public static XDoc GetCommentXmlAsAtom(IList <CommentBE> comments, XUri feedUri, PageBE page)
{
var resources = DekiContext.Current.Resources;
string title = resources.Localize(DekiResources.COMMENT_FOR(page.Title.AsUserFriendlyName()));
XAtomFeed feed = new XAtomFeed(title, feedUri, DateTime.UtcNow);
feed.AddLink(PageBL.GetUriUi(page), XAtomBase.LinkRelation.Alternate, MimeType.XHTML, null, page.Title.AsUserFriendlyName());
feed.Id = feedUri;
foreach (CommentBE c in comments)
{
UserBE posterUser = UserBL.GetUserById(c.PosterUserId);
title = c.Title;
if (string.IsNullOrEmpty(title))
{
title = resources.Localize(DekiResources.COMMENT_BY_TO(posterUser.Name, page.Title.AsUserFriendlyName()));
}
XAtomEntry entry = feed.StartEntry(title, c.CreateDate, (c.LastEditDate == null || c.LastEditDate == DateTime.MinValue) ? c.CreateDate : c.LastEditDate.Value);
entry.Id = GetUri(c);
entry.AddAuthor(posterUser.Name, UserBL.GetUriUiHomePage(posterUser), posterUser.Email);
MimeType commentMimetype;
MimeType.TryParse(c.ContentMimeType, out commentMimetype);
entry.AddContent(c.Content);
XUri entryLink = PageBL.GetUriUi(page).WithFragment("comment" + c.Number);
entry.AddLink(entryLink, XAtomBase.LinkRelation.Alternate, null, null, null);
entry.AddLink(GetUri(c).At("content"), XAtomBase.LinkRelation.Enclosure, commentMimetype, c.Content.Length, "content");
feed.End();
}
return(feed);
}
private static XDoc AppendBanXml(XDoc doc, BanBE ban)
{
UserBE createdBy = UserBL.GetUserById(ban.ByUserId);
doc.Attr("id", ban.Id);
doc.Attr("href", DekiContext.Current.ApiUri.At("site", "bans", ban.Id.ToString()));
if (createdBy != null)
{
doc.Add(UserBL.GetUserXml(createdBy, "createdby", Utils.ShowPrivateUserInfo(createdBy)));
}
doc.Elem("date.modified", ban.LastEdit);
doc.Elem("description", ban.Reason);
doc.Elem("date.expires", ban.Expires);
doc.Add(PermissionsBL.GetPermissionXml(ban.RevokeMask, "revoked"));
doc.Start("ban.addresses");
if (ban.BanAddresses != null)
{
foreach (string address in ban.BanAddresses)
{
doc.Elem("address", address);
}
}
doc.End();
doc.Start("ban.users");
if (ban.BanUserIds != null)
{
var banUsers = DbUtils.CurrentSession.Users_GetByIds(ban.BanUserIds);
foreach (UserBE u in banUsers)
{
doc.Add(UserBL.GetUserXml(u, null, Utils.ShowPrivateUserInfo(createdBy)));
}
}
doc.End();
return(doc);
}
public static UserBE CreateNewUser(UserBE newUser)
{
if (newUser == null)
{
return(null);
}
//throw exception if licensing does not allow creation of another user
DekiContext.Current.LicenseManager.IsUserCreationAllowed(true);
if (newUser.RoleId == 0)
{
RoleBE defaultRole = PermissionsBL.RetrieveDefaultRoleForNewAccounts();
if (defaultRole != null)
{
newUser.RoleId = defaultRole.ID;
}
}
ValidateUser(newUser);
newUser.CreateTimestamp = DateTime.UtcNow;
uint userId = DbUtils.CurrentSession.Users_Insert(newUser);
if (userId == 0)
{
return(null);
}
newUser.ID = userId;
PageBE userHomepage = null;
try {
// User homepages are created upon user creation (an attempt to create user homepages may also be done upon login)
userHomepage = PageBL.CreateUserHomePage(newUser);
} catch (Exception e) {
_log.WarnExceptionFormat(e, "Error creating user page for {0}", newUser);
}
if (userHomepage != null)
{
var rcUser = UserBL.GetUserById(userHomepage.UserID) ?? DekiContext.Current.User ?? newUser;
RecentChangeBL.AddUserCreatedRecentChange(DekiContext.Current.Now, userHomepage, rcUser, DekiResources.USER_ADDED(newUser.Name));
}
DekiContext.Current.Instance.EventSink.UserCreate(DekiContext.Current.Now, newUser);
return(newUser);
}
private static UserBE ValidateAuthToken(string authToken, bool impersonationOnly)
{
var context = DekiContext.Current;
var token = ParseToken(authToken);
var instance = context.Instance;
if (token == null)
{
return(null);
}
UserBE user;
if (token.IsImpersonationToken)
{
if (ValidateImpersonationToken(context, token))
{
user = string.IsNullOrEmpty(token.Username) ? UserBL.GetUserById(token.UserId) : UserBL.GetUserByName(token.Username);
instance.Log.InfoFormat("APIKEY impersonation token provided. Impersonating user '{0}' ({1})", user.Name, user.ID);
return(user);
}
return(null);
}
// only allowing impersonation tokens?
if (impersonationOnly)
{
return(null);
}
// check timestamp
if (token.Timestamp < DateTime.UtcNow.Subtract(instance.AuthCookieExpirationTime) && instance.AuthCookieExpirationTime.TotalSeconds > 0)
{
return(null);
}
// retrieve associated user object
user = UserBL.GetUserById(token.UserId);
if (user == null)
{
return(null);
}
// TODO Max: Consider logging this as an intrusion attempt.
return(authToken == CreateAuthTokenForUser(user, token.Timestamp) ? user : null);
}
public static XDoc GetArchivePageXml(uint pageid)
{
XDoc ret = XDoc.Empty;
ArchiveBE page = DbUtils.CurrentSession.Archive_GetPageHeadById(pageid);
if (page == null)
{
throw new PageArchiveLogicNotFoundException(pageid);
}
//Retrieve metadata about the deletion to populate page info
TransactionBE t = DbUtils.CurrentSession.Transactions_GetById(page.TransactionId);
DateTime deleteTs = DateTime.MinValue;
UserBE deletedBy = null;
if (t != null)
{
deletedBy = UserBL.GetUserById(t.UserId);
deleteTs = t.TimeStamp;
}
return(GetArchivePageXml(ret, page, deletedBy, deleteTs));
}
//--- Class Methods ---
public static UserBE Authenticate(DreamContext context, DreamMessage request, uint serviceId, bool autoCreateExternalUser, bool allowAnon, out bool altPassword)
{
UserBE user = null;
altPassword = false;
// Case 1: username/fullname, password, provider (login window)
// 1. Validate & retrieve fullname using credentials
// Failed -> return null
// 2. Populate user object
// A. Populates user info
// B. Populates group info in user object
// 3. Does fullname exist?
// Yes -> Update user (email, fullname, ...)
// No -> Create user
// 4. Update Group information
// 5. return user object
//
// Case 2: fullname, password (http, api, ...)
// 1. Lookup full name, exist?
// Yes -> return user
// No -> return null
//
// Case 3: auth-token (header auth)
// 0. Valid auth token?
// No -> return null
// 1. Lookup user by name
// Found -> return user
// Else -> return null
string userName = null;
string password = null;
UserBE userFromToken = null;
ServiceBE authService = null;
// Extract authtoken and impersonation authtoken from request.
// AllowAnon is false when in GET/POST: users/authenticate or when ?authenticate=true.
// Standard user authtokens are ignored when AllowAnon=false but impersonation tokens are accepted.
bool impersonationOnly = !allowAnon;
userFromToken = UserFromAuthTokenInRequest(context, impersonationOnly);
if (userFromToken == null)
{
HttpUtil.GetAuthentication(context.Uri.ToUri(), request.Headers, out userName, out password);
}
// check if we need to retrieve authentication service information
if (serviceId > 0)
{
authService = ServiceBL.GetServiceById(serviceId);
if (authService == null)
{
throw new AuthServiceIdInvalidArgumentException(serviceId);
}
if (authService.Type != ServiceType.AUTH)
{
throw new AuthNotAnAuthServiceInvalidArgumentException(serviceId);
}
}
// check if a username was provided
if (!string.IsNullOrEmpty(userName))
{
//Case 2: Given username + password
if (authService == null)
{
//Assuming local user or existing external account
user = DbUtils.CurrentSession.Users_GetByName(userName);
if (user != null)
{
serviceId = user.ServiceId;
authService = ServiceBL.GetServiceById(serviceId);
}
else
{
LoginAccessDenied(context, request, userName, null, password);
}
}
if (authService == null)
{
throw new AuthServiceIdInvalidArgumentException(serviceId);
}
if (authService.Type != ServiceType.AUTH)
{
throw new AuthNotAnAuthServiceInvalidArgumentException(serviceId);
}
if (user == null)
{
//Performing auth on local account
if (ServiceBL.IsLocalAuthService(authService))
{
user = DbUtils.CurrentSession.Users_GetByName(userName);
}
else
{
//Performing external auth. Lookup by external user name
user = DbUtils.CurrentSession.Users_GetByExternalName(userName, authService.Id);
}
if (user != null && user.ServiceId != authService.Id)
{
ServiceBE currentUsersAuthService = ServiceBL.GetServiceById(user.ServiceId);
if (currentUsersAuthService != null)
{
throw new AuthLoginExternalUserConflictException(currentUsersAuthService.Description);
}
throw new LoginExternalUserUnknownConflictException();
}
}
//Local account in the db.
if (user != null && ServiceBL.IsLocalAuthService(authService))
{
//Validate password for local account or validate the apikey
if (!IsValidAuthenticationForLocalUser(user, password, out altPassword))
{
// try impersonation using the ApiKey
if (string.IsNullOrEmpty(password) && PermissionsBL.ValidateRequestApiKey())
{
DekiContext.Current.Instance.Log.InfoFormat("user '{0}' authenticated via apikey impersonation", userName);
}
else
{
LoginAccessDenied(context, request, userName, user.ID, password);
}
}
}
// User was not found in the db and not being asked to create it.
if (user == null && !autoCreateExternalUser)
{
LoginAccessDenied(context, request, userName, null, password);
}
// Creating local account if apikey checks out and our authservice is local
if (user == null && string.IsNullOrEmpty(password) && PermissionsBL.ValidateRequestApiKey() && ServiceBL.IsLocalAuthService(authService))
{
XDoc newUserDoc = new XDoc("user")
.Elem("username", userName);
DreamMessage newUserResponse = DekiContext.Current.ApiPlug.At("users")
.With("apikey", DreamContext.Current.GetParam("apikey", string.Empty))
.Post(newUserDoc);
user = UserBL.GetUserById(newUserResponse.ToDocument()["/user/@id"].AsUInt ?? 0);
if (user != null && !string.IsNullOrEmpty(password))
{
user = UserBL.SetPassword(user, password, false);
}
}
// Got an external account
// Passing in the user object from db if it was found.
List <GroupBE> externalGroups = null;
if (!ServiceBL.IsLocalAuthService(authService))
{
bool bypassAuthentication = false;
string externalName;
if (user == null || string.IsNullOrEmpty(user.ExternalName))
{
externalName = userName;
}
else
{
externalName = user.ExternalName;
}
// If apikey is valid, try to bypass auth with the external provider
// and only lookup user/group details.
if (string.IsNullOrEmpty(password) && PermissionsBL.ValidateRequestApiKey())
{
DekiContext.Current.Instance.Log.InfoFormat("user '{0}' authenticating being bypassed via apikey impersonation", userName);
bypassAuthentication = true;
}
user = ExternalServiceSA.BuildUserFromAuthService(authService, user, userName, bypassAuthentication, externalName, password, out externalGroups);
}
// User was not found or did not authenticate with external provider
if (user == null)
{
LoginAccessDenied(context, request, userName, null, password);
}
else
{
//New user creation from external provider
if (user.ID == 0)
{
if (!autoCreateExternalUser)
{
LoginAccessDenied(context, request, userName, null, password);
}
}
else
{
//user exists
// TODO (steveb): ???
}
if (user.UserActive)
{
user = UserBL.CreateOrUpdateUser(user);
if (externalGroups != null)
{
UserBL.UpdateUsersGroups(user, externalGroups.ToArray());
}
}
}
}
else if (userFromToken != null)
{
// valid token exists that resolved to a user
user = userFromToken;
}
else if (allowAnon)
{
// Anonymous user
user = DbUtils.CurrentSession.Users_GetByName(DekiWikiService.ANON_USERNAME);
}
if (user == null)
{
//No credentials. Or token not provided or is invalid.
LoginAccessDenied(context, request, null, null, password);
}
else if (!user.UserActive && !PermissionsBL.ValidateRequestApiKey())
{
//If a valid api key is provided, override the disabled account flag
throw new AuthUserDisabledForbiddenException(user.Name);
}
return(user);
}
/// <summary>
/// Get a user out of an authtoken from a request if it's valid.
/// </summary>
/// <returns></returns>
private static UserBE UserFromAuthTokenInRequest(DreamContext context, bool impersonationOnly)
{
DreamMessage request = context.Request;
string authToken = context.Uri.GetParam(DekiWikiService.AUTHTOKEN_URIPARAM, null);
UserBE user = null;
// Check if auth token is in a cookie
if ((authToken == null) && request.HasCookies)
{
DreamCookie authCookie = DreamCookie.GetCookie(request.Cookies, DekiWikiService.AUTHTOKEN_COOKIENAME);
if ((authCookie != null) && (!authCookie.Expired))
{
authToken = authCookie.Value;
}
}
// Check if auth token is in a header or passed in as query parameter
authToken = authToken ?? request.Headers[DekiWikiService.AUTHTOKEN_HEADERNAME];
// Extract user name from auth token if it's valid
if (authToken != null)
{
user = ValidateAuthToken(authToken, impersonationOnly);
// check whether licensestate prevents user from being authenticated
var license = DekiContext.Current.LicenseManager;
LicenseStateType licensestate = license.LicenseState;
if ((licensestate == LicenseStateType.EXPIRED || licensestate == LicenseStateType.INVALID || licensestate == LicenseStateType.INACTIVE) &&
!PermissionsBL.IsUserAllowed(user, Permissions.ADMIN)
)
{
if (DekiContext.Current.Instance.Log.IsWarnEnabled)
{
switch (licensestate)
{
case LicenseStateType.EXPIRED:
DekiContext.Current.Instance.Log.WarnFormat("UserFromAuthTokenInRequest: Expired license {0}, reverting non-admin user to anonymous", license.LicenseExpiration);
break;
case LicenseStateType.INVALID:
DekiContext.Current.Instance.Log.WarnFormat("UserFromAuthTokenInRequest: Invalid license, reverting non-admin user to anonymous");
break;
case LicenseStateType.INACTIVE:
DekiContext.Current.Instance.Log.WarnFormat("UserFromAuthTokenInRequest: Inactive license, reverting non-admin user to anonymous");
break;
}
}
user = null;
}
else
{
DekiContext.Current.AuthToken = authToken;
}
}
if (PermissionsBL.ValidateRequestApiKey())
{
uint userIdOverride = 0;
if (uint.TryParse(context.GetParam(DekiWikiService.IMPERSONATE_USER_QUERYNAME, null), out userIdOverride))
{
UserBE userOverride = UserBL.GetUserById(userIdOverride);
if (userOverride != null)
{
user = userOverride;
DekiContext.Current.Instance.Log.InfoFormat("APIKEY provided. Impersonating user id '{0}': {1}", user.ID, user.Name);
}
}
}
return(user);
}
private XDoc AppendFileXml(XDoc doc, ResourceBE file, string fileSuffix, bool?explicitRevisionInfo, UserBE updatedByUser, PageBE parentPage)
{
bool requiresEnd = false;
string fileElement = string.IsNullOrEmpty(fileSuffix) ? "file" : "file." + fileSuffix;
if (doc == null || doc.IsEmpty)
{
doc = new XDoc(fileElement);
}
else
{
doc.Start(fileElement);
requiresEnd = true;
}
doc.Attr("id", file.MetaXml.FileId ?? 0);
doc.Attr("revision", file.Revision);
doc.Attr("res-id", file.ResourceId);
if (file.IsHidden)
{
doc.Attr("hidden", true);
}
doc.Attr("href", GetUriInfo(file, explicitRevisionInfo));
doc.Start("filename").Value(file.Name).End();
//Description comes from a property
string description = string.Empty;
if (!ArrayUtil.IsNullOrEmpty(file.ChildResources))
{
ResourceBE descProp = Array.Find(file.ChildResources, p => p != null && p.ResourceType == ResourceBE.Type.PROPERTY && p.Name.EqualsInvariantIgnoreCase(PropertyBL.PROP_DESC));
if (descProp != null)
{
description = descProp.Content.ToText();
}
}
doc.Start("description").Value(description).End();
doc.Start("contents")
.Attr("type", file.MimeType == null ? null : file.MimeType.ToString())
.Attr("size", file.Size);
if ((file.MetaXml.ImageHeight ?? 0) > 0 && (file.MetaXml.ImageWidth ?? 0) > 0)
{
doc.Attr("width", file.MetaXml.ImageWidth.Value);
doc.Attr("height", file.MetaXml.ImageHeight.Value);
}
doc.Attr("href", GetUriContent(file, explicitRevisionInfo));
doc.End(); //contents
if ((file.MetaXml.ImageWidth ?? 0) > 0 && (file.MetaXml.ImageHeight ?? 0) > 0)
{
string previewMime = AttachmentPreviewBL.ResolvePreviewMime(file.MimeType).ToString();
doc.Start("contents.preview")
.Attr("rel", "thumb")
.Attr("type", previewMime)
.Attr("maxwidth", _dekiContext.Instance.ImageThumbPixels)
.Attr("maxheight", _dekiContext.Instance.ImageThumbPixels)
.Attr("href", GetUriContent(file, explicitRevisionInfo).With("size", "thumb"));
if (!file.IsHeadRevision() || (explicitRevisionInfo ?? false))
{
doc.Attr("revision", file.Revision);
}
doc.End(); //contents.preview: thumb
doc.Start("contents.preview")
.Attr("rel", "webview")
.Attr("type", previewMime)
.Attr("maxwidth", _dekiContext.Instance.ImageWebviewPixels)
.Attr("maxheight", _dekiContext.Instance.ImageWebviewPixels)
.Attr("href", GetUriContent(file, explicitRevisionInfo).With("size", "webview"));
if (!file.IsHeadRevision() || (explicitRevisionInfo ?? false))
{
doc.Attr("revision", file.Revision);
}
doc.End(); //contents.preview: webview
}
doc.Start("date.created").Value(file.Timestamp).End();
if (updatedByUser != null)
{
doc.Add(UserBL.GetUserXml(updatedByUser, "createdby", Utils.ShowPrivateUserInfo(updatedByUser)));
}
if (file.ResourceIsDeleted && ((file.ChangeMask & ResourceBE.ChangeOperations.DELETEFLAG) == ResourceBE.ChangeOperations.DELETEFLAG))
{
if (updatedByUser != null)
{
doc.Add(UserBL.GetUserXml(updatedByUser, "deletedby", Utils.ShowPrivateUserInfo(updatedByUser)));
}
doc.Start("date.deleted").Value(file.Timestamp).End();
}
if (file.IsHeadRevision() && !(explicitRevisionInfo ?? false) && !file.ResourceIsDeleted)
{
uint filteredCount = _session.Resources_GetRevisionCount(file.ResourceId, DEFAULT_REVISION_FILTER);
doc.Start("revisions");
doc.Attr("count", filteredCount);
doc.Attr("totalcount", file.Revision);
doc.Attr("href", GetUri(file).At("revisions"));
doc.End();
}
else
{
if (file.ChangeMask != ResourceBE.ChangeOperations.UNDEFINED)
{
doc.Start("user-action").Attr("type", file.ChangeMask.ToString().ToLowerInvariant()).End();
}
}
//parent page is passed in for verbose output only
if (parentPage != null)
{
doc.Add(PageBL.GetPageXml(parentPage, "parent"));
}
if (file.ChildResources != null)
{
List <ResourceBE> properties = new List <ResourceBE>();
foreach (ResourceBE p in file.ChildResources)
{
properties.Add(p);
}
doc = PropertyBL.Instance.GetPropertyXml(properties.ToArray(), GetUri(file), null, null, doc);
}
if (file.IsHidden)
{
uint?userIdHiddenBy = file.MetaXml.RevisionHiddenUserId;
if (userIdHiddenBy != null)
{
UserBE userHiddenBy = UserBL.GetUserById(userIdHiddenBy.Value);
if (userHiddenBy != null)
{
doc.Add(UserBL.GetUserXml(userHiddenBy, "hiddenby", Utils.ShowPrivateUserInfo(userHiddenBy)));
}
}
doc.Elem("date.hidden", file.MetaXml.RevisionHiddenTimestamp ?? DateTime.MinValue);
doc.Elem("description.hidden", file.MetaXml.RevisionHiddenComment ?? string.Empty);
}
if (requiresEnd)
{
doc.End(); //file
}
return(doc);
}
private static XDoc AppendCommentXml(XDoc doc, CommentBE comment, string suffix, bool?includeParentInfo)
{
bool requiresEnd = false;
string commentElement = string.IsNullOrEmpty(suffix) ? "comment" : "comment." + suffix;
if (doc == null || doc.IsEmpty)
{
doc = new XDoc(commentElement);
}
else
{
doc.Start(commentElement);
requiresEnd = true;
}
doc.Attr("id", comment.Id).Attr("href", CommentBL.GetUri(comment));
//include parentinfo by default if the parent page is populated
PageBE page = PageBL.GetPageById(comment.PageId);
if (page != null && (includeParentInfo ?? true))
{
doc.Add(PageBL.GetPageXml(page, "parent"));
}
UserBE posterUser = UserBL.GetUserById(comment.PosterUserId);
if (posterUser != null)
{
doc.Add(UserBL.GetUserXml(posterUser, "createdby", Utils.ShowPrivateUserInfo(posterUser)));
}
doc.Start("date.posted").Value(comment.CreateDate).End();
doc.Start("title").Value(comment.Title).End();
doc.Start("number").Value(comment.Number).End();
//Note (MaxM): Replytoid/replies not yet exposed
//if (ReplyToId.HasValue) {
// doc.Start("comment.replyto")
// .Attr("number", ReplyToId.Value.ToString())
// .Attr("href", DekiContext.Current.ApiUri.At("pages", PageId.ToString(), "comments", ReplyToId.Value.ToString())).End();
//}
bool displayContent = true;
//Only display content for nondeleted comments or for admins
if (comment.IsCommentMarkedAsDeleted)
{
displayContent = PermissionsBL.IsUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
}
if (displayContent)
{
doc.Start("content")
.Attr("type", comment.ContentMimeType)
.Attr("href", CommentBL.GetUri(comment).At("content"))
.Value(comment.Content).End();
}
if (comment.LastEditUserId.HasValue)
{
UserBE lastEditUser = UserBL.GetUserById(comment.LastEditUserId.Value);
if (null != lastEditUser)
{
doc.Add(UserBL.GetUserXml(lastEditUser, "editedby", Utils.ShowPrivateUserInfo(lastEditUser)));
doc.Start("date.edited").Value(comment.LastEditDate).End();
}
}
if (comment.IsCommentMarkedAsDeleted && comment.DeleterUserId.HasValue)
{
UserBE deleteUser = UserBL.GetUserById(comment.DeleterUserId.Value);
if (null != deleteUser)
{
doc.Add(UserBL.GetUserXml(deleteUser, "deletedby", Utils.ShowPrivateUserInfo(deleteUser)));
doc.Start("date.deleted").Value(comment.DeleteDate).End();
}
}
if (requiresEnd)
{
doc.End(); //comment
}
return(doc);
}
//--- Class Methods ---
public static bool IsSafeMode(PageBE page)
{
return(!PermissionsBL.IsUserAllowed(UserBL.GetUserById(page.UserID), page, Permissions.UNSAFECONTENT));
}
public UserBE GetUserById(uint userId)
{
return(UserBL.GetUserById(userId));
}