public IEnumerable <Section> GetSections()
{
var sections = _sectionService.GetAllowedSections(Security.GetUserId().ResultOr(0));
var sectionModels = sections.Select(Mapper.Map <Section>).ToArray();
// this is a bit nasty since we'll be proxying via the app tree controller but we sort of have to do that
// since tree's by nature are controllers and require request contextual data
var appTreeController = new ApplicationTreeController(GlobalSettings, UmbracoContextAccessor, SqlContext, Services, AppCaches, Logger, RuntimeState, _treeService, _sectionService, Umbraco)
{
ControllerContext = ControllerContext
};
var dashboards = _dashboardService.GetDashboards(Security.CurrentUser);
//now we can add metadata for each section so that the UI knows if there's actually anything at all to render for
//a dashboard for a given section, then the UI can deal with it accordingly (i.e. redirect to the first tree)
foreach (var section in sectionModels)
{
var hasDashboards = dashboards.TryGetValue(section.Alias, out var dashboardsForSection) && dashboardsForSection.Any();
if (hasDashboards)
{
continue;
}
// get the first tree in the section and get its root node route path
var sectionRoot = appTreeController.GetApplicationTrees(section.Alias, null, null).Result;
section.RoutePath = GetRoutePathForFirstTree(sectionRoot);
}
return(sectionModels);
}
public static bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IAccessItem[] denyTypes, IAccessItem[] grantedTypes, IAccessItem[] grantedBySectionTypes)
{
var allowedSoFar = false;
// if there's no grantBySection or grant rules defined - we allow access so far and skip to checking deny rules
if (grantedBySectionTypes.Any() == false && grantedTypes.Any() == false)
{
allowedSoFar = true;
}
// else we check the rules and only allow if one matches
else
{
// check if this item has any grant-by-section arguments.
// if so check if the user has access to any of the sections approved, if so they will be allowed to see it (so far)
if (grantedBySectionTypes.Any())
{
var allowedApps = sectionService.GetAllowedSections(Convert.ToInt32(user.Id))
.Select(x => x.Alias)
.ToArray();
var allApprovedSections = grantedBySectionTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (allApprovedSections.Any(allowedApps.Contains))
{
allowedSoFar = true;
}
}
// if not already granted access, check if this item as any grant arguments.
// if so check if the user is in one of the user groups approved, if so they will be allowed to see it (so far)
if (allowedSoFar == false && grantedTypes.Any())
{
var allApprovedUserTypes = grantedTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
foreach (var userGroup in user.Groups)
{
if (allApprovedUserTypes.InvariantContains(userGroup.Alias))
{
allowedSoFar = true;
break;
}
}
}
}
// check if this item has any deny arguments, if so check if the user is in one of the denied user groups, if so they will
// be denied to see it no matter what
if (denyTypes.Any())
{
var allDeniedUserTypes = denyTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
foreach (var userGroup in user.Groups)
{
if (allDeniedUserTypes.InvariantContains(userGroup.Alias))
{
allowedSoFar = false;
break;
}
}
}
return(allowedSoFar);
}
public static bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IAccessItem[] denyTypes, IAccessItem[] grantedTypes, IAccessItem[] grantedBySectionTypes)
{
var allowedSoFar = false;
//Check if this item as any grant-by-section arguments, if so check if the user has access to any of the sections approved, if so they will
// be allowed to see it (so far)
if (grantedBySectionTypes.Any())
{
var allowedApps = sectionService.GetAllowedSections(Convert.ToInt32(user.Id))
.Select(x => x.Alias)
.ToArray();
var allApprovedSections = grantedBySectionTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (allApprovedSections.Any(allowedApps.Contains))
{
allowedSoFar = true;
}
}
//Check if this item as any grant arguments, if so check if the user is one of the user types approved, if so they will
// be allowed to see it (so far)
if (grantedTypes.Any())
{
var allApprovedUserTypes = grantedTypes.SelectMany(g => g.Value.Split(new[] {','}, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (allApprovedUserTypes.InvariantContains(user.UserType.Alias))
{
allowedSoFar = true;
}
}
else
{
//if there are not explicit grant types then everyone is allowed so far and we'll only disallow on a deny basis
allowedSoFar = true;
}
//Check if this item as any deny arguments, if so check if the user is one of the user types approved, if so they will
// be denied to see it no matter what
if (denyTypes.Any())
{
var allDeniedUserTypes = denyTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (allDeniedUserTypes.InvariantContains(user.UserType.Alias))
{
allowedSoFar = false;
}
}
return allowedSoFar;
}
public static bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IAccessItem[] denyTypes, IAccessItem[] grantedTypes, IAccessItem[] grantedBySectionTypes)
{
var allowedSoFar = false;
//Check if this item as any grant-by-section arguments, if so check if the user has access to any of the sections approved, if so they will
// be allowed to see it (so far)
if (grantedBySectionTypes.Any())
{
var allowedApps = sectionService.GetAllowedSections(Convert.ToInt32(user.Id))
.Select(x => x.Alias)
.ToArray();
var allApprovedSections = grantedBySectionTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (allApprovedSections.Any(allowedApps.Contains))
{
allowedSoFar = true;
}
}
//Check if this item as any grant arguments, if so check if the user is one of the user types approved, if so they will
// be allowed to see it (so far)
if (grantedTypes.Any())
{
var allApprovedUserTypes = grantedTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (allApprovedUserTypes.InvariantContains(user.UserType.Alias))
{
allowedSoFar = true;
}
}
else
{
//if there are not explicit grant types then everyone is allowed so far and we'll only disallow on a deny basis
allowedSoFar = true;
}
//Check if this item as any deny arguments, if so check if the user is one of the user types approved, if so they will
// be denied to see it no matter what
if (denyTypes.Any())
{
var allDeniedUserTypes = denyTypes.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (allDeniedUserTypes.InvariantContains(user.UserType.Alias))
{
allowedSoFar = false;
}
}
return(allowedSoFar);
}
public async Task <ActionResult <IEnumerable <Section> > > GetSections()
{
IEnumerable <ISection> sections =
_sectionService.GetAllowedSections(_backofficeSecurityAccessor.BackOfficeSecurity?.GetUserId().Result ?? 0);
Section[] sectionModels = sections.Select(_umbracoMapper.Map <Section>).WhereNotNull().ToArray();
// this is a bit nasty since we'll be proxying via the app tree controller but we sort of have to do that
// since tree's by nature are controllers and require request contextual data
var appTreeController =
new ApplicationTreeController(_treeService, _sectionService, _localizedTextService, _controllerFactory, _actionDescriptorCollectionProvider)
{
ControllerContext = ControllerContext
};
IDictionary <string, IEnumerable <Tab <IDashboard> > > dashboards =
_dashboardService.GetDashboards(_backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser);
//now we can add metadata for each section so that the UI knows if there's actually anything at all to render for
//a dashboard for a given section, then the UI can deal with it accordingly (i.e. redirect to the first tree)
foreach (Section?section in sectionModels)
{
var hasDashboards = section?.Alias is not null &&
dashboards.TryGetValue(section.Alias, out IEnumerable <Tab <IDashboard> >?dashboardsForSection) &&
dashboardsForSection.Any();
if (hasDashboards)
{
continue;
}
// get the first tree in the section and get its root node route path
ActionResult <TreeRootNode> sectionRoot =
await appTreeController.GetApplicationTrees(section?.Alias, null, null);
if (!(sectionRoot.Result is null))
{
return(sectionRoot.Result);
}
if (section is not null)
{
section.RoutePath = GetRoutePathForFirstTree(sectionRoot.Value !);
}
}
return(sectionModels);
}
private bool CheckUserAccessByRules(IUser user, ISectionService sectionService, IEnumerable <IAccessRule> rules)
{
if (user.Id == Constants.Security.SuperUserId)
{
return(true);
}
var(denyRules, grantRules, grantBySectionRules) = GroupRules(rules);
var hasAccess = true;
string[] assignedUserGroups = null;
// if there are no grant rules, then access is granted by default, unless denied
// otherwise, grant rules determine if access can be granted at all
if (grantBySectionRules.Length > 0 || grantRules.Length > 0)
{
hasAccess = false;
// check if this item has any grant-by-section arguments.
// if so check if the user has access to any of the sections approved, if so they will be allowed to see it (so far)
if (grantBySectionRules.Length > 0)
{
var allowedSections = sectionService.GetAllowedSections(user.Id).Select(x => x.Alias).ToArray();
var wantedSections = grantBySectionRules.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (wantedSections.Intersect(allowedSections).Any())
{
hasAccess = true;
}
}
// if not already granted access, check if this item as any grant arguments.
// if so check if the user is in one of the user groups approved, if so they will be allowed to see it (so far)
if (hasAccess == false && grantRules.Any())
{
assignedUserGroups = user.Groups.Select(x => x.Alias).ToArray();
var wantedUserGroups = grantRules.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (wantedUserGroups.Intersect(assignedUserGroups).Any())
{
hasAccess = true;
}
}
}
if (!hasAccess || denyRules.Length == 0)
{
return(true);
}
// check if this item has any deny arguments, if so check if the user is in one of the denied user groups, if so they will
// be denied to see it no matter what
assignedUserGroups = assignedUserGroups ?? user.Groups.Select(x => x.Alias).ToArray();
var deniedUserGroups = denyRules.SelectMany(g => g.Value.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)).ToArray();
if (deniedUserGroups.Intersect(assignedUserGroups).Any())
{
hasAccess = false;
}
return(hasAccess);
}
