public static void SetHyperLink(string adminSectionPageId, string querystring, HyperLink hyperlink)
{
AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);
string url = (adminSectionPage == null) ? "#" : string.Format("{0}{1}", adminSectionPage.Url, querystring);
hyperlink.NavigateUrl = url;
}
public static void SetHyperLink(User user, string adminSectionPageId, string querystring, HyperLink hyperlink)
{
AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);
if (adminSectionPage == null)
{
hyperlink.Visible = false;
}
else
{
hyperlink.Visible = SecurityManager.UserHasAccess(user, adminSectionPage);
hyperlink.NavigateUrl = string.Format("{0}{1}", adminSectionPage.Url, querystring);
}
}
/// <summary>
/// Checks if the user has access to the requested path.
/// This method is the 'big kahuna', and does various security checks. It's main
/// purpose is to ensure that the admin area pages are correctly restricted, and it
/// ensures that upload users and brand admins cannot access entities to
/// which their role does not have permission (ie. those outside their brand).
/// </summary>
/// <param name="user">The user requesting access</param>
/// <param name="path">The path to which access is being requested</param>
/// <returns>[True] if user can access path. Otherwise [False].</returns>
public static bool UserHasAccess(User user, Uri path)
{
// Turn the path into a relative one (eg. /AppVirtualDir/Admin/Default.aspx -> ~/Admin/Default.aspx)
string relativePath = VirtualPathUtility.ToAppRelative(path.AbsolutePath).ToLower();
// Always allow NeatUpload stuff through
if (relativePath.StartsWith("~/neatupload/"))
{
return(true);
}
// Login and registration pages open to all. Admin homepage open to
// any user belonging to any role greater than normal.
switch (relativePath)
{
case "~/login.aspx":
case "~/register.aspx":
case "~/changepassword.aspx":
case "~/reactivate.aspx":
case "~/viewcontactsheet.aspx":
case "~/popups/termsconditions.aspx":
case "~/popups/privacypolicy.aspx":
return(true);
case "~/admin/default.aspx":
return(user.UserRoleId > Convert.ToInt32(UserRole.Normal));
}
// Allow access to non-existent pages so we can redirect to 404
if (!File.Exists(HttpContext.Current.Server.MapPath(relativePath)))
{
return(true);
}
// Everything from here on needs a user
if (user.IsNull)
{
return(false);
}
// Ensure that the asset popup can only be viewed by authorised users
if (relativePath.StartsWith("~/popups/assetinfo.aspx"))
{
int assetId = GetQuerystringValue(path.Query, "assetId", -1);
if (assetId != -1)
{
Asset asset = Asset.Get(assetId);
if (asset.IsNull || !EntitySecurityManager.CanViewAssetInfo(user, asset))
{
return(false);
}
HttpContext.Current.Items.Add("Asset", asset);
}
}
if (relativePath.StartsWith("~/admin/"))
{
// Get the admin section page by the URL
AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageByUrl(relativePath);
// Ensure that we found it in the admin page list
if (adminSectionPage == null)
{
throw new SystemException(string.Format("Unknown admin page: '{0}'. Please check AdminNavigation.Config", relativePath));
}
// Ensure that the page being accessed is available to the user role.
// No point continuing if their role is too weak
if (!adminSectionPage.UserRoleList.Contains(user.UserRole))
{
return(false);
}
// Do role specific processing, as some roles can access pages, but
// only when editing certain entities - ie. a Brand Admin can
// access the user pages, but only when managing users from their own
// brand. Here, we check the querystring for values, get the
// matching entity, and then ensure that it's from the same BU as
// the requesting user.
if (user.UserRole == UserRole.SuperAdministrator)
{
return(true);
}
if (user.UserRole == UserRole.Normal)
{
throw new SecurityException("Access to admin area denied");
}
if (GeneralUtils.ValueIsInList(user.UserRole, UserRole.BrandAdministrator, UserRole.UploadUser))
{
// Assume page is okay, as querystring might be blank
bool ok = true;
// Check for user ID, and if it exists, ensure the user
// can be accessed by the requesting user
int userId = GetQuerystringValue(path.Query, "userId", -1);
if (userId != -1)
{
User u = User.Get(userId);
if (user.IsNull || !EntitySecurityManager.CanManageUser(user, u))
{
ok = false;
}
else
{
HttpContext.Current.Items.Add("User", u);
}
}
// Check for asset Id, and if it exists, ensure the
// asset can be accessed by the requesting user
if (ok)
{
int assetId = GetQuerystringValue(path.Query, "assetId", -1);
if (assetId != -1)
{
Asset asset = Asset.Get(assetId);
if (asset.IsNull || !EntitySecurityManager.CanManageAsset(user, asset))
{
ok = false;
}
else
{
HttpContext.Current.Items.Add("Asset", asset);
}
}
}
// Check for AssetWorkflowId, and if it exists, ensure the
// AssetWorkflow can be accessed by the requesting user
if (ok)
{
int assetWorkflowId = GetQuerystringValue(path.Query, "assetWorkflowId", -1);
if (assetWorkflowId != -1)
{
AssetWorkflow assetWorkflow = AssetWorkflow.Get(assetWorkflowId);
if (assetWorkflow.IsNull || !EntitySecurityManager.CanParticipateInAssetWorkflow(user, assetWorkflow))
{
ok = false;
}
else
{
HttpContext.Current.Items.Add("AssetWorkflow", assetWorkflow);
}
}
}
return(ok);
}
throw new SecurityException("Unable to check permissions for user role: " + user.UserRole);
}
return(true);
}
