        /// <summary>
        /// Decides whether a file name carries an acceptable extension for upload.
        /// The name must first pass the CMS allow-list and must then not be on the
        /// known-risky list; both tests are delegated to <see cref="SecurityChecks"/>.
        /// </summary>
        /// <param name="fileName">File name (with extension) to inspect.</param>
        /// <param name="preparedException">
        /// Set to the not-allowed-file-type response when the name is rejected, otherwise null.
        /// </param>
        /// <returns>True when the extension passes both checks; false when it is rejected.</returns>
        public bool ExtensionIsOk(string fileName, out HttpResponseException preparedException)
        {
            // The allow-list is consulted first; the risky-list check only runs for allowed names.
            string rejectionReason = null;
            if (!SecurityChecks.IsAllowedDnnExtension(fileName))
            {
                rejectionReason = "Not in whitelisted CMS file types.";
            }
            else if (SecurityChecks.IsKnownRiskyExtension(fileName))
            {
                rejectionReason = "This is a known risky file type.";
            }

            if (rejectionReason == null)
            {
                preparedException = null;
                return true;
            }

            preparedException = Http.NotAllowedFileType(fileName, rejectionReason);
            return false;
        }
        /// <summary>
        /// Builds the secure state and runs the access checks up front, so that construction
        /// throws whenever the current user may not work with the files in question.
        /// </summary>
        /// <param name="sxcInstance">Instance passed to the base; its permission checkers decide what the user may do.</param>
        /// <param name="appId">App whose definition is looked up for the field.</param>
        /// <param name="contentType">Content type owning the field; when empty, no field-level file-type check is done.</param>
        /// <param name="field">Field the files belong to; when empty, no field-level file-type check is done.</param>
        /// <param name="guid">Item identifier that, together with <paramref name="field"/>, is passed to <c>PrepCore</c>.</param>
        /// <param name="usePortalRoot">True when the caller works on the portal root instead of an item folder.</param>
        /// <param name="log">Log passed to the base; results of the checks are written to <c>Log</c>.</param>
        /// <exception cref="HttpResponseException">
        /// Thrown when a restricted user may not access the root, when a restricted user lacks the
        /// features in <c>FeaturesForRestrictedUsers</c>, or when the field rejects this file type.
        /// </exception>
        public AdamSecureState(SxcInstance sxcInstance, int appId, string contentType, string field, Guid guid, bool usePortalRoot, Log log)
            : base(sxcInstance, appId, contentType, log)
        {
            // Field/guid only matter inside an item folder; on the portal root they are left unset.
            if (usePortalRoot == false)
            {
                Field = field;
                Guid = guid;
            }

            var primaryChecker = PermissionCheckers.First().Value;
            var mayWriteSomeFiles = primaryChecker.UserMay(GrantSets.WritePublished);

            // Site-wide file admin only counts when the grant came from the environment (global or instance).
            UserMayAdminSiteFiles = primaryChecker.GrantedBecause == ConditionType.EnvironmentGlobal
                                    || primaryChecker.GrantedBecause == ConditionType.EnvironmentInstance;

            // Which grant is relevant depends on where the caller is working.
            var relevantGrant = usePortalRoot ? UserMayAdminSiteFiles : mayWriteSomeFiles;
            UserIsRestricted = !relevantGrant;

            Log.Add($"AdamSecureState - field:{field}, guid:{guid}, adminSome:{mayWriteSomeFiles}, restricted:{UserIsRestricted}");

            // A restricted user must not reach the portal root at all.
            SecurityChecks.ThrowIfAccessingRootButNotAllowed(usePortalRoot, UserIsRestricted);

            Log.Add("check if feature enabled");
            var restrictedWithoutFeature = UserIsRestricted && !Feats.Enabled(FeaturesForRestrictedUsers);
            if (restrictedWithoutFeature)
            {
                throw Http.PermissionDenied(
                    $"low-permission users may not access this - {Feats.MsgMissingSome(FeaturesForRestrictedUsers)}");
            }

            PrepCore(App, guid, field, usePortalRoot);

            // Without both a content type and a field there is nothing to validate the file type against.
            var hasFieldDefinition = !string.IsNullOrEmpty(contentType) && !string.IsNullOrEmpty(field);
            if (hasFieldDefinition)
            {
                Attribute = Definition(appId, contentType, field);
                if (!FileTypeIsOkForThisField(out var rejection))
                {
                    throw rejection;
                }
            }
        }
 /// <summary>
 /// Tells whether the user may use <paramref name="path"/> as a destination.
 /// Despite the name, "super user" here means any user who is not restricted
 /// (<c>UserIsRestricted</c> is false); such users pass unconditionally. Restricted users
 /// pass only when the destination lies inside the item identified by <c>Guid</c>/<c>Field</c>,
 /// as judged by <see cref="SecurityChecks.DestinationIsInItem"/>.
 /// </summary>
 /// <param name="path">Destination path to check.</param>
 /// <param name="preparedException">
 /// Null for unrestricted users; for restricted users, whatever <c>DestinationIsInItem</c> assigns.
 /// </param>
 /// <returns>True when the destination is allowed for this user.</returns>
 public bool SuperUserOrAccessingItemFolder(string path, out HttpResponseException preparedException)
 {
     if (!UserIsRestricted)
     {
         preparedException = null;
         return true;
     }

     // Restricted users are confined to the item's own folder.
     return SecurityChecks.DestinationIsInItem(Guid, Field, path, out preparedException);
 }