public IEnumerable <Page> Get(string siteid)
{
List <Page> pages = new List <Page>();
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
List <Setting> settings = _settings.GetSettings(EntityNames.Page).ToList();
foreach (Page page in _pages.GetPages(SiteId))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
{
page.Settings = settings.Where(item => item.EntityId == page.PageId)
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
pages.Add(page);
}
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
pages = null;
}
return(pages);
}
public IEnumerable <ModuleDefinition> Get(string siteid)
{
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
List <ModuleDefinition> moduledefinitions = new List <ModuleDefinition>();
foreach (ModuleDefinition moduledefinition in _moduleDefinitions.GetModuleDefinitions(SiteId))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.Permissions))
{
if (string.IsNullOrEmpty(moduledefinition.Version))
{
moduledefinition.Version = new Version(1, 0, 0).ToString();
}
moduledefinitions.Add(moduledefinition);
}
}
return(moduledefinitions);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return(null);
}
}
public Module Post([FromBody] Module Module)
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Edit", Module.Permissions))
{
Module = Modules.AddModule(Module);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Module Added {Module}", Module);
}
return(Module);
}
public Page Post([FromBody] Page Page)
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Edit", Page.Permissions))
{
Page = Pages.AddPage(Page);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Page Added {Page}", Page);
}
return(Page);
}
public IEnumerable <ModuleDefinition> Get(int siteid)
{
List <ModuleDefinition> moduledefinitions = new List <ModuleDefinition>();
foreach (ModuleDefinition moduledefinition in ModuleDefinitions.GetModuleDefinitions(siteid))
{
if (UserPermissions.IsAuthorized(User, "Utilize", moduledefinition.Permissions))
{
moduledefinitions.Add(moduledefinition);
}
}
return(moduledefinitions);
}
public IEnumerable <ModuleDefinition> Get(string siteid)
{
List <ModuleDefinition> moduledefinitions = new List <ModuleDefinition>();
foreach (ModuleDefinition moduledefinition in _moduleDefinitions.GetModuleDefinitions(int.Parse(siteid)))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.Permissions))
{
moduledefinitions.Add(moduledefinition);
}
}
return(moduledefinitions);
}
public IEnumerable <Module> Get(string siteid)
{
List <Module> modules = new List <Module>();
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
List <ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(SiteId).ToList();
List <Setting> settings = _settings.GetSettings(EntityNames.Module).ToList();
foreach (PageModule pagemodule in _pageModules.GetPageModules(SiteId))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.View, pagemodule.Module.Permissions))
{
Module module = new Module();
module.SiteId = pagemodule.Module.SiteId;
module.ModuleDefinitionName = pagemodule.Module.ModuleDefinitionName;
module.AllPages = pagemodule.Module.AllPages;
module.Permissions = pagemodule.Module.Permissions;
module.CreatedBy = pagemodule.Module.CreatedBy;
module.CreatedOn = pagemodule.Module.CreatedOn;
module.ModifiedBy = pagemodule.Module.ModifiedBy;
module.ModifiedOn = pagemodule.Module.ModifiedOn;
module.IsDeleted = pagemodule.IsDeleted;
module.PageModuleId = pagemodule.PageModuleId;
module.ModuleId = pagemodule.ModuleId;
module.PageId = pagemodule.PageId;
module.Title = pagemodule.Title;
module.Pane = pagemodule.Pane;
module.Order = pagemodule.Order;
module.ContainerType = pagemodule.ContainerType;
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
module.Settings = settings.Where(item => item.EntityId == pagemodule.ModuleId)
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
modules.Add(module);
}
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
modules = null;
}
return(modules);
}
public IEnumerable <Models.File> Get(string folder)
{
List <Models.File> files = new List <Models.File>();
int folderid;
if (int.TryParse(folder, out folderid))
{
Folder f = _folders.GetFolder(folderid);
if (f != null && _userPermissions.IsAuthorized(User, PermissionNames.Browse, f.Permissions))
{
files = _files.GetFiles(folderid).ToList();
}
}
else
{
if (User.IsInRole(Constants.HostRole))
{
folder = GetFolderPath(folder);
if (Directory.Exists(folder))
{
foreach (string file in Directory.GetFiles(folder))
{
files.Add(new Models.File {
Name = Path.GetFileName(file), Extension = Path.GetExtension(file)?.Replace(".", "")
});
}
}
}
}
return(files);
}
public Folder Post([FromBody] Folder Folder)
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Edit", Folder.Permissions))
{
Folder.Path = "";
if (string.IsNullOrEmpty(Folder.Path) && Folder.ParentId != null)
{
Folder parent = Folders.GetFolder(Folder.ParentId.Value);
Folder.Path = parent.Path + Folder.Name + "\\";
}
Folder = Folders.AddFolder(Folder);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Added {Folder}", Folder);
}
return(Folder);
}
public PageModule Get(int id)
{
PageModule pagemodule = _pageModules.GetPageModule(id);
if (pagemodule != null && pagemodule.Module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, pagemodule.Module.Permissions))
{
return(pagemodule);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Get Attempt {PageModuleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return(null);
}
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
{
// permission is scoped based on auth{entityname}id (ie ?authmoduleid ) which must be passed as a querystring parameter
var ctx = _httpContextAccessor.HttpContext;
if (ctx != null)
{
int entityId = -1;
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
{
entityId = int.Parse(ctx.Request.Query["auth" + requirement.EntityName.ToLower() + "id"]);
}
if (ctx.Request.Query.ContainsKey("entityid"))
{
entityId = int.Parse(ctx.Request.Query["entityid"]);
}
if (_userPermissions.IsAuthorized(context.User, requirement.EntityName, entityId, requirement.PermissionName))
{
context.Succeed(requirement);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName}:{EntityId}", context.User, requirement.PermissionName, requirement.EntityName, entityId);
}
}
return(Task.CompletedTask);
}
private bool IsAuthorized(string EntityName, int EntityId, string PermissionName)
{
bool authorized = false;
if (EntityName == "PageModule")
{
EntityName = "Module";
EntityId = _pageModules.GetPageModule(EntityId).ModuleId;
}
switch (EntityName)
{
case "Host":
authorized = User.IsInRole(Constants.HostRole);
break;
case "Site":
authorized = User.IsInRole(Constants.AdminRole);
break;
case "Page":
case "Module":
case "Folder":
authorized = _userPermissions.IsAuthorized(User, EntityName, EntityId, PermissionName);
break;
case "User":
authorized = true;
if (PermissionName == "Edit")
{
authorized = User.IsInRole(Constants.AdminRole) || (_userPermissions.GetUser(User).UserId == EntityId);
}
break;
}
return(authorized);
}
private bool IsAuthorized(string entityName, int entityId, string permissionName)
{
bool authorized = false;
if (entityName == EntityNames.PageModule)
{
entityName = EntityNames.Module;
entityId = _pageModules.GetPageModule(entityId).ModuleId;
}
switch (entityName)
{
case EntityNames.Tenant:
authorized = User.IsInRole(RoleNames.Host);
break;
case EntityNames.Site:
authorized = User.IsInRole(RoleNames.Admin);
break;
case EntityNames.Page:
case EntityNames.Module:
case EntityNames.Folder:
authorized = _userPermissions.IsAuthorized(User, entityName, entityId, permissionName);
break;
case EntityNames.User:
authorized = true;
if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
}
break;
}
return(authorized);
}
public IEnumerable <Module> Get(string siteid)
{
List <ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(int.Parse(siteid)).ToList();
List <Module> modules = new List <Module>();
foreach (PageModule pagemodule in _pageModules.GetPageModules(int.Parse(siteid)))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.View, pagemodule.Module.Permissions))
{
Module module = new Module();
module.SiteId = pagemodule.Module.SiteId;
module.ModuleDefinitionName = pagemodule.Module.ModuleDefinitionName;
module.Permissions = pagemodule.Module.Permissions;
module.CreatedBy = pagemodule.Module.CreatedBy;
module.CreatedOn = pagemodule.Module.CreatedOn;
module.ModifiedBy = pagemodule.Module.ModifiedBy;
module.ModifiedOn = pagemodule.Module.ModifiedOn;
module.IsDeleted = pagemodule.IsDeleted;
module.PageModuleId = pagemodule.PageModuleId;
module.ModuleId = pagemodule.ModuleId;
module.PageId = pagemodule.PageId;
module.Title = pagemodule.Title;
module.Pane = pagemodule.Pane;
module.Order = pagemodule.Order;
module.ContainerType = pagemodule.ContainerType;
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
modules.Add(module);
}
}
return(modules);
}
public IEnumerable <Models.File> Get(string folder)
{
List <Models.File> files = new List <Models.File>();
int folderid;
if (int.TryParse(folder, out folderid))
{
Folder Folder = _folders.GetFolder(folderid);
if (Folder != null && Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Browse, Folder.Permissions))
{
files = _files.GetFiles(folderid).ToList();
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {FolderId}", folder);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
files = null;
}
}
else
{
if (User.IsInRole(RoleNames.Host))
{
folder = GetFolderPath(folder);
if (Directory.Exists(folder))
{
foreach (string file in Directory.GetFiles(folder))
{
files.Add(new Models.File {
Name = Path.GetFileName(file), Extension = Path.GetExtension(file)?.Replace(".", "")
});
}
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {Folder}", folder);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
files = null;
}
}
return(files);
}
public IEnumerable<Folder> Get(string siteid)
{
List<Folder> folders = new List<Folder>();
foreach (Folder folder in _folders.GetFolders(int.Parse(siteid)))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{
folders.Add(folder);
}
}
return folders;
}
public IEnumerable <Folder> Get(string siteid)
{
List <Folder> folders = new List <Folder>();
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
foreach (Folder folder in _folders.GetFolders(SiteId))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{
folders.Add(folder);
}
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
folders = null;
}
return(folders);
}
public IEnumerable <Page> Get(string siteid)
{
List <Page> pages = new List <Page>();
foreach (Page page in _pages.GetPages(int.Parse(siteid)))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
{
pages.Add(page);
}
}
return(pages);
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
{
// permission is scoped based on EntityId which must be passed as a querystring parameter
var ctx = HttpContextAccessor.HttpContext;
if (ctx != null && ctx.Request.Query.ContainsKey("entityid"))
{
int EntityId = int.Parse(ctx.Request.Query["entityid"]);
if (UserPermissions.IsAuthorized(context.User, requirement.EntityName, EntityId, requirement.PermissionName))
{
context.Succeed(requirement);
}
}
return(Task.CompletedTask);
}
private bool IsAuthorized(string EntityName, int EntityId)
{
bool authorized = false;
switch (EntityName)
{
case "Module":
authorized = UserPermissions.IsAuthorized(User, EntityName, EntityId, "Edit");
break;
default:
authorized = User.IsInRole(Constants.AdminRole);
break;
}
return(authorized);
}
public IEnumerable <Page> Get(string siteid)
{
List <Setting> settings = _settings.GetSettings(EntityNames.Page).ToList();
List <Page> pages = new List <Page>();
foreach (Page page in _pages.GetPages(int.Parse(siteid)))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
{
page.Settings = settings.Where(item => item.EntityId == page.PageId)
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
pages.Add(page);
}
}
return(pages);
}
public PageModule Get(int id)
{
PageModule pagemodule = _pageModules.GetPageModule(id);
if (_userPermissions.IsAuthorized(User, PermissionNames.View, pagemodule.Module.Permissions))
{
return(pagemodule);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access PageModule {PageModule}", pagemodule);
HttpContext.Response.StatusCode = 401;
return(null);
}
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
{
// permission is scoped based on entitynames and ids passed as querystring parameters or headers
var ctx = _httpContextAccessor.HttpContext;
if (ctx != null)
{
// get entityid based on a parameter format of auth{entityname}id (ie. authmoduleid )
int entityId = -1;
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
{
if (!int.TryParse(ctx.Request.Query["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
{
entityId = -1;
}
}
// legacy support
if (entityId == -1)
{
if (ctx.Request.Query.ContainsKey("entityid"))
{
if (!int.TryParse(ctx.Request.Query["entityid"], out entityId))
{
entityId = -1;
}
}
}
// validate permissions
if (entityId != -1 && _userPermissions.IsAuthorized(context.User, requirement.EntityName, entityId, requirement.PermissionName))
{
context.Succeed(requirement);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName}:{EntityId}", context.User, requirement.PermissionName, requirement.EntityName, entityId);
}
}
return(Task.CompletedTask);
}
private bool IsAuthorized(string entityName, int entityId, string permissionName)
{
bool authorized = false;
if (entityName == EntityNames.PageModule)
{
entityName = EntityNames.Module;
entityId = _pageModules.GetPageModule(entityId).ModuleId;
}
switch (entityName)
{
case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
case EntityNames.Host:
if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Host);
}
else
{
authorized = true;
}
break;
case EntityNames.Site:
if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Admin);
}
else
{
authorized = true;
}
break;
case EntityNames.Page:
case EntityNames.Module:
case EntityNames.Folder:
authorized = _userPermissions.IsAuthorized(User, entityName, entityId, permissionName);
break;
case EntityNames.User:
authorized = true;
if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId);
}
break;
case EntityNames.Visitor:
authorized = User.IsInRole(RoleNames.Admin);
if (!authorized)
{
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
{
authorized = (visitorId == entityId);
}
}
break;
default: // custom entity
if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Admin) || _userPermissions.IsAuthorized(User, entityName, entityId, permissionName);
}
else
{
authorized = true;
}
break;
}
return(authorized);
}