Still using a very old (and slightly customized) version of BlogEngine.NET on a Windows XP (!) server so I'm a bit afraid to upgrade.
In the past, I have written a couple of extensions in order to grant or prevent access to static pages and/or posts based upon the users / roles and / or the post categories. For instance, I can prevent access to the blog from unauthenticated users, I can grant access to a subset of the blog (post categories) to users having the 'Readers' role, etc.
I noticed that images are still accessible, either ones stored explicitly under the /App_Data/files/ folder and served by the image.axd handler, or ones associated with blog posts.
Is there an extension point available where I could add some logic to prevent access to images based on criteria such as authentication and/or users / roles ? Perhaps based upon their file extensions, or whatnot ?
I don't know about an official extension point but I think the edits you need to make are as follows.
According to this line in the web.config
<add verb="*" path="image.axd" type="BlogEngine.Core.Web.HttpHandlers.ImageHandler, BlogEngine.Core" validate="false"/>
The image.axd is handled by BlogEngine.Core.Web.HttpHandlers.ImageHandler
If you look in the BlogEngine.Core project you will find the ImageHandler.cs that defines this class. Assuming you need access to the Session you will need to IReadOnlySessionState as an implemented interface to the class.
public class ImageHandler : IHttpHandler, IReadOnlySessionState {
...
}
Once this is in place you can access the Session in the ProcessRequest Method to perform your custom checks.
public void ProcessRequest(HttpContext context) {
if(context.Session["SomeKey"] == true){
//serve image code goes here
}
}
Related
I am trying to access session data from inside a view.
Use Case: I'm storing status messages in the session that will be displayed at the top of the page. Currently I implemented this by using a DisplayMessages() function that sets some ViewData[....] properties and calling it at the beginning of every controller action.
Goal: I want to only set the status message once without needing additional code in the controller to display the messages on the next page load.
So I'm trying to access the messages that are stored in the session directly from the view.
So far I have tried the following:
Dependency Injection of an IHttpContextAccessor (doesn't seem to work anymore with ASP .NET Core MVC 1.0.0
Creating a static class to access the session, including the change from next() to next.invoke() suggested in the comment
This didn't work. I could access the HttpContext and Session.IsAvailable was true, but there was no data in the session.
The following should work in the view: Context.Session.TryGetValue
If you are using the SessionExtensions then Context.Session.GetString will work.
Injecting IHttpContextAccessor does work, but starting with ASP.NET Core 1.0.0 RC2, the IHttpContextAcessor is not registered by default, because it has significant performance overhead per request. See this GitHub announcement for more information.
Tratcher posted:
IHttpContextAccessor can be used to access the HttpContext for the current thread. However, maintaining this state has non-trivial performance costs so it has been removed from the default set of services.
Developers that depend on it can add it back as needed:
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
But in your use case, I would suggest using a ViewComponent, which is a reusable piece of View with logic, that do not depend on a controller.
The documentation can be found here.
In your Views you would simply embed it with
#await Component.InvokeAsync("PriorityList", new { maxPriority = 2, isDone = false })
or
#Component.Invoke("PriorityList", new { maxPriority = 2, isDone = false })
for synchronous calls.
We are creating webevents in a DB other than Kentico. These webevents are then used for enterprise reporting. I need to implement the same inside Kentico project.
Is there an event that can fire after the page has loaded so that i can create my web event with page name and user information if logged in.
I have also seen in the past that with events, the Request and Session objects are not available. However, HTTPContext.Current is available. I need the Request and Session objects.
We are using Kentico version 7.0.92 and have a portal template site.
Now, i don't want to use portal template page to create events since this code executes multiple times with each request for a page.
Basically, i am interested in the PageName, Session and Request objects.
I have looked around Kentico 7 documentation. Looks like we have CMSRequestEvents but haven't been able to find sample code.
Update:
Looks like the missing piece is CMSContext class. Now just trying to find the right event for CMSRequestEvents, where i have the Session object available.
I'd suggest modifying Kentico\CMS\Global.asax.cs in the following way:
public override void Init()
{
base.Init();
CMSRequestEvents.AcquireRequestState.After += AcquireRequestState_After;
}
void AcquireRequestState_After(object sender, EventArgs e)
{
// Do your stuff...
}
By that time the HttpContext.Current.Session should already be initialized. Page name can be retrieved from the HttpContext.Current.Request which should never be null.
What's the proper way for implementing front-end Ajax functionality in ModX Revolution? I like the idea of connectors and processors, but for some reason they are for back-end use only - modConnectorResponse checks if user is logged in and returns 'access denied', if he is not.
Inserting a snippet into resource and calling it by resource URL seems a one-time solution, but that doesn't look right to me.
So how do I get safe Connector-like functionality for front-end?
So, as boundaryfunctions said, it's not possible and ModX developers recommend using a resource with a single snippet included. But for those who despite the will of developers look for Connector-like functionality, there may be a solution made by guess who-- ModX core developer splittingred in Gallery extra. In connector.php, before handleRequest() call, there's a code that fakes authorisation:
if ($_REQUEST['action'] == 'web/phpthumb') {
$version = $modx->getVersionData();
if (version_compare($version['full_version'],'2.1.1-pl') >= 0) {
if ($modx->user->hasSessionContext($modx->context->get('key'))) {
$_SERVER['HTTP_MODAUTH'] = $_SESSION["modx.{$modx->context->get('key')}.user.token"];
} else {
$_SESSION["modx.{$modx->context->get('key')}.user.token"] = 0;
$_SERVER['HTTP_MODAUTH'] = 0;
}
} else {
$_SERVER['HTTP_MODAUTH'] = $modx->site_id;
}
$_REQUEST['HTTP_MODAUTH'] = $_SERVER['HTTP_MODAUTH'];
}
Works for me. Just need to replace first if condition with my own actions.
UPDATE: I forgot to mention that you need to pass &ctx=web parameter with your AJAX request, because default context for connectors is "mgr" and anonymous users will not pass policy check (unless you set access to the "mgr" context for anonymous users).
And also the code from Gallery extra I posted here seems to check some session stuff that for me doesn't work with anonymous front-end users (and works only when I'm logged in to back-end), so I replaced it with the next:
if (in_array($_REQUEST['action'], array('loadMap', 'loadMarkers'))){
$_SESSION["modx.{$modx->context->get('key')}.user.token"] = 1;
$_SERVER['HTTP_MODAUTH'] = $_REQUEST['HTTP_MODAUTH'] = 1;
}
I don't know if this code is 100% safe, but when anonymous user calls it, he doesn't appear to be logged in to Manager, and when admin is logged in and calls the action from back-end, he is not logged off by force. And that looks like enough security for me.
This solution is still portable (i.e. can be embedded into distributable Extra), but security should be researched more seriously for serious projects.
As far as I know, this is not possible in modX at the moment. It has already been discussed on the modx forums and filed as a bug here, but it doesn't look like anybody is working on it.
There are also two possible workarounds in the second link. Personally, I would favour putting the connector functionality into the assets folder to keep the resource tree clean.
There's a more complete explanation of the technique used in Gallery here:
http://www.virtudraft.com/blog/ajaxs-connector-file-using-modxs-main-index.php.html
It allows you to create a connector to run your own processors or a built-in MODX processors without creating a resource.
We have an MVC ASP.NET Application. A Person can see a View, if they are in one of the Active Directory Groups. We have only one box for hosting our Database and Application(code)
Our Problem:
A person does not exist in any one of The ADGroups, but he is Administrator on the box.
For Some Reason, he is authenticated with the View.. He is not supposed to be authenticated.
Do not know why its happening.
I know this is unique problem, Does anyone had similar issue?
This is the code we are using for authenticating a user
if (LoginHelper.IsUserMemberOfRoles(LoginHelper.GetLoggedInUser(), new List<string> { GroupEnum.OurADGroupName.ToString()}))
{
//authenticated
}
else
{
//Redirect to not authorised View
}
My Understanding:
As the Person is Admin on the Box, does this override all ADGroupName Permissions.
It sounds very silly but I thing, this is one possibilty?
He surely must be an admin or in a group in Active Directory
Is there a way to enable sessions for just a specific part of the Coldfusion application by just adding Application.cfm into its directory with the session enablers?
For example, a website that has the following:
/extranet
/intranet
/store
/rentals
I want to use session variables in the rental section, independent of the ones in the intranet and store.
If you don't want to share session variables, and don't need to share application variables, then it's easy. Just put a different Application.cfc (or .cfm) in the root of the context for which you want access to the session variables.
So if you want sessions in /extranet, and sessions in /intranet and don't want them to be the same application, then:
/extranet/Application.cfc:
component {
this.name = "extranet";
this.sessionmanagement = true;
}
/intranet/Application.cfc:
component {
this.name = "intranet";
this.sessionmanagement = true;
}
It sounds like you aren't really up to speed on all of the things that you can do with Application.cfc, so I'll also add that this is a really good reference. There is a lot to learn, but it is also pretty simple once you understand how it works.
Maybe a Single Signon (SSO) solution would work for you? Rather than monkey around with the values in the session struct, just pass a user id from one app to another. When the user passes from extranet to rentals, the app says "here comes user #45", the rentals app looks them up in the db, does some validation to make sure that the user is who the extranet says they are, then starts a new session for them in rentals.