How can I check if user is logged in from the MVC5 Layout file - asp.net-mvc-5

I have an MVC 5 Site, using a shared _Layout view.
In this _Layout view I render my scripts in the bottom part, after the body.
@Scripts.Render("~/bundles/jquery")
@Scripts.Render("~/bundles/jqueryui")
@*BootStrap must be loaded after JQuery UI in order to override the tooltip function*@
@Scripts.Render("~/bundles/bootstrap")
@Scripts.Render("~/bundles/jqueryval")
@Scripts.Render("~/bundles/Session")
My problem now is that I want to include the Session Bundle in every page, except my Login pages.
In other words, I want to use the Session Bundle only for pages where the user is logged in and they have an active session.
How can I check for this condition in my _Layout View and render the Script Render conditionally?
In other pages, I would add a bool field to my Model and then use a C# if construction to only render the Script part if true, but I do not have a Model in my _Layout View.
I am also using custom, very simple login methods, so I am not using the Identity Framework of MVC5.
EDIT
It was suggested that I use the Request object
@if (Request.IsAuthenticated) { @Render...}
This does not work since I'm using custom login, that does not work with the built in framework.
I read up on how this field works, here: How does Request.IsAuthenticated work?
The problem is still unresolved

@if (Request.IsAuthenticated)
{
    // Render stuff for authenticated user
}

I found an answer.
access session variable from layout page ASP.NET MVC3 RAZOR
I am able to access the Session object from my Layout. Using that, I can check if my custom authentication object is null. If it's not null, the user is logged in
@if (Session["BrugerSession"] != null)
{
    @Scripts.Render("~/bundles/Session")
}

Related

Prevent showing the UI5 app internal page without successful authentication

OpenUI5 version: 1.86
Browser/version (+device/version): Chrome Dev
Upon the authentication I validate the user session:
if (isUserSessionValid) {
    const oRouter = UIComponent.getRouterFor(this);
    oRouter.navTo("overview");
} else {
    this.getOwnerComponent().openAuthDialog();
}
If isUserSessionValid is true, then I forward a user to the internal page, otherwise I show the login dialog.
The problem is, however, that a user can change the value of isUserSessionValid in DevTools and then get forwarded to the UI5 app internal page. Of course, due to a lack of a valid session, no piece of the business data will be displayed, just an empty UI5 app template, but I would like to prevent even such a screen.
If it would be a classical webapp, I would just send an appropriate server response with a redirect to the login page (e.g. res.redirect(403, "/login");). But, if I understand it correctly, since I'm sending an asynchronous request, a plain res.redirect won't work out and I'm required to implement a redirection logic on the UI5-client, which can be manipulated and bypassed by the user.
How to prevent a manipulation of a view navigation in UI5 and ensure that an unauthorized user can't get any piece of the UI5-app code?
The answer from SAP:
If you want to prevent an unauthorized user from accessing the client-side code (e.g. view/controller) you need to enforce
authorization on the server also for those static files. When bundling
the application code you also need to ensure that those files are
separate from the "public" files. One approach would be to have 2
separate components, one for the public page/auth dialog and one for
the actual application.
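The server-side check described in SAP's answer, as an added example that is not part of the original thread and not SAP's code: the static-file handler decides per request whether a file belongs to the public login component or to the application component, and only serves the latter to a valid session. The /public/ and /app/ prefixes, the sid cookie name and the in-memory session store are assumptions made for the illustration.

```javascript
// Hypothetical layout: two separately bundled UI5 components.
//   /public/...  login component, served to anyone
//   /app/...     actual application (views, controllers), session required
const PUBLIC_PREFIX = "/public/";
const PRIVATE_PREFIX = "/app/";

// Constructed server-side session store: session id -> expiry timestamp.
const sessions = new Map([["s-valid", 2000], ["s-expired", 500]]);

// Decode and normalize the URL path before any prefix check, so that
// "/public/%2e%2e/app/x.js" is judged as "/app/x.js", not as a public file.
function normalizePath(rawUrl) {
  let path;
  try {
    path = decodeURIComponent(rawUrl.split("?")[0]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (!path.startsWith("/") || path.includes("\0") || path.includes("\\")) return null;
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would climb above the web root
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

function sessionIdFromCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(cookieHeader || "");
  return m ? m[1] : null;
}

// Returns the HTTP status the static-file handler should answer with and,
// for 200, the normalized path to read from disk.
function authorizeStatic(rawUrl, cookieHeader, now) {
  const path = normalizePath(rawUrl);
  if (path === null) return { status: 400 };
  if (path.startsWith(PUBLIC_PREFIX)) return { status: 200, path };
  if (!path.startsWith(PRIVATE_PREFIX)) return { status: 404 };
  const expiry = sessions.get(sessionIdFromCookie(cookieHeader));
  if (expiry === undefined || expiry <= now) return { status: 401 };
  return { status: 200, path };
}
```

The handler should read the file using the returned normalized path and not decode the URL a second time; the UI5 client can then treat a 401 on an application resource as the signal to open the login dialog.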

How can I customize Yesod Login page?

I implemented Google authentication in my Yesod application.
When I open http://localhost:3000/auth/login I see a page generated by Yesod.
I tried to add login.hamlet to templates folder but it didn't override default login page.
Which is the right way to customize login page in Yesod?
You can override the class methods listed here https://www.stackage.org/package/yesod-auth
For example if you want to change the default email login page, you can do in Foundation.hs
instance YesodAuthEmail App where
    ...
    emailLoginHandler = myEmailLoginHandler
and then look here to see how to implement it https://www.stackage.org/haddock/nightly-2019-08-26/yesod-auth-1.6.7/src/Yesod.Auth.Email.html#defaultEmailLoginHandler

Orchard - How to understand if I'm calling from Admin panel

I need to execute some code every time I load a page, except if the page belongs to the admin panel. I created an IActionFilter and in the OnActionExecuting method I tried to check for the Controller name, but it isn't an optimal solution because there are a lot of different controllers being called from the dashboard. Is there a more efficient way to recognize if I'm loading a page of the admin panel?
Yes there is
using Orchard.UI.Admin;
&
if (AdminFilter.IsApplied(filterContext.RequestContext))
{
    // This is an admin page, do nothing
    return;
}

Calling Controller from aspx page

I have been trying to find a solution to my problem for 2 days now and I am really stuck. Here's the problem:
I have an MVC application (with Dependency injection and the works) with just one webform. This page needs to be a webform because it has a ReportViewer in it and please correct me if I am wrong but an MVC View is incompatible with server controls like ReportViewer. This is the navigation flow of the pages:
Home page navigates to the ReportList page
ReportList page displays the reports that a user is able to view and navigates to the Report page and passes it the ID of the report that the user selected.
Report page should look up the ReportPath and the ServerUrl from the database based on the ID passed from the ReportList page at the same time authorizing the user, whose permissions are stored in the database.
I could potentially pass the ReportPath and the ServerUrl as part of the query string so that the report page (aspx, not driven by a controller) does not have to go to the database to get these values. The problem however is how to check that the user is authorized to view the report (someone could just use a link to look at the report).
I did try to hook it into the MVC model and inherited the page from the ViewPage class. The problem there is that the page kept reloading itself for some reason. I still want my page to do as little as possible and a controller to handle calls to the authorization attribute and to the business layer. So, as a last resort, I want to call the controller from the aspx page but I can't create an object of it because of dependency injection.
Can someone please provide some guidance on this? I have all the code available but don't know what to post.
I found the answer and am posting it here in case it helps anyone.
I added another class called ReportManager, which the aspx code behind calls to execute the requests. The ReportManager simulates the Controller call through this code:
// Requires the System.Web, System.Web.Mvc and System.Web.Routing namespaces
var routeData = new RouteData();
routeData.Values["controller"] = "Report";
routeData.Values["action"] = "SomeAction";
routeData.Values["SomeRouteValueKey"] = "someroutevalue";
// Wrap the current WebForms request so the MVC pipeline can consume it
var requestContext = new RequestContext(new HttpContextWrapper(HttpContext.Current), routeData);
// Resolve the controller through the DI container so its dependencies are injected
IController controller = DependencyResolver.Current.GetService<ReportController>();
controller.Execute(requestContext);

What to do to restrict the user from seeing the page with out login the website?

I want a page to appear to the user only after logging in. But if we use that link we can see the page and its content; the only thing is that it won't have the user data. What can be done to prevent this? What can be done in this scenario?
You can declare a PhaseListener that redirects to the homepage if the user is not logged in
public void afterPhase(PhaseEvent evt) {
    ExternalContext ext = evt.getFacesContext().getExternalContext();
    // getSessionMap() returns Map<String, Object>, so the value must be cast
    User user = (User) ext.getSessionMap().get(USER_KEY);
    if (user == null) {
        try {
            // No user object in the session: send the browser to the home page
            ext.redirect("home.xhtml");
        } catch (IOException e) {
            throw new FacesException(e);
        }
    }
}
The phase listener can be defined globally, or at view-level with:
<f:view afterPhase="#{bean.afterPhase}">...</f:view>
(in facelets the attribute is called afterPhaseListener)
Use a ServletFilter to check existence of UserData in Session.
If "yes", then forward; else forward to error page.
Another option is to use the rendered attribute on tags to check the existence of UserData object.
I'm not familiar with JSF or if it has built in authentication/authorization. But you should be able to apply authentication/access rules directly on your web server.
