jeudi 21 janvier 2016

Asp.net MVC Authorize Attribute not working Anonymous users can see contents

I have the following code for a simple asp.net mvc authentication

[ExcludeFromCodeCoverage]
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
            });
        }
    }

global.asax app start

 protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            BundleConfig.RegisterBundles(BundleTable.Bundles);

            //Ejecuta la inicializacion de la base de datos
            Database.SetInitializer<ComisionesContext>(new ComisionesInitializer());
            GlobalConfiguration.Configuration.Formatters.XmlFormatter.SupportedMediaTypes.Clear();

             UnityConfig.RegisterComponents();

            AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
        }

unityconfig

[ExcludeFromCodeCoverage]
    public static class UnityConfig
    {
        public static void RegisterComponents()
        {
            var container = new UnityContainer();

            // register all your components with the container here
            // it is NOT necessary to register your controllers

            // e.g. container.RegisterType<ITestService, TestService>();
            container.RegisterType<IAuthenticationManager>(new InjectionFactory(o => HttpContext.Current.GetOwinContext().Authentication));
            container.RegisterType<IAccount, Account>();

            DependencyResolver.SetResolver(new UnityDependencyResolver(container));
        }
    }

Then, our view which should be protected from anonymous users.

 @model List<xx.Models.TipoDeCanal>
@using PowerData.Comisiones.Models
@{
    ViewBag.Title = "Tipos de Canal";
}

<h2>Tipos de Canal</h2>

@(Html.Kendo().Grid<TipoDeCanal>()
    .Name("Grid")
    .Columns(columns =>
    {
        columns.Bound(p => p.Nombre).Title("Nombre");
        columns.Bound(p => p.Descripcion).Title("Descripcion");
        columns.Command(command => { command.Edit(); command.Destroy(); });
    })
    .ToolBar(toolbar => toolbar.Create())   
    .Editable(editable => editable.Mode(GridEditMode.PopUp))
    .Pageable()
    .Sortable()
    .Scrollable(scr => scr.Height(430))
    .Filterable()  
    .DataSource(dataSource => dataSource
        .WebApi()
        //.Ajax()
        //.ServerOperation(false)
        .PageSize(20)
        .Events(events => events.Error("error_handler"))
        .Model(model =>
        {
            model.Id(p => p.ID);
            model.Field(p => p.ID).Editable(false);
        })
        .Create(create => create.Url(Url.HttpRouteUrl("DefaultApi", new { controller = "TipoDeCanales" }))) // Action invoked when the user saves a new data item
            .Read(read => read.Url(Url.HttpRouteUrl("DefaultApi", new { controller = "TipoDeCanales" }))) // Action invoked when the grid needs data
            .Update(update => update.Url(Url.HttpRouteUrl("DefaultApi", new { controller = "TipoDeCanales", id = "{0}" })))  // Action invoked when the user saves an updated data item
            .Destroy(destroy => destroy.Url(Url.HttpRouteUrl("DefaultApi", new { controller = "TipoDeCanales", id = "{0}" }))) // Action invoked when the user removes a data item

        //.Create(update => update.Action("Create", "TipoDeCanales"))
        //.Read(read => read.Action("Read", "TipoDeCanales"))
        //.Update(update => update.Action("Edit", "TipoDeCanales"))
        //.Destroy(update => update.Action("Delete", "TipoDeCanales"))
    )
)
<script type="text/javascript">
    function error_handler(e) {
        if (e.errors) {
            var message = "Errors:\n";
            $.each(e.errors, function (key, value) {
                if ('errors' in value) {
                    $.each(value.errors, function () {
                        message += this + "\n";
                    });
                }
            });
            toastr.error(message)
            //alert(message);
        }
    }
</script>

the main controller with the authorize attribute\

 [Authorize]
    public class TipoDeCanalesController : GenericController
    {
        public System.Web.Mvc.ActionResult Index()
        {
            ViewBag.Message = "Welcome to ASP.NET MVC!";
            return View();
        }
    }

and the api controller also have the authorize attribute

[System.Web.Mvc.Authorize]
    public class TipoDeCanalesController : GenericApiController
    {
        private UnitOfWork unitOfWork = new UnitOfWork();

        // GET api/TipoDeCanal/5
        public TipoDeCanal GetTipoDeCanal(int id)
        {
            TipoDeCanal tipoDeCanal = unitOfWork.TipoDeCanalRepository.GetByID(id);
            if (tipoDeCanal == null)
            {
                throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.NotFound));
            }

            return tipoDeCanal;
        }

        // GET api/TiposDeCanal
        public DataSourceResult GetTiposDeCanal([System.Web.Http.ModelBinding.ModelBinder(typeof(WebApiDataSourceRequestModelBinder))]DataSourceRequest request)
        {
            TipoDeCanal[] tiposDeCanal = unitOfWork.TipoDeCanalRepository.Get().ToArray();
            DataSourceResult result = tiposDeCanal.ToDataSourceResult(request);
            return result;
        }

        // PUT api/TipoDeCanal/            edit
        public HttpResponseMessage PutTipoDeCanal(int id, TipoDeCanal tipoDeCanal)
        {
            if (!ModelState.IsValid)
            {
                return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
            }

            if (id != tipoDeCanal.ID)
            {
                return Request.CreateResponse(HttpStatusCode.BadRequest);
            }

            try
            {
                unitOfWork.TipoDeCanalRepository.Update(tipoDeCanal);
                unitOfWork.Save();
            }
            catch (DbUpdateConcurrencyException ex)
            {
                return Request.CreateErrorResponse(HttpStatusCode.NotFound, ex);
            }

            return Request.CreateResponse(HttpStatusCode.OK);
        }

        // POST api/TiposDeCanal   add
        public HttpResponseMessage PostTipoDeCanal(TipoDeCanal tipoDeCanal)
        {
            if (ModelState.IsValid)
            {
                unitOfWork.TipoDeCanalRepository.Insert(tipoDeCanal);
                unitOfWork.Save();

                DataSourceResult result = new DataSourceResult
                {
                    Data = new[] { tipoDeCanal },
                    Total = 1
                };
                HttpResponseMessage response = Request.CreateResponse(HttpStatusCode.Created, result);
                response.Headers.Location = new Uri(Url.Link("DefaultApi", new {Controller="TipoDeCanalesController", id = tipoDeCanal.ID}));
                return response;
            }
            else
            {
                return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
            }
        }

        // DELETE api/TipoDeCanal/5
        public HttpResponseMessage DeleteTipoDeCanal(int id)
            {
            TipoDeCanal tipoDeCanal= unitOfWork.TipoDeCanalRepository.GetByID(id);
            if (tipoDeCanal == null)
            {
                return Request.CreateResponse(HttpStatusCode.NotFound);
            }

            unitOfWork.TipoDeCanalRepository.Delete(tipoDeCanal.ID);           

            try
            {
                unitOfWork.Save();
            }
            catch (DbUpdateConcurrencyException ex)
            {
                return Request.CreateErrorResponse(HttpStatusCode.NotFound, ex);
            }

            return Request.CreateResponse(HttpStatusCode.OK, tipoDeCanal);
        }   

        protected override void Dispose(bool disposing)
        {
            unitOfWork.Dispose();
            base.Dispose(disposing);
        }
    }

However, as an anonymous user when I go to htttp://localhost/TiposDeCanales

which executes the Index action of that controller, the user can still see the contents of the page and the records in the database.

Aucun commentaire:

Enregistrer un commentaire