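        /// <summary>
        /// Rejects requests whose first action argument carries a user id that differs from the
        /// id of the authenticated caller, so a caller cannot submit data on behalf of another user.
        /// </summary>
        /// <param name="actionContext">The Web API action context; only its first action argument is inspected.</param>
        /// <exception cref="HttpResponseException">
        /// InternalServerError when the request has no action argument, the argument is null, it carries
        /// no non-zero user id, the caller is unauthenticated, or the caller's account cannot be resolved;
        /// Forbidden when the argument's user id is not the caller's id.
        /// </exception>
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            // Only the first action argument is checked; further arguments are not inspected here.
            var name = actionContext.ActionArguments.Keys.FirstOrDefault();
            if (name == null)
            {
                throw new HttpResponseException(HttpStatusCode.InternalServerError);
            }

            var model = actionContext.ActionArguments[name];
            if (model == null)
            {
                throw new HttpResponseException(HttpStatusCode.InternalServerError);
            }

            int? userIdProperty = GetUserIdProperty(model);
            // A missing or zero id is treated as an invalid payload rather than as "no owner".
            if (userIdProperty == null || userIdProperty == 0)
            {
                throw new HttpResponseException(HttpStatusCode.InternalServerError);
            }

            // An unauthenticated request may carry no principal at all; fail it the same way as an
            // empty user name instead of letting a NullReferenceException escape the filter.
            var principal = actionContext.ControllerContext.RequestContext.Principal;
            if (principal == null || principal.Identity == null)
            {
                throw new HttpResponseException(HttpStatusCode.InternalServerError);
            }

            var username = principal.Identity.Name;
            if (string.IsNullOrEmpty(username))
            {
                throw new HttpResponseException(HttpStatusCode.InternalServerError);
            }

            var user = UsersResource.GetByUserName(username);
            if (user == null)
            {
                throw new HttpResponseException(HttpStatusCode.InternalServerError);
            }

            // Caller resolved: the payload must belong to the caller, otherwise it is a cross-user write.
            if (userIdProperty != user.Id)
            {
                throw new HttpResponseException(HttpStatusCode.Forbidden);
            }

            base.OnActionExecuting(actionContext);
        }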

Usage Example

        public void ShouldSuccessWhenParameterIsUserAndUserIsAllowed()
        {
            // The resolved caller and the posted model carry the same user id, so the filter must not throw.
            var currentUser = new User { Id = 1 };
            _userResource.Setup(a => a.GetByUserName(It.IsAny<string>())).Returns(currentUser);
            _controller.ControllerContext.RequestContext.Principal =
                new GenericPrincipal(new GenericIdentity("foo", "bar"), new[] { "user" });
            _httpActionContext.ActionArguments.Add("dummy", new User { Id = 1 });

            var sut = new PreventCrossUserManipulationAttribute { UsersResource = _userResource.Object };

            Assert.DoesNotThrow(() => sut.OnActionExecuting(_httpActionContext));
        }