        /// <summary>
        /// Resolves the <see cref="AccessResult"/> for <paramref name="oAccessRight"/> in this instance layer.
        /// The read-type rights <c>item:read</c>, <c>field:read</c>, <c>language:read</c> and <c>site:enter</c>
        /// are granted unconditionally; every other right is denied and the denial is traced at debug level.
        /// </summary>
        /// <param name="entity">The secured entity; only its unique id is used, in the explanation text.</param>
        /// <param name="oAccount">The requesting account. NOTE(review): never consulted by this method,
        /// so the grant does not depend on who is asking.</param>
        /// <param name="oAccessRight">The access right being checked; dispatch is on its <c>Name</c>.</param>
        /// <returns>An Allow result for read-type rights, a Deny result for everything else.</returns>
        protected override AccessResult GetAccessCore(ISecurable entity, Sitecore.Security.Accounts.Account oAccount, AccessRight oAccessRight)
        {
            string rightName = oAccessRight.Name;

            // Same set of names the original switch grouped under one Allow branch.
            bool isReadRight = rightName == "item:read"
                            || rightName == "field:read"
                            || rightName == "language:read"
                            || rightName == "site:enter";

            if (isReadRight)
            {
                string grantedText = string.Format("{0} acces right granted for entity {1}", rightName, entity.GetUniqueId());
                AccessExplanation grantedExplanation = new AccessExplanation(grantedText, new object[0]);
                return new AccessResult(AccessPermission.Allow, grantedExplanation);
            }

            string deniedText = string.Format("Access right {0} is unavailable in this instance layer", rightName);
            AccessExplanation deniedExplanation = new AccessExplanation(deniedText, new object[0]);
            AccessResult deniedResult = new AccessResult(AccessPermission.Deny, deniedExplanation);

            // Only denials are traced; grants are silent.
            Sitecore.Diagnostics.Log.Debug(deniedText, this);

            return deniedResult;
        }
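        /// <summary>
        /// Resolves access for the web layer. Background threads are granted every right without
        /// further checks; otherwise <c>item:read</c> is delegated to the configured
        /// <see cref="GenAuthorizationHelper"/>, the other read-type rights are granted, and all
        /// remaining rights are denied.
        /// </summary>
        /// <param name="oEntity">The secured entity; expected to be an <see cref="Item"/> for <c>item:read</c>.</param>
        /// <param name="oAccount">The requesting account; only forwarded to the helper for <c>item:read</c>.</param>
        /// <param name="oAccessRight">The access right being checked; dispatch is on its <c>Name</c>.</param>
        /// <returns>
        /// The access decision. This method itself never returns <c>null</c>: when the item helper is not
        /// a <see cref="GenAuthorizationHelper"/> the decision cannot be made and a Deny result is returned
        /// (the original returned <c>null</c> on that path). Whether the helper can return <c>null</c>
        /// for <c>item:read</c> is not visible here.
        /// </returns>
        protected override AccessResult GetAccessCore(ISecurable oEntity, Account oAccount, AccessRight oAccessRight)
        {
            //Validates that internal tasks have access to sitecore content
            //Specially required for sitecore events Sitecore:Item:Write (Sitecore Cache Update Event)
            //This is needed because we bypass Sitecore Authorization with the Custom Authorization process for GFWM
            //NOTE(review): this branch grants *every* right (not only reads) to whatever account the
            //background thread runs as; it is the only place the web layer can grant a non-read right.
            if (Sitecore.Context.IsBackgroundThread)
            {
                AccessExplanation oInternalTaskExplanation = new AccessExplanation(
                    string.Format("{0} access right granted for Internal Task", oAccessRight.Name), new object[0]);

                return new AccessResult(AccessPermission.Allow, oInternalTaskExplanation);
            }

            string sAccessExplanationText;

            switch (oAccessRight.Name)
            {
            case "item:read":
            {
                GenAuthorizationHelper oGenAuthorizationHelper = ItemHelper as GenAuthorizationHelper;
                if (oGenAuthorizationHelper == null)
                {
                    //Fail closed: a misconfigured ItemHelper previously produced a null result, which is
                    //neither a grant nor a denial and leaves the caller to dereference it.
                    sAccessExplanationText = string.Format("Access right {0} cannot be evaluated: ItemHelper is not a GenAuthorizationHelper", oAccessRight.Name);
                    Sitecore.Diagnostics.Log.Error(sAccessExplanationText, this);

                    return new AccessResult(AccessPermission.Deny, new AccessExplanation(sAccessExplanationText, new object[0]));
                }

                //oEntity may not be an Item; the helper receives null in that case, exactly as before.
                Item oItem = oEntity as Item;
                return oGenAuthorizationHelper.GetAccess(oItem, oAccount, oAccessRight);
            }

            case "field:read":
            case "language:read":
            case "site:enter":
            {
                AccessExplanation oReadExplanation = new AccessExplanation(
                    string.Format("{0} acces right granted", oAccessRight.Name), new object[0]);

                return new AccessResult(AccessPermission.Allow, oReadExplanation);
            }

            default:
            {
                sAccessExplanationText = string.Format("Access right {0} is unavailable in the web layer", oAccessRight.Name);
                AccessExplanation oDenyExplanation = new AccessExplanation(sAccessExplanationText, new object[0]);
                AccessResult oDenyResult = new AccessResult(AccessPermission.Deny, oDenyExplanation);
                Sitecore.Diagnostics.Log.Debug(sAccessExplanationText, this);

                return oDenyResult;
            }
            }
        }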
 /// <summary>
 /// Decides whether <paramref name="item"/> may act as a bucket. This implementation is a constant
 /// grant: <paramref name="item"/>, <paramref name="account"/> and <paramref name="right"/> are not
 /// consulted. The max-comments and time-window rules only exist as commented-out code and are not
 /// applied.
 /// </summary>
 /// <returns>An Allow result with the explanation "This item can be a bucket".</returns>
 protected virtual AccessResult GetItemAccess(Sitecore.Data.Items.Item item, Account account, BucketAccessRight right)
 {
     // Kept virtual so a derived provider can add real checks in front of this grant.
     AccessExplanation explanation = new AccessExplanation("This item can be a bucket");
     AccessResult result = new AccessResult(AccessPermission.Allow, explanation);

     return result;
 }
        /// <summary>
        /// Decides whether <paramref name="item"/> may act as a bucket. Always grants: none of
        /// <paramref name="item"/>, <paramref name="account"/> or <paramref name="right"/> is consulted.
        /// </summary>
        /// <returns>An Allow result with the explanation "This item can be a bucket".</returns>
        protected virtual AccessResult GetItemAccess(Data.Items.Item item, Account account, BucketAccessRight right)
        {
            AccessExplanation explanation = new AccessExplanation("This item can be a bucket");

            return new AccessResult(AccessPermission.Allow, explanation);
        }
 /// <summary>
 /// Decides whether <paramref name="item"/> may act as a bucket. Always grants: none of
 /// <paramref name="item"/>, <paramref name="account"/> or <paramref name="right"/> is consulted.
 /// </summary>
 /// <returns>An Allow result with the explanation "This item can be a bucket".</returns>
 protected virtual AccessResult GetItemAccess(Data.Items.Item item, Account account, BucketAccessRight right)
 {
     AccessResult result = new AccessResult(
         AccessPermission.Allow,
         new AccessExplanation("This item can be a bucket"));

     return result;
 }
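 /// <summary>
 /// Allows comments only within one day of the item's last update.
 /// </summary>
 /// <param name="item">The item whose <c>Statistics.Updated</c> timestamp anchors the window.</param>
 /// <param name="account">Unused; kept for the virtual signature.</param>
 /// <param name="right">Unused here. A configurable window (<c>DaysToAllowComments</c>) appears only in
 /// commented-out code, so the window is fixed at one day.</param>
 /// <returns>Deny once the window has closed, otherwise Allow; both explanations carry the window's end.</returns>
 protected virtual AccessResult HandleDaysToAllowComments(Sitecore.Data.Items.Item item, Account account, BucketAccessRight right)
 {
     var updated = item.Statistics.Updated;
     var windowEnd = updated.AddDays(1.0);

     // The original compared `updated` with `updated + 1 day`, which is always earlier, so the Deny
     // branch below was unreachable and every item was allowed. The window has to be compared with
     // the current time. The clock follows the Kind of the stored timestamp; Unspecified is treated
     // as UTC. NOTE(review): confirm this matches how Statistics.Updated is stored in this Sitecore version.
     var now = updated.Kind == DateTimeKind.Local ? DateTime.Now : DateTime.UtcNow;

     //
     //Deny commenting if the allowed time range has elapsed.
     if (DateTime.Compare(now, windowEnd) != -1)
     {
         var ex = new AccessExplanation("Comments cannot be added after {0} {1}.", windowEnd.ToLongDateString(), windowEnd.ToLongTimeString());
         return new AccessResult(AccessPermission.Deny, ex);
     }
     //
     //No other rules need to be implemented, so allow comments.
     var ex1 = new AccessExplanation("Comments can be added until {0} {1}.", windowEnd.ToLongDateString(), windowEnd.ToLongTimeString());
     return new AccessResult(AccessPermission.Allow, ex1);
 }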
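 /// <summary>
 /// Enforces the per-item maximum comment count read from the field named by
 /// <paramref name="right"/>.<c>BucketFieldName</c>.
 /// </summary>
 /// <param name="item">The item carrying the max-comments field.</param>
 /// <param name="account">Unused; kept for the virtual signature.</param>
 /// <param name="right">Supplies <c>BucketFieldName</c>, the name of the field holding the limit.</param>
 /// <returns>
 /// Allow when no field name is configured, the field is missing on the item, the limit is negative, or
 /// the current count is below the limit; Deny when the field value is not an integer or the limit has
 /// been reached.
 /// </returns>
 protected virtual AccessResult HandleMaxComments(Sitecore.Data.Items.Item item, Account account, BucketAccessRight right)
 {
     var fieldName = right.BucketFieldName;
     //
     //Allow unlimited comments if no field name is specified for BucketFieldName.
     if (string.IsNullOrEmpty(fieldName))
     {
         var ex = new AccessExplanation("Unlimited comments are allowed.");
         return new AccessResult(AccessPermission.Allow, ex);
     }
     //
     //Allow unlimited comments if the specified field does not exist on the item.
     //The configured name is used for the lookup and in the explanations; the original looked up a
     //hard-coded "IsBucket" and reported an empty field name, so the guard above had no effect.
     var field = item.Fields[fieldName];
     if (field == null)
     {
         var ex = new AccessExplanation("The item {0} does not have a field named \"{1}\", so unlimited comments are allowed.", item.ID.ToString(), fieldName);
         return new AccessResult(AccessPermission.Allow, ex);
     }
     //
     //Deny commenting if the max comments value is not an integer (a configuration error fails closed).
     //NOTE(review): an empty value leaves maxCommentCount at 0, which denies as soon as any comment
     //exists — confirm that is intended rather than "unlimited".
     var maxCommentCount = 0;
     if (!string.IsNullOrEmpty(field.Value) && !int.TryParse(field.Value, out maxCommentCount))
     {
         var ex = new AccessExplanation("The value specified for the field named \"{0}\" is not a valid integer: {1}", fieldName, field.Value);
         return new AccessResult(AccessPermission.Deny, ex);
     }
     //
     //Deny commenting if the max comments limit has already been met. A negative limit means no limit.
     if (maxCommentCount > -1)
     {
         var currentCount = GetCurrentCommentCount(item);
         if (currentCount >= maxCommentCount)
         {
             var ex = new AccessExplanation("{0} comments already exist, and the maximum number allowed is {1}.", currentCount, maxCommentCount);
             return new AccessResult(AccessPermission.Deny, ex);
         }
     }
     //
     //No other rules need to be implemented, so allow comments.
     var ex1 = new AccessExplanation("Additional comments are allowed.");
     return new AccessResult(AccessPermission.Allow, ex1);
 }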
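        /// <summary>
        /// Evaluates <paramref name="right"/> on <paramref name="oItem"/> against the current
        /// <see cref="Authorization"/>. Items under <c>ContentPath</c> that inherit the SecurityBase template
        /// go through the user-level, channel and custodian checks, plus the Manager-Strategist, product and
        /// client-approved checks for client users and the PC_Status check for agents on PC_StatusSecurity
        /// items. Media items outside the AssetMark library require test mode or a claim; every other item
        /// passes.
        /// </summary>
        /// <param name="oItem">The item to authorize. <c>null</c> yields a NotSet result.</param>
        /// <param name="right">The access right; only its <c>Name</c> is used, in the explanation text.</param>
        /// <returns>Allow, Deny or NotSet, with an explanation naming the first failed check.</returns>
        private AccessResult CheckAccess(Item oItem, AccessRight right)
        {
            Authorization     oAuthorization;
            bool              bPass;
            AccessResult      oItemAccessResult;
            AccessExplanation oItemAccessExplanation;
            string            sAccessExplanationText;
            bool              bExplanationTextSet;
            bool              bIsClient;

            bPass                  = false;
            oAuthorization         = Authorization.CurrentAuthorization;
            oItemAccessResult      = null;
            oItemAccessExplanation = null;
            bExplanationTextSet    = false;
            sAccessExplanationText = string.Empty;

            if (oItem != null)
            {
                //The item path is read only after the null check; the original dereferenced oItem before
                //testing it, which made the "No Item to validate" branch unreachable.
                string sItemPath = oItem.Paths.ParentPath;

                //We will only apply the authorization process if the current Item inherits the Security Base template
                if (sItemPath.Contains(ContentPath) && oItem.InstanceOfTemplate(Constants.Security.Templates.SecurityBase.Name))
                {
                    if (oAuthorization != null)
                    {
                        //Read from the authorization object only after its null check, so the
                        //"Unable to get authorization object" branch below can actually run.
                        string[] oClientSecuredSections = oAuthorization.ClientSecuredSections;

                        //Checking by User Levels
                        bPass = CheckLevels(
                            Constants.Security.Templates.SecurityBase.Sections.Security.Fields.UserLevelsFieldName,
                            Constants.Security.Templates.UserLevel.Sections.UserLevel.Name,
                            Constants.Security.Templates.UserLevel.Sections.UserLevel.Fields.CodeFieldName,
                            oItem,
                            oAuthorization.UserLevels,
                            oAuthorization,
                            Constants.Security.Templates.SecurityBase.Sections.Security.Name
                            );

                        //If any level check fails then there is no need to continue the validation has failed
                        if (bPass)
                        {
                            //Checking by Channels
                            bPass = CheckLevels(
                                Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ChannelsFieldName,
                                Constants.Security.Templates.Channel.Sections.Channel.Name,
                                Constants.Security.Templates.Channel.Sections.Channel.Fields.CodeFieldName,
                                oItem,
                                oAuthorization.Channels,
                                oAuthorization,
                                Constants.Security.Templates.SecurityBase.Sections.Security.Name
                                );
                        }
                        else
                        {
                            sAccessExplanationText = string.Format("User failed user levels check for item {0}.", oItem.ID);
                            bExplanationTextSet    = true;
                        }

                        if (bPass)
                        {
                            //Checking by Custodians
                            bPass = CheckLevels(
                                Constants.Security.Templates.SecurityBase.Sections.Security.Fields.CustodiansFieldName,
                                Constants.Security.Templates.Custodian.Sections.Custodian.Name,
                                Constants.Security.Templates.Custodian.Sections.Custodian.Fields.CodeFieldName,
                                oItem,
                                oAuthorization.Custodians,
                                oAuthorization,
                                Constants.Security.Templates.SecurityBase.Sections.Security.Name
                                );
                        }
                        else if (!bExplanationTextSet)
                        {
                            sAccessExplanationText = string.Format("User failed channels check for item {0}.", oItem.ID);
                        }

                        bIsClient = oAuthorization.IsClient;
                        if (bPass)
                        {
                            //TODO: We need a more flexible authorization resolution. for now we are hardcoding the mapping of the rules for clients
                            //Checking by Manager Strategist privileges (clients only; non-clients pass through)
                            bPass = !bIsClient || CheckLevels(
                                                        Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ManagerStrategistPrivilegesFieldName,
                                                        Constants.Security.Templates.ManagerStrategistPrivilege.Sections.ManagerStrategistPrivilege.Name,
                                                        Constants.Security.Templates.ManagerStrategistPrivilege.Sections.ManagerStrategistPrivilege.Fields.CodeFieldName,
                                                        oItem,
                                                        oAuthorization.ManagerStrategistPrivileges,
                                                        oAuthorization,
                                                        Constants.Security.Templates.SecurityBase.Sections.Security.Name
                                                        );
                        }
                        else if (!bExplanationTextSet)
                        {
                            sAccessExplanationText = string.Format("User failed custodians check for item {0}.", oItem.ID);
                        }

                        if (bPass)
                        {
                            //TODO: We need a more flexible authorization resolution. for now we are hardcoding the mapping of the rules for clients
                            //Checking by Products (clients only; non-clients pass through)
                            bPass = !bIsClient || CheckLevels(
                                                        Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ProductsFieldName,
                                                        Constants.Security.Templates.Product.Sections.Product.Name,
                                                        Constants.Security.Templates.Product.Sections.Product.Fields.CodeFieldName,
                                                        oItem,
                                                        oAuthorization.Products,
                                                        oAuthorization,
                                                        Constants.Security.Templates.SecurityBase.Sections.Security.Name
                                                        );
                        }
                        else if (!bExplanationTextSet)
                        {
                            sAccessExplanationText = string.Format("User failed Manager Strategist privileges check for item {0}.", oItem.ID);
                        }

                        if (bPass)
                        {
                            //TODO: We need a more flexible authorization resolution. for now we are hardcoding the mapping of the rules for clients
                            //Checking by client approved: only for clients, and only inside the configured client-secured sections
                            if (bIsClient && oClientSecuredSections != null && oClientSecuredSections.Any(sSection => oItem.Paths.FullPath.Contains(sSection)))
                            {
                                bPass = string.Equals(oItem.GetText(Constants.Security.Templates.SecurityBase.Sections.Security.Name, Constants.Security.Templates.SecurityBase.Sections.Security.Fields.ClientApprovedFieldName, string.Empty), ClientApprovedenabled);
                            }
                        }
                        else if (!bExplanationTextSet)
                        {
                            sAccessExplanationText = string.Format("User failed products check for item {0}.", oItem.ID);
                        }

                        //Validate PC_Status Security
                        if (bPass && oItem.InstanceOfTemplate(Constants.Security.Templates.PC_StatusSecurity.Name))
                        {
                            if (oAuthorization.IsAgent)
                            {
                                //Checking by PC_Status
                                bPass = CheckLevels(
                                    Constants.Security.Templates.PC_StatusSecurity.Sections.Security.Fields.PC_StatusFieldName,
                                    Constants.Security.Templates.PC_Status.Sections.PC_Status.Name,
                                    Constants.Security.Templates.PC_Status.Sections.PC_Status.Fields.CodeFieldName,
                                    oItem,
                                    oAuthorization.PC_Status,
                                    oAuthorization,
                                    Constants.Security.Templates.PC_StatusSecurity.Sections.Security.Name
                                    );

                                //If any level check fails then there is no need to continue the validation has failed
                                if (!bPass)
                                {
                                    sAccessExplanationText = string.Format("User failed PC Status check for item {0}.", oItem.ID);
                                    bExplanationTextSet    = true;
                                }
                            }
                            else
                            {
                                //NOTE(review): bPass is left true here, so the text set below is overwritten by the
                                //"User authorized" message and a non-agent is still granted access to a
                                //PC_StatusSecurity item. Behaviour preserved as-is; confirm whether a denial was intended.
                                bExplanationTextSet    = true;
                                sAccessExplanationText = "The user is not an agent.";
                            }
                        }

                        if (bPass)
                        {
                            sAccessExplanationText = string.Format("User authorized to access item {0}.", oItem.ID);
                        }
                        else if (!bExplanationTextSet)
                        {
                            sAccessExplanationText = string.Format("User failed client approved check for item {0}.", oItem.ID);
                        }
                    }
                    else
                    {
                        if (System.Web.HttpContext.Current == null)
                        {
                            sAccessExplanationText = string.Format("{0} Item is being requested without an HTTP Context.", oItem.ID);
                            bPass = true;                             //Since the current item is being requested without an http context, it is an internal request and should be permitted.
                        }
                        else
                        {
                            sAccessExplanationText = "Unable to get authorization object";
                            oItemAccessExplanation = new AccessExplanation(sAccessExplanationText, new object[0]);
                            oItemAccessResult      = new AccessResult(AccessPermission.Deny, oItemAccessExplanation);
                            Sitecore.Diagnostics.Log.Error(sAccessExplanationText, this);
                        }
                    }
                }
                else
                {
                    sAccessExplanationText = string.Format("{0} item does not inherits from security base template", oItem.ID);

                    //check if an item is a media one and validate if user is logged on before providing it
                    // ignore if media item is part of AssetMark website
                    //Ordinal comparison: a path-prefix check must not be subject to culture-specific matching rules.
                    if (oItem.Paths.IsMediaItem && !oItem.Paths.FullPath.StartsWith(AssetMarkMediaLibraryPath, System.StringComparison.Ordinal))
                    {
                        //Media outside the AssetMark library is served only in test mode or to a user with a claim.
                        bPass = oAuthorization != null && (oAuthorization.IsTestMode || oAuthorization.Claim != null);
                    }
                    else
                    {
                        bPass = true; //Since the current item does not inherit from security base it should pass the validation
                    }
                }

                if (bPass)
                {
                    oItemAccessExplanation = new AccessExplanation(string.Format("{0} right has been granted", right.Name), new object[0]);
                    oItemAccessResult      = new AccessResult(AccessPermission.Allow, oItemAccessExplanation);
                }
                else
                {
                    oItemAccessExplanation = new AccessExplanation(string.IsNullOrEmpty(sAccessExplanationText) ? string.Format("{0} access denied", right.Name) : sAccessExplanationText, new object[0]);
                    oItemAccessResult      = new AccessResult(AccessPermission.Deny, oItemAccessExplanation);
                }
            }
            else
            {
                //Nothing to decide on; NotSet leaves the decision to the rest of the pipeline.
                sAccessExplanationText = "No Item to validate";
                oItemAccessExplanation = new AccessExplanation(sAccessExplanationText, new object[0]);
                oItemAccessResult      = new AccessResult(AccessPermission.NotSet, oItemAccessExplanation);
            }

            return(oItemAccessResult);
        }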