protected override AccessResult GetAccessCore(ISecurable entity, Sitecore.Security.Accounts.Account oAccount, AccessRight oAccessRight)
{
    #region VARIABLES
    AccessResult oAccesResult;
    AccessExplanation oAccessExplanation;
    string sAccessExplanationText;
    #endregion

    //Sitecore.Diagnostics.Log.Info(string.Format("GenSqlServerAuthorizationProvider.GetAccessCore, entity{0}", entity.GetUniqueId()), this);

    switch (oAccessRight.Name)
    {
        // Read-type rights are always granted in this layer, regardless of account.
        case "item:read":
        case "field:read":
        case "language:read":
        case "site:enter":
            oAccessExplanation = new AccessExplanation(string.Format("{0} access right granted for entity {1}", oAccessRight.Name, entity.GetUniqueId()), new object[0]);
            oAccesResult = new AccessResult(AccessPermission.Allow, oAccessExplanation);
            break;

        // Every other right (write, delete, rename, admin, ...) is denied in this layer.
        default:
            sAccessExplanationText = string.Format("Access right {0} is unavailable in this instance layer", oAccessRight.Name);
            oAccessExplanation = new AccessExplanation(sAccessExplanationText, new object[0]);
            oAccesResult = new AccessResult(AccessPermission.Deny, oAccessExplanation);
            Sitecore.Diagnostics.Log.Debug(sAccessExplanationText, this);
            break;
    }

    //Sitecore.Diagnostics.Log.Info(string.Format("GenSqlServerAuthorizationProvider.GetAccessCore, AccessResult:{0}", oAccesResult.Permission), this);
    return oAccesResult;
}
protected override AccessResult GetAccessCore(ISecurable oEntity, Account oAccount, AccessRight oAccessRight)
{
    Item oItem;
    GenAuthorizationHelper oGenAuthorizationHelper;
    AccessResult oItemAccessResult;
    AccessExplanation oItemAccessExplanation;
    string sAccessExplanationText;

    oItemAccessResult = null;

    //Validates that internal tasks have access to sitecore content
    //Specially required for sitecore events Sitecore:Item:Write (Sitecore Cache Update Event)
    //This is needed because we bypass Sitecore Authorization with the Custom Authorization process for GFWM
    if (Sitecore.Context.IsBackgroundThread)
    {
        oItemAccessExplanation = new AccessExplanation(string.Format("{0} access right granted for Internal Task", oAccessRight.Name), new object[0]);
        oItemAccessResult = new AccessResult(AccessPermission.Allow, oItemAccessExplanation);
    }
    else
    {
        switch (oAccessRight.Name)
        {
            // item:read is the only right delegated to the custom authorization helper.
            case "item:read":
                oGenAuthorizationHelper = ItemHelper as GenAuthorizationHelper;
                if (oGenAuthorizationHelper != null)
                {
                    oItem = oEntity as Item;
                    oItemAccessResult = oGenAuthorizationHelper.GetAccess(oItem, oAccount, oAccessRight);
                }
                else
                {
                    // Never return a null AccessResult: without the helper, fail closed.
                    sAccessExplanationText = string.Format("Access right {0} denied: authorization helper is not available", oAccessRight.Name);
                    oItemAccessExplanation = new AccessExplanation(sAccessExplanationText, new object[0]);
                    oItemAccessResult = new AccessResult(AccessPermission.Deny, oItemAccessExplanation);
                    Sitecore.Diagnostics.Log.Error(sAccessExplanationText, this);
                }
                break;

            // Remaining read-type rights are always granted in the web layer.
            case "field:read":
            case "language:read":
            case "site:enter":
                oItemAccessExplanation = new AccessExplanation(string.Format("{0} access right granted", oAccessRight.Name), new object[0]);
                oItemAccessResult = new AccessResult(AccessPermission.Allow, oItemAccessExplanation);
                break;

            // Everything else (write, delete, admin, ...) is denied in the web layer.
            default:
                sAccessExplanationText = string.Format("Access right {0} is unavailable in the web layer", oAccessRight.Name);
                oItemAccessExplanation = new AccessExplanation(sAccessExplanationText, new object[0]);
                oItemAccessResult = new AccessResult(AccessPermission.Deny, oItemAccessExplanation);
                Sitecore.Diagnostics.Log.Debug(sAccessExplanationText, this);
                break;
        }
    }

    return oItemAccessResult;
}
protected virtual AccessResult GetItemAccess(Sitecore.Data.Items.Item item, Account account, BucketAccessRight right)
{
    //
    //Determine if comments should be allowed based on the max comments count.
    //var result = HandleMaxComments(item, account, right);
    //if (result.Permission == AccessPermission.Deny)
    //{
    //    return result;
    //}
    ////
    ////Determine if comments should be allowed based on the time range.
    //result = HandleDaysToAllowComments(item, account, right);
    //if (result.Permission == AccessPermission.Deny)
    //{
    //    return result;
    //}
    //
    //Allow comments.
    // With both rule checks commented out above, every item is reported as bucketable.
    var ex = new AccessExplanation("This item can be a bucket");
    return new AccessResult(AccessPermission.Allow, ex);
}
protected virtual AccessResult GetItemAccess(Data.Items.Item item, Account account, BucketAccessRight right)
{
    // Unconditional allow: every item can become a bucket.
    var ex = new AccessExplanation("This item can be a bucket");
    return new AccessResult(AccessPermission.Allow, ex);
}
protected virtual AccessResult GetItemAccess(Data.Items.Item item, Account account, BucketAccessRight right)
{
    // Unconditional allow: every item can become a bucket.
    var ex = new AccessExplanation("This item can be a bucket");
    return new AccessResult(AccessPermission.Allow, ex);
}
protected virtual AccessResult HandleDaysToAllowComments(Sitecore.Data.Items.Item item, Account account, BucketAccessRight right)
{
    //
    //Allow commenting if the value is -1 since that value means comments
    //may be added indefinitely.
    //if (right.DaysToAllowComments == -1)
    //{
    //    var ex = new AccessExplanation("Comments can be added indefinitely.");
    //    return new AccessResult(AccessPermission.Allow, ex);
    //}
    //
    //Deny commenting if the item has not been updated within the allowed
    //time range: the window closes one day after the last update.
    var d1 = item.Statistics.Updated;
    var d2 = d1.AddDays(1.0);
    // Compare the current time against the end of the window (use the same clock,
    // local or UTC, that Statistics.Updated is expressed in). Compare returns -1
    // only while "now" is still before d2.
    if (DateTime.Compare(DateTime.Now, d2) != -1)
    {
        var ex = new AccessExplanation("Comments cannot be added after {0} {1}.", d2.ToLongDateString(), d2.ToLongTimeString());
        return new AccessResult(AccessPermission.Deny, ex);
    }
    //
    //No other rules need to be implemented, so allow comments.
    var ex1 = new AccessExplanation("Comments can be added until {0} {1}.", d2.ToLongDateString(), d2.ToLongTimeString());
    return new AccessResult(AccessPermission.Allow, ex1);
}
protected virtual AccessResult HandleMaxComments(Sitecore.Data.Items.Item item, Account account, BucketAccessRight right)
{
    //
    //Allow unlimited comments if no field name is configured on the access right.
    if (string.IsNullOrEmpty(right.BucketFieldName))
    {
        var ex = new AccessExplanation("Unlimited comments are allowed.");
        return new AccessResult(AccessPermission.Allow, ex);
    }
    //
    //Allow unlimited comments if the specified field does not exist on the item.
    var field = item.Fields[right.BucketFieldName];
    if (field == null)
    {
        var ex = new AccessExplanation("The item {0} does not have a field named \"{1}\", so unlimited comments are allowed.", item.ID.ToString(), right.BucketFieldName);
        return new AccessResult(AccessPermission.Allow, ex);
    }
    //
    //Deny commenting if the max comments value is not an integer.
    //-1 is the default when the field is empty and means "no limit".
    var maxCommentCount = -1;
    if (!string.IsNullOrEmpty(field.Value) && !int.TryParse(field.Value, out maxCommentCount))
    {
        var ex = new AccessExplanation("The value specified for the field named \"{0}\" is not a valid integer: {1}", right.BucketFieldName, field.Value);
        return new AccessResult(AccessPermission.Deny, ex);
    }
    //
    //Deny commenting if the max comments limit has already been met.
    if (maxCommentCount > -1)
    {
        var currentCount = GetCurrentCommentCount(item);
        if (currentCount >= maxCommentCount)
        {
            var ex = new AccessExplanation("{0} comments already exist, and the maximum number allowed is {1}.", currentCount, maxCommentCount);
            return new AccessResult(AccessPermission.Deny, ex);
        }
    }
    //
    //No other rules need to be implemented, so allow comments.
    var ex1 = new AccessExplanation("Additional comments are allowed.");
    return new AccessResult(AccessPermission.Allow, ex1);
}
private AccessResult CheckAccess(Item oItem, AccessRight right)
{
    Authorization oAuthorization;
    bool bPass;
    AccessResult oItemAccessResult;
    AccessExplanation oItemAccessExplanation;
    string sAccessExplanationText;
    bool bExplanationTextSet;
    bool bIsClient;
    string[] oClientSecuredSections;
    string sItemPath;

    bPass = false;
    oAuthorization = Authorization.CurrentAuthorization;
    oItemAccessResult = null;
    oItemAccessExplanation = null;
    bExplanationTextSet = false;
    sAccessExplanationText = string.Empty;
    // The authorization object may be missing; only read its sections when it exists.
    oClientSecuredSections = oAuthorization != null ? oAuthorization.ClientSecuredSections : null;

    if (oItem != null)
    {
        // Read the path only after the null check to avoid dereferencing a null item.
        sItemPath = oItem.Paths.ParentPath;

        //We will only apply the authorization process if the current Item inherits the Security Base template
        //if (oItem.InstanceOfTemplate(Constants.Security.Templates.SecurityBase.Name))
        if (sItemPath.Contains(ContentPath) && oItem.InstanceOfTemplate(Constants.Security.Templates.SecurityBase.Name))
        {
            if (oAuthorization != null)
            {
                //Checking by User Levels
                bPass = CheckLevels(
                    Constants.Security.Templates.SecurityBase.Sections.Security.Fields.UserLevelsFieldName,
                    Constants.Security.Templates.UserLevel.Sections.UserLevel.Name,
                    Constants.Security.Templates.UserLevel.Sections.UserLevel.Fields.CodeFieldName,
                    oItem,
                    oAuthorization.UserLevels,
                    oAuthorization,
                    Constants.Security.Templates.SecurityBase.Sections.Security.Name
                );

                //If any level check fails there is no need to continue: the validation has failed.
                //Each failure records its explanation once (bExplanationTextSet) so later checks do not overwrite it.
                if (bPass)
                {
                    //Checking by Channels
                    bPass = CheckLevels(
                        Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ChannelsFieldName,
                        Constants.Security.Templates.Channel.Sections.Channel.Name,
                        Constants.Security.Templates.Channel.Sections.Channel.Fields.CodeFieldName,
                        oItem,
                        oAuthorization.Channels,
                        oAuthorization,
                        Constants.Security.Templates.SecurityBase.Sections.Security.Name
                    );
                }
                else
                {
                    sAccessExplanationText = string.Format("User failed user levels check for item {0}.", oItem.ID);
                    bExplanationTextSet = true;
                }

                if (bPass)
                {
                    //Checking by Custodians
                    bPass = CheckLevels(
                        Constants.Security.Templates.SecurityBase.Sections.Security.Fields.CustodiansFieldName,
                        Constants.Security.Templates.Custodian.Sections.Custodian.Name,
                        Constants.Security.Templates.Custodian.Sections.Custodian.Fields.CodeFieldName,
                        oItem,
                        oAuthorization.Custodians,
                        oAuthorization,
                        Constants.Security.Templates.SecurityBase.Sections.Security.Name
                    );
                }
                else if (!bExplanationTextSet)
                {
                    sAccessExplanationText = string.Format("User failed channels check for item {0}.", oItem.ID);
                    bExplanationTextSet = true;
                }

                bIsClient = oAuthorization.IsClient;

                if (bPass)
                {
                    //TODO: We need a more flexible authorization resolution. For now we are hardcoding the mapping of the rules for clients.
                    //Checking by Manager Strategist privileges (applies to clients only)
                    bPass = !bIsClient || CheckLevels(
                        Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ManagerStrategistPrivilegesFieldName,
                        Constants.Security.Templates.ManagerStrategistPrivilege.Sections.ManagerStrategistPrivilege.Name,
                        Constants.Security.Templates.ManagerStrategistPrivilege.Sections.ManagerStrategistPrivilege.Fields.CodeFieldName,
                        oItem,
                        oAuthorization.ManagerStrategistPrivileges,
                        oAuthorization,
                        Constants.Security.Templates.SecurityBase.Sections.Security.Name
                    );
                }
                else if (!bExplanationTextSet)
                {
                    sAccessExplanationText = string.Format("User failed custodians check for item {0}.", oItem.ID);
                    bExplanationTextSet = true;
                }

                if (bPass)
                {
                    //TODO: We need a more flexible authorization resolution. For now we are hardcoding the mapping of the rules for clients.
                    //Checking by Products (applies to clients only)
                    bPass = !bIsClient || CheckLevels(
                        Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ProductsFieldName,
                        Constants.Security.Templates.Product.Sections.Product.Name,
                        Constants.Security.Templates.Product.Sections.Product.Fields.CodeFieldName,
                        oItem,
                        oAuthorization.Products,
                        oAuthorization,
                        Constants.Security.Templates.SecurityBase.Sections.Security.Name
                    );
                }
                else if (!bExplanationTextSet)
                {
                    sAccessExplanationText = string.Format("User failed Manager Strategist privileges check for item {0}.", oItem.ID);
                    bExplanationTextSet = true;
                }

                if (bPass)
                {
                    //TODO: We need a more flexible authorization resolution. For now we are hardcoding the mapping of the rules for clients.
                    //Checking by client approved: clients may only see items in secured sections that are flagged as client approved.
                    if (bIsClient && oClientSecuredSections != null && oClientSecuredSections.Any(sSection => oItem.Paths.FullPath.Contains(sSection)))
                    {
                        bPass = string.Equals(
                            oItem.GetText(Constants.Security.Templates.SecurityBase.Sections.Security.Name, Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ClientApprovedFieldName, string.Empty),
                            ClientApprovedenabled);
                    }
                }
                else if (!bExplanationTextSet)
                {
                    sAccessExplanationText = string.Format("User failed products check for item {0}.", oItem.ID);
                    bExplanationTextSet = true;
                }

                //Validate PC_Status Security
                if (bPass && oItem.InstanceOfTemplate(Constants.Security.Templates.PC_StatusSecurity.Name))
                {
                    if (oAuthorization.IsAgent)
                    {
                        //Checking by PC_Status
                        bPass = CheckLevels(
                            Constants.Security.Templates.PC_StatusSecurity.Sections.Security.Fields.PC_StatusFieldName,
                            Constants.Security.Templates.PC_Status.Sections.PC_Status.Name,
                            Constants.Security.Templates.PC_Status.Sections.PC_Status.Fields.CodeFieldName,
                            oItem,
                            oAuthorization.PC_Status,
                            oAuthorization,
                            Constants.Security.Templates.PC_StatusSecurity.Sections.Security.Name
                        );

                        //If the level check fails there is no need to continue: the validation has failed.
                        if (!bPass)
                        {
                            sAccessExplanationText = string.Format("User failed PC Status check for item {0}.", oItem.ID);
                            bExplanationTextSet = true;
                        }
                    }
                    else
                    {
                        //Only agents may access PC_Status secured items; anyone else is denied.
                        bPass = false;
                        bExplanationTextSet = true;
                        sAccessExplanationText = string.Format("The user is not an agent, so PC Status secured item {0} is denied.", oItem.ID);
                    }
                }

                if (bPass)
                {
                    sAccessExplanationText = string.Format("User authorized to access item {0}.", oItem.ID);
                }
                else if (!bExplanationTextSet)
                {
                    sAccessExplanationText = string.Format("User failed client approved check for item {0}.", oItem.ID);
                }
            }
            else
            {
                if (System.Web.HttpContext.Current == null)
                {
                    sAccessExplanationText = string.Format("{0} Item is being requested without an HTTP Context.", oItem.ID);
                    //Since the current item is being requested without an http context, it is an internal request and should be permitted.
                    //This is a fail-open path: any caller running without an HttpContext (scheduled tasks, pipelines, tests) is granted the right.
                    bPass = true;
                }
                else
                {
                    //An HTTP request with no authorization object is denied; the Deny result is built below from this text.
                    sAccessExplanationText = "Unable to get authorization object";
                    Sitecore.Diagnostics.Log.Error(sAccessExplanationText, this);
                }
            }
        }
        else
        {
            sAccessExplanationText = string.Format("{0} item does not inherit from security base template", oItem.ID);

            //check if an item is a media one and validate if user is logged on before providing it
            // ignore if media item is part of AssetMark website
            if (oItem.Paths.IsMediaItem && !oItem.Paths.FullPath.StartsWith(AssetMarkMediaLibraryPath))
            {
                if (oAuthorization != null)
                {
                    //Test mode bypasses the login check; otherwise a claim (logged-on user) is required.
                    bPass = oAuthorization.IsTestMode || oAuthorization.Claim != null;
                }
                else
                {
                    bPass = false;
                }
            }
            else
            {
                bPass = true; //Since the current item does not inherit from security base it should pass the validation
            }
        }

        if (bPass)
        {
            oItemAccessExplanation = new AccessExplanation(string.Format("{0} right has been granted", right.Name), new object[0]);
            oItemAccessResult = new AccessResult(AccessPermission.Allow, oItemAccessExplanation);
        }
        else
        {
            oItemAccessExplanation = new AccessExplanation(
                string.IsNullOrEmpty(sAccessExplanationText) ? string.Format("{0} access denied", right.Name) : sAccessExplanationText,
                new object[0]);
            oItemAccessResult = new AccessResult(AccessPermission.Deny, oItemAccessExplanation);
        }
    }
    else
    {
        sAccessExplanationText = "No Item to validate";
        oItemAccessExplanation = new AccessExplanation(sAccessExplanationText, new object[0]);
        oItemAccessResult = new AccessResult(AccessPermission.NotSet, oItemAccessExplanation);
    }

    return oItemAccessResult;
}