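        /// <summary>
        /// Authorization check for a user editing their own record (presumably
        /// <paramref name="actor"/> and <paramref name="target"/> denote the same
        /// principal — the error texts say "yourself"). Decides which fields may be
        /// changed in self-service; the domain-admin branch is looser than the general one.
        /// </summary>
        /// <param name="actor">Identity performing the update.</param>
        /// <param name="update">Requested changes; its Changed* methods compare against <paramref name="target"/>.</param>
        /// <param name="target">Current state of the user being updated.</param>
        /// <returns>
        /// An <see cref="UpdateResult"/> with <c>IsError</c> set and a reason when the
        /// change is rejected, otherwise one with <c>Ok</c> set.
        /// </returns>
        private UpdateResult CheckSelfUpdate(IIdentity actor, UserUpdateInfo update, IUser target)
        {
            // Nobody may move themselves to another domain, whatever their role.
            if (update.ChangedDomain(target))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot change domain" };
            }

            if (Roles.IsInRole(actor, SecurityConst.ROLE_DOMAIN_ADMIN))
            {
                // A domain admin may not turn their own Active / Logable flag back on:
                // the flag is currently off on the target and the update changes it.
                if (update.ChangedActive(target) && !target.Active)
                {
                    return new UpdateResult { IsError = true, ErrorMessage = "cannot reactivate yourself" };
                }
                if (update.ChangedLogable(target) && !target.Logable)
                {
                    return new UpdateResult { IsError = true, ErrorMessage = "cannot reactivate logability" };
                }

                // NOTE(review): this early return lets a domain admin change their own
                // email, roles, groups, expiry and SECURE_ customs — the restrictions
                // below bind only non-domain-admin actors. Confirm that is the intended
                // trust boundary.
                return new UpdateResult { Ok = true };
            }

            // Ordinary users may edit their custom attributes unless the serialized form
            // mentions a SECURE_ entry. An ordinal, case-insensitive search keeps the
            // denylist independent of the thread's culture (the original ToUpper() was not).
            if (update.ChangedCustom(target) &&
                update.Custom.stringify().IndexOf("SECURE_", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot manage secure customs" };
            }

            // Identity-defining and privilege-bearing fields are off limits in self-service.
            if (update.ChangedEmail(target))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot change email" };
            }
            if (update.ChangedRoles(target))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot change roles" };
            }
            if (update.ChangedGroups(target))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot change groups" };
            }
            if (update.ChangedExpire(target))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot change expire" };
            }

            return new UpdateResult { Ok = true };
        }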
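        /// <summary>
        /// Checks that apply to every user update before the role-specific ones.
        /// Order matters: storage and actor preconditions first, then the admin and
        /// security-admin short-circuits, then the restrictions that bind only lesser actors.
        /// </summary>
        /// <param name="actor">Identity performing the update; must be an authenticated <see cref="Identity"/>.</param>
        /// <param name="update">Requested changes; its Changed* methods compare against <paramref name="target"/>.</param>
        /// <param name="target">Current state of the user being updated.</param>
        /// <returns>
        /// An error <see cref="UpdateResult"/> when the update is rejected, an <c>Ok</c>
        /// result when the actor is trusted enough that no further checks are needed,
        /// or <c>null</c> when this method has no objection and the caller continues
        /// with its own checks.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// The service was built without <c>Roles</c> or <c>Users</c>.
        /// </exception>
        private UpdateResult CheckCommons(IIdentity actor, UserUpdateInfo update, IUser target)
        {
            // Misconfiguration, not a bad request: surfaced as an exception so it cannot
            // be mistaken for a validation failure. Users is required but not read here.
            if (null == Roles)
            {
                throw new InvalidOperationException("cannot work without roles");
            }
            if (null == Users)
            {
                throw new InvalidOperationException("cannot work without users");
            }

            var id = actor as Identity;
            var u  = target as User;

            // A user backed by a source that cannot persist writes is read-only.
            if (null != u && null != u.UserSource)
            {
                var ws = u.UserSource as IWriteableUserSource;
                if (null == ws || !ws.WriteUsersEnabled)
                {
                    return new UpdateResult { IsError = true, ErrorMessage = "no storage" };
                }
            }

            if (null == id)
            {
                return new UpdateResult { IsError = true, ErrorMessage = "no actor" };
            }
            if (!id.IsAuthenticated)
            {
                return new UpdateResult { IsError = true, ErrorMessage = "not auth" };
            }

            // Full admins bypass everything below.
            if (id.IsAdmin)
            {
                return new UpdateResult { Ok = true };
            }

            #region Q543
            // >>> #Q-543 implementation ROLE_SECURITY_ADMIN can do anything except ADMIN and SECURITY_ADMIN management
            // Only flipping the IsAdmin flag is blocked here. NOTE(review): other edits to
            // a user that already IsAdmin are not rejected by this method — confirm a
            // caller covers that if "ADMIN management" is meant to include them.
            if (null != update.IsAdmin && update.IsAdmin != target.IsAdmin)
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot set admin" };
            }

            // NOTE(review): this match is case-sensitive (plain string.Contains), unlike the
            // SECURE_ checks further down; confirm role names are normalized upstream.
            if (update.ChangedRoles(target) &&
                update.Roles.Any(_ => _.Contains(SecurityConst.ROLE_SECURITY_ADMIN)))
            {
                return new UpdateResult { IsError = true, ErrorMessage = $"cannot manage {SecurityConst.ROLE_SECURITY_ADMIN} role" };
            }

            // Security admins are exempt from the remaining restrictions, including the
            // public-key, group and e-mail format checks.
            if (Roles.IsInRole(id, SecurityConst.ROLE_SECURITY_ADMIN))
            {
                return new UpdateResult { Ok = true };
            }
            #endregion

            // Any role or group whose name contains SECURE_ is reserved. An ordinal,
            // case-insensitive search keeps the denylist independent of the thread's
            // culture (the original ToUpper() was not).
            if (update.ChangedRoles(target) &&
                update.Roles.Any(_ => _.IndexOf("SECURE_", StringComparison.OrdinalIgnoreCase) >= 0))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot manage secure roles" };
            }
            if (update.ChangedGroups(target) &&
                update.Groups.Any(_ => _.IndexOf("SECURE_", StringComparison.OrdinalIgnoreCase) >= 0))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot manage secure groups" };
            }

            if (update.ChangedPublicKey(target))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot set public key" };
            }

            if (null != update.IsGroup)
            {
                return new UpdateResult { IsError = true, ErrorMessage = "cannot manage groups" };
            }

            // Coarse shape check only (local@domain.tld with a limited character set),
            // not an RFC 5322 validator. An empty/blank email is accepted here.
            const string emailPattern = @"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$";
            if (!string.IsNullOrWhiteSpace(update.Email) && !Regex.IsMatch(update.Email, emailPattern))
            {
                return new UpdateResult { IsError = true, ErrorMessage = "mailformed email" };
            }

            // No objection; the caller applies its own role-specific checks.
            return null;
        }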