public dynamic Query([FromUri] string name)
{
// use the previously defined query, or just get it from the request (module-mode)
if (_queryApp == null)
_queryApp = App;
var query = GetQueryByName(name);
var queryConf = query.QueryDefinition;
var permissionChecker = new PermissionController(_queryApp.ZoneId, _queryApp.AppId, queryConf.EntityGuid, _useModuleAndCheckModulePermissions ? Dnn.Module : null);
var readAllowed = permissionChecker.UserMay(PermissionGrant.Read);
var isAdmin = _useModuleAndCheckModulePermissions && DotNetNuke.Security.Permissions.ModulePermissionController.CanAdminModule(Dnn.Module);
// Only return query if permissions ok
if (!(readAllowed || isAdmin))
throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Unauthorized)
{
Content = new StringContent("Request not allowed. User does not have read permissions for query '" + name + "'"),
ReasonPhrase = "Request not allowed"
});
return new Serializer().Prepare(query);
// 2016-05-03 2dm - if it turns out that the serializer on the Sxc-object is better (can't find a reason why)...
// ...then I would need this variation below:
//return _useModuleAndCheckModulePermissions
// ? Sxc.Serializer.Prepare(query)
// : new Serializer().Prepare(query);
}
public dynamic Query([FromUri] string name)
{
// Try to find the query, abort if not found
if (!App.Query.ContainsKey(name))
throw new Exception("Can't find Query with name '" + name + "'");
// Get query, check what permissions were assigned to the query-definition
var query = App.Query[name] as DeferredPipelineQuery;
var queryConf = query.QueryDefinition;
var permissionChecker = new PermissionController(App.ZoneId, App.AppId, queryConf.EntityGuid, Dnn.Module);
var readAllowed = permissionChecker.UserMay(PermissionGrant.Read);
var isAdmin = DotNetNuke.Security.Permissions.ModulePermissionController.CanAdminModule(Dnn.Module);
// Only return query if permissions ok
if (readAllowed || isAdmin)
return Sxc.Serializer.Prepare(query);
else
throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Unauthorized)
{
Content = new StringContent("Request not allowed. User does not have read permissions for query '" + name + "'"),
ReasonPhrase = "Request not allowed"
});
}
/// <summary>
/// Check if a user may do something - and throw an error if the permission is not given
/// </summary>
/// <param name="contentType"></param>
/// <param name="grant"></param>
private void PerformSecurityCheck(string contentType, PermissionGrant grant, bool autoAllowAdmin = false)
{
// Check if we can find this content-type
var ct = new Eav.WebApi.ContentTypeController().GetSingle(App.AppId, contentType, null);
if(ct == null)
ThrowHttpError(HttpStatusCode.NotFound, "Could not find Content Type '" + contentType + "'.", "content-types");
// Check if the content-type has a GUID as name - only these can have permission assignments
Guid ctGuid;
var staticNameIsGuid = Guid.TryParse(ct.StaticName, out ctGuid);
if(!staticNameIsGuid)
ThrowHttpError(HttpStatusCode.Unauthorized, "Content Type '" + contentType + "' is not a standard Content Type - no permissions possible.");
// Check permissions in 2sxc - or check if the user has admin-right (in which case he's always granted access for these types of content)
var permissionChecker = new PermissionController(App.ZoneId, App.AppId, ctGuid, Dnn.Module);
var allowed = permissionChecker.UserMay(grant);
var isAdmin = autoAllowAdmin && DotNetNuke.Security.Permissions.ModulePermissionController.CanAdminModule(Dnn.Module);
if(!(allowed || isAdmin))
ThrowHttpError(HttpStatusCode.Unauthorized, "Request not allowed. User needs permissions to " + grant + " for Content Type '" + contentType + "'.", "permissions");
}
private void CheckTemplatePermissions(PortalSettings portalSettings)
{
// 2015-05-19 2dm: new: do security check if security exists
// should probably happen somewhere else - so it doesn't throw errors when not even rendering...
var permissionsOnThisTemplate = new PermissionController(App.ZoneId, App.AppId, Template.Guid, ModuleInfo);
// Views only use permissions to prevent access, so only check if there are any configured permissions
if (!portalSettings.UserInfo.IsInRole(portalSettings.AdministratorRoleName) && permissionsOnThisTemplate.PermissionList.Any())
if (!permissionsOnThisTemplate.UserMay(PermissionGrant.Read))
throw new RenderingException(new UnauthorizedAccessException(
"This view is not accessible for the current user. To give access, change permissions in the view settings. See http://2sxc.org/help?tag=view-permissions"));
}
/// <summary>
/// Get the content data and render it with the given template to the page.
/// </summary>
protected void ProcessView(PlaceHolder phOutput, Panel pnlError, Panel pnlMessage)
{
#region Check if everything has values and return if not
if (Template == null)
{
ShowError(LocalizeString("TemplateConfigurationMissing.Text"), pnlError);
return;
}
if (Template.ContentTypeStaticName != "" && DataSource.GetCache(ZoneId.Value, AppId.Value).GetContentType(Template.ContentTypeStaticName) == null)
{
ShowError("The contents of this module cannot be displayed because it's located in another VDB.", pnlError);
return;
}
if (Template.ContentTypeStaticName != "" && Template.ContentDemoEntity == null && ContentGroup.Content.All(e => e == null))
{
var toolbar = IsEditable ? "<ul class='sc-menu' data-toolbar='" + JsonConvert.SerializeObject(new { sortOrder = 0, useModuleList = true, action = "edit" }) + "'></ul>" : "";
ShowMessage(LocalizeString("NoDemoItem.Text") + " " + toolbar, pnlMessage);
return;
}
#endregion
#region PermissionsCheck
// 2015-05-19 2dm: new: do security check if security exists
// should probably happen somewhere else - so it doesn't throw errors when not even rendering...
// maybe should show
var permissions = new Security.PermissionController(ZoneId.Value, AppId.Value, Template.Guid, this.ModuleContext.Configuration);
// Views only need permissions to limit access, so only check if there are any configured permissions
if (!UserInfo.IsInRole(PortalSettings.AdministratorRoleName) && permissions.PermissionList.Any())
if (!permissions.UserMay(PermissionGrant.Read))
throw new UnauthorizedAccessException("This view is not accessible for the current user. To give access, change permissions in the view settings. See http://2sxc.org/help?tag=view-permissions");
#endregion
try
{
//var renderTemplate = Template;
string renderedTemplate;
var engine = EngineFactory.CreateEngine(Template);
var dataSource = (ViewDataSource)Sexy.GetViewDataSource(ModuleId, SexyContent.HasEditPermission(ModuleConfiguration), Template);
engine.Init(Template, Sexy.App, ModuleConfiguration, dataSource, Request.QueryString["type"] == "data" ? InstancePurposes.PublishData : InstancePurposes.WebView, Sexy);
engine.CustomizeData();
// Output JSON data if type=data in URL
if (Request.QueryString["type"] == "data")
{
if (dataSource.Publish.Enabled)
{
var publishedStreams = dataSource.Publish.Streams;
renderedTemplate = Sexy.GetJsonFromStreams(dataSource, publishedStreams.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries));
}
else
{
Response.StatusCode = 403;
var moduleTitle = new ModuleController().GetModule(ModuleId).ModuleTitle;
renderedTemplate = JsonConvert.SerializeObject(new { error = "2sxc Content (" + ModuleId + "): " + String.Format(LocalizeString("EnableDataPublishing.Text"), ModuleId, moduleTitle) });
Response.TrySkipIisCustomErrors = true;
}
Response.ContentType = "application/json";
}
else
{
renderedTemplate = engine.Render();
}
// If standalone is specified, output just the template without anything else
if (StandAlone)
{
Response.Clear();
Response.Write(renderedTemplate);
Response.Flush();
Response.SuppressContent = true;
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
else
phOutput.Controls.Add(new LiteralControl(renderedTemplate));
}
// Catch errors; log them
catch (Exception Ex)
{
ShowError(LocalizeString("TemplateError.Text") + ": " + HttpUtility.HtmlEncode(Ex.ToString()), pnlError, LocalizeString("TemplateError.Text"), false);
Exceptions.LogException(Ex);
}
}
