/// <summary>
/// Aggregates the given permissions for the current user on the current content into one value:
/// Denied when any passed permission is denied; otherwise Undefined when any passed permission is
/// undefined; Allowed only when every passed permission is allowed.
/// </summary>
/// <param name="permissionTypes">The permissions to aggregate. Cannot be null. An empty set means "allowed nothing".</param>
/// <returns>The aggregated <see cref="PermissionValue"/> reported by the security handler for the current content.</returns>
public PermissionValue GetPermission(params PermissionType[] permissionTypes)
    => _securityHandler.GetPermission(_node, permissionTypes);
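/// <summary>
/// Authorizes the current request against the content it targets and the current action.
/// Visitors on WebDAV or Office protocol requests are challenged with basic authentication when they
/// cannot See the content. When the requested resource exists in the repository, the action permission
/// (Forms: checked, Windows: asserted) and the Open permission on the content (adjusted for document
/// preview images and OData member requests on the portal root) are evaluated; if either fails the
/// request ends with 403 (authenticated Forms user), a login-page redirect (anonymous Forms user,
/// except WebDAV/Office requests) or a generic deny (any other mode). OData requests are rejected with
/// a Forbidden response before the mode-specific handling.
/// </summary>
/// <param name="context">The HTTP context of the request. May be null; then only the visitor check (which needs a user from the context) can run and the method returns.</param>
/// <exception cref="NotSupportedException">Thrown when the resolved authentication mode is neither "Forms" nor "Windows".</exception>
internal void AuthorizeRequest(HttpContext context)
{
    var portalContext = PortalContext.Current;
    if (portalContext == null)
    {
        return;
    }

    // WebDAV/Office clients cannot render a login page: a visitor without See access on the content
    // is challenged with basic authentication instead so the client can present real credentials.
    var currentUser = context?.User.Identity as User;
    if (currentUser != null
        && currentUser.Id == Identifiers.VisitorUserId
        && (portalContext.IsOfficeProtocolRequest || portalContext.IsWebdavRequest))
    {
        var canSee = portalContext.IsRequestedResourceExistInRepository
            && portalContext.ContextNodeHead != null
            && SecurityHandler.HasPermission(portalContext.ContextNodeHead, PermissionType.See);
        if (!canSee)
        {
            // currentUser came from context, so context is non-null here: use it rather than the ambient HttpContext.Current.
            // NOTE(review): ForceBasicAuthentication is assumed to end the response; if it returns, processing continues below — confirm.
            AuthenticationHelper.ForceBasicAuthentication(context);
        }
    }

    if (context == null || !portalContext.IsRequestedResourceExistInRepository)
    {
        return;
    }

    var authMode = ResolveAuthenticationMode(portalContext);
    var appPerm = CheckApplicationPermission(portalContext, authMode);

    var nodeHead = NodeHead.Get(portalContext.RepositoryPath);
    var permissionValue = ResolveContentPermission(portalContext, nodeHead, appPerm);

    if (permissionValue == PermissionValue.Allowed && appPerm)
    {
        return;
    }

    if (portalContext.IsOdataRequest)
    {
        AuthenticationHelper.ThrowForbidden();
    }

    switch (authMode)
    {
        case "Forms":
            if (User.Current.IsAuthenticated)
            {
                // Authenticated but not permitted: 403, no redirect.
                context.Response.StatusCode = 403;
                context.Response.Flush();
                context.Response.Close();
            }
            else if (!portalContext.IsWebdavRequest && !portalContext.IsOfficeProtocolRequest)
            {
                // Anonymous and the visitor has no permission: redirect to the login page.
                // WebDAV and Office protocol requests are left to their own authentication; a login page makes no sense for them.
                RedirectToLoginPage(context, portalContext);
            }
            break;
        default:
            AuthenticationHelper.DenyAccess(context);
            break;
    }
}

/// <summary>Returns the portal context's authentication mode, or the application default when it is unset.</summary>
/// <param name="portalContext">The current portal context.</param>
/// <returns>The effective authentication mode string.</returns>
private static string ResolveAuthenticationMode(PortalContext portalContext)
{
    var authMode = portalContext.AuthenticationMode;
    return string.IsNullOrEmpty(authMode) ? WebApplication.DefaultAuthenticationMode : authMode;
}

/// <summary>
/// Evaluates the current action's permission for the given authentication mode:
/// "Forms" returns the check result, "Windows" asserts the permission (AssertPermissions is relied on to
/// fail by throwing, so true is returned afterwards).
/// </summary>
/// <param name="portalContext">The current portal context whose CurrentAction is checked.</param>
/// <param name="authMode">The effective authentication mode.</param>
/// <returns>True when the action is permitted in the given mode.</returns>
/// <exception cref="NotSupportedException">Thrown for any mode other than "Forms" or "Windows" (including "None" and null).</exception>
private static bool CheckApplicationPermission(PortalContext portalContext, string authMode)
{
    switch (authMode)
    {
        case "Forms":
            return portalContext.CurrentAction.CheckPermission();
        case "Windows":
            portalContext.CurrentAction.AssertPermissions();
            return true;
        default:
            throw new NotSupportedException("None authentication is not supported");
    }
}

/// <summary>
/// Computes the effective permission on the requested content: the Open permission, adjusted for
/// document preview images (denied when the preview is not accessible to the user; allowed through
/// the preview permission when Open is missing but the action is permitted) and for OData member
/// requests on the portal root (allowed without Open on the root).
/// </summary>
/// <param name="portalContext">The current portal context.</param>
/// <param name="nodeHead">The head of the requested content.</param>
/// <param name="appPerm">Whether the current action's permission check passed.</param>
/// <returns>The effective <see cref="PermissionValue"/> for the request.</returns>
private static PermissionValue ResolveContentPermission(PortalContext portalContext, NodeHead nodeHead, bool appPerm)
{
    var previewProvider = DocumentPreviewProvider.Current;
    var permissionValue = SecurityHandler.GetPermission(nodeHead, PermissionType.Open);

    if (permissionValue == PermissionValue.Allowed && previewProvider.IsPreviewOrThumbnailImage(nodeHead))
    {
        // Preview images must belong to a content version the user may access (e.g. no minor-version
        // previews for a user who only has access to major versions).
        if (!previewProvider.IsPreviewAccessible(nodeHead))
        {
            permissionValue = PermissionValue.Denied;
        }
    }
    else if (permissionValue != PermissionValue.Allowed && appPerm && previewProvider.HasPreviewPermission(nodeHead))
    {
        // Open is missing, but the preview provider grants preview access: let the request through.
        permissionValue = PermissionValue.Allowed;
    }

    // OData member requests on the portal root are allowed even without Open permission on the root.
    if (permissionValue != PermissionValue.Allowed
        && nodeHead.Id == Identifiers.PortalRootId
        && portalContext.IsOdataRequest
        && portalContext.ODataRequest.IsMemberRequest)
    {
        permissionValue = PermissionValue.Allowed;
    }

    return permissionValue;
}

/// <summary>
/// Redirects an anonymous Forms-mode request to the login page, passing the requested URI as the
/// OriginalUrl query parameter. No redirect is issued when the request already targets the login page.
/// </summary>
/// <param name="context">The HTTP context whose response is redirected.</param>
/// <param name="portalContext">The current portal context providing the login page and requested URI.</param>
private static void RedirectToLoginPage(HttpContext context, PortalContext portalContext)
{
    // Login page URL (e.g. http://localhost:1315/home/login), normalized to a trailing slash.
    var loginPageUrl = portalContext.GetLoginPageUrl();
    if (loginPageUrl != null && !loginPageUrl.EndsWith("/", StringComparison.Ordinal))
    {
        loginPageUrl += "/";
    }

    // Requested URL without its query string (e.g. drop ?Param1=value1&Param2=value2), normalized the
    // same way so the comparison with the login page URL is stable.
    var requestedUri = portalContext.RequestedUri;
    var currentUrl = requestedUri.GetComponents(
        UriComponents.Scheme | UriComponents.Host | UriComponents.Port | UriComponents.Path,
        UriFormat.Unescaped);
    if (!currentUrl.EndsWith("/", StringComparison.Ordinal))
    {
        currentUrl += "/";
    }

    // NOTE(review): when no login page is configured (loginPageUrl == null) this redirects to
    // "?OriginalUrl=..." on the current path; confirm that is intended rather than denying access.
    if (currentUrl != loginPageUrl)
    {
        // OriginalUrl is the client-supplied absolute URL; presumably the login page redirects back to it,
        // in which case the login page must validate it before following it.
        var encodedOriginalUrl = System.Web.HttpUtility.UrlEncode(requestedUri.ToString());
        context.Response.Redirect(loginPageUrl + "?OriginalUrl=" + encodedOriginalUrl, true);
    }
}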
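/// <summary>
/// Application-level AuthorizeRequest event handler. When the requested resource exists in the
/// repository it resolves the authentication mode, evaluates the current action's permission
/// (Forms: checked, Windows: asserted) and the Open permission on the content; if either fails the
/// request ends with 403 (authenticated Forms user), a login-page redirect (anonymous Forms user) or a
/// generic deny (any other mode).
/// </summary>
/// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
/// <param name="e">Unused event arguments.</param>
/// <exception cref="ArgumentException">Thrown when <paramref name="sender"/> is not an <see cref="HttpApplication"/>.</exception>
/// <exception cref="NotSupportedException">Thrown when the resolved authentication mode is neither "Forms" nor "Windows".</exception>
void OnAuthorizeRequest(object sender, EventArgs e)
{
    var portalContext = PortalContext.Current;
    if (portalContext == null || !portalContext.IsRequestedResourceExistInRepository)
    {
        return;
    }

    var authMode = portalContext.AuthenticationMode;
    // Install time: no site yet. NOTE(review): "None" is rejected below with NotSupportedException,
    // so an unset mode without a site always throws here — confirm that is intended.
    if (string.IsNullOrEmpty(authMode) && portalContext.Site == null)
    {
        authMode = "None";
    }
    if (string.IsNullOrEmpty(authMode))
    {
        authMode = WebConfigurationManager.AppSettings["DefaultAuthenticationMode"];
    }

    bool appPerm;
    switch (authMode)
    {
        case "Forms":
            appPerm = portalContext.CurrentAction.CheckPermission();
            break;
        case "Windows":
            // AssertPermissions is relied on to fail by throwing, so the action counts as permitted here.
            portalContext.CurrentAction.AssertPermissions();
            appPerm = true;
            break;
        default:
            throw new NotSupportedException("None authentication is not supported");
    }

    // Fail loudly rather than with a NullReferenceException when wired to the wrong sender.
    var application = sender as HttpApplication;
    if (application == null)
    {
        throw new ArgumentException("The sender must be an HttpApplication.", nameof(sender));
    }

    var nodeHead = NodeHead.Get(portalContext.RepositoryPath);
    var permissionValue = SecurityHandler.GetPermission(nodeHead, PermissionType.Open);
    // NOTE(review): the sibling AuthorizeRequest compares against PermissionValue.Allowed; confirm which
    // member this version of PermissionValue defines.
    if (permissionValue == PermissionValue.Allow && appPerm)
    {
        return;
    }

    switch (authMode)
    {
        case "Forms":
            if (User.Current.IsAuthenticated)
            {
                // Authenticated but not permitted: 403, no redirect.
                application.Context.Response.StatusCode = 403;
                application.Context.Response.Flush();
                application.Context.Response.Close();
            }
            else
            {
                // Anonymous and the visitor has no permission: redirect to the login page.
                // Login page URL (e.g. http://localhost:1315/home/login), normalized to a trailing slash.
                var loginPageUrl = portalContext.GetLoginPageUrl();
                if (loginPageUrl != null && !loginPageUrl.EndsWith("/", StringComparison.Ordinal))
                {
                    loginPageUrl += "/";
                }

                // Requested URL without its query string (e.g. drop ?Param1=value1&Param2=value2),
                // normalized the same way so the comparison with the login page URL is stable.
                var originalUri = portalContext.OriginalUri;
                var currentUrl = originalUri.GetComponents(
                    UriComponents.Scheme | UriComponents.Host | UriComponents.Port | UriComponents.Path,
                    UriFormat.Unescaped);
                if (!currentUrl.EndsWith("/", StringComparison.Ordinal))
                {
                    currentUrl += "/";
                }

                // NOTE(review): when no login page is configured (loginPageUrl == null) this redirects to
                // "?OriginalUrl=..." on the current path; confirm that is intended rather than denying access.
                if (currentUrl != loginPageUrl)
                {
                    // OriginalUrl is the client-supplied absolute URL; presumably the login page redirects
                    // back to it, in which case the login page must validate it before following it.
                    var encodedOriginalUrl = System.Web.HttpUtility.UrlEncode(originalUri.ToString());
                    application.Context.Response.Redirect(loginPageUrl + "?OriginalUrl=" + encodedOriginalUrl, true);
                }
            }
            break;
        default:
            AuthenticationHelper.DenyAccess(application);
            break;
    }
}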