ASP.NET Authorization Attribute Example

//
// ELMAH.Mvc
// Copyright (c) 2011 Atif Aziz, James Driscoll. All rights reserved.
//
//  Author(s):
//
//      James Driscoll
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//    http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

namespace Elmah.Mvc
{
    using System;
    using System.Linq;

    internal class AuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
    {
        private readonly string[] allowedRoles;
        private readonly string[] allowedUsers;

        private readonly bool isHandlerDisabled;
        private readonly bool requiresAuthentication;

        public AuthorizeAttribute()
        {
            this.allowedRoles = Settings.AllowedRoles.Split(',')
                            .Where(r => !string.IsNullOrWhiteSpace(r))
                            .Select(r => r.Trim())
                            .ToArray();

            this.allowedUsers = Settings.AllowedUsers.Split(',')
                                    .Where(r => !string.IsNullOrWhiteSpace(r))
                                    .Select(r => r.Trim())
                                    .ToArray();

            this.isHandlerDisabled = Settings.DisableHandler;
            this.requiresAuthentication = Settings.RequiresAuthentication;
        }

        protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
        {
            return !this.isHandlerDisabled && (!this.requiresAuthentication || this.UserIsAllowed(httpContext));
        }

        /// <summary>
        /// Check that current user is in allowed roles AND in allowed usernames
        /// </summary>
        /// <param name="httpContext"></param>
        /// <returns></returns>
        private bool UserIsAllowed(System.Web.HttpContextBase httpContext)
        {

            return this.UserIsAllowedByRole(httpContext) && this.UserIsAllowedByName(httpContext);
        }

        /// <summary>
        /// Check that current user is  in allowed roles
        /// </summary>
        /// <param name="httpContext"></param>
        /// <returns></returns>
        private bool UserIsAllowedByRole(System.Web.HttpContextBase httpContext)
        {
            return httpContext.Request.IsAuthenticated &&
                   (this.allowedRoles.Any(r => r == "*" || httpContext.User.IsInRole(r)));
        }

        /// <summary>
        /// Check that user is in allowed usernames
        /// </summary>
        /// <param name="httpContext"></param>
        /// <returns></returns>
        private bool UserIsAllowedByName(System.Web.HttpContextBase httpContext)
        {
            var stringComparison = Settings.UserAuthCaseSensitive ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase;

            return httpContext.Request.IsAuthenticated &&
                  (this.allowedUsers.Any(u => u == "*" || u.Equals(httpContext.User.Identity.Name, stringComparison)));
        }
    }
}