#1099 : Current user is validated against all API calls.

SitecorePowerShell · Mar 9, 2019 · e84699e · e84699e
1 parent b585736
commit e84699e
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 25 deletions.
diff --git a/Cognifide.PowerShell/sitecore modules/PowerShell/Services/RemoteScriptCall.ashx.cs b/Cognifide.PowerShell/sitecore modules/PowerShell/Services/RemoteScriptCall.ashx.cs
@@ -124,19 +124,20 @@ public void ProcessRequest(HttpContext context)
 
             var isAuthenticated = Context.IsLoggedIn;
 
-            if (!CheckServiceAuthentication(context, apiVersion, serviceName, isAuthenticated))
+            if (!CheckServiceAuthentication(context, serviceName, identity, isAuthenticated))
             {
                 return;
             }
+
+            var useContextDatabase = apiVersion.Is("file") || apiVersion.Is("handle") || !isAuthenticated ||
+                                     string.IsNullOrEmpty(originParam) || originParam.Is("current");
 
             // in some cases we need to set the database as it's still set to web after authentication
             if (!scDb.IsNullOrEmpty())
             {
                 Context.Database = Database.GetDatabase(scDb);
             }
 
-            var useContextDatabase = apiVersion.Is("file") || apiVersion.Is("handle") || !isAuthenticated ||
-                                     string.IsNullOrEmpty(originParam) || originParam.Is("current");
             var scriptDb = useContextDatabase ? Context.Database : Database.GetDatabase(originParam);
             var dbName = scriptDb?.Name;
 
@@ -243,32 +244,21 @@ private static bool CheckServiceEnabled(HttpContext context, string apiVersion,
             return false;
         }
 
-        private static bool CheckServiceAuthentication(HttpContext context, string apiVersion, string serviceName, bool isAuthenticated)
+        private static bool CheckServiceAuthentication(HttpContext context, string serviceName, AccountIdentity identity, bool isAuthenticated)
         {
-            var skipAuthentication = false;
+            if (identity.Name == Context.User.Name) return true;
 
-            switch (apiVersion)
+            if (isAuthenticated) return true;
-            {
-                case "1":
-                case "2":
-                    skipAuthentication = true;
-                    break;
-                default:
-                    if (!isAuthenticated)
-                    {
-                        const string disabledMessage =
-                            "The request could not be completed because the service requires authentication.";
 
-                        context.Response.StatusCode = 401;
+            const string disabledMessage =
-                        context.Response.StatusDescription = disabledMessage;
+                "The request could not be completed because the service requires authentication.";
-                        context.Response.SuppressFormsAuthenticationRedirect = true;
-                        PowerShellLog.Error($"Attempt to call the {serviceName} service failed as - user not logged in, authentication failed, or no credentials provided.");
-                    }
 
-                    break;
+            context.Response.StatusCode = 401;
-            }
+            context.Response.StatusDescription = disabledMessage;
+            context.Response.SuppressFormsAuthenticationRedirect = true;
+            PowerShellLog.Error($"Attempt to call the {serviceName} service failed as - user not logged in, authentication failed, or no credentials provided.");
 
-            return skipAuthentication || isAuthenticated;
+            return false;
         }
 
         private static bool CheckIsUserAuthorized(HttpContext context, string authUserName, string serviceName)

diff --git a/Modules/Remoting Tests - Web Api.Tests.ps1 b/Modules/Remoting Tests - Web Api.Tests.ps1
@@ -65,11 +65,15 @@ Describe "Web API Responses" {
         }
         It "Wrong password should throw exception" {
             $execution = { Invoke-RestMethod -Uri "$protocolHost/-/script/v2/master/ChildrenAsHtml?user=admin&password=invalid" }
-            $execution | Should Throw "(404) Not Found"
+            $execution | Should Throw "(401) Unauthorized"
         }
         It "Non existing user should throw exception" {
             $execution = { Invoke-RestMethod -Uri "$protocolHost/-/script/v2/master/ChildrenAsHtml?user=non_existing&password=invalid" }
             $execution | Should Throw "(401) Unauthorized"
         }
+        It "Not found script should throw exception" {
+            $execution = { Invoke-RestMethod -Uri "$protocolHost/-/script/v2/master/NotFound" }
+            $execution | Should Throw "(404) Not Found"
+        }
     }
 }