public static void SetHyperLink(string adminSectionPageId, string querystring, HyperLink hyperlink)
{
AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);
string url = (adminSectionPage == null) ? "#" : string.Format("{0}{1}", adminSectionPage.Url, querystring);
hyperlink.NavigateUrl = url;
}
/// <summary>
/// Searches the AdminSectionPage and all its subpages for a page
/// matching the specified url. Returns page if found. Otherwise, null.
/// </summary>
private static AdminSectionPage Search(AdminSectionPage page, string url)
{
if (StringUtils.IgnoreCaseCompare(page.Url, url))
{
return(page);
}
return(page.Pages.Select(subPage => Search(subPage, url)).FirstOrDefault(p => p != null));
}
public static void SetHyperLink(User user, string adminSectionPageId, string querystring, HyperLink hyperlink)
{
AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);
if (adminSectionPage == null)
{
hyperlink.Visible = false;
}
else
{
hyperlink.Visible = SecurityManager.UserHasAccess(user, adminSectionPage);
hyperlink.NavigateUrl = string.Format("{0}{1}", adminSectionPage.Url, querystring);
}
}
/// <summary>
/// Checks if the user is in a role that has access to the requested page
/// </summary>
public static bool UserHasAccess(User user, AdminSectionPage adminSectionPage)
{
if (user.IsNull)
{
return(false);
}
if (adminSectionPage == null)
{
return(user.UserRole == UserRole.SuperAdministrator);
}
if (adminSectionPage.RestrictToEngineers && !user.IsEngineer)
{
return(false);
}
return(adminSectionPage.UserRoleList.Contains(user.UserRole));
}
public AdminSectionPage(XmlNode node) : base(node)
{
if (node.Attributes == null)
{
throw new SystemException("Node does not have any attributes");
}
// Get the page URL, using the ID if no URL is specified
XmlNode urlNode = node.Attributes.GetNamedItem("Url");
Url = (urlNode == null) ? string.Format("~/Admin/{0}.aspx", Id.Replace('.', '/')) : urlNode.Value;
// Get the minimum role and/or allowed roles to access this page
XmlNode minimumRoleNode = node.Attributes.GetNamedItem("MinimumRole");
XmlNode allowedRolesNode = node.Attributes.GetNamedItem(("AllowedRoles"));
// If no minimum role or allowed roles are specified, then search through
// the parents until we find this information.
if (minimumRoleNode == null && allowedRolesNode == null)
{
// Get the parent node. This will be another <Page> node or a <Section> node
XmlNode parentNode = node.ParentNode;
while (parentNode != null && parentNode.Attributes != null)
{
// Get the nodes
minimumRoleNode = parentNode.Attributes.GetNamedItem("MinimumRole");
allowedRolesNode = parentNode.Attributes.GetNamedItem(("AllowedRoles"));
// Drop out if we found valid nodes. Otherwise, keep searching upwards
if (minimumRoleNode != null || allowedRolesNode != null)
{
break;
}
// Set parent to this parent and keep searching
parentNode = parentNode.ParentNode;
}
}
if (minimumRoleNode == null)
{
UserRoleList.Add(UserRole.SuperAdministrator);
}
else
{
foreach (UserRole userRole in Enum.GetValues(typeof(UserRole)))
{
int userRoleId = (int)userRole;
int minimumRoleId = (int)EnumUtils.GetEnumFromValue <UserRole>(minimumRoleNode.Value);
if (userRoleId >= minimumRoleId)
{
UserRoleList.Add(userRole);
}
}
}
if (allowedRolesNode != null)
{
string[] allowedRoles = allowedRolesNode.Value.Split(',');
foreach (string role in allowedRoles)
{
UserRole userRole = EnumUtils.GetEnumFromValue <UserRole>(role);
if (userRole != 0 && !UserRoleList.Contains(userRole))
{
UserRoleList.Add(userRole);
}
}
}
XmlNodeList pages = node.SelectNodes("Page");
if (pages != null)
{
foreach (XmlNode pageNode in pages)
{
AdminSectionPage page = new AdminSectionPage(pageNode);
Pages.Add(page);
}
}
// Add all user roles from children pages to this too
// (Otherwise, this node won't show up in navigation
// and the children won't be accessible).
UserRoleList.AddRange(GetUserRoleList());
}
/// <summary>
/// Checks if the user has access to the requested path.
/// This method is the 'big kahuna', and does various security checks. It's main
/// purpose is to ensure that the admin area pages are correctly restricted, and it
/// ensures that upload users and brand admins cannot access entities to
/// which their role does not have permission (ie. those outside their brand).
/// </summary>
/// <param name="user">The user requesting access</param>
/// <param name="path">The path to which access is being requested</param>
/// <returns>[True] if user can access path. Otherwise [False].</returns>
public static bool UserHasAccess(User user, Uri path)
{
// Turn the path into a relative one (eg. /AppVirtualDir/Admin/Default.aspx -> ~/Admin/Default.aspx)
string relativePath = VirtualPathUtility.ToAppRelative(path.AbsolutePath).ToLower();
// Always allow NeatUpload stuff through
if (relativePath.StartsWith("~/neatupload/"))
{
return(true);
}
// Login and registration pages open to all. Admin homepage open to
// any user belonging to any role greater than normal.
switch (relativePath)
{
case "~/login.aspx":
case "~/register.aspx":
case "~/changepassword.aspx":
case "~/reactivate.aspx":
case "~/viewcontactsheet.aspx":
case "~/popups/termsconditions.aspx":
case "~/popups/privacypolicy.aspx":
return(true);
case "~/admin/default.aspx":
return(user.UserRoleId > Convert.ToInt32(UserRole.Normal));
}
// Allow access to non-existent pages so we can redirect to 404
if (!File.Exists(HttpContext.Current.Server.MapPath(relativePath)))
{
return(true);
}
// Everything from here on needs a user
if (user.IsNull)
{
return(false);
}
// Ensure that the asset popup can only be viewed by authorised users
if (relativePath.StartsWith("~/popups/assetinfo.aspx"))
{
int assetId = GetQuerystringValue(path.Query, "assetId", -1);
if (assetId != -1)
{
Asset asset = Asset.Get(assetId);
if (asset.IsNull || !EntitySecurityManager.CanViewAssetInfo(user, asset))
{
return(false);
}
HttpContext.Current.Items.Add("Asset", asset);
}
}
if (relativePath.StartsWith("~/admin/"))
{
// Get the admin section page by the URL
AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageByUrl(relativePath);
// Ensure that we found it in the admin page list
if (adminSectionPage == null)
{
throw new SystemException(string.Format("Unknown admin page: '{0}'. Please check AdminNavigation.Config", relativePath));
}
// Ensure that the page being accessed is available to the user role.
// No point continuing if their role is too weak
if (!adminSectionPage.UserRoleList.Contains(user.UserRole))
{
return(false);
}
// Do role specific processing, as some roles can access pages, but
// only when editing certain entities - ie. a Brand Admin can
// access the user pages, but only when managing users from their own
// brand. Here, we check the querystring for values, get the
// matching entity, and then ensure that it's from the same BU as
// the requesting user.
if (user.UserRole == UserRole.SuperAdministrator)
{
return(true);
}
if (user.UserRole == UserRole.Normal)
{
throw new SecurityException("Access to admin area denied");
}
if (GeneralUtils.ValueIsInList(user.UserRole, UserRole.BrandAdministrator, UserRole.UploadUser))
{
// Assume page is okay, as querystring might be blank
bool ok = true;
// Check for user ID, and if it exists, ensure the user
// can be accessed by the requesting user
int userId = GetQuerystringValue(path.Query, "userId", -1);
if (userId != -1)
{
User u = User.Get(userId);
if (user.IsNull || !EntitySecurityManager.CanManageUser(user, u))
{
ok = false;
}
else
{
HttpContext.Current.Items.Add("User", u);
}
}
// Check for asset Id, and if it exists, ensure the
// asset can be accessed by the requesting user
if (ok)
{
int assetId = GetQuerystringValue(path.Query, "assetId", -1);
if (assetId != -1)
{
Asset asset = Asset.Get(assetId);
if (asset.IsNull || !EntitySecurityManager.CanManageAsset(user, asset))
{
ok = false;
}
else
{
HttpContext.Current.Items.Add("Asset", asset);
}
}
}
// Check for AssetWorkflowId, and if it exists, ensure the
// AssetWorkflow can be accessed by the requesting user
if (ok)
{
int assetWorkflowId = GetQuerystringValue(path.Query, "assetWorkflowId", -1);
if (assetWorkflowId != -1)
{
AssetWorkflow assetWorkflow = AssetWorkflow.Get(assetWorkflowId);
if (assetWorkflow.IsNull || !EntitySecurityManager.CanParticipateInAssetWorkflow(user, assetWorkflow))
{
ok = false;
}
else
{
HttpContext.Current.Items.Add("AssetWorkflow", assetWorkflow);
}
}
}
return(ok);
}
throw new SecurityException("Unable to check permissions for user role: " + user.UserRole);
}
return(true);
}
