = false;
                     }
                     break;
                 default: // custom entity
diff --git a/Oqtane.Server/Pages/_Host.cshtml.cs b/Oqtane.Server/Pages/_Host.cshtml.cs
index 8b3044da..135493fc 100644
--- a/Oqtane.Server/Pages/_Host.cshtml.cs
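Review bot: In the last hunk of SettingController.cs the added `authorized = false;` runs unconditionally after the `if (int.TryParse(...))` block, so it overwrites the `authorized = (visitorId == entityId);` result and turns the cookie comparison into dead code; every non-admin Visitor request is now denied regardless of the cookie. If the intent is to treat a missing or unparsable cookie as unauthorized, `authorized` is already false on entry to the `if (!authorized)` block and the new line can simply be removed; if the intent is to stop trusting the visitor cookie altogether, the TryParse block should be removed instead so the decision is explicit rather than implied by an overwrite. Combined with the earlier hunks, a non-admin Visitor caller is now denied without a log entry or a Forbidden status, so the denial is invisible to both the client and the operator. The enclosing switch and method extend beyond the hunk.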
+++ b/Oqtane.Server/Pages/_Host.cshtml.cs
@@ -20,7 +20,6 @@ using Oqtane.Enums;
 using Oqtane.Security;
 using Oqtane.Extensions;
 using Oqtane.Themes;
-using Oqtane.UI;
 
 namespace Oqtane.Pages
 {
diff --git a/Oqtane.Shared/Shared/SiteState.cs b/Oqtane.Shared/Shared/SiteState.cs
index 411c60ab..7dcea082 100644
--- a/Oqtane.Shared/Shared/SiteState.cs
+++ b/Oqtane.Shared/Shared/SiteState.cs
@@ -8,7 +8,7 @@ namespace Oqtane.Shared
         public Alias Alias { get; set; }
         public string AntiForgeryToken { get; set; } // passed from server for use in service calls on client
         public string AuthorizationToken { get; set; } // passed from server for use in service calls on client
-        public string RemoteIPAddress { get; set; } // passed from server as cannot be reliable retrieved on client
+        public string RemoteIPAddress { get; set; } // passed from server as cannot be reliably retrieved on client
 
         private dynamic _properties;