yodeski / mvc-mini-profiler

Automatically exported from code.google.com/p/mvc-mini-profiler

MiniProfilerStartupModule IHttpModule needs a non-broken / better default implementation #154

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
In MiniProfiler.mvc, the file MiniProfiler.cs has some example code commented 
out. It's incomplete, and should probably attach to AuthorizeRequest and not 
AuthenticateRequest, as most users will already have something else running to 
authenticate the request that will, most likely, fill in 
HttpContext.Current.User.

1. Uncomment the lines in the file MiniProfiler.cs when using on an ASP.NET MVC 
project that begin with "context.AuthenticateRequest += (sender, e)"
2. Implement CurrentUserIsAllowedToSeeProfiler() using 
((HttpApplication)sender).Context.User.IsAuthenticated, or 
mContext.User.IsInRole("PROFILERS")
3. Make a request.

It fails intermittently because IIS will sometimes call this module's 
AuthenticateRequest before the actual forms auth module's AuthenticateRequest 
event. Most users probably won't be doing authentication here; they want to do 
authorization, where they already know who it is, they just don't know if the 
user has the right privileges.

To fix:
1) Change AuthenticateRequest to AuthorizeRequest
2) Provide a default implementation of CurrentUserIsAllowedToSeeProfiler(), 
like below

        if (!CurrentUserIsAllowedToSeeProfiler(((HttpApplication)sender).Context))

...snip...

    private static bool CurrentUserIsAllowedToSeeProfiler(HttpContext mContext)
    {
        return mContext.User != null && (mContext.User.Identity.IsAuthenticated && mContext.User.IsInRole("PROFILERS"));
    }

What version of the product are you using? On what operating system?
MiniProfiler.mvc on iis7.5 / mvc 4

Original issue reported on code.google.com by g...@stonefin.com on 13 Aug 2012 at 10:58
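
The fix proposed in this issue, written out as a complete module. This is an added example, not code from the issue or from the MiniProfiler project; the class name `ProfilerAuthorizationModule` is hypothetical, and the `StackExchange.Profiling` namespace with `MiniProfiler.Start()` and `MiniProfiler.Stop(discardResults: true)` is assumed to match the 2012-era package.

```csharp
using System.Security.Principal;
using System.Web;
using StackExchange.Profiling; // assumption: namespace of the 2012-era MiniProfiler package

// Hypothetical module name; register it like any other IHttpModule.
public class ProfilerAuthorizationModule : IHttpModule
{
    // Role name taken from the issue text.
    private const string ProfilerRole = "PROFILERS";

    public void Init(HttpApplication context)
    {
        // Start profiling early; visibility of the results is decided later.
        context.BeginRequest += (sender, e) => MiniProfiler.Start();

        // AuthorizeRequest is raised only after every module's AuthenticateRequest
        // and PostAuthenticateRequest handlers have run, so Context.User has been
        // set by forms auth regardless of the order in which modules are loaded.
        context.AuthorizeRequest += (sender, e) =>
        {
            IPrincipal user = ((HttpApplication)sender).Context.User;
            if (!IsAllowedToSeeProfiler(user))
            {
                // Discard timings so nothing is stored or rendered for this request.
                MiniProfiler.Stop(discardResults: true);
            }
        };

        context.EndRequest += (sender, e) => MiniProfiler.Stop();
    }

    // Fails closed: a missing principal or identity, an anonymous user, or a user
    // outside the role all yield false, and the profiler results are discarded.
    public static bool IsAllowedToSeeProfiler(IPrincipal user)
    {
        return user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(ProfilerRole);
    }

    public void Dispose() { }
}
```

Keeping the check as a static method over `IPrincipal` lets it be unit-tested with a `GenericPrincipal` instead of a live `HttpContext`.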