Merge pull request #2579 from sbwalker/dev

Suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
This commit is contained in:
Shaun Walker 2023-02-03 16:10:57 -05:00 committed by GitHub
commit cf2d9af664
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 12 deletions


@ -63,10 +63,14 @@ namespace Oqtane.Controllers
} }
} }
else else
{
// suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
if (entityName != EntityNames.Visitor)
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId); _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
}
return settings; return settings;
} }
@ -84,9 +88,12 @@ namespace Oqtane.Controllers
return setting; return setting;
} }
else else
{
if (entityName != EntityNames.Visitor)
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id); _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
return null; return null;
} }
} }
@ -102,9 +109,12 @@ namespace Oqtane.Controllers
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Setting Added {Setting}", setting); _logger.Log(LogLevel.Information, this, LogFunction.Create, "Setting Added {Setting}", setting);
} }
else else
{
if (setting.EntityName != EntityNames.Visitor)
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting); _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
setting = null; setting = null;
} }
return setting; return setting;
@ -121,9 +131,12 @@ namespace Oqtane.Controllers
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Setting Updated {Setting}", setting); _logger.Log(LogLevel.Information, this, LogFunction.Update, "Setting Updated {Setting}", setting);
} }
else else
{
if (setting.EntityName != EntityNames.Visitor)
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting); _logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
setting = null; setting = null;
} }
return setting; return setting;
@ -141,11 +154,14 @@ namespace Oqtane.Controllers
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Setting Deleted {Setting}", setting); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Setting Deleted {Setting}", setting);
} }
else else
{
if (entityName != EntityNames.Visitor)
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting); _logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
}
// DELETE api/<controller>/clear // DELETE api/<controller>/clear
[HttpDelete("clear")] [HttpDelete("clear")]
@ -219,10 +235,12 @@ namespace Oqtane.Controllers
authorized = User.IsInRole(RoleNames.Admin); authorized = User.IsInRole(RoleNames.Admin);
if (!authorized) if (!authorized)
{ {
// a visitor may have cookies disabled
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId)) if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
{ {
authorized = (visitorId == entityId); authorized = (visitorId == entityId);
} }
authorized = false;
} }
break; break;
default: // custom entity default: // custom entity
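Review bot: In every hunk the `HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;` assignment sits inside the new `if (entityName != EntityNames.Visitor)` guard, so an unauthorized request against a Visitor setting now answers 200 with a null or empty body instead of 403, which a client cannot tell apart from a successful read of nothing. Only the `_logger.Log(...)` call needs the guard; keep the status line outside it, e.g. `if (entityName != EntityNames.Visitor) { _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId); }` followed by an unconditional `HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;`. Dropping the log entirely also removes the audit signal for a client that probes other visitors' settings by varying entityId; logging at Debug or Information rather than Error would cut the cookie-less noise without losing that trail. In the IsAuthorized hunk the `authorized = false;` line after the cookie check is printed once, so its side is not recoverable from this page; if it is on the new side it unconditionally overrides the `visitorId == entityId` result and should be removed. The enclosing methods start and end outside these hunks.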


@ -20,7 +20,6 @@ using Oqtane.Enums;
using Oqtane.Security; using Oqtane.Security;
using Oqtane.Extensions; using Oqtane.Extensions;
using Oqtane.Themes; using Oqtane.Themes;
using Oqtane.UI;
namespace Oqtane.Pages namespace Oqtane.Pages
{ {


@ -8,7 +8,7 @@ namespace Oqtane.Shared
public Alias Alias { get; set; } public Alias Alias { get; set; }
public string AntiForgeryToken { get; set; } // passed from server for use in service calls on client public string AntiForgeryToken { get; set; } // passed from server for use in service calls on client
public string AuthorizationToken { get; set; } // passed from server for use in service calls on client public string AuthorizationToken { get; set; } // passed from server for use in service calls on client
public string RemoteIPAddress { get; set; } // passed from server as cannot be reliable retrieved on client public string RemoteIPAddress { get; set; } // passed from server as cannot be reliably retrieved on client
private dynamic _properties; private dynamic _properties;