Don't call resource handlers without required resource

This commit is contained in:
Hao Kung 2015-10-20 14:01:57 -07:00
parent ef61b14d6a
commit defc9faac0
2 changed files with 52 additions and 7 deletions


@ -40,10 +40,12 @@ namespace Microsoft.AspNet.Authorization
{ {
public virtual async Task HandleAsync(AuthorizationContext context) public virtual async Task HandleAsync(AuthorizationContext context)
{ {
var resource = context.Resource as TResource; if (context.Resource is TResource)
foreach (var req in context.Requirements.OfType<TRequirement>())
{ {
await HandleAsync(context, req, resource); foreach (var req in context.Requirements.OfType<TRequirement>())
{
await HandleAsync(context, req, (TResource)context.Resource);
}
} }
} }
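Review bot: The new side leaves the contract change on `HandleAsync` undocumented and repeats the `(TResource)context.Resource` cast on every loop iteration. Per the updated tests, a null or differently typed resource now silently skips this handler, so the requirement stays unhandled and `AuthorizeAsync` fails closed unless some other handler succeeds — a handler that previously relied on being invoked with a null resource will stop authorizing without any diagnostic. Hoist the cast once, `var resource = (TResource)context.Resource;` directly inside the `if`, and pass `resource` to the inner call. Add an XML `<summary>` on `HandleAsync` saying it invokes the typed handler only when `context.Resource` is a `TResource` (a null resource never matches), and a `<remarks>` noting that resource-less authorization must be served by a handler that does not take a resource type, which I cannot confirm exists from this hunk.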


@ -813,6 +813,35 @@ namespace Microsoft.AspNet.Authorization.Test
Assert.True(await authorizationService.AuthorizeAsync(user, null, Operations.Create)); Assert.True(await authorizationService.AuthorizeAsync(user, null, Operations.Create));
} }
public class NotCalledHandler : AuthorizationHandler<OperationAuthorizationRequirement, string>
{
protected override void Handle(AuthorizationContext context, OperationAuthorizationRequirement requirement, string resource)
{
throw new NotImplementedException();
}
}
[Fact]
public async Task DoesNotCallHandlerWithWrongResourceType()
{
// Arrange
var authorizationService = BuildAuthorizationService(services =>
{
services.AddTransient<IAuthorizationHandler, NotCalledHandler>();
});
var user = new ClaimsPrincipal(
new ClaimsIdentity(
new Claim[] {
new Claim("SuperUser", "yes")
},
"AuthType")
);
// Act
// Assert
Assert.False(await authorizationService.AuthorizeAsync(user, 1, Operations.Edit));
}
[Fact] [Fact]
public async Task CanAuthorizeOnlyAllowedOperations() public async Task CanAuthorizeOnlyAllowedOperations()
{ {
@ -820,15 +849,29 @@ namespace Microsoft.AspNet.Authorization.Test
var authorizationService = BuildAuthorizationService(services => var authorizationService = BuildAuthorizationService(services =>
{ {
services.AddInstance<IAuthorizationHandler>(new ExpenseReportAuthorizationHandler(new OperationAuthorizationRequirement[] { Operations.Edit })); services.AddInstance<IAuthorizationHandler>(new ExpenseReportAuthorizationHandler(new OperationAuthorizationRequirement[] { Operations.Edit }));
services.AddTransient<IAuthorizationHandler, SuperUserHandler>();
}); });
var user = new ClaimsPrincipal(); var user = new ClaimsPrincipal();
// Act // Act
// Assert // Assert
Assert.True(await authorizationService.AuthorizeAsync(user, null, Operations.Edit)); Assert.True(await authorizationService.AuthorizeAsync(user, new ExpenseReport(), Operations.Edit));
Assert.False(await authorizationService.AuthorizeAsync(user, null, Operations.Delete)); Assert.False(await authorizationService.AuthorizeAsync(user, new ExpenseReport(), Operations.Delete));
Assert.False(await authorizationService.AuthorizeAsync(user, null, Operations.Create)); Assert.False(await authorizationService.AuthorizeAsync(user, new ExpenseReport(), Operations.Create));
}
[Fact]
public async Task AuthorizeHandlerNotCalledWithNullResource()
{
// Arrange
var authorizationService = BuildAuthorizationService(services =>
{
services.AddInstance<IAuthorizationHandler>(new ExpenseReportAuthorizationHandler(new OperationAuthorizationRequirement[] { Operations.Edit }));
});
var user = new ClaimsPrincipal();
// Act
// Assert
Assert.False(await authorizationService.AuthorizeAsync(user, null, Operations.Edit));
} }
[Fact] [Fact]
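Review bot: `DoesNotCallHandlerWithWrongResourceType` and `AuthorizeHandlerNotCalledWithNullResource` both assert only that `AuthorizeAsync` returns false, which is also what a handler that was called and simply did not succeed would produce; the throwing `Handle` override in `NotCalledHandler` makes the test depend on the service propagating handler exceptions, which I cannot verify from this page. Record the invocation on the handler instance instead and assert on it, so the test pins the property its name claims. The "SuperUser" claim on the principal in the first test appears unused since no `SuperUserHandler` is registered there; drop it or comment why it is present. The second test could reuse the same flag-bearing handler to assert non-invocation rather than only the result.
```csharp
public class NotCalledHandler : AuthorizationHandler<OperationAuthorizationRequirement, string>
{
    // Set when Handle runs; the tests assert it stays false.
    public bool WasCalled { get; private set; }

    protected override void Handle(AuthorizationContext context, OperationAuthorizationRequirement requirement, string resource)
    {
        WasCalled = true;
    }
}

// … unchanged: [Fact] attribute and method signature …
var handler = new NotCalledHandler();
var authorizationService = BuildAuthorizationService(services =>
{
    services.AddInstance<IAuthorizationHandler>(handler);
});
// … unchanged: principal construction …
Assert.False(await authorizationService.AuthorizeAsync(user, 1, Operations.Edit));
Assert.False(handler.WasCalled);
```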