init

KretaWeb/Security/ApiFeatureAuthorizeAttribute.cs

@@ -0,0 +1,38 @@
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Web;
+using System.Web.Http;
+using System.Web.Http.Controllers;
+
+namespace Kreta.Web.Security
+{
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
+    public class ApiFeatureAuthorizeAttribute : AuthorizeAttribute
+    {
+        private readonly string[] featureNames;
+
+        public ApiFeatureAuthorizeAttribute(params string[] features)
+        {
+            featureNames = features;
+        }
+
+        public override void OnAuthorization(HttpActionContext actionContext)
+        {
+            if (IsAuthorized(actionContext))
+                return;
+            HandleUnauthorizedRequest(actionContext);
+        }
+
+        protected override bool IsAuthorized(HttpActionContext actionContext)
+        {
+            return AuthorizeHelper.CheckFeatureAccess(featureNames);
+        }
+
+        protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
+        {
+            HttpContext.Current.Response.AddHeader("AuthenticationStatus", "NotAuthorized");
+            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
+        }
+    }
+}