in RESTProxy/Models/Endpoint.cs [513:558]
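/// <summary>
/// Decides whether <paramref name="userPrincipal"/> may invoke <paramref name="method"/> on this endpoint.
/// GET is treated as read-only and is satisfied by membership in either the read-only or the read-write
/// security group; every other method requires the read-write group.
/// </summary>
/// <param name="userPrincipal">The caller's principal. A <c>null</c> principal is denied (fail closed) rather than dereferenced.</param>
/// <param name="method">The HTTP method being invoked.</param>
/// <param name="errorResponse">
/// On denial, a response with status 401 and a JSON body <c>{"code":"Unauthorized","message":...}</c>
/// naming the group the caller needs; <c>null</c> when access is granted.
/// </param>
/// <returns><c>true</c> if the caller holds a sufficient role; otherwise <c>false</c> with <paramref name="errorResponse"/> set.</returns>
private bool TryHasPermission(IPrincipal userPrincipal, HttpMethod method, out HttpResponseMessage errorResponse)
{
    // These are used for formatting the error message returned when the user doesn't have permission.
    const string UnauthorizedAccessMessageFormat = "You need to be a member of the \"{0}\" security group to access this API.";
    const string SecurityExceptionMessageFormat = "{{\"code\":\"Unauthorized\", \"message\":{0}}}";

    // The group named in the denial message: GET is R/O (R/W is also accepted), anything else is R/W.
    string requiredGroup = method == HttpMethod.Get
        ? this.ReadOnlySecurityGroupAlias
        : this.ReadWriteSecurityGroupAlias;

    // Non-null means "deny"; the role checks below are plain boolean tests rather than
    // throw/catch within the same method, which the previous version used for control flow.
    string denialMessage = null;

    if (userPrincipal == null)
    {
        // Fail closed: an absent principal is never a member of any group. Previously this
        // dereferenced null and surfaced as an unhandled exception instead of a denial.
        denialMessage = string.Format(UnauthorizedAccessMessageFormat, requiredGroup);
    }
    else
    {
        try
        {
            bool permitted;
            if (method == HttpMethod.Get)
            {
                // GET methods are equivalent to R/O methods, but R/W gets access as well.
                permitted = userPrincipal.IsInRole(this.ReadOnlySecurityGroupAlias)
                         || userPrincipal.IsInRole(this.ReadWriteSecurityGroupAlias);
            }
            else
            {
                permitted = userPrincipal.IsInRole(this.ReadWriteSecurityGroupAlias);
            }

            if (!permitted)
            {
                denialMessage = string.Format(UnauthorizedAccessMessageFormat, requiredGroup);
            }
        }
        catch (SecurityException)
        {
            // IsInRole can fail when group membership cannot be resolved (e.g. directory lookup
            // errors). Deny rather than propagate, and do not echo the runtime's exception text
            // to the caller -- it can describe internal infrastructure.
            denialMessage = "Security group membership could not be verified for this request.";
        }
        catch (UnauthorizedAccessException)
        {
            // Same handling as above, kept for parity with the exception types the previous
            // implementation mapped to a denial.
            denialMessage = "Security group membership could not be verified for this request.";
        }
    }

    if (denialMessage == null)
    {
        errorResponse = null;
        return true;
    }

    // NOTE(review): an authenticated caller lacking a role is strictly a 403 Forbidden case;
    // 401 is retained here because existing clients may key off it. Revisit with the API owners.
    string response = string.Format(SecurityExceptionMessageFormat, JsonConvert.ToString(denialMessage));
    errorResponse = new HttpResponseMessage(HttpStatusCode.Unauthorized)
    {
        Content = new StringContent(response, Encoding.UTF8, ProxyManager.JsonMediaType)
    };
    return false;
}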