Nope...Get the same error...I've also tried:-
Code:
HttpContext context = application.Context;
And
Code:
application.Context.User...
But all give the same error...
What if you add the following to the top of the page?
Code:
using System;
using System.Web;
jmurrayhead
If you agree, give me rep.
If you like it here...throw us a few bones to help support us.
Are you building this HttpModule as its own project or as part of your application? You may need to add a reference for System and System.Web.
jmurrayhead
It's part of the application.
I'm just trying to work through this logically. I'll post the whole code:-
Code:
using System;
using System.Web;
using System.Net;
using MyApp.App.BLL.Users;

namespace MyApp.App.BLL.Permissions
{
    public class PermissionModule : IHttpModule
    {
        public PermissionModule()
        {
        }

        public void Init(HttpApplication application)
        {
            application.BeginRequest += (new EventHandler(this.Application_BeginRequest));
            application.EndRequest += (new EventHandler(this.Application_EndRequest));
        }

        private User user { get; set; }

        public void Application_BeginRequest(Object source, EventArgs e)
        {
            // Create HttpApplication and HttpContext objects to access
            // request and response properties.
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            if (user == null)
            {
                user = new User();
                user = User.GetUser(Convert.ToInt32(context.User.Identity.Name));
            }
            SiteMapNode node = SiteMap.CurrentNode;
            if (node != null)
            {
                if (node["section"] != "0")
                {
                    if (!user.admin && !user.CheckUserPermission(Convert.ToInt32(node["section"]), Convert.ToInt32(node["permission"])))
                        HttpContext.Current.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                    //throw new HttpException(403, "Permission Denied");
                    //HttpContext.Current.Response.Redirect("default.aspx?access=none");
                }
            }
            /*
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            string filePath = context.Request.FilePath;
            string fileExtension = VirtualPathUtility.GetExtension(filePath);
            if (fileExtension.Equals(".aspx"))
            {
                context.Response.Write("<h1><font color=red>" + "HelloWorldModule: Beginning of Request" + "</font></h1><hr>");
            }
            */
        }

        private void Application_EndRequest(Object source, EventArgs e)
        {
            //This isn't doing anything at the moment
            /*
            HttpApplication application = (HttpApplication)source;
            HttpContext context = application.Context;
            string filePath = context.Request.FilePath;
            string fileExtension = VirtualPathUtility.GetExtension(filePath);
            if (fileExtension.Equals(".aspx"))
            {
                context.Response.Write("<hr><h1><font color=red>" + "HelloWorldModule: End of Request</font></h1>");
            }
            */
        }

        public void Dispose()
        {
        }
    }
}
So on initializing, it adds EventHandlers to BeginRequest and EndRequest events of the application. So when the application starts, Init is the only thing that should be called, right?
So, what about pages where there wouldn't be an instance? My login page, for example. How would I check for an empty reference?
Code:
if(context.User==null)?
if(context.User.Identity==null)?
if(context.User.Identity.Name==null)?
Or would any of those work?
OK. I added this conditional to my Begin_Request sub
Code:
HttpApplication application = (HttpApplication)source;
HttpContext context = application.Context;
if (context.User != null)
and it's failing each time, i.e. context.User is always coming back as null...
So, I obviously need to find where this is initialized and check the permission after this event.
I think I might know what the problem is. Not sure though.
This is being called on each request, including CSS, images (I presume) etc., not just on asp.net page requests.
HttpContext.Current is an object because in the else of my if(name==null), I have
Code:
else
{
    HttpContext.Current.Response.Write("<h1><font color=red>" + "PermissionModule: Beginning of Request" + "</font></h1>");
}
And that gets written to each request (including the CSS files).
I tried the code from here but my name is still coming back as null.
OK. The HttpContext User is only available after AuthorizeRequest. However, I changed my code to check the permissions in an event handler for AuthorizeRequest and it's acting the same as if I used it in my master page.
It allows a user to view a page they shouldn't have permission for. I've used this to send the status code so I don't know if it's this that is the problem.
Code:
HttpContext.Current.Response.StatusCode = (int)HttpStatusCode.Forbidden;
Might just try Fiddler to see what gets returned. See if it is a 403 status code.
Ok...I've used this code
Code:
private void Application_AuthenticateRequest(object source, EventArgs e)
{
    HttpApplication application = (HttpApplication)source;
    HttpResponse response = application.Context.Response;
    string name = application.Context.User.Identity.Name;
    if (name != null)
    {
        if (user == null)
        {
            user = new User();
            user = User.GetUser(Convert.ToInt32(name));
        }
        SiteMapNode node = SiteMap.CurrentNode;
        if (node != null)
        {
            if (node["section"] != "0")
            {
                if (!user.admin && !user.CheckUserPermission(Convert.ToInt32(node["section"]), Convert.ToInt32(node["permission"])))
                    response.StatusCode = 403;
                HttpContext.Current.Response.Write("<h1><font color=red>" + response.StatusCode + "PermissionModule Node: Beginning of Request" + "</font></h1>");
                //HttpContext.Current.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                //throw new HttpException(403, "Permission Denied");
                //HttpContext.Current.Response.Redirect("default.aspx?access=none");
            }
        }
    }
    else
    {
        HttpContext.Current.Response.Write("<h1><font color=red>" + response.StatusCode + "PermissionModule: Beginning of Request" + "</font></h1>");
    }
}
and response.StatusCode is returning 403. Why isn't this then showing a "You do not have permission..." error page?
What do you see?
jmurrayhead
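An added example, not code from any poster in this thread: one way to write the permission module so that a denied request stops instead of rendering the page with a 403 status attached. It runs the check in AuthorizeRequest (after context.User is populated), ends the pipeline with CompleteRequest(), and looks the user up per request instead of caching it in a module field, because module instances are reused across requests and a cached user would carry one visitor's permissions into another visitor's request. It assumes the User class, its admin and CheckUserPermission members, and the "section"/"permission" site map attributes behave as posted above, and that only section "0" is public; IsPermitted is a hypothetical helper name.

```csharp
using System;
using System.Net;
using System.Web;
using MyApp.App.BLL.Users;   // User type as posted in the thread (assumed unchanged)

namespace MyApp.App.BLL.Permissions
{
    public class PermissionModule : IHttpModule
    {
        public void Init(HttpApplication application)
        {
            // context.User is null in BeginRequest; it is set during
            // AuthenticateRequest, so check permissions at AuthorizeRequest.
            application.AuthorizeRequest += OnAuthorizeRequest;
        }

        private static void OnAuthorizeRequest(object source, EventArgs e)
        {
            var application = (HttpApplication)source;
            HttpContext context = application.Context;
            // Static files (CSS, images) have no site map node; "0" means public.
            SiteMapNode node = SiteMap.CurrentNode;
            if (node == null || node["section"] == "0")
                return;

            // Fail closed: anonymous users, non-numeric names and missing or
            // malformed attributes all end up denied.
            int userId, section, permission;
            bool allowed =
                context.User != null &&
                context.User.Identity.IsAuthenticated &&
                int.TryParse(context.User.Identity.Name, out userId) &&
                int.TryParse(node["section"], out section) &&
                int.TryParse(node["permission"], out permission) &&
                IsPermitted(User.GetUser(userId), section, permission);

            if (!allowed)
            {
                // Setting StatusCode alone does not stop the handler from running.
                // CompleteRequest() skips the remaining events and goes to EndRequest.
                context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                application.CompleteRequest();
            }
        }

        // Hypothetical helper: per-request check, no state kept on the module.
        private static bool IsPermitted(User u, int s, int p)
        { return u != null && (u.admin || u.CheckUserPermission(s, p)); }

        public void Dispose() { }
    }
}
```

To confirm the fix, request a restricted page as an unprivileged user and check in Fiddler that the response is a 403 with none of the page's markup in the body.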