c# - How to separate authorization logic from controller action? -

-

given following code:

public class backupscontroller : apicontroller {     private readonly iapicontext context;     private readonly ibackupservice backupservice;      public backupscontroller(iapicontext context, ibackupservice backupservice)     {         this.context = context;         this.backupservice = backupservice;     }      public httpresponsemessage get(guid id)     {         if (id == guid.empty)         {             throw new httpresponseexception(httpstatuscode.badrequest);         }          ibackupview backup = backupservice.get(id);          if (backup == null)         {             return request.createerrorresponse(httpstatuscode.notfound, string.format("backupid '{0}' not found.", id));         }          if (!isauthorizedforbackup(backup))         {             throw new httpresponseexception(httpstatuscode.forbidden);         }          return request.createresponse(httpstatuscode.ok, backup);     }      private bool isauthorizedforbackup(ibackupview backup)     {         if (context.principal.isinrole(membershiprole.admin))         {             return true;         }          if (context.principal.allowdatasharing && backup.userid == context.principal.userid)         {             return true;         }          if (backup.userid == context.principal.userid && backup.device.uuid == context.deviceuuid)         {             return true;         }          return false;     } }

does make sense extract of method body authorization filter? don't see way without retrieving backup twice.

how go separating authorization concerns controller action?

in order separate security logic controller logic prefer use http headers carry security tokens between browser , controller , check header value in custom authorizeattribute

for example;

in beforesend function of jquery's ajax function set security token (which taken server, see below)

beforesend: function (xhr) {     xhr.setrequestheader('requesttoken', model.requesttoken); }

check token in custom authorizeattribute

public class authattribute : authorizeattribute {     public override void onauthorization(httpactioncontext actioncontext)     {         var token = httpcontext.current.request.headers["requesttoken"];         // authorization based on token     } }

decorate controller, actions require authorization, custom [auth] attribute, like:

[auth] public class somecontroller : apicontroller

we can send new token client again using http headers

httpcontext.current.response.headers["requesttoken"] = guid.newguid();

and @ client-side can store in success function of jquery's ajax function sending in request

success: function (res, status, xhr) {     model.requesttoken = xhr.getresponseheader('requesttoken'); }

this may not handle situation main idea carrying (preferably encrypted) security data in http headers , dealing security things in custom authorizeattribute


Comments

Post a Comment

Popular posts from this blog

android - getbluetoothservice() called with no bluetoothmanagercallback -

-
i getting getbluetoothservice() called no bluetoothmanagercallback error in android application. i have no idea causing or bluetooth manager callbacks. can give me idea of causing problem or start looking. by reading android source code, seems warning cannot about. source code shows if call bluetoothsocket#connect(); then call bluetoothadapter.getdefaultadapter().getbluetoothservice(null); the key here, null parameter passes in above line. due this, there no callback, , bluetoothsocket class throw out warning. since warning, not think need it. https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/bluetooth/bluetoothsocket.java line 306 https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/bluetooth/bluetoothadapter.java line 1610
Read more

sql - ASP.NET SqlDataSource, like on SelectCommand -

-
i'm working on asp.net. have sqldatasource query hardcoded on selectcommand: <asp:sqldatasource id="datasource1" runat="server" cancelselectonnullparameter="false" connectionstring="<%$ connectionstrings:s.properties.settings.connectionstring %>" selectcommand="select * [table] ([col1] case @col1_param when null col1 else @col1_param end) , ([col2] case @col2_param when null col2 else @col2_param end)" selectcommandtype="text"> <selectparameters> <asp:controlparameter controlid="textbox1" name="col1_param" propertyname="text" type="string" /> <asp:controlparameter controlid="textbox2" name="col2_param" propertyname="text" type="string" /> </selectparameters> what want if enter data on 1 textbox only, data display according textbox
Read more

ios - Undefined symbols for architecture armv7: "_OBJC_CLASS_$_SSZipArchive" -

-
i try using extractzipfile plugin @ this: https://github.com/phonegap/phonegap-plugins/tree/master/ios/extractzipfile but when compiler xcode 4.6.1 in sdk 6.1 throws error: undefined symbols architecture i386: "_objc_class_$_ssziparchive", referenced from: objc-class-ref in extractzipfileplugin.o ld: symbol(s) not found architecture i386 clang: error: linker command failed exit code 1 (use -v see invocation) i try issue @ here: undefined symbols architecture armv7 ssziparchive but shows error: /users/alienware/desktop/extractzipfile/ssziparchive/tests/ssziparchivetests.m:10:9: 'sentestingkit/sentestingkit.h' file not found i work phonegap , make app in ios, dump. update : try add ssziparchive.m compiler source , come new error: undefined symbols architecture i386: "_unzclose", referenced from: +[ssziparchive unzipfileatpath:todestination:overwrite:password:error:delegate:] in ssziparchive.o "_unzclosecurrentfil
Read more