From 62a67e9a7be2d87ecbfcf666be022b118b887cac Mon Sep 17 00:00:00 2001
From: Sebastien Ros
Date: Fri, 24 Feb 2012 17:51:25 -0800
Subject: [PATCH] #18455: Fixing XmlRpc front end access

Work Item: 18455

--HG--
branch : 1.x
---
 .../Core/XmlRpc/Controllers/HomeController.cs | 2 ++
 .../Controllers/LiveWriterController.cs | 2 ++
 .../Controllers/AccountController.cs | 9 ++++++
 .../Orchard.Users/Orchard.Users.csproj | 1 -
 .../Security/AccessFrontEndFilter.cs | 32 -------------------
 src/Orchard/Orchard.Framework.csproj | 1 +
 .../Security/AlwaysAccessibleAttribute.cs | 10 ++++++
 src/Orchard/Security/SecurityFilter.cs | 20 ++++++++++--
 src/Orchard/Security/UnauthorizedException.cs | 9 ------
 9 files changed, 41 insertions(+), 45 deletions(-)
 delete mode 100644 src/Orchard.Web/Modules/Orchard.Users/Security/AccessFrontEndFilter.cs
 create mode 100644 src/Orchard/Security/AlwaysAccessibleAttribute.cs
 delete mode 100644 src/Orchard/Security/UnauthorizedException.cs

diff --git a/src/Orchard.Web/Core/XmlRpc/Controllers/HomeController.cs b/src/Orchard.Web/Core/XmlRpc/Controllers/HomeController.cs
index a56c62017..492efef20 100644
--- a/src/Orchard.Web/Core/XmlRpc/Controllers/HomeController.cs
+++ b/src/Orchard.Web/Core/XmlRpc/Controllers/HomeController.cs
@@ -6,6 +6,7 @@ using System.Web.Mvc;
 using Orchard.Core.XmlRpc.Models;
 using Orchard.Core.XmlRpc.Services;
 using Orchard.Logging;
+using Orchard.Security;
 
 namespace Orchard.Core.XmlRpc.Controllers {
 public class HomeController : Controller {
@@ -24,6 +25,7 @@ namespace Orchard.Core.XmlRpc.Controllers {
 public ILogger Logger { get; set; }
 
 [HttpPost, ActionName("Index")]
+ [AlwaysAccessible]
 public ActionResult ServiceEndpoint(XRpcMethodCall methodCall) {
 Logger.Debug("XmlRpc methodName {0}", methodCall.MethodName);
 var methodResponse = Dispatch(methodCall);
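Review bot: `[AlwaysAccessible]` on `ServiceEndpoint` lifts the AccessFrontEnd permission gate from the XML-RPC endpoint, but nothing at the attribute records why that is acceptable; the dispatched XML-RPC methods presumably validate the caller's credentials themselves, yet this hunk does not show it. A one-line comment above the attribute would keep the trust boundary visible to the next reader: `// Exempt from the AccessFrontEnd check: XML-RPC calls carry their own credentials and must be authorized per method by the dispatched handler.` The body of ServiceEndpoint and the Dispatch it calls continue past the hunk, so that assumption should be confirmed against Dispatch before the comment is committed.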
diff --git a/src/Orchard.Web/Core/XmlRpc/Controllers/LiveWriterController.cs b/src/Orchard.Web/Core/XmlRpc/Controllers/LiveWriterController.cs
index 4b3f0885a..3c8daff1a 100644
--- a/src/Orchard.Web/Core/XmlRpc/Controllers/LiveWriterController.cs
+++ b/src/Orchard.Web/Core/XmlRpc/Controllers/LiveWriterController.cs
@@ -4,6 +4,7 @@ using System.Web;
 using System.Web.Mvc;
 using System.Xml.Linq;
 using Orchard.Logging;
+using Orchard.Security;
 
 namespace Orchard.Core.XmlRpc.Controllers {
 public class LiveWriterController : Controller {
@@ -18,6 +19,7 @@ namespace Orchard.Core.XmlRpc.Controllers {
 protected ILogger Logger { get; set; }
 
 [NoCache]
+ [AlwaysAccessible]
 public ActionResult Manifest() {
 Logger.Debug("Manifest requested");
 
diff --git a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
index e0b9ec2d8..c7a78576d 100644
--- a/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
+++ b/src/Orchard.Web/Modules/Orchard.Users/Controllers/AccountController.cs
@@ -47,6 +47,7 @@ namespace Orchard.Users.Controllers {
 public ILogger Logger { get; set; }
 public Localizer T { get; set; }
 
+ [AlwaysAccessible]
 public ActionResult AccessDenied() {
 var returnUrl = Request.QueryString["ReturnUrl"];
 var currentUser = _authenticationService.GetAuthenticatedUser();
@@ -68,6 +69,7 @@ namespace Orchard.Users.Controllers {
 return View();
 }
 
+ [AlwaysAccessible]
 public ActionResult LogOn() {
 if (_authenticationService.GetAuthenticatedUser() != null)
 return Redirect("~/");
@@ -77,6 +79,7 @@ namespace Orchard.Users.Controllers {
 }
 
 [HttpPost]
+ [AlwaysAccessible]
 [SuppressMessage("Microsoft.Design", "CA1054:UriParametersShouldNotBeStrings", Justification = "Needs to take same parameter type as Controller.Redirect()")]
 public ActionResult LogOn(string userNameOrEmail, string password, string returnUrl) {
 
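Review bot: `[AlwaysAccessible]` is repeated on every AccountController action, starting with `AccessDenied` and `LogOn` here and continuing through `Register`, `RequestLostPassword` and `ChangePassword` in the later hunks, which is the same per-action list the deleted FrontEndFilter hard-coded, now spread over nine attribute sites. The attribute is declared with `AttributeTargets.Class`, so a single `[AlwaysAccessible]` on the `AccountController` class would state the intent once and cannot drift when a new action is added; this only works if SecurityFilter.OnAuthorization also inspects the ControllerDescriptor, which the version in this commit does not do. If the per-action form is kept deliberately, a short comment on the class saying so (e.g. `// Every public action is exempt from AccessFrontEnd so login and recovery pages work for anonymous visitors.`) would prevent a later maintainer from "fixing" the repetition.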
@@ -110,6 +113,7 @@ namespace Orchard.Users.Controllers {
 }
 }
 
+ [AlwaysAccessible]
 public ActionResult Register() {
 // ensure users can register
 var registrationSettings = _orchardServices.WorkContext.CurrentSite.As();
@@ -124,6 +128,7 @@ namespace Orchard.Users.Controllers {
 }
 
 [HttpPost]
+ [AlwaysAccessible]
 public ActionResult Register(string userName, string email, string password, string confirmPassword) {
 // ensure users can register
 var registrationSettings = _orchardServices.WorkContext.CurrentSite.As();
@@ -169,6 +174,7 @@ namespace Orchard.Users.Controllers {
 return new ShapeResult(this, shape);
 }
 
+ [AlwaysAccessible]
 public ActionResult RequestLostPassword() {
 // ensure users can request lost password
 var registrationSettings = _orchardServices.WorkContext.CurrentSite.As();
@@ -180,6 +186,7 @@ namespace Orchard.Users.Controllers {
 }
 
 [HttpPost]
+ [AlwaysAccessible]
 public ActionResult RequestLostPassword(string username) {
 // ensure users can request lost password
 var registrationSettings = _orchardServices.WorkContext.CurrentSite.As();
@@ -200,6 +207,7 @@ namespace Orchard.Users.Controllers {
 }
 
 [Authorize]
+ [AlwaysAccessible]
 public ActionResult ChangePassword() {
 ViewData["PasswordLength"] = MinPasswordLength;
 
@@ -208,6 +216,7 @@
 
 [Authorize]
 [HttpPost]
+ [AlwaysAccessible]
 [SuppressMessage("Microsoft.Design", "CA1031:DoNotCatchGeneralExceptionTypes", Justification = "Exceptions result in password not being changed.")]
 public ActionResult ChangePassword(string currentPassword, string newPassword, string confirmPassword) {
 
diff --git a/src/Orchard.Web/Modules/Orchard.Users/Orchard.Users.csproj b/src/Orchard.Web/Modules/Orchard.Users/Orchard.Users.csproj
index bfa65efe0..39a73306b 100644
--- a/src/Orchard.Web/Modules/Orchard.Users/Orchard.Users.csproj
+++ b/src/Orchard.Web/Modules/Orchard.Users/Orchard.Users.csproj
@@ -72,7 +72,6 @@
-
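Review bot: Both `ChangePassword` actions now carry `[Authorize]` and `[AlwaysAccessible]` side by side, and the combination reads as contradictory until one knows that the two attributes gate different things: `[Authorize]` still requires an authenticated user, while `[AlwaysAccessible]` only exempts the action from the AccessFrontEnd permission check in SecurityFilter. A comment above the first of the two attribute stacks would save the next reader the trip to SecurityFilter, e.g. `// [Authorize] still applies; [AlwaysAccessible] only lifts the AccessFrontEnd permission so authenticated users without front-end access can still change their password.` The same explanation covers the POST overload in the following hunk, whose method body continues outside this hunk.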
diff --git a/src/Orchard.Web/Modules/Orchard.Users/Security/AccessFrontEndFilter.cs b/src/Orchard.Web/Modules/Orchard.Users/Security/AccessFrontEndFilter.cs
deleted file mode 100644
index 6fbf9ef1d..000000000
--- a/src/Orchard.Web/Modules/Orchard.Users/Security/AccessFrontEndFilter.cs
+++ /dev/null
@@ -1,32 +0,0 @@
-using System.Web.Mvc;
-using Orchard.Localization;
-using Orchard.Mvc.Filters;
-using Orchard.Security;
-using Orchard.UI.Admin;
-
-namespace Orchard.Users.Security {
- public class FrontEndFilter : FilterProvider, IAuthorizationFilter {
- private readonly IAuthorizer _authorizer;
-
- public FrontEndFilter(IAuthorizer authorizer) {
- _authorizer = authorizer;
- T = NullLocalizer.Instance;
- }
-
- public Localizer T { get; set; }
-
- public void OnAuthorization(AuthorizationContext filterContext) {
-
- var isAuthPage = (filterContext.ActionDescriptor.ActionName == "LogOn"
- || filterContext.ActionDescriptor.ActionName == "ChangePassword"
- || filterContext.ActionDescriptor.ActionName == "AccessDenied"
- || filterContext.ActionDescriptor.ActionName == "Register"
- || filterContext.ActionDescriptor.ActionName == "RequestLostPassword")
- && filterContext.ActionDescriptor.ControllerDescriptor.ControllerName == "Account";
-
- if (!AdminFilter.IsApplied(filterContext.RequestContext) && !isAuthPage && !_authorizer.Authorize(StandardPermissions.AccessFrontEnd)) {
- filterContext.Result = new HttpUnauthorizedResult();
- }
- }
- }
-}
diff --git a/src/Orchard/Orchard.Framework.csproj b/src/Orchard/Orchard.Framework.csproj
index 29416ff40..a17d8f1c5 100644
--- a/src/Orchard/Orchard.Framework.csproj
+++ b/src/Orchard/Orchard.Framework.csproj
@@ -253,6 +253,7 @@
+
diff --git a/src/Orchard/Security/AlwaysAccessibleAttribute.cs b/src/Orchard/Security/AlwaysAccessibleAttribute.cs
new file mode 100644
index 000000000..8403063a1
--- /dev/null
+++ b/src/Orchard/Security/AlwaysAccessibleAttribute.cs
@@ -0,0 +1,10 @@
+using System;
+
+namespace Orchard.Security {
+ ///
+ /// Applied on a Controller or an Action, will prevent any action from being filtered by AccessFrontEnd permssion
+ ///
+ [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
+ public class AlwaysAccessibleAttribute : Attribute {
+ }
+}
diff --git a/src/Orchard/Security/SecurityFilter.cs b/src/Orchard/Security/SecurityFilter.cs
index 710e6aee1..cb3f47a1e 100644
--- a/src/Orchard/Security/SecurityFilter.cs
+++ b/src/Orchard/Security/SecurityFilter.cs
@@ -1,17 +1,31 @@
-using System.Web.Mvc;
+using System.Linq;
+using System.Web.Mvc;
 using JetBrains.Annotations;
 using Orchard.Logging;
 using Orchard.Mvc.Filters;
+using Orchard.UI.Admin;
 
 namespace Orchard.Security {
 [UsedImplicitly]
- public class SecurityFilter : FilterProvider, IExceptionFilter {
- public SecurityFilter() {
+ public class SecurityFilter : FilterProvider, IExceptionFilter, IAuthorizationFilter {
+ private readonly IAuthorizer _authorizer;
+
+ public SecurityFilter(IAuthorizer authorizer) {
+ _authorizer = authorizer;
 Logger = NullLogger.Instance;
 }
 
 public ILogger Logger { get; set; }
 
+ public void OnAuthorization(AuthorizationContext filterContext) {
+
+ var accessFrontEnd = filterContext.ActionDescriptor.GetCustomAttributes(typeof (AlwaysAccessibleAttribute), true).Any();
+
+ if (!AdminFilter.IsApplied(filterContext.RequestContext) && !accessFrontEnd && !_authorizer.Authorize(StandardPermissions.AccessFrontEnd)) {
+ filterContext.Result = new HttpUnauthorizedResult();
+ }
+ }
+
 public void OnException(ExceptionContext filterContext) {
 if (!(filterContext.Exception is OrchardSecurityException)) return;
 
diff --git a/src/Orchard/Security/UnauthorizedException.cs b/src/Orchard/Security/UnauthorizedException.cs
deleted file mode 100644
index e572cf65f..000000000
--- a/src/Orchard/Security/UnauthorizedException.cs
+++ /dev/null
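Review bot: The summary on `AlwaysAccessibleAttribute` misspells "permission" as "permssion" and does not say which check is bypassed or which are not, which matters for an attribute that widens access. A more precise summary would be: `/// Marks a controller or action as exempt from the AccessFrontEnd permission check performed by SecurityFilter. Other authorization filters, such as [Authorize], still apply.` The `<summary>` tags appear to have been lost in this rendering of the patch, so the XML structure should be verified in the file itself.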
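Review bot: `OnAuthorization` only calls `GetCustomAttributes` on `filterContext.ActionDescriptor`, so an `[AlwaysAccessible]` placed on a controller class — which the attribute's `AttributeTargets.Class` usage and its summary both invite — is never seen, and every action of that controller is still blocked for users without AccessFrontEnd. The check should also consult the controller descriptor: `var accessFrontEnd = filterContext.ActionDescriptor.IsDefined(typeof(AlwaysAccessibleAttribute), true)` followed by `|| filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AlwaysAccessibleAttribute), true);`, after which the added `using System.Linq;` is no longer needed. The failure mode is fail-closed (a 401 rather than an open endpoint), so this is a functional gap rather than an exposure, but it silently contradicts the attribute's contract. The rest of OnException continues outside the hunk.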
@@ -1,9 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-
-namespace Orchard.Security {
- public class UnauthorizedException : ApplicationException {
- }
-}