Change Authorization to return 403 if user is not in group or users list

added users list
commit 539b2330a169d43bb71b0a64fb2601c7a0dbc86c 1 parent 52b3f25
Daniel Dar authored
Showing with 23 additions and 8 deletions.
  1. +23 −8 Raven.Database/Server/Security/Windows/WindowsRequestAuthorizer.cs
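--- a/Raven.Database/Server/Security/Windows/WindowsRequestAuthorizer.cs
+++ b/Raven.Database/Server/Security/Windows/WindowsRequestAuthorizer.cs
@@ -10,15 +10,23 @@ namespace Raven.Database.Server.Security.Windows
 public class WindowsRequestAuthorizer : AbstractRequestAuthorizer
 {
 private readonly List<string> requiredGroups = new List<string>();
+ private readonly List<string> requiredUsers = new List<string>();
 protected override void Initialize()
 {
 var requiredGroupsString = server.Configuration.Settings["Raven/Authorization/Windows/RequiredGroups"];
- if (requiredGroupsString == null)
- return;
+ var requiredUsersString = server.Configuration.Settings["Raven/Authorization/Windows/RequiredUsers"];
+ if (requiredGroupsString != null)
+ {
+ var groups = requiredGroupsString.Split(new[] {';'}, StringSplitOptions.RemoveEmptyEntries);
+ requiredGroups.AddRange(groups);
+ }
- var groups = requiredGroupsString.Split(new[]{';'}, StringSplitOptions.RemoveEmptyEntries);
- requiredGroups.AddRange(groups);
+ if (requiredUsersString != null)
+ {
+ var users = requiredUsersString.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
+ requiredUsers.AddRange(users);
+ }
 }
 public override bool Authorize(IHttpContext ctx)
@@ -29,7 +37,6 @@ public override bool Authorize(IHttpContext ctx)
 if (NeverSecret.Urls.Contains(requestUrl, StringComparer.InvariantCultureIgnoreCase))
 return true;
- ctx.SetStatusToUnauthorized();
 return false;
 }
@@ -43,7 +50,6 @@ public override bool Authorize(IHttpContext ctx)
 if (NeverSecret.Urls.Contains(requestUrl, StringComparer.InvariantCultureIgnoreCase))
 return true;
- ctx.SetStatusToUnauthorized();
 return false;
 }
@@ -59,10 +65,19 @@ private bool IsInvalidUser(IHttpContext ctx)
 {
 var invalidUser = (ctx.User == null ||
 ctx.User.Identity.IsAuthenticated == false);
- if (invalidUser == false && requiredGroups.Count > 0)
+ if (invalidUser == false && (requiredGroups.Count > 0 || requiredUsers.Count > 0))
 {
- return requiredGroups.All(requiredGroup => !ctx.User.IsInRole(requiredGroup));
+ if (requiredGroups.Any(requiredGroup => ctx.User.IsInRole(requiredGroup)))
+ return true;
+
+ if (requiredUsers.Any(requiredUser => string.Compare(ctx.User.Identity.Name, requiredUser, StringComparison.OrdinalIgnoreCase) == 0))
+ return true;
+
+ ctx.SetStatusToUnauthorized();
+ return false;
 }
+
+ ctx.SetStatusToForbidden();
 return invalidUser;
 }
 }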
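Review bot: The new body of `IsInvalidUser` (last hunk) appears to return the inverse of what its name and the removed line express: the removed `return requiredGroups.All(requiredGroup => !ctx.User.IsInRole(requiredGroup));` reported "invalid" when the user was in none of the groups, whereas the added branches `return true` when the user IS in a required group or IS a listed user, and `return false` (after `ctx.SetStatusToUnauthorized()`) when they match neither. The `if (IsInvalidUser(ctx))` check in `Authorize` is outside these hunks, so unless it was inverted as well, an authenticated account on neither list is now let through while the configured groups and users are rejected. The trailing `ctx.SetStatusToForbidden()` is also reached on every request that is unauthenticated or that has no lists configured, so a valid caller with nothing configured gets a 403 status written, and an unauthenticated caller now gets 403 where the two removed `ctx.SetStatusToUnauthorized();` lines in `Authorize` sent 401 — if that 401 is what prompts the client to send Windows credentials (not visible here), the challenge no longer happens. I would keep the original truth values and attach the status to each outcome as the commit title describes: 401 for an unauthenticated caller, 403 for an authenticated caller on neither list, nothing for a match; the method signature sits in the `@@` header just above the hunk.

```csharp
private bool IsInvalidUser(IHttpContext ctx)
{
    var invalidUser = (ctx.User == null ||
        ctx.User.Identity.IsAuthenticated == false);
    if (invalidUser)
    {
        // not authenticated: keep the 401 that Authorize used to send
        ctx.SetStatusToUnauthorized();
        return true;
    }

    if (requiredGroups.Count == 0 && requiredUsers.Count == 0)
        return false;

    if (requiredGroups.Any(requiredGroup => ctx.User.IsInRole(requiredGroup)))
        return false;

    if (requiredUsers.Any(requiredUser => string.Compare(ctx.User.Identity.Name, requiredUser, StringComparison.OrdinalIgnoreCase) == 0))
        return false;

    // authenticated, but in no required group and not a required user
    ctx.SetStatusToForbidden();
    return true;
}
```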