Please can somebody help me improve what I have done here

46 views
Skip to first unread message

Mark Gray

unread,
May 21, 2013, 4:31:36 AM5/21/13
to fubumv...@googlegroups.com
To provide a bit of background, I was asked to add some restrictions to an application where we had to control access to certain actions based on roles, but the stumbling block came when I was asked to add further restrictions to prevent particular users from accessing data specific to other users. Sounds like something FubuMvc should be easily able to provide, but I am sure my lack of understanding has made my implementation akin to performing dentistry via the belly button. To make matters a bit more tricky the developers that built the application are no longer working here, so I cannot ask them to explain the best practices or help in general.

Here is my code which (I hope) should explain better than my words:

public class MyAuthorizationPolicy
{
        private readonly ISecurityContext securityContext;

        public MyAuthorizationPolicy( ISecurityContext securityContext)
        {
                this.securityContext = securityContext;
        }

        public AuthorizationRight RightsFor(IFubuRequest request)
        {
              // stuff
               if (request.Has<string>())
{
var id = request.Get<string>();
var claims = ((ClaimsIdentity) securityContext.CurrentUser.Identity).Claims;
var partnerIdsForCurrentUser = claims
.Where(claim => claim.ClaimType == ClaimTypes.Partner)
.Select(claim => Guid.Parse(claim.Value));

var match = partnerIdsForCurrentUser.Any(i => i == new Guid(id));
if (!match)
return AuthorizationRight.Deny;
}

              // more stuff
        }
}

[ AllowRole( Roles.AllowRole) ]
public class Get_Id_Handler
{
public Get_Id_Handler( IBindingContext context, ICurrentHttpRequest request )
{
// How can I avoid doing this, maybe some kind of route mapping that could be accessed in the policy?
var fubuRequest = context.Service<IFubuRequest>();
var PartnerId = GetPartnerIdFromRequest(request);
fubuRequest.Set(typeof(string), PartnerId);
}
public ViewModelExecute( GetInputModel inputModel )
{
        // stuff
}
private string GetPartnerIdFromRequest(ICurrentHttpRequest request)
{
// I want the last part which would be a guid representing the users claim (he might have more than one but at this point the user is trying to access this particular claim)
return new Uri(request.FullUrl()).Segments.Skip(4).Take(1).Single(); // I wish I knew how to get this data in a 'better' way
}
}

Ok, I know at this point a lot people are having brain haemorrhages from looking at this code, I would really love to be educated how I can achieve what I am doing here in a method that is not hacky. The code does work and is wired up successfully but I would really like to have the policy check the current context of the user and the page they are accessing to ensure they have the claims to match their request.

I guess I would like to have some light shed on this and learn a number of things along the way.

Sorry for my butchery the framework :(

Joshua Arnold

unread,
May 21, 2013, 9:59:50 AM5/21/13
to fubumv...@googlegroups.com
Hey Mark,

Can you give me an example of a URL where this would be taking place? 


--
You received this message because you are subscribed to the Google Groups "FubuMVC Development Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fubumvc-deve...@googlegroups.com.
To post to this group, send email to fubumv...@googlegroups.com.
Visit this group at http://groups.google.com/group/fubumvc-devel?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Mark Gray

unread,
May 21, 2013, 11:36:49 AM5/21/13
to fubumv...@googlegroups.com
Thanks for responding, unfortunately I cannot provide a URL as it is an internal app.

Joshua Arnold

unread,
May 21, 2013, 12:12:08 PM5/21/13
to fubumv...@googlegroups.com
Sorry, Mark. I meant just an example URL -- not a url where I can actually visit it.

Joshua Arnold

unread,
May 21, 2013, 3:40:30 PM5/21/13
to fubumv...@googlegroups.com
e..g, users/123412341255 ?

Mark Gray

unread,
May 22, 2013, 3:28:59 AM5/22/13
to fubumv...@googlegroups.com
Ahhh ok;

/section/subsection/id

Mark Gray

unread,
May 22, 2013, 3:29:54 AM5/22/13
to fubumv...@googlegroups.com

jmarnold

unread,
May 22, 2013, 10:07:41 AM5/22/13
to fubumv...@googlegroups.com
@Mark,

There are a few different ways to approach this. Given that it's all URL-driven, I think I'm going to recommend something like this:

  1. Create an interface that provides the contextual information you're looking for (e.g., IPartnerContext with an Id property)
  2. All of your input models for routes that have this behavior should implement this interface
  3. Write a convention that finds the chains with inputs that implement this interface and append custom authorization rules
This post is a little old but it covers something very similar to your scenario:

Mark Gray

unread,
May 24, 2013, 3:36:53 AM5/24/13
to fubumv...@googlegroups.com
Hi, thanks for your help I have been off sick for the past 2 days so have not had a chance to implement your suggestion, I will do it today.

Thanks again,

Mark
Reply all
Reply to author
Forward
0 new messages