/// <summary>
/// Returns a tuple with an action result and the thread with the id specified if valid.
/// if security check failed the action result will be set to the action to redirect to, otherwise it will return null.
/// </summary>
/// <param name="threadId">the threadid to check security for</param>
/// <returns></returns>
private async Task<(ActionResult redirectResult, ThreadEntity thread)> PerformSecurityCheckAsync(int threadId)
{
var thread = await ThreadGuiHelper.GetThreadAsync(threadId);
if(thread == null)
{
// not found, return to start page
return (RedirectToAction("Index", "Home"), null);
}
// Check credentials
bool userHasAccess = this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.AccessForum);
if(!userHasAccess)
{
// doesn't have access to this forum. redirect
return (RedirectToAction("Index", "Home"), null);
}
// check if the user can view this thread. If not, don't continue.
if(thread.StartedByUserID != this.HttpContext.Session.GetUserID() &&
!this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.ViewNormalThreadsStartedByOthers) &&
!thread.IsSticky)
{
// can't view this thread, it isn't visible to the user
return (RedirectToAction("Index", "Home"), null);
}
if(!this.HttpContext.Session.HasSystemActionRight(ActionRights.QueueContentManagement))
{
return (RedirectToAction("Index", "Home"), null);
}
// All ok
return (null, thread);
}
public async Task <ActionResult> Delete(int id = 0)
{
if (this.HttpContext.Session.IsAnonymousUser())
{
return(RedirectToAction("Index", "Home"));
}
var message = await MessageGuiHelper.GetMessageAsync(id);
if (message == null)
{
return(RedirectToAction("Index", "Home"));
}
var thread = await ThreadGuiHelper.GetThreadAsync(message.ThreadID);
if (thread == null)
{
return(RedirectToAction("Index", "Home"));
}
// Only delete if the message isn't the first in the thread (as that's not allowed), and whether the user is allowed to delete messages in that forum at all.
var messageIsFirstInThread = await ThreadGuiHelper.CheckIfMessageIsFirstInThreadAsync(thread.ThreadID, id);
if (!messageIsFirstInThread && this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.EditDeleteOtherUsersMessages))
{
await MessageManager.DeleteMessageAsync(id, thread.ThreadID);
}
return(RedirectToAction("Index", "Thread", new { threadId = thread.ThreadID, pageNo = 1 }));
}
/// <summary>
/// Performs the basic security check for the logged in user if that user has any access rights to this thread at all. It doesn't check specific thread actions.
/// </summary>
/// <param name="threadId">the thread id</param>
/// <param name="allowAnonymous">if set to true, anonymous users are allowed, otherwise they're denied access</param>
/// <returns>A tuple with a redirectaction and the thread of the threadId specified.
/// The redirectaction is set to an action result to redirect to if the current user shouldn't be here, otherwise null</returns>
private async Task <(ActionResult redirectResult, ThreadEntity thread)> PerformSecurityCheckAsync(int threadId, bool allowAnonymous)
{
var thread = await ThreadGuiHelper.GetThreadAsync(threadId);
if (thread == null || !allowAnonymous && this.HttpContext.Session.IsAnonymousUser() ||
!this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.AccessForum))
{
return(RedirectToAction("Index", "Home"), null);
}
// check if the user can view this thread. If not, don't continue.
if ((thread.StartedByUserID != this.HttpContext.Session.GetUserID()) &&
!this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.ViewNormalThreadsStartedByOthers) &&
!thread.IsSticky)
{
return(RedirectToAction("Index", "Home"), null);
}
// All OK
return(null, thread);
}
private async Task <(bool userMayAddMessages, ThreadEntity thread)> PerformAddMessageSecurityChecksAsync(int threadId)
{
if (this.HttpContext.Session.IsAnonymousUser())
{
return(false, null);
}
var thread = await ThreadGuiHelper.GetThreadAsync(threadId);
if (thread == null)
{
return(false, null);
}
if (!this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.AccessForum))
{
return(false, null);
}
var userMayAddMessages = false;
if (!thread.IsClosed)
{
userMayAddMessages = this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID,
thread.IsSticky
? ActionRights.AddAndEditMessageInSticky
: ActionRights.AddAndEditMessage);
}
// check if the user can view the thread the message is in. If not, don't continue.
if (thread.StartedByUserID != this.HttpContext.Session.GetUserID() &&
!this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.ViewNormalThreadsStartedByOthers))
{
// can't edit this message, it's in a thread which isn't visible to the user
userMayAddMessages = false;
}
return(userMayAddMessages, thread);
}
