public void SetSecurity(string id, bool enabled, params Guid[] subjects)
{
if (SettingsManager.Load <TenantAccessSettings>().Anyone)
{
throw new SecurityException("Security settings are disabled for an open portal");
}
var securityObj = WebItemSecurityObject.Create(id, WebItemManager);
// remove old aces
AuthorizationManager.RemoveAllAces(securityObj);
var allowToAll = new AzRecord(ASC.Core.Users.Constants.GroupEveryone.ID, Read.ID, AceType.Allow, securityObj);
AuthorizationManager.RemoveAce(allowToAll);
// set new aces
if (subjects == null || subjects.Length == 0 || subjects.Contains(ASC.Core.Users.Constants.GroupEveryone.ID))
{
if (!enabled && subjects != null && subjects.Length == 0)
{
// users from list with no users equals allow to all users
enabled = true;
}
subjects = new[] { ASC.Core.Users.Constants.GroupEveryone.ID };
}
foreach (var s in subjects)
{
var a = new AzRecord(s, Read.ID, enabled ? AceType.Allow : AceType.Deny, securityObj);
AuthorizationManager.AddAce(a);
}
WebItemSecurityCache.Publish(TenantManager.GetCurrentTenant().TenantId);
}
public void SetProductAdministrator(Guid productid, Guid userid, bool administrator)
{
if (productid == Guid.Empty)
{
productid = ASC.Core.Users.Constants.GroupAdmin.ID;
}
if (administrator)
{
if (UserManager.IsUserInGroup(userid, ASC.Core.Users.Constants.GroupVisitor.ID))
{
throw new SecurityException("Collaborator can not be an administrator");
}
if (productid == WebItemManager.PeopleProductID)
{
foreach (var ace in GetPeopleModuleActions(userid))
{
AuthorizationManager.AddAce(ace);
}
}
UserManager.AddUserIntoGroup(userid, productid);
}
else
{
if (productid == ASC.Core.Users.Constants.GroupAdmin.ID)
{
var groups = new List <Guid> {
WebItemManager.MailProductID
};
groups.AddRange(WebItemManager.GetItemsAll().OfType <IProduct>().Select(p => p.ID));
foreach (var id in groups)
{
UserManager.RemoveUserFromGroup(userid, id);
}
}
if (productid == ASC.Core.Users.Constants.GroupAdmin.ID || productid == WebItemManager.PeopleProductID)
{
foreach (var ace in GetPeopleModuleActions(userid))
{
AuthorizationManager.RemoveAce(ace);
}
}
UserManager.RemoveUserFromGroup(userid, productid);
}
WebItemSecurityCache.Publish(TenantManager.GetCurrentTenant().TenantId);
}
public WebItemSecurity(
UserManager userManager,
AuthContext authContext,
PermissionContext permissionContext,
AuthManager authentication,
WebItemManager webItemManager,
TenantManager tenantManager,
AuthorizationManager authorizationManager,
CoreBaseSettings coreBaseSettings,
WebItemSecurityCache webItemSecurityCache,
SettingsManager settingsManager)
{
UserManager = userManager;
AuthContext = authContext;
PermissionContext = permissionContext;
Authentication = authentication;
WebItemManager = webItemManager;
TenantManager = tenantManager;
AuthorizationManager = authorizationManager;
CoreBaseSettings = coreBaseSettings;
WebItemSecurityCache = webItemSecurityCache;
SettingsManager = settingsManager;
}
public bool IsAvailableForUser(Guid itemId, Guid @for)
{
var id = itemId.ToString();
var result = false;
var tenant = TenantManager.GetCurrentTenant();
var dic = WebItemSecurityCache.GetOrInsert(tenant.TenantId);
if (dic != null)
{
lock (dic)
{
if (dic.ContainsKey(id + @for))
{
return(dic[id + @for]);
}
}
}
// can read or administrator
var securityObj = WebItemSecurityObject.Create(id, WebItemManager);
if (CoreBaseSettings.Personal &&
securityObj.WebItemId != WebItemManager.DocumentsProductID)
{
// only files visible in your-docs portal
result = false;
}
else
{
var webitem = WebItemManager[securityObj.WebItemId];
if (webitem != null)
{
if ((webitem.ID == WebItemManager.CRMProductID ||
webitem.ID == WebItemManager.PeopleProductID ||
webitem.ID == WebItemManager.BirthdaysProductID ||
webitem.ID == WebItemManager.MailProductID) &&
UserManager.GetUsers(@for).IsVisitor(UserManager))
{
// hack: crm, people, birtthday and mail products not visible for collaborators
result = false;
}
else if ((webitem.ID == WebItemManager.CalendarProductID ||
webitem.ID == WebItemManager.TalkProductID) &&
UserManager.GetUsers(@for).IsOutsider(UserManager))
{
// hack: calendar and talk products not visible for outsider
result = false;
}
else if (webitem is IModule)
{
result = PermissionContext.PermissionResolver.Check(Authentication.GetAccountByID(tenant.TenantId, @for), securityObj, null, Read) &&
IsAvailableForUser(WebItemManager.GetParentItemID(webitem.ID), @for);
}
else
{
var hasUsers = AuthorizationManager.GetAces(Guid.Empty, Read.ID, securityObj).Any(a => a.SubjectId != ASC.Core.Users.Constants.GroupEveryone.ID);
result = PermissionContext.PermissionResolver.Check(Authentication.GetAccountByID(tenant.TenantId, @for), securityObj, null, Read) ||
(hasUsers && IsProductAdministrator(securityObj.WebItemId, @for));
}
}
else
{
result = false;
}
}
dic = WebItemSecurityCache.Get(tenant.TenantId);
if (dic != null)
{
lock (dic)
{
dic[id + @for] = result;
}
}
return(result);
}
