kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2579 from sbwalker/dev

Browse Source 
Suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
This commit is contained in:
Shaun Walker 2023-02-03 16:10:57 -05:00 committed by GitHub
commit cf2d9af664
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Oqtane.Server/Controllers/SettingController.cs
View File

@ -63,10 +63,14 @@ namespace Oqtane.Controllers
}
}
else
{
// suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies
if (entityName != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
return settings;
}
@ -84,9 +88,12 @@ namespace Oqtane.Controllers
return setting;
}
else
{
if (entityName != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
return null;
}
}
@ -102,9 +109,12 @@ namespace Oqtane.Controllers
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Setting Added {Setting}", setting);
}
else
{
if (setting.EntityName != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
setting = null;
}
return setting;
@ -121,9 +131,12 @@ namespace Oqtane.Controllers
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Setting Updated {Setting}", setting);
}
else
{
if (setting.EntityName != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
setting = null;
}
return setting;
@ -141,11 +154,14 @@ namespace Oqtane.Controllers
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Setting Deleted {Setting}", setting);
}
else
{
if (entityName != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
}
// DELETE api/<controller>/clear
[HttpDelete("clear")]
@ -219,10 +235,12 @@ namespace Oqtane.Controllers
authorized = User.IsInRole(RoleNames.Admin);
if (!authorized)
{
// a visitor may have cookies disabled
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
{
authorized = (visitorId == entityId);
}
authorized = false;
}
break;
default: // custom entity

1
Oqtane.Server/Pages/_Host.cshtml.cs
View File

@ -20,7 +20,6 @@ using Oqtane.Enums;
using Oqtane.Security;
using Oqtane.Extensions;
using Oqtane.Themes;
using Oqtane.UI;
namespace Oqtane.Pages
{

2
Oqtane.Shared/Shared/SiteState.cs
View File

@ -8,7 +8,7 @@ namespace Oqtane.Shared
public Alias Alias { get; set; }
public string AntiForgeryToken { get; set; } // passed from server for use in service calls on client
public string AuthorizationToken { get; set; } // passed from server for use in service calls on client
public string RemoteIPAddress { get; set; } // passed from server as cannot be reliable retrieved on client
public string RemoteIPAddress { get; set; } // passed from server as cannot be reliably retrieved on client
private dynamic _properties;