simon/adl
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

bug 1801 : Prevent non-administrator access to administrator-only pages. This has involved creating a framework for authentication at controller level, which is not quite working at this stage

Browse source
This commit is contained in:
sb 2008-04-17 16:16:19 +00:00
parent c480c2d41e
commit fd3bfabe3a
1 changed files with 171 additions and 143 deletions

314
transforms01/adl2controllerclasses.xslt
View file

@ -9,8 +9,8 @@
Transform ADL into (partial) controller classes
$Author: sb $
$Revision: 1.19 $
$Date: 2008-04-17 15:04:15 $
$Revision: 1.20 $
$Date: 2008-04-17 16:16:19 $
-->
<!-- WARNING WARNING WARNING: Do NOT reformat this file!
@ -71,7 +71,7 @@
//
// Controller for auto-generated forms for editing <xsl:value-of select="@name"/>s
// Automatically generated from application description using
// adl2controllerclasses.xslt version <xsl:value-of select="substring( '$Revision: 1.19 $', 10)"/>
// adl2controllerclasses.xslt version <xsl:value-of select="substring( '$Revision: 1.20 $', 10)"/>
//
// This file is automatically generated; DO NOT EDIT IT.
//
@ -92,7 +92,7 @@ namespace <xsl:value-of select="$controllerns"/> {
///
/// DO NOT EDIT THIS FILE!
/// &lt;/summary&gt;
public abstract class <xsl:value-of select="concat( 'Abstract', /adl:application/@name, 'Controller')"/> : BaseController {
public abstract partial class <xsl:value-of select="concat( 'Abstract', /adl:application/@name, 'Controller')"/> : BaseController {
<xsl:for-each select="//adl:entity">
/// &lt;summary&gt;
/// Return a list of all instances of <xsl:value-of select="@name"/> for use in menus, etc;
@ -128,7 +128,7 @@ namespace <xsl:value-of select="$controllerns"/> {
//
// Controller for auto-generated forms for editing <xsl:value-of select="@name"/>s
// Automatically generated from application description using
// adl2controllerclasses.xslt version <xsl:value-of select="substring( '$Revision: 1.19 $', 10)"/>
// adl2controllerclasses.xslt version <xsl:value-of select="substring( '$Revision: 1.20 $', 10)"/>
//
// This file is automatically generated; DO NOT EDIT IT.
//
@ -182,6 +182,10 @@ namespace <xsl:value-of select="$controllerns"/> {
NHibernateHelper.GetCurrentSession( <xsl:if test="$authentication-layer = 'Database'">Session[ NHibernateHelper.USERTOKEN],
Session[NHibernateHelper.PASSTOKEN]</xsl:if>);
List&lt;string&gt; messages = new List&lt;string&gt;();
// A 'newborn' instance can be updated even if the current user doesn't have
// update permissions, seeing that we use an update operation to set the
// field values and save the entity.
Boolean isnewborn = false;
<xsl:apply-templates select="descendant::adl:property"/>
@ -190,17 +194,18 @@ namespace <xsl:value-of select="$controllerns"/> {
</xsl:call-template>
if ( record == null) {
/* it seems to be new, create persistent object */
try {
record = new <xsl:value-of select="concat($entityns, '.', @name)"/>(<xsl:for-each select="adl:key/adl:property">
if ( AssertUserCanCreate()) {
/* it seems to be new, create persistent object */
try {
record = new <xsl:value-of select="concat($entityns, '.', @name)"/>(<xsl:for-each select="adl:key/adl:property">
<xsl:variable name="basetype">
<xsl:call-template name="base-type">
<xsl:with-param name="property" select="."/>
</xsl:call-template>
</xsl:variable>
<xsl:choose>
<xsl:when test="$basetype='integer'">Int32.Parse( Form["<xsl:value-of select="concat( 'instance.', @name)"/>"])</xsl:when>
<xsl:when test="$basetype='entity'">
<xsl:when test="$basetype='integer'">Int32.Parse( Form["<xsl:value-of select="concat( 'instance.', @name)"/>"])</xsl:when>
<xsl:when test="$basetype='entity'">
<!-- Maybe TODO: this doesn't work recursively - if an entity has a key which is an entity
and the key of that entity is an entity, you're on your own, mate! -->
<xsl:variable name="keyentity" select="@entity"/>
@ -209,12 +214,12 @@ namespace <xsl:value-of select="$controllerns"/> {
<xsl:with-param name="entity" select="//adl:entity[@name=$keyentity]"/>
</xsl:call-template>
</xsl:variable>
hibernator.CreateCriteria( typeof( <xsl:value-of select="concat( $entityns, '.', $keyentity)"/>))
.Add(Expression.Eq( "<xsl:value-of select="//adl:entity[@name=$keyentity]/adl:key/adl:property[position()=1]/@name"/>",<xsl:choose>
hibernator.CreateCriteria( typeof( <xsl:value-of select="concat( $entityns, '.', $keyentity)"/>))
.Add(Expression.Eq( "<xsl:value-of select="//adl:entity[@name=$keyentity]/adl:key/adl:property[position()=1]/@name"/>",<xsl:choose>
<xsl:when test="$keyenttype = 'int'">Int32.Parse( Form[ "<xsl:value-of select="concat( 'instance.', @name)"/>"])</xsl:when>
<xsl:otherwise>Form[ "<xsl:value-of select="concat( 'instance.', @name)"/>"]</xsl:otherwise>
</xsl:choose>))
.UniqueResult&lt;<xsl:value-of select="concat( $entityns, '.', $keyentity)"/>&gt;()</xsl:when>
.UniqueResult&lt;<xsl:value-of select="concat( $entityns, '.', $keyentity)"/>&gt;()</xsl:when>
<xsl:otherwise>Form["<xsl:value-of select="concat( 'instance.', @name)"/>"]</xsl:otherwise>
</xsl:choose>
<xsl:choose>
@ -222,62 +227,70 @@ namespace <xsl:value-of select="$controllerns"/> {
<xsl:otherwise>, </xsl:otherwise>
</xsl:choose>
</xsl:for-each>);
}
catch ( FormatException) {
/* failed to parse a number - not wholly unexpected, since it's most likely
that an empty string was passed in */
record = new <xsl:value-of select="concat($entityns, '.', @name)"/>();
}
catch ( NullReferenceException) {
/* again, probably more normal than otherwise */
record = new <xsl:value-of select="concat($entityns, '.', @name)"/>();
}
messages.Add( "New <xsl:value-of select="@name"/> record created");
isnewborn = true;
}
catch ( FormatException) {
/* failed to parse a number - not wholly unexpected, since it's most likely
that an empty string was passed in */
record = new <xsl:value-of select="concat($entityns, '.', @name)"/>();
else
{
AddError( "You are not authorised to create objects of type <xsl:value-of select="@name"/>");
}
catch ( NullReferenceException) {
/* again, probably more normal than otherwise */
record = new <xsl:value-of select="concat($entityns, '.', @name)"/>();
}
messages.Add( "New <xsl:value-of select="@name"/> record created");
}
if ( record != null) {
try {
/* actually update the record */
BindObjectInstance( record, ParamStore.Form, "instance");
if ( isnewborn || AssertUserCanUpdate())
{
try {
/* actually update the record */
BindObjectInstance( record, ParamStore.Form, "instance");
<xsl:if test="descendant::adl:property[@type='message']">
/* there is at least one slot whose value is an internationalised message;
* if these have yet to be initialised they must be handled specially */
Locale locale = GetBestLocaleForUser();
/* there is at least one slot whose value is an internationalised message;
* if these have yet to be initialised they must be handled specially */
Locale locale = GetBestLocaleForUser();
<xsl:for-each select="descendant::adl:property[@type='message']">
if ( ! String.IsNullOrEmpty( Form["<xsl:value-of select="concat( 'i18n.instance.', @name)"/>"])){
/* there's an uninitialised message for this slot */
Message mess = record.<xsl:value-of select="@name"/>;
if ( mess == null){
mess = new Message();
}
hibernator.Save( mess);
if ( ! String.IsNullOrEmpty( Form["<xsl:value-of select="concat( 'i18n.instance.', @name)"/>"])){
/* there's an uninitialised message for this slot */
Message mess = record.<xsl:value-of select="@name"/>;
if ( mess == null){
mess = new Message();
}
hibernator.Save( mess);
Translation trans = mess.GetTranslationObject( locale, hibernator);
if ( trans == null) {
trans = new Translation( mess, locale);
Translation trans = mess.GetTranslationObject( locale, hibernator);
if ( trans == null) {
trans = new Translation( mess, locale);
}
trans.MessageText = Form["<xsl:value-of select="concat( 'i18n.instance.', @name)"/>"];
record.<xsl:value-of select="@name"/> = mess;
hibernator.Save( trans);
}
trans.MessageText = Form["<xsl:value-of select="concat( 'i18n.instance.', @name)"/>"];
record.<xsl:value-of select="@name"/> = mess;
hibernator.Save( trans);
}
</xsl:for-each>
</xsl:if>
<xsl:for-each select="descendant::adl:property[@type='entity']">
/* for properties of type 'entity', it should not be necessary to do anything
* special - BindObjectInstance /should/ do it all. Unfortunately it sometimes
* doesn't, and I haven't yet characterised why not. */
/* for properties of type 'entity', it should not be necessary to do anything
* special - BindObjectInstance /should/ do it all. Unfortunately it sometimes
* doesn't, and I haven't yet characterised why not. */
<xsl:variable name="entityname" select="@entity"/>
<xsl:choose>
<xsl:when test="//adl:entity[@name=$entityname]">
if ( ! String.IsNullOrEmpty( Form["<xsl:value-of select="concat( 'instance.', @name)"/>"]))
{
record.<xsl:value-of select="@name"/> = <xsl:call-template name="fetch-property-instance">
<xsl:with-param name="property" select="."/>
<xsl:with-param name="valuename" select="concat( 'instance.', @name)"/>
</xsl:call-template>;
}
if ( ! String.IsNullOrEmpty( Form["<xsl:value-of select="concat( 'instance.', @name)"/>"]))
{
record.<xsl:value-of select="@name"/> = <xsl:call-template name="fetch-property-instance">
<xsl:with-param name="property" select="."/>
<xsl:with-param name="valuename" select="concat( 'instance.', @name)"/>
</xsl:call-template>;
}
</xsl:when>
<xsl:otherwise>
<xsl:message terminate="yes">
@ -289,92 +302,98 @@ namespace <xsl:value-of select="$controllerns"/> {
</xsl:for-each>
<xsl:for-each select="property[@type='link']">
/* to update a link table which has no other data than the near and far keys, it is
* sufficient to smash the existing values and create new ones. It's also a lot easier! */
/* to update a link table which has no other data than the near and far keys, it is
* sufficient to smash the existing values and create new ones. It's also a lot easier! */
string[] <xsl:value-of select="concat(@name, 'Values')"/> = Form.GetValues( "<xsl:value-of select="concat( 'instance.', @name)"/>");
string[] <xsl:value-of select="concat(@name, 'Values')"/> = Form.GetValues( "<xsl:value-of select="concat( 'instance.', @name)"/>");
if ( <xsl:value-of select="concat(@name, 'Values')"/> != null)
{
/* update the linking table for my <xsl:value-of select="@name"/>; first smash the old values */
if ( <xsl:value-of select="concat( 'record.', @name)"/> != null)
if ( <xsl:value-of select="concat(@name, 'Values')"/> != null)
{
<xsl:value-of select="concat( 'record.', @name)"/>.Clear();
}
else
{
<xsl:value-of select="concat( 'record.', @name)"/> = new HashedSet&lt;<xsl:value-of select="@entity"/>&gt;();
}
/* update the linking table for my <xsl:value-of select="@name"/>; first smash the old values */
if ( <xsl:value-of select="concat( 'record.', @name)"/> != null)
{
<xsl:value-of select="concat( 'record.', @name)"/>.Clear();
}
else
{
<xsl:value-of select="concat( 'record.', @name)"/> = new HashedSet&lt;<xsl:value-of select="@entity"/>&gt;();
}
/* then reinstate the values from the indexes passed */
foreach ( string index in <xsl:value-of select="concat(@name, 'Values')"/>)
{
<xsl:value-of select="concat( 'record.', @name)"/>.Add(
hibernator.CreateCriteria(typeof(<xsl:value-of select="@entity"/>))
.Add(Expression.Eq("<xsl:value-of select="@entity"/>Id", index))
.UniqueResult&lt;<xsl:value-of select="$entityns"/>.<xsl:value-of select="@entity"/>&gt;());
/* then reinstate the values from the indexes passed */
foreach ( string index in <xsl:value-of select="concat(@name, 'Values')"/>)
{
<xsl:value-of select="concat( 'record.', @name)"/>.Add(
hibernator.CreateCriteria(typeof(<xsl:value-of select="@entity"/>))
.Add(Expression.Eq("<xsl:value-of select="@entity"/>Id", index))
.UniqueResult&lt;<xsl:value-of select="$entityns"/>.<xsl:value-of select="@entity"/>&gt;());
}
}
}
</xsl:for-each>
<xsl:for-each select="descendant::adl:property[@type='list']">
/* with a list we cannot just smash the old values! Instead we need to check
* each one and exclude it if no longer required */
if ( Form.GetValues( "<xsl:value-of select="concat( 'instance.', @name)"/>") != null)
{
string[] <xsl:value-of select="concat(@name, 'Values')"/> = Form.GetValues( "<xsl:value-of select="concat( 'instance.', @name)"/>");
/* updating <xsl:value-of select="@name"/> child records; first remove any not on the submitted list */
foreach ( <xsl:value-of select="@entity"/> item in record.<xsl:value-of select="@name"/>)
/* with a list we cannot just smash the old values! Instead we need to check
* each one and exclude it if no longer required */
if ( Form.GetValues( "<xsl:value-of select="concat( 'instance.', @name)"/>") != null)
{
String itemId = item.KeyString;
bool found = false;
string[] <xsl:value-of select="concat(@name, 'Values')"/> = Form.GetValues( "<xsl:value-of select="concat( 'instance.', @name)"/>");
foreach ( string index in <xsl:value-of select="concat(@name, 'Values')"/>)
/* updating <xsl:value-of select="@name"/> child records; first remove any not on the submitted list */
foreach ( <xsl:value-of select="@entity"/> item in record.<xsl:value-of select="@name"/>)
{
<!-- TODO: this could definitely be made more efficient -->
if ( index.Equals( itemId))
String itemId = item.KeyString;
bool found = false;
foreach ( string index in <xsl:value-of select="concat(@name, 'Values')"/>)
{
found = true;
<!-- TODO: this could definitely be made more efficient -->
if ( index.Equals( itemId))
{
found = true;
}
}
if ( ! found)
{
record.<xsl:value-of select="@name"/>.Remove( item);
}
}
if ( ! found)
{
record.<xsl:value-of select="@name"/>.Remove( item);
}
}
/* then add any on the included list which are not already members */
foreach ( string index in <xsl:value-of select="concat(@name, 'Values')"/>)
{
<xsl:variable name="entityname" select="@entity"/>
<xsl:value-of select="@entity"/> item =
hibernator.CreateCriteria(typeof(<xsl:value-of select="@entity"/>))
.Add(Expression.Eq("<xsl:value-of select="@entity"/>Id", index))
.UniqueResult&lt;<xsl:value-of select="$entityns"/>.<xsl:value-of select="@entity"/>&gt;();
if ( ! record.<xsl:value-of select="@name"/>.Contains( item))
/* then add any on the included list which are not already members */
foreach ( string index in <xsl:value-of select="concat(@name, 'Values')"/>)
{
record.<xsl:value-of select="@name"/>.Add( item);
<xsl:variable name="entityname" select="@entity"/>
<xsl:value-of select="@entity"/> item =
hibernator.CreateCriteria(typeof(<xsl:value-of select="@entity"/>))
.Add(Expression.Eq("<xsl:value-of select="@entity"/>Id", index))
.UniqueResult&lt;<xsl:value-of select="$entityns"/>.<xsl:value-of select="@entity"/>&gt;();
if ( ! record.<xsl:value-of select="@name"/>.Contains( item))
{
record.<xsl:value-of select="@name"/>.Add( item);
}
}
}
}
</xsl:for-each>
/* write the record to the database, in order to guarantee we have a valid key */
hibernator.Save(record);
hibernator.Flush();
/* write the record to the database, in order to guarantee we have a valid key */
hibernator.Save(record);
hibernator.Flush();
messages.Add( "Record saved successfully");
messages.Add( "Record saved successfully");
}
catch ( DataSuitabilityException dse)
{
AddError( dse.Message);
}
catch ( ApplicationException axe)
{
AddError( axe.Message);
}
}
catch ( DataSuitabilityException dse)
{
AddError( dse.Message);
}
catch ( ApplicationException axe)
{
AddError( axe.Message);
else {
AddError( "You are not authorised to update objects of type <xsl:value-of select="@name"/>");
}
PropertyBag["messages"] = messages;
@ -414,37 +433,42 @@ namespace <xsl:value-of select="$controllerns"/> {
[AccessibleThrough(Verb.Post)]
public void Delete()
{
ISession hibernator =
if ( AssertUserCanDelete())
{
ISession hibernator =
NHibernateHelper.GetCurrentSession( <xsl:if test="$authentication-layer = 'Database'">Session[ NHibernateHelper.USERTOKEN],
Session[NHibernateHelper.PASSTOKEN]</xsl:if>);
string reallydelete = Params["reallydelete"];
string reallydelete = Params["reallydelete"];
if ( "true".Equals( reallydelete))
{
if ( "true".Equals( reallydelete))
{
<xsl:call-template name="fetch-instance">
<xsl:with-param name="entity" select="."/>
</xsl:call-template>
if ( record != null)
{
hibernator.Delete( record);
if ( record != null)
{
hibernator.Delete( record);
hibernator.Flush();
hibernator.Flush();
}
else
{
throw new ApplicationException( "No such record?");
}
}
else
{
throw new ApplicationException( "No such record?");
}
}
<xsl:choose>
<xsl:when test="adl:list">
Redirect( "<xsl:value-of select="concat(adl:list[position()=1]/@name, '.rails')"/>");
Redirect( "<xsl:value-of select="concat(adl:list[position()=1]/@name, '.rails')"/>");
</xsl:when>
<xsl:otherwise>
Redirect( FormsAuthentication.DefaultUrl);
Redirect( FormsAuthentication.DefaultUrl);
</xsl:otherwise>
</xsl:choose>
} else {
AddError( "You are not authorised to delete objects of type <xsl:value-of select="@name"/>");
}
}
</xsl:if>
<xsl:apply-templates select="adl:form"/>
@ -468,21 +492,25 @@ namespace <xsl:value-of select="$controllerns"/> {
/// &lt;param name="view"&gt;The name of the list view to show&lt;/param&gt;
public void InternalShowList( String view)
{
ISession hibernator =
NHibernateHelper.GetCurrentSession( <xsl:if test="$authentication-layer = 'Database'">Session[ NHibernateHelper.USERTOKEN],
if ( AssertUserCanRead()) {
ISession hibernator =
NHibernateHelper.GetCurrentSession( <xsl:if test="$authentication-layer = 'Database'">Session[ NHibernateHelper.USERTOKEN],
Session[NHibernateHelper.PASSTOKEN]</xsl:if>);
IList&lt;<xsl:value-of select="concat( $entityns, '.', @name)"/>&gt; instances =
hibernator.CreateCriteria(typeof(<xsl:value-of select="concat($entityns, '.', @name)"/>))<xsl:for-each select="property[@distinct='user']">
<xsl:value-of select="concat( '.AddOrder( new Order( &#34;', @name, '&#34;, true))')"/>
</xsl:for-each>.List&lt;<xsl:value-of select="concat($entityns, '.', @name)"/>&gt;();
IList&lt;<xsl:value-of select="concat( $entityns, '.', @name)"/>&gt; instances =
hibernator.CreateCriteria(typeof(<xsl:value-of select="concat($entityns, '.', @name)"/>))<xsl:for-each select="property[@distinct='user']">
<xsl:value-of select="concat( '.AddOrder( new Order( &#34;', @name, '&#34;, true))')"/>
</xsl:for-each>.List&lt;<xsl:value-of select="concat($entityns, '.', @name)"/>&gt;();
<xsl:if test="$authentication-layer = 'Database'">
PropertyBag["username"] = Session[ NHibernateHelper.USERTOKEN];
</xsl:if>
PropertyBag["instances"] =
PaginationHelper.CreatePagination( this, instances, 25);
<xsl:if test="$authentication-layer = 'Database'">
PropertyBag["username"] = Session[ NHibernateHelper.USERTOKEN];
</xsl:if>
PropertyBag["instances"] =
PaginationHelper.CreatePagination( this, instances, 25);
RenderViewWithFailover(view + ".vm", view + ".auto.vm");
RenderViewWithFailover(view + ".vm", view + ".auto.vm");
} else {
AddError( "You are not authorised to delete view of type <xsl:value-of select="@name"/>");
}
}
</xsl:if>
}