kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2579 from sbwalker/dev

Browse Source 
Suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
This commit is contained in:
Shaun Walker 2023-02-03 16:10:57 -05:00 committed by GitHub
commit cf2d9af664
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
Oqtane.Server/Controllers/SettingController.cs
View File

@ -64,8 +64,12 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId); // suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; if (entityName != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
return settings; return settings;
} }
@ -85,8 +89,11 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id); if (entityName != EntityNames.Visitor)
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
return null; return null;
} }
} }
@ -103,8 +110,11 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting); if (setting.EntityName != EntityNames.Visitor)
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
setting = null; setting = null;
} }
return setting; return setting;
@ -122,8 +132,11 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting); if (setting.EntityName != EntityNames.Visitor)
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
setting = null; setting = null;
} }
return setting; return setting;
@ -142,8 +155,11 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting); if (entityName != EntityNames.Visitor)
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
} }
@ -219,10 +235,12 @@ namespace Oqtane.Controllers
authorized = User.IsInRole(RoleNames.Admin); authorized = User.IsInRole(RoleNames.Admin);
if (!authorized) if (!authorized)
{ {
// a visitor may have cookies disabled
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId)) if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
{ {
authorized = (visitorId == entityId); authorized = (visitorId == entityId);
} }
authorized = false;
} }
break; break;
default: // custom entity default: // custom entity

1
Oqtane.Server/Pages/_Host.cshtml.cs
View File

@ -20,7 +20,6 @@ using Oqtane.Enums;
using Oqtane.Security; using Oqtane.Security;
using Oqtane.Extensions; using Oqtane.Extensions;
using Oqtane.Themes; using Oqtane.Themes;
using Oqtane.UI;
namespace Oqtane.Pages namespace Oqtane.Pages
{ {

2
Oqtane.Shared/Shared/SiteState.cs
View File

@ -8,7 +8,7 @@ namespace Oqtane.Shared
public Alias Alias { get; set; } public Alias Alias { get; set; }
public string AntiForgeryToken { get; set; } // passed from server for use in service calls on client public string AntiForgeryToken { get; set; } // passed from server for use in service calls on client
public string AuthorizationToken { get; set; } // passed from server for use in service calls on client public string AuthorizationToken { get; set; } // passed from server for use in service calls on client
public string RemoteIPAddress { get; set; } // passed from server as cannot be reliable retrieved on client public string RemoteIPAddress { get; set; } // passed from server as cannot be reliably retrieved on client
private dynamic _properties; private dynamic _properties;