0

I have .NET Core authorization set up through user roles. I have the authorize attribute set at the page level restricted by roles, and I have a method restricted by only one role.

I am using AJAX calls through a Kendo DataSource's raw CRUD transport calls. The user does have the correct attribute or role for the method call, but it's getting to the method somehow.

I have to double-check in the method, which is the only way I can secure my app now.

    [HttpGet]
    [AutoValidateAntiforgeryToken]   // note: antiforgery is never validated on GET requests
    [Authorize(Roles = "Administrators")]
    public async Task<IActionResult> OnGetDeleteCustomerAsync(cbs_Customers customers)
    {
        if (!ModelState.IsValid)
        {
            return Page();
        }

        // Manual role check, because the attribute above is not stopping the call.
        // The original nested "if" skipped the role check entirely when the caller
        // was not authenticated; both cases are now rejected.
        if (!User.Identity.IsAuthenticated)
        {
            return Challenge();
        }
        if (!User.IsInRole(Intrafiz.Authorization.Constants.ContactAdministratorsRole))
        {
            // Authenticated but not in the required role (Forbid() would return 403,
            // the conventional status for this case; Unauthorized() is kept as written).
            return Unauthorized();
        }

        // "customers is cbs_Customers" is true for every non-null instance,
        // so the only case the else branch ever handled was a null argument.
        if (customers is null)
        {
            Response.StatusCode = (int)System.Net.HttpStatusCode.BadRequest;
            return new JsonResult(new
            {
                success = false,
                error = "(Deleting customer): failed to locate customer !"
            });
        }
        Customer = customers;

        try
        {
            _context.cbs_Customers.Remove(Customer);
            await _context.SaveChangesAsync();
        }
        catch (DbUpdateConcurrencyException ex)
        {
            // Row already gone: report not found; otherwise surface the concurrency error.
            if (!cbs_CustomersExists(Customer.CustomerId))
            {
                return new JsonResult(new
                {
                    success = false,
                    error = "(Deleting customer): failed to locate customer !"
                });
            }
            else
            {
                return new JsonResult(new
                {
                    success = false,
                    error = "(Deleting customer): concurrency error !" + "\r\n" + ex.Message
                });
            }
        }

        return new JsonResult(Customer);
    }

This is in the configuration of the website:

    services.AddIdentity<ApplicationUser, IdentityRole>(config =>
    {
        config.SignIn.RequireConfirmedEmail = true;
        config.Lockout.MaxFailedAccessAttempts = 5;
        config.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromDays(7);
        config.Lockout.AllowedForNewUsers = true;
        config.User.RequireUniqueEmail = true;
    }).AddEntityFrameworkStores<ApplicationDbContext>()
      .AddDefaultTokenProviders();

    services.AddAuthenticationCore();

    // Authorization handlers.
    services.AddScoped<IAuthorizationHandler,
                       ContactIsOwnerAuthorizationHandler>();

    services.AddSingleton<IAuthorizationHandler,
                          ContactAdministratorsAuthorizationHandler>();

    services.AddSingleton<IAuthorizationHandler,
                          ContactManagerAuthorizationHandler>();

This is from the Kendo dataSource:

    destroy: {
        url: window.location.origin + "/Energy/Index?handler=DeleteCustomer",
        type: "GET"
    },

The user is authenticated by checking User.Identity.IsAuthorized, but the role isn't Administrator or Manager; still, the call from the dataSource is getting to the method.

  • Have you added the authentication services into your ServiceCollection? For example: services.AddAuthentication("BasicAuthentication"); ? – Robert Perry May 10 '19 at 08:03
  • Authorization *is* working, which is why the call is blocked. If it didn't, anyone could call the method. Does your AJAX call contain the authentication cookie or the Authentication header? You can check that using the Network tab in your browser's Developer Tools or a debugging proxy like Fiddler – Panagiotis Kanavos May 10 '19 at 10:37
  • In any case, you should post your *Javascript* code and ASP.NET Identity code configuration. The code you posted will only be called *after* a successfully authorized call so it doesn't help at all – Panagiotis Kanavos May 10 '19 at 10:39
  • Check [this probably duplicate question](https://stackoverflow.com/questions/45031738/interceptor-for-authorization-headers-using-kendo-ui-datasource) that shows how to set the authentication header in *one* data source and asks how to set it just once on *all* data sources – Panagiotis Kanavos May 10 '19 at 10:43
  • Possible duplicate of [Interceptor for Authorization headers using Kendo UI datasource](https://stackoverflow.com/questions/45031738/interceptor-for-authorization-headers-using-kendo-ui-datasource) – Panagiotis Kanavos May 10 '19 at 10:43
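Two facts about ASP.NET Core Razor Pages explain the behaviour described in the question: filter attributes such as `[Authorize]` are honoured only on the PageModel class, not on individual handler methods (`OnGetDeleteCustomerAsync`), so a role restriction placed on a handler has no effect; and antiforgery validation (whether from `[AutoValidateAntiforgeryToken]` or the Razor Pages default) is skipped for GET, so a destroy transport that uses GET is also unprotected against cross-site request forgery. The example below is added here and is not the poster's code: it keeps the page-level roles on the class, turns the handler-only restriction into a named authorization policy checked with `IAuthorizationService`, and moves the delete to a POST handler. The policy name `CanDeleteCustomers`, the role names, `ICustomerRepository` and `IndexModel` are assumed names for this example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

// Startup.ConfigureServices: the handler-specific requirement becomes a named policy.
// "CanDeleteCustomers" and "Administrators" are assumed names for this example.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("CanDeleteCustomers",
                policy => policy.RequireRole("Administrators")));
    }
}

// Page-level roles: the PageModel class is the only place Razor Pages honour [Authorize].
[Authorize(Roles = "Administrators,Managers")]
public class IndexModel : PageModel
{
    private readonly IAuthorizationService _authorization;
    private readonly ICustomerRepository _customers;   // assumed abstraction over the DbContext

    public IndexModel(IAuthorizationService authorization, ICustomerRepository customers)
    {
        _authorization = authorization;
        _customers = customers;
    }

    public void OnGet()
    {
    }

    // POST, not GET: the antiforgery token is validated only on unsafe verbs,
    // so a destroy transport using GET was never covered by [AutoValidateAntiforgeryToken].
    public async Task<IActionResult> OnPostDeleteCustomerAsync(int customerId)
    {
        // [Authorize] on a handler method is ignored by Razor Pages, so the
        // handler-specific rule is enforced explicitly through the policy.
        var decision = await _authorization.AuthorizeAsync(User, "CanDeleteCustomers");
        if (!decision.Succeeded)
        {
            // Signed in (the class-level attribute guarantees that) but not permitted: 403.
            return Forbid();
        }

        var deleted = await _customers.DeleteAsync(customerId);
        if (!deleted)
        {
            return new JsonResult(new { success = false, error = "customer not found" })
            {
                StatusCode = StatusCodes.Status404NotFound
            };
        }

        return new JsonResult(new { success = true, customerId });
    }
}

// Assumed repository contract; the real app removes rows from _context.cbs_Customers.
public interface ICustomerRepository
{
    Task<bool> DeleteAsync(int customerId);
}
```

On the client side this pairs with a destroy transport whose `type` is `"POST"` and which sends the antiforgery token in the `RequestVerificationToken` request header (the default header name ASP.NET Core's antiforgery service reads); Kendo passes the transport's settings through to jQuery.ajax, so a `headers` entry on the `destroy` object is enough. A quick check that the server-side fix is in place: a signed-in user who is in "Managers" but not "Administrators" should now receive a 403 from the delete handler instead of reaching the delete code.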

0 Answers