Example #1
        /// <summary>
        /// Points <paramref name="hyperlink"/> at the admin section page with the given id,
        /// appending <paramref name="querystring"/> verbatim to that page's URL.
        /// When no page has that id the link target becomes "#".
        /// </summary>
        /// <param name="adminSectionPageId">Id looked up through AdminNavigationManager.</param>
        /// <param name="querystring">Text appended unchanged to the page URL.</param>
        /// <param name="hyperlink">Control whose NavigateUrl is set.</param>
        public static void SetHyperLink(string adminSectionPageId, string querystring, HyperLink hyperlink)
        {
            AdminSectionPage page = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);

            if (page == null)
            {
                // Unknown page: render an inert anchor rather than a broken URL.
                hyperlink.NavigateUrl = "#";
                return;
            }

            // NOTE(review): querystring is concatenated without encoding, so callers are
            // expected to pass an already-encoded query rather than raw request input — confirm at call sites.
            hyperlink.NavigateUrl = string.Format("{0}{1}", page.Url, querystring);
        }
        /// <summary>
        /// Searches the AdminSectionPage and all its subpages for a page
        /// matching the specified url.  Returns page if found. Otherwise, null.
        /// </summary>
        /// <param name="page">Root of the subtree to search; its own Url is tested first.</param>
        /// <param name="url">Url to match, compared via StringUtils.IgnoreCaseCompare.</param>
        /// <returns>The first match in depth-first order, or null when nothing matches.</returns>
        private static AdminSectionPage Search(AdminSectionPage page, string url)
            // Match on this page first. The statement for this branch — presumably
            // "return page;" — is not present in this listing.
            // NOTE(review): this lookup feeds the admin authorisation check
            // (GetAdminSectionPageByUrl); confirm IgnoreCaseCompare is an ordinal comparison
            // so it agrees with the ToLower() normalisation done by the caller.
            if (StringUtils.IgnoreCaseCompare(page.Url, url))

            // Otherwise recurse into the subpages; Select is lazy, so siblings after the
            // first hit are never searched.
            return(page.Pages.Select(subPage => Search(subPage, url)).FirstOrDefault(p => p != null));
Example #3
        /// <summary>
        /// Points <paramref name="hyperlink"/> at the admin section page with the given id and
        /// hides it when the page is unknown or <paramref name="user"/>'s role may not access it
        /// (decided by SecurityManager.UserHasAccess).
        /// </summary>
        /// <param name="user">User whose access decides the link's Visible flag.</param>
        /// <param name="adminSectionPageId">Id looked up through AdminNavigationManager.</param>
        /// <param name="querystring">Text appended unchanged to the page URL.</param>
        /// <param name="hyperlink">Control whose Visible and NavigateUrl are set.</param>
        public static void SetHyperLink(User user, string adminSectionPageId, string querystring, HyperLink hyperlink)
            AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);

            // Unknown page id: hide the link rather than render a dead one.
            if (adminSectionPage == null)
                hyperlink.Visible = false;
            // (the "else" introducing the two lines below is missing from this listing)
            // Hiding the link is a UI convenience only; enforcement for the page itself is
            // expected from SecurityManager.UserHasAccess(User, Uri) on the request — confirm
            // that check runs for every admin request.
                hyperlink.Visible     = SecurityManager.UserHasAccess(user, adminSectionPage);
                hyperlink.NavigateUrl = string.Format("{0}{1}", adminSectionPage.Url, querystring);
        /// <summary>
        /// Checks if the user is in a role that has access to the requested page
        /// </summary>
        /// <param name="user">User to test; may be the "null user" (user.IsNull).</param>
        /// <param name="adminSectionPage">Page to test, or null.</param>
        /// <returns>True if the user's role may access the page.</returns>
        public static bool UserHasAccess(User user, AdminSectionPage adminSectionPage)
            // Null user: the result line for this branch — presumably "return false;" —
            // is not present in this listing.
            if (user.IsNull)

            // No page object at all: only a SuperAdministrator gets through.
            if (adminSectionPage == null)
                return(user.UserRole == UserRole.SuperAdministrator);

            // Engineer-only pages. The result line for this branch, and the remainder of the
            // method (presumably the UserRoleList check), are not present in this listing.
            if (adminSectionPage.RestrictToEngineers && !user.IsEngineer)

        /// <summary>
        /// Builds an admin section page from a &lt;Page&gt; configuration node: resolves the page
        /// URL, derives the roles allowed to reach it (falling back to the nearest ancestor that
        /// declares MinimumRole or AllowedRoles), and constructs the nested &lt;Page&gt; children.
        /// </summary>
        /// <param name="node">The &lt;Page&gt; element; must carry attributes.</param>
        /// <exception cref="SystemException">Thrown when <paramref name="node"/> has no attributes.</exception>
        public AdminSectionPage(XmlNode node) : base(node)
            // NOTE(review): throwing SystemException directly is discouraged; ArgumentException
            // is the conventional type for a bad argument.
            if (node.Attributes == null)
                throw new SystemException("Node does not have any attributes");

            // Get the page URL, using the ID if no URL is specified
            XmlNode urlNode = node.Attributes.GetNamedItem("Url");

            // Id is presumably set by the base constructor (not visible here);
            // an id "A.B.C" maps to "~/Admin/A/B/C.aspx".
            Url = (urlNode == null) ? string.Format("~/Admin/{0}.aspx", Id.Replace('.', '/')) : urlNode.Value;

            // Get the minimum role and/or allowed roles to access this page
            XmlNode minimumRoleNode  = node.Attributes.GetNamedItem("MinimumRole");
            XmlNode allowedRolesNode = node.Attributes.GetNamedItem(("AllowedRoles"));

            // If no minimum role or allowed roles are specified, then search through
            // the parents until we find this information.
            // Access therefore inherits downwards: a page with no role attributes of its own
            // is exactly as open as its nearest configured ancestor.
            if (minimumRoleNode == null && allowedRolesNode == null)
                // Get the parent node.  This will be another <Page> node or a <Section> node
                XmlNode parentNode = node.ParentNode;

                // The walk stops at the first ancestor without attributes (e.g. the document
                // node); both nodes then stay null and this page grants no roles of its own
                // (children may still contribute, see the end of the constructor).
                while (parentNode != null && parentNode.Attributes != null)
                    // Get the nodes
                    minimumRoleNode  = parentNode.Attributes.GetNamedItem("MinimumRole");
                    allowedRolesNode = parentNode.Attributes.GetNamedItem(("AllowedRoles"));

                    // Drop out if we found valid nodes.  Otherwise, keep searching upwards
                    // (the statement for this branch — presumably "break;" — is not in this listing)
                    if (minimumRoleNode != null || allowedRolesNode != null)

                    // Set parent to this parent and keep searching
                    parentNode = parentNode.ParentNode;

            // NOTE(review): as listed, this guard is "== null" yet the loop body reads
            // minimumRoleNode.Value, which would throw NullReferenceException; the AllowedRoles
            // branch below uses "!= null". "!= null" is almost certainly intended — verify
            // against the real source. minimumRoleId is also loop-invariant and could be
            // computed once before the loop.
            if (minimumRoleNode == null)
                // Every role whose numeric value is >= the minimum is granted (the add
                // statement — presumably UserRoleList.Add(userRole) — is not in this listing).
                // This makes the UserRole enum's numeric order a privilege order: inserting
                // or renumbering members changes which roles inherit access.
                foreach (UserRole userRole in Enum.GetValues(typeof(UserRole)))
                    int userRoleId    = (int)userRole;
                    int minimumRoleId = (int)EnumUtils.GetEnumFromValue <UserRole>(minimumRoleNode.Value);

                    if (userRoleId >= minimumRoleId)

            // Explicit AllowedRoles list, comma separated. Entries are not trimmed, and any
            // entry that maps to 0 (presumably an unrecognised name) is skipped silently, so
            // a misspelt role in the config quietly grants nothing instead of failing config
            // load — consider failing loudly for authorisation config.
            if (allowedRolesNode != null)
                string[] allowedRoles = allowedRolesNode.Value.Split(',');

                foreach (string role in allowedRoles)
                    UserRole userRole = EnumUtils.GetEnumFromValue <UserRole>(role);

                    // (the add statement for this branch is not in this listing)
                    if (userRole != 0 && !UserRoleList.Contains(userRole))

            // Child <Page> elements become nested pages (the Pages.Add call that presumably
            // follows the construction is not in this listing).
            XmlNodeList pages = node.SelectNodes("Page");

            if (pages != null)
                foreach (XmlNode pageNode in pages)
                    AdminSectionPage page = new AdminSectionPage(pageNode);

            // Add all user roles from children pages to this too
            // (Otherwise, this node won't show up in navigation
            // and the children won't be accessible).
            // (that loop is not present in this listing)
        /// <summary>
        /// Checks if the user has access to the requested path.
        /// This method is the 'big kahuna', and does various security checks.  It's main
        /// purpose is to ensure that the admin area pages are correctly restricted, and it
        /// ensures that upload users and brand admins cannot access entities to
        /// which their role does not have permission (ie. those outside their brand).
        /// </summary>
        /// <param name="user">The user requesting access</param>
        /// <param name="path">The path to which access is being requested</param>
        /// <returns>[True] if user can access path.  Otherwise [False].</returns>
        /// <exception cref="SecurityException">Thrown for a Normal-role user in the admin area,
        /// and for any role this method has no rule for.</exception>
        /// <exception cref="SystemException">Thrown when an admin path has no entry in AdminNavigation.Config.</exception>
        /// <remarks>
        /// Several single-statement branches (return/throw lines) are missing from this listing;
        /// the comments below say what each presumably does — verify against the real source.
        /// Matching is done on the lower-cased app-relative path. Entities resolved while checking
        /// the querystring are cached in HttpContext.Current.Items for the page to reuse.
        /// </remarks>
        public static bool UserHasAccess(User user, Uri path)
            // Turn the path into a relative one (eg. /AppVirtualDir/Admin/Default.aspx -> ~/Admin/Default.aspx)
            // NOTE(review): ToLower() is culture-sensitive; for an allow-list comparison use
            // ToLowerInvariant() so the result cannot depend on the thread culture (e.g. tr-TR "I").
            string relativePath = VirtualPathUtility.ToAppRelative(path.AbsolutePath).ToLower();

            // Always allow NeatUpload stuff through
            // (result line — presumably "return true;" — not in this listing; prefer
            // StartsWith(..., StringComparison.Ordinal) for path prefixes)
            if (relativePath.StartsWith("~/neatupload/"))

            // Login and registration pages open to all.  Admin homepage open to
            // any user belonging to any role greater than normal.
            switch (relativePath)
            case "~/login.aspx":
            case "~/register.aspx":
            case "~/changepassword.aspx":
            case "~/reactivate.aspx":
            case "~/viewcontactsheet.aspx":
            case "~/popups/termsconditions.aspx":
            case "~/popups/privacypolicy.aspx":
            // (the shared result for the cases above — presumably "return true;" — is not in this listing)

            case "~/admin/default.aspx":
                // Relies on UserRole's numeric order: anything above Normal counts as an admin-area role.
                return(user.UserRoleId > Convert.ToInt32(UserRole.Normal));

            // Allow access to non-existent pages so we can redirect to 404
            // NOTE(review): this runs before the user check, and File.Exists is false for
            // directories as well as for missing files, so a request that maps to a directory
            // (and is then served through a default document) would skip every check below.
            // Consider also testing Directory.Exists, or normalising such URLs first.
            // (result line — presumably "return true;" — not in this listing)
            if (!File.Exists(HttpContext.Current.Server.MapPath(relativePath)))

            // Everything from here on needs a user
            // (result line — presumably "return false;" — not in this listing)
            if (user.IsNull)

            // Ensure that the asset popup can only be viewed by authorised users
            if (relativePath.StartsWith("~/popups/assetinfo.aspx"))
                // -1 is both the default and the "absent" sentinel, so an explicit assetId of -1
                // bypasses this check; presumably harmless if Asset.Get(-1) yields IsNull
                // downstream, but worth confirming.
                int assetId = GetQuerystringValue(path.Query, "assetId", -1);

                if (assetId != -1)
                    Asset asset = Asset.Get(assetId);

                    // (deny line not in this listing; the "else" before Items.Add is also missing)
                    if (asset.IsNull || !EntitySecurityManager.CanViewAssetInfo(user, asset))

                    // Cache for the page. HttpContext.Items.Add throws ArgumentException when the
                    // key already exists; use the indexer if this can run more than once per request.
                    HttpContext.Current.Items.Add("Asset", asset);

            if (relativePath.StartsWith("~/admin/"))
                // Get the admin section page by the URL
                AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageByUrl(relativePath);

                // Ensure that we found it in the admin page list
                // Fails closed, but embeds the request path in the message: make sure detailed
                // errors are not rendered to clients. A SecurityException would also be the more
                // specific type, so that callers handling SecurityException treat it uniformly.
                if (adminSectionPage == null)
                    throw new SystemException(string.Format("Unknown admin page: '{0}'. Please check AdminNavigation.Config", relativePath));

                // Ensure that the page being accessed is available to the user role.
                // No point continuing if their role is too weak
                // (deny line not in this listing; note that RestrictToEngineers, which the
                // (User, AdminSectionPage) overload checks, is not consulted on this path as listed)
                if (!adminSectionPage.UserRoleList.Contains(user.UserRole))

                // Do role specific processing, as some roles can access pages, but
                // only when editing certain entities - ie. a Brand Admin can
                // access the user pages, but only when managing users from their own
                // brand.  Here, we check the querystring for values, get the
                // matching entity, and then ensure that it's from the same BU as
                // the requesting user.

                // (result line — presumably "return true;" — not in this listing)
                if (user.UserRole == UserRole.SuperAdministrator)

                if (user.UserRole == UserRole.Normal)
                    throw new SecurityException("Access to admin area denied");

                if (GeneralUtils.ValueIsInList(user.UserRole, UserRole.BrandAdministrator, UserRole.UploadUser))
                    // Assume page is okay, as querystring might be blank
                    bool ok = true;

                    // Check for user ID, and if it exists, ensure the user
                    // can be accessed by the requesting user
                    int userId = GetQuerystringValue(path.Query, "userId", -1);
                    if (userId != -1)
                        User u = User.Get(userId);
                        // BUG(review): this tests the requester (user.IsNull, already known to be
                        // false from the check above) instead of the looked-up user "u"; the asset
                        // and workflow checks below test the fetched entity. Should read
                        // "u.IsNull || ...", otherwise a non-existent userId reaches CanManageUser
                        // with a null user. (the "else" before Items.Add is missing from this listing)
                        if (user.IsNull || !EntitySecurityManager.CanManageUser(user, u))
                            ok = false;
                            HttpContext.Current.Items.Add("User", u);

                    // Check for asset Id, and if it exists, ensure the
                    // asset can be accessed by the requesting user
                    if (ok)
                        int assetId = GetQuerystringValue(path.Query, "assetId", -1);
                        if (assetId != -1)
                            Asset asset = Asset.Get(assetId);
                            // (the "else" before Items.Add is missing from this listing)
                            if (asset.IsNull || !EntitySecurityManager.CanManageAsset(user, asset))
                                ok = false;
                                HttpContext.Current.Items.Add("Asset", asset);

                    // Check for AssetWorkflowId, and if it exists, ensure the
                    // AssetWorkflow can be accessed by the requesting user
                    if (ok)
                        int assetWorkflowId = GetQuerystringValue(path.Query, "assetWorkflowId", -1);
                        if (assetWorkflowId != -1)
                            AssetWorkflow assetWorkflow = AssetWorkflow.Get(assetWorkflowId);
                            // (the "else" before Items.Add is missing from this listing)
                            if (assetWorkflow.IsNull || !EntitySecurityManager.CanParticipateInAssetWorkflow(user, assetWorkflow))
                                ok = false;
                                HttpContext.Current.Items.Add("AssetWorkflow", assetWorkflow);

                // (the "return ok;" that presumably closes the block above is not in this listing)

                // Any other role has no rule here: fail closed rather than allow.
                // The end of the method (result for non-admin paths) is not in this listing.
                throw new SecurityException("Unable to check permissions for user role: " + user.UserRole);
