The project I'm working on is for an intranet site that is using nopCommerce 2.6, which has been modified so that it combines both Forms and Windows authentication. How I log the user in is the following:
- I get the user's Windows account name.
- I run that against the Customer table within Nop based on Username.
- If the user is found, and their account isn't marked inactive or deleted, I log them in.
- If the user doesn't exist, I send them to the registration page.
- If the user is inactive, deleted, or unauthorized to enter the site, I send them to the Unauthorized page.
Seems simple enough but there is a hitch. When the user doesn't exist, they are correctly thrown to the Registration page. When the user does exist and their account is fine, they are properly logged in.
However, if the user is marked inactive or deleted, the system starts to act weird. It repeatedly recalls the OnAuthorization method within UserAuthorizeAttribute.cs (in Nop.Web.Framework). To be accurate, it recalls the same method 6 times before giving up.
I'm trying to figure out why OnAuthorization is repeatedly recalled before outright failing in the end.
Below is the code I currently have.
UserAuthorizeAttribute.cs
/// <summary>
/// Replaces the pending result of the current request with a redirect to the
/// given action on the Customer controller, so the decorated action never runs.
/// </summary>
/// <param name="action">Target action name on the Customer controller (the callers pass "Register" or "Unauthorized").</param>
/// <param name="filterContext">Authorization context whose <c>Result</c> receives the redirect.</param>
private void HandleUnauthorizedRequest(string action, AuthorizationContext filterContext)
{
    // Anonymous-object form yields the same "action"/"controller" route keys as the collection initializer.
    var target = new RouteValueDictionary(new { action = action, controller = "Customer" });
    filterContext.Result = new RedirectToRouteResult(target);
}
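/// <summary>
/// For user pages, maps the current Windows identity to an access code and redirects
/// customers who are unknown, inactive, deleted or lacking the permission to the
/// Customer controller's Register / Unauthorized action.
/// </summary>
/// <param name="filterContext">MVC authorization context of the current request.</param>
/// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
/// <exception cref="InvalidOperationException">A child action cache is active.</exception>
public void OnAuthorization(AuthorizationContext filterContext)
{
    if (filterContext == null)
        throw new ArgumentNullException("filterContext");

    if (OutputCacheAttribute.IsChildActionCacheActive(filterContext))
        throw new InvalidOperationException("You cannot use [UserAuthorize] attribute when a child action cache is active");

    if (!IsUserPageRequested(filterContext))
        return;

    // NOTE: HasUserAccess -> NewUserAuthorize also signs the customer in as a side effect.
    var userAccess = HasUserAccess(filterContext);

    /*
     * 0: User not in system
     * 1: User is inactive
     * 2: User is deleted
     * 3: User not authorized
     * 4: User is authorized
     */
    if (userAccess == 4)
        return;

    // Any code other than "not in system" fails closed to the Unauthorized page.
    // The original switch left the action empty for codes outside 0..4 and then
    // redirected to an empty action name.
    var action = userAccess == 0 ? "Register" : "Unauthorized";

    // If the request already targets the redirect destination, let it through:
    // redirecting again re-enters this filter on the next request and loops until
    // the browser gives up (presumably the repeated OnAuthorization calls reported
    // for inactive/deleted accounts — confirm IsUserPageRequested's coverage).
    if (IsRequestFor("Customer", action, filterContext))
        return;

    this.HandleUnauthorizedRequest(action, filterContext);
}

/// <summary>
/// True when the current request routes to the given controller and action.
/// Route values are compared case-insensitively, as MVC routing does.
/// </summary>
private static bool IsRequestFor(string controller, string action, AuthorizationContext filterContext)
{
    var descriptor = filterContext.ActionDescriptor;
    if (descriptor == null || descriptor.ControllerDescriptor == null)
        return false;

    return string.Equals(descriptor.ControllerDescriptor.ControllerName, controller, StringComparison.OrdinalIgnoreCase)
        && string.Equals(descriptor.ActionName, action, StringComparison.OrdinalIgnoreCase);
}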
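/// <summary>
/// Maps the identity of the current request to an access code for the
/// <c>StandardPermissionProvider.UserAccessArea</c> permission.
/// </summary>
/// <param name="filterContext">Authorization context; not read here, the login comes from the thread principal.</param>
/// <returns>
/// Code as defined by <c>IPermissionService.NewUserAuthorize</c>:
/// 0 not in system, 1 inactive, 2 deleted, 3 not authorized, 4 authorized.
/// </returns>
public virtual int HasUserAccess(AuthorizationContext filterContext)
{
    var permissionService = EngineContext.Current.Resolve<IPermissionService>();

    // Account name of the caller (presumably DOMAIN\user under Windows authentication — confirm).
    // Guarded so an unset principal or identity yields an empty login instead of a
    // NullReferenceException inside the filter; the unused 'userAccount' local is gone.
    var principal = Thread.CurrentPrincipal;
    var identity = principal != null ? principal.Identity : null;
    var userLogin = identity != null && identity.Name != null ? identity.Name : string.Empty;

    // NOTE: NewUserAuthorize signs the customer in as a side effect of the check.
    return permissionService.NewUserAuthorize(StandardPermissionProvider.UserAccessArea, userLogin);
}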
PermissionService.cs
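/// <summary>
/// Authorize User
/// </summary>
/// <param name="permission">Permission Record</param>
/// <param name="userLogin">User Login (the account name looked up as the customer's Username)</param>
/// <returns>
/// 0: User not in system
/// 1: User is inactive
/// 2: User is deleted
/// 3: User not authorized
/// 4: User is authorized
/// </returns>
/// <remarks>
/// Side effect: a customer is signed in (persistent cookie) only when the result is 4.
/// </remarks>
public virtual int NewUserAuthorize(PermissionRecord permission, string userLogin)
{
    // An empty login (anonymous request) cannot name a customer; skip the lookup.
    if (string.IsNullOrEmpty(userLogin))
        return 0;

    //Find the user within Nop
    var currentCustomer = _customerService.GetCustomerByUsername(userLogin);

    //User not in system
    if (currentCustomer == null)
        return 0;

    //User is set to inactive
    if (!currentCustomer.Active)
        return 1;

    //User is deleted
    if (currentCustomer.Deleted)
        return 2;

    // Check the permission before signing in. The original signed in first, which
    // issued a persistent authentication cookie to customers who then failed the
    // permission check and were reported as 3. Authorize receives the customer
    // explicitly, so it should not depend on the sign-in having happened — confirm.
    if (!Authorize(permission, currentCustomer))
        return 3;

    //Sign user in and make them the current user
    _authenticationService.SignIn(currentCustomer, true);
    return 4;
}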