Fix bugs in sizing TableLayoutPanel (Xamarin bug 18638)

[mono.git] / mcs / class / System.Web.Mvc2 / System.Web.Mvc / AuthorizeAttribute.cs

/* ****************************************************************************\r
 *\r
 * Copyright (c) Microsoft Corporation. All rights reserved.\r
 *\r
 * This software is subject to the Microsoft Public License (Ms-PL). \r
 * A copy of the license can be found in the license.htm file included \r
 * in this distribution.\r
 *\r
 * You must not remove this notice, or any other, from this software.\r
 *\r
 * ***************************************************************************/\r
\r
namespace System.Web.Mvc {\r
    using System;\r
    using System.Diagnostics.CodeAnalysis;\r
    using System.Linq;\r
    using System.Security.Principal;\r
    using System.Web;\r
\r
    [SuppressMessage("Microsoft.Performance", "CA1813:AvoidUnsealedAttributes",\r
        Justification = "Unsealed so that subclassed types can set properties in the default constructor or override our behavior.")]\r
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]\r
    public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter {\r
\r
        private readonly object _typeId = new object();\r
\r
        private string _roles;\r
        private string[] _rolesSplit = new string[0];\r
        private string _users;\r
        private string[] _usersSplit = new string[0];\r
\r
        public string Roles {\r
            get {\r
                return _roles ?? String.Empty;\r
            }\r
            set {\r
                _roles = value;\r
                _rolesSplit = SplitString(value);\r
            }\r
        }\r
\r
        public override object TypeId {\r
            get {\r
                return _typeId;\r
            }\r
        }\r
\r
        public string Users {\r
            get {\r
                return _users ?? String.Empty;\r
            }\r
            set {\r
                _users = value;\r
                _usersSplit = SplitString(value);\r
            }\r
        }\r
\r
        // This method must be thread-safe since it is called by the thread-safe OnCacheAuthorization() method.\r
        protected virtual bool AuthorizeCore(HttpContextBase httpContext) {\r
            if (httpContext == null) {\r
                throw new ArgumentNullException("httpContext");\r
            }\r
\r
            IPrincipal user = httpContext.User;\r
            if (!user.Identity.IsAuthenticated) {\r
                return false;\r
            }\r
\r
            if (_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase)) {\r
                return false;\r
            }\r
\r
            if (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole)) {\r
                return false;\r
            }\r
\r
            return true;\r
        }\r
\r
        private void CacheValidateHandler(HttpContext context, object data, ref HttpValidationStatus validationStatus) {\r
            validationStatus = OnCacheAuthorization(new HttpContextWrapper(context));\r
        }\r
\r
        public virtual void OnAuthorization(AuthorizationContext filterContext) {\r
            if (filterContext == null) {\r
                throw new ArgumentNullException("filterContext");\r
            }\r
\r
            if (AuthorizeCore(filterContext.HttpContext)) {\r
                // ** IMPORTANT **\r
                // Since we're performing authorization at the action level, the authorization code runs\r
                // after the output caching module. In the worst case this could allow an authorized user\r
                // to cause the page to be cached, then an unauthorized user would later be served the\r
                // cached page. We work around this by telling proxies not to cache the sensitive page,\r
                // then we hook our custom authorization code into the caching mechanism so that we have\r
                // the final say on whether a page should be served from the cache.\r
\r
                HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;\r
                cachePolicy.SetProxyMaxAge(new TimeSpan(0));\r
                cachePolicy.AddValidationCallback(CacheValidateHandler, null /* data */);\r
            }\r
            else {\r
                HandleUnauthorizedRequest(filterContext);\r
            }\r
        }\r
\r
        protected virtual void HandleUnauthorizedRequest(AuthorizationContext filterContext) {\r
            // Returns HTTP 401 - see comment in HttpUnauthorizedResult.cs.\r
            filterContext.Result = new HttpUnauthorizedResult();\r
        }\r
\r
        // This method must be thread-safe since it is called by the caching module.\r
        protected virtual HttpValidationStatus OnCacheAuthorization(HttpContextBase httpContext) {\r
            if (httpContext == null) {\r
                throw new ArgumentNullException("httpContext");\r
            }\r
\r
            bool isAuthorized = AuthorizeCore(httpContext);\r
            return (isAuthorized) ? HttpValidationStatus.Valid : HttpValidationStatus.IgnoreThisRequest;\r
        }\r
\r
        internal static string[] SplitString(string original) {\r
            if (String.IsNullOrEmpty(original)) {\r
                return new string[0];\r
            }\r
\r
            var split = from piece in original.Split(',')\r
                        let trimmed = piece.Trim()\r
                        where !String.IsNullOrEmpty(trimmed)\r
                        select trimmed;\r
            return split.ToArray();\r
        }\r
\r
    }\r
}\r