aspnet.zero user is logged out when he has not enough permissions - authorization

I'm using aspnet zero and .NET 6. Whenever a user has not enough permissions the user is being logged out. Is there a way to change this behavior? For example show an error message instead? Rather than logging the user out completely.
My controller looks like this:
[AbpMvcAuthorize(AppPermissions.Pages_CommunicationLog_Index)]
// GET: Incidents/CommunicationLogs
public ActionResult Index()
{
return View();
}
When the user does not have the Pages_CommunicationLog_Index permission and tries to visit the page he is logged out.

Related

How do I simply set the ModelStateError from the HandleUnauthorizedRequest method?

So what is happening is that I have a condition within my override of the HandleUnauthorizedRequest method in my custom authorize attribute. Up to this point, I've been throwing a 403 which gets picked up and redirects to a custom error page. Well now, that's not really what I want. What I actually want is to show the same login page but add a message to the validation summary "You do not have access to this resource.", that way it's a bit more user friendly. It'll indicate that your creds were good, but you don't belong here.
I thought something like this would work:
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
// passed authentication, failed authorization
if (filterContext.HttpContext.User.Identity.IsAuthenticated)
{
filterContext.Controller.ViewData.ModelState.AddModelError("", "Not Authorized");
return;
}
base.HandleUnauthorizedRequest(filterContext);
}
But this isn't working. What's happening is that the login page simply reloads. So this makes me feel like I'm close, but I need that model error to show up.
Any ideas?
UPDATE:
It would seem that the Controller that I'm adding an error to here is actually controller of whichever action had the attribute that led to here. I need to somehow add the error to the login controller. Not sure if that's even possible.
You are calling the base method here:
base.HandleUnauthorizedRequest(filterContext);
If you are using Forms Authentication this base method simply redirects you to the login page. And a redirect means a new HTTP request from the client. The current context and whatever you stored in it is lost. Well, to be more precise, the base method is returning a 401 HTTP status code which is then intercepted by the FormsAuthenticationModule which redirects to the login page defined in your web.config. But this implementation details is not important.
What you could do is perform the redirect yourself to the login page instead of leaving it to the base method. You could do this by setting the filterContext.Result property to a RedirectToRouteResult instance. In this case you could pass the error message as a query string parameter.
UPDATE:
According to your updated question it seems that you are calling return; after setting the ModelState value and not calling the base method and thus no redirect will happen to the login url. You could in this case return some error view by setting the filterContext.Result to an instance of a ViewResult in which view you could use the value you stored in the ModelState.

symfony 2 how to display the error after login with custom authentication handler

I have created an authentication handler and everything is working fine when the user authenticates with success...but when there is a failure I don't know how to return the failure error to my form and display it.
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
}
How should my function look like because I do not know how to pass $exception and redirect back to my form.
You probably want to display a message to the user.
You can display a flash message and redirect the user.
$request->getSession()->setFlash('error', $exception->getMessage());
If you look at the FosUserBundle they display a message direcly in the template
https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/views/Security/login.html.twig
https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Controller/SecurityController.php
Hope it's helpful
Best regard

Login Control in ASP.NET 4

I'm using Login Control form in ASP.NET and after successful login would like to track the username to give welcome greeting and so on. Also, if any user tried to directly go to a random page without passing the authentication, then I would like to raise an error page. I tried various methods with Membership Control to retrieve the username but I'am getting errors. Can someone point me to the right direction?
There are two controls for this task. LoginName gives you the current logged in user name and the other is LoginStatus which gives you the current status whether user is logged in successfully or not.
if (User.Identity.IsAuthenticated == false)
{
Response.Redirect("your_redirecting_url");
}

Play Framework: how to auto-login with Secure module upon user registration?

I am using Play Framework 1.2.4
My main controller is protected with the "secure" module.
Now, I need to add a process to register a new user for the system. I implement it in another controller. Assuming the registration process is successful, I would like to display the "home page" for the newly created user, without asking to type username / password again.
How to achieve that?
A bit of "simplified" code:
In the Registration controller:
public static void newUser(String username, String password, String fullname)
{
User user = new User(username, password, fullname);
user.save();
// What is the trick to avoid login being displayed???
MainController.index();
}
MainController is using the "secure" module.
Thanks for any hint,
Max
Well, looks like the answer is here:
How to use play frameworks Secure module to login a user after that user has been created
I found it after I posted.
Max

A better way of passing variables from controller to view in symfony

Hey.
I've got a login form with post as method. The action goes to 'auth/login' and will check the database if the user exists. If the user exists, I call the $this->getUser->setAuthenticated(true);. After this I want to redirect to a welcome page if success.
If the login failed, I would want to tell the user so in the view of course. But settings variables in the controller only if login failed, and check in the view if each of those variables are set, is a lot of work?
This means I have to check almost all variables I want to use in the view set from the controller. If it should happen that it is not set, and I just go ahead and echo it, I get an error from symfony, and production stage-mode-ish don't show anything but an 500 internal server error .
Thanks
EDIT:
This is my current, new and better solution. Still looking for feeback.
in /templates/loginSuccess
if ($sf_params->has('bad_login')) {
echo "Wrong username or password";
}
And in my controller:
$this->redirect('auth/login?bad_login=');
Take a look at how sfDoctrineGuardPlugin (the de-facto standard for authentication) does it: they created sfGuardValidatorUser and use it as a post validator in the signin form.
Advantage of this method: the form takes care of the username/password validation, you do not need to put that code in your action. It simplifies that to a simple $form->isValid() { $this->redirect("#homepage"); }.
It seems like you could use symfony's form to take care of the validation. Since the forms show errors built in, you could put this into the form validation and then your controller looks something like:
$form = new LoginForm;
if ($request->isMethod('post'))
{
if ($form->isValid())
{
$this->redirect('account');
}
else
{
// this would show the form, and since you put the login in the form validation it will show errors. You could have the username show the error
}
}
To do what you are doing though, I'd recommend this. That way you aren't accessing any parameters in the view as well.
Controller:
$this->bad_login = $this->getParameter('bad_login',false);
View:
if ($bad_login) { echo 'bad login'; }
Use forward()
Put all the logic required for the view population into separate method of a controller, and call it in both places.
Use cgratigny's solution - put login form and processing code in a single action, and redirect to welcome page if isMethod('post') && $login_success