public IEnumerable <Section> GetSections() { var sections = _sectionService.GetAllowedSections(Security.GetUserId().ResultOr(0)); var sectionModels = sections.Select(Mapper.Map <Section>).ToArray(); // this is a bit nasty since we'll be proxying via the app tree controller but we sort of have to do that // since tree's by nature are controllers and require request contextual data var appTreeController = new ApplicationTreeController(GlobalSettings, UmbracoContextAccessor, SqlContext, Services, AppCaches, Logger, RuntimeState, _treeService, _sectionService, Umbraco) { ControllerContext = ControllerContext }; var dashboards = _dashboardService.GetDashboards(Security.CurrentUser); //now we can add metadata for each section so that the UI knows if there's actually anything at all to render for //a dashboard for a given section, then the UI can deal with it accordingly (i.e. redirect to the first tree) foreach (var section in sectionModels) { var hasDashboards = dashboards.TryGetValue(section.Alias, out var dashboardsForSection) && dashboardsForSection.Any(); if (hasDashboards) { continue; } // get the first tree in the section and get its root node route path var sectionRoot = appTreeController.GetApplicationTrees(section.Alias, null, null).Result; section.RoutePath = GetRoutePathForFirstTree(sectionRoot); } return(sectionModels); }
public static bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IAccessItem[] denyTypes, IAccessItem[] grantedTypes, IAccessItem[] grantedBySectionTypes) { var allowedSoFar = false; // if there's no grantBySection or grant rules defined - we allow access so far and skip to checking deny rules if (grantedBySectionTypes.Any() == false && grantedTypes.Any() == false) { allowedSoFar = true; } // else we check the rules and only allow if one matches else { // check if this item has any grant-by-section arguments. // if so check if the user has access to any of the sections approved, if so they will be allowed to see it (so far) if (grantedBySectionTypes.Any()) { var allowedApps = sectionService.GetAllowedSections(Convert.ToInt32(user.Id)) .Select(x => x.Alias) .ToArray(); var allApprovedSections = grantedBySectionTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (allApprovedSections.Any(allowedApps.Contains)) { allowedSoFar = true; } } // if not already granted access, check if this item as any grant arguments. // if so check if the user is in one of the user groups approved, if so they will be allowed to see it (so far) if (allowedSoFar == false && grantedTypes.Any()) { var allApprovedUserTypes = grantedTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); foreach (var userGroup in user.Groups) { if (allApprovedUserTypes.InvariantContains(userGroup.Alias)) { allowedSoFar = true; break; } } } } // check if this item has any deny arguments, if so check if the user is in one of the denied user groups, if so they will // be denied to see it no matter what if (denyTypes.Any()) { var allDeniedUserTypes = denyTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); foreach (var userGroup in user.Groups) { if (allDeniedUserTypes.InvariantContains(userGroup.Alias)) { allowedSoFar = false; break; } } } return(allowedSoFar); }
public static bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IAccessItem[] denyTypes, IAccessItem[] grantedTypes, IAccessItem[] grantedBySectionTypes) { var allowedSoFar = false; //Check if this item as any grant-by-section arguments, if so check if the user has access to any of the sections approved, if so they will // be allowed to see it (so far) if (grantedBySectionTypes.Any()) { var allowedApps = sectionService.GetAllowedSections(Convert.ToInt32(user.Id)) .Select(x => x.Alias) .ToArray(); var allApprovedSections = grantedBySectionTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (allApprovedSections.Any(allowedApps.Contains)) { allowedSoFar = true; } } //Check if this item as any grant arguments, if so check if the user is one of the user types approved, if so they will // be allowed to see it (so far) if (grantedTypes.Any()) { var allApprovedUserTypes = grantedTypes.SelectMany(g => g.Value.Split(new[] {','}, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (allApprovedUserTypes.InvariantContains(user.UserType.Alias)) { allowedSoFar = true; } } else { //if there are not explicit grant types then everyone is allowed so far and we'll only disallow on a deny basis allowedSoFar = true; } //Check if this item as any deny arguments, if so check if the user is one of the user types approved, if so they will // be denied to see it no matter what if (denyTypes.Any()) { var allDeniedUserTypes = denyTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (allDeniedUserTypes.InvariantContains(user.UserType.Alias)) { allowedSoFar = false; } } return allowedSoFar; }
public static bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IAccessItem[] denyTypes, IAccessItem[] grantedTypes, IAccessItem[] grantedBySectionTypes) { var allowedSoFar = false; //Check if this item as any grant-by-section arguments, if so check if the user has access to any of the sections approved, if so they will // be allowed to see it (so far) if (grantedBySectionTypes.Any()) { var allowedApps = sectionService.GetAllowedSections(Convert.ToInt32(user.Id)) .Select(x => x.Alias) .ToArray(); var allApprovedSections = grantedBySectionTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (allApprovedSections.Any(allowedApps.Contains)) { allowedSoFar = true; } } //Check if this item as any grant arguments, if so check if the user is one of the user types approved, if so they will // be allowed to see it (so far) if (grantedTypes.Any()) { var allApprovedUserTypes = grantedTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (allApprovedUserTypes.InvariantContains(user.UserType.Alias)) { allowedSoFar = true; } } else { //if there are not explicit grant types then everyone is allowed so far and we'll only disallow on a deny basis allowedSoFar = true; } //Check if this item as any deny arguments, if so check if the user is one of the user types approved, if so they will // be denied to see it no matter what if (denyTypes.Any()) { var allDeniedUserTypes = denyTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (allDeniedUserTypes.InvariantContains(user.UserType.Alias)) { allowedSoFar = false; } } return(allowedSoFar); }
public async Task <ActionResult <IEnumerable <Section> > > GetSections() { IEnumerable <ISection> sections = _sectionService.GetAllowedSections(_backofficeSecurityAccessor.BackOfficeSecurity?.GetUserId().Result ?? 0); Section[] sectionModels = sections.Select(_umbracoMapper.Map <Section>).WhereNotNull().ToArray(); // this is a bit nasty since we'll be proxying via the app tree controller but we sort of have to do that // since tree's by nature are controllers and require request contextual data var appTreeController = new ApplicationTreeController(_treeService, _sectionService, _localizedTextService, _controllerFactory, _actionDescriptorCollectionProvider) { ControllerContext = ControllerContext }; IDictionary <string, IEnumerable <Tab <IDashboard> > > dashboards = _dashboardService.GetDashboards(_backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser); //now we can add metadata for each section so that the UI knows if there's actually anything at all to render for //a dashboard for a given section, then the UI can deal with it accordingly (i.e. redirect to the first tree) foreach (Section?section in sectionModels) { var hasDashboards = section?.Alias is not null && dashboards.TryGetValue(section.Alias, out IEnumerable <Tab <IDashboard> >?dashboardsForSection) && dashboardsForSection.Any(); if (hasDashboards) { continue; } // get the first tree in the section and get its root node route path ActionResult <TreeRootNode> sectionRoot = await appTreeController.GetApplicationTrees(section?.Alias, null, null); if (!(sectionRoot.Result is null)) { return(sectionRoot.Result); } if (section is not null) { section.RoutePath = GetRoutePathForFirstTree(sectionRoot.Value !); } } return(sectionModels); }
private bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IEnumerable <IAccessRule> rules) { if (user.Id == Constants.Security.SuperUserId) { return(true); } var(denyRules, grantRules, grantBySectionRules) = GroupRules(rules); var hasAccess = true; string[] assignedUserGroups = null; // if there are no grant rules, then access is granted by default, unless denied // otherwise, grant rules determine if access can be granted at all if (grantBySectionRules.Length > 0 || grantRules.Length > 0) { hasAccess = false; // check if this item has any grant-by-section arguments. // if so check if the user has access to any of the sections approved, if so they will be allowed to see it (so far) if (grantBySectionRules.Length > 0) { var allowedSections = sectionService.GetAllowedSections(user.Id).Select(x => x.Alias).ToArray(); var wantedSections = grantBySectionRules.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (wantedSections.Intersect(allowedSections).Any()) { hasAccess = true; } } // if not already granted access, check if this item as any grant arguments. // if so check if the user is in one of the user groups approved, if so they will be allowed to see it (so far) if (hasAccess == false && grantRules.Any()) { assignedUserGroups = user.Groups.Select(x => x.Alias).ToArray(); var wantedUserGroups = grantRules.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (wantedUserGroups.Intersect(assignedUserGroups).Any()) { hasAccess = true; } } } if (!hasAccess || denyRules.Length == 0) { return(true); } // check if this item has any deny arguments, if so check if the user is in one of the denied user groups, if so they will // be denied to see it no matter what assignedUserGroups = assignedUserGroups ?? user.Groups.Select(x => x.Alias).ToArray(); var deniedUserGroups = denyRules.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray(); if (deniedUserGroups.Intersect(assignedUserGroups).Any()) { hasAccess = false; } return(hasAccess); }