void OnCMSAdminAuthenticationSuccess(string source, Result result)
{
if (!WebAuthentication.VerifyAccess(PermissionType.AdministrativeAccess))
{
result.SetFailed("You don't have access to this area.");
}
}
public void PreProcessLoginPage(PageEntry page)
{
if (WebAuthentication.VerifyAccess(PermissionType.AccessAdminArea))
{
WebUtility.Redirect("admin");
}
}
Result AuthenticateForAjaxRequest(System.Reflection.MethodInfo source)
{
if (!SecurityProvider.CurrentUser.Enabled)
{
return(new Result("Ajax method called failed because your account has been disabled."));
}
Attribute[] roleAttr = Attribute.GetCustomAttributes(source, typeof(RequiresRoleAttribute));
Attribute[] permAttr = Attribute.GetCustomAttributes(source, typeof(RequiresPermissionAttribute));
for (int i = 0; i < roleAttr.Length; i++)
{
if (!SecurityProvider.CurrentUser.HasRole(((RequiresRoleAttribute)roleAttr[i]).RoleCode))
{
return(new Result("Ajax method call failed because you do not have one or more required roles."));
}
}
for (int i = 0; i < permAttr.Length; i++)
{
if (!WebAuthentication.VerifyAccess(((RequiresPermissionAttribute)permAttr[i]).PermissionTypeCode))
{
return(new Result("Ajax method call failed because you do not have one or more required permissions."));
}
}
return(new Result());
}
void WebEvents_OnLoadRequestedPath(HandleFlag handled)
{
if (handled.Handled)
{
return;
}
if (!WebAuthentication.IsLoggedIn)
{
return;
}
if (!WebAuthentication.VerifyAccess(PermissionType.ModifyPages))
{
return;
}
if (SprocketPath.Sections.Length >= 4 && SprocketPath.Sections[0] == "admin")
{
switch (SprocketPath.Sections[1])
{
case "pages":
switch (SprocketPath.Sections[2])
{
case "delete":
{
long id;
if (long.TryParse(SprocketPath.Sections[3], out id))
{
Page page = ContentManager.Instance.DataProvider.SelectPage(id);
if (page != null)
{
Result r = page.SaveRevision("** Page deleted.", page.RevisionInformation.Draft, page.RevisionInformation.Hidden, true);
if (!r.Succeeded)
{
Response.Write("Unable to delete page:<br/>" + r.Message);
Response.End();
return;
}
}
}
}
WebUtility.Redirect("admin/pages");
break;
case "imgthumb":
{
long id;
if (long.TryParse(SprocketPath.Sections[3], out id))
{
SizingOptions options = new SizingOptions(60, 45, SizingOptions.Display.Constrain, id);
FileManager.FileManager.Instance.TransmitImage(options);
}
}
break;
}
break;
}
}
}
void AdminWindow_OnBeforeDisplayAdminWindowOverlay(Result result)
{
if (WebAuthentication.IsLoggedIn)
{
if (WebAuthentication.VerifyAccess(PermissionType.AdministrativeAccess))
{
return;
}
}
result.SetFailed("access denied");
}
void AdminHandler_OnLoadAdminPage(AdminInterface admin, PageEntry page, HandleFlag handled)
{
if (WebAuthentication.VerifyAccess(PermissionType.ModifyPages))
{
admin.AddMainMenuLink(new AdminMenuLink("Pages and Content", WebUtility.MakeFullPath("admin/pages"), ObjectRank.Normal, "pages_and_content"));
}
if (WebAuthentication.VerifyAccess(PermissionType.ModifyTemplates))
{
admin.AddMainMenuLink(new AdminMenuLink("Page Templates", WebUtility.MakeFullPath("admin/templates"), ObjectRank.Normal, "page_templates"));
}
}
public void ProcessLoginForm()
{
WebAuthentication auth = WebAuthentication.Instance;
if (auth.ProcessLoginForm("SprocketUsername", "SprocketPassword", "SprocketPreserveLogin"))
{
if (WebAuthentication.VerifyAccess(PermissionType.AccessAdminArea))
{
WebUtility.Redirect("admin");
}
else
{
auth.ClearAuthenticationCookie();
}
}
FormValues.Set("login", "", null, true);
}
void WebEvents_OnRequestedPathProcessed()
{
if (!HttpContext.Current.Response.ContentType.Contains("html"))
{
return;
}
if (!IsAdminRequest)
{
return;
}
if (!WebAuthentication.VerifyAccess(PermissionType.AccessAdminArea))
{
return;
}
string html = WebUtility.CacheTextFile("resources/admin/header.htm");
HttpContext.Current.Response.Write(string.Format(html, WebUtility.BasePath));
}
void OnAdminRequest(AdminInterface admin, PageEntry page, HandleFlag handled)
{
// build the "current user" block
User user = User.Select(SecurityProvider.ClientSpaceID, WebAuthentication.Instance.CurrentUsername);
string block = "<div id=\"currentuser-block\">"
+ "You are currently logged in as <b>{0}</b>."
+ "</div>";
admin.AddLeftColumnSection(new AdminSection(
string.Format(block, (user.FirstName + " " + user.Surname).Trim()), ObjectRank.First));
if (!WebAuthentication.VerifyAccess(PermissionType.UserAdministrator))
{
return;
}
admin.AddMainMenuLink(new AdminMenuLink("Users and Roles", WebUtility.MakeFullPath("admin/security"), ObjectRank.Normal));
// build the security interface if it has been requested
if (SprocketPath.Value.StartsWith("admin/security"))
{
//handled.Set();
int defaultMaxFilterMatches;
try { defaultMaxFilterMatches = int.Parse(SprocketSettings.GetValue("WebSecurityDefaultUserFilterMatches")); }
catch { defaultMaxFilterMatches = 50; }
admin.AddInterfaceScript(WebControlScript.TabStrip);
admin.AddInterfaceScript(WebControlScript.Fader);
admin.AddInterfaceScript(WebControlScript.AjaxForm);
string scr = ResourceLoader.LoadTextResource("Sprocket.Security.CMS.security.js")
.Replace("50,//{defaultMaxFilterMatches}", defaultMaxFilterMatches.ToString() + ",")
.Replace("if(true)//{ifUserCanAccessRoleManagement}",
WebAuthentication.VerifyAccess(PermissionType.RoleAdministrator) ? "" : "if(false)");
admin.AddInterfaceScript(new AdminSection(scr, 0));
admin.AddBodyOnLoadScript(new AdminSection("SecurityInterface.Run()", 0));
string html = "<div id=\"user-admin-container\"></div>";
admin.AddPreContentSection(new AdminSection(html, 0));
admin.AddHeadSection(new AdminSection("<link rel=\"stylesheet\" type=\"text/css\" href=\""
+ WebUtility.MakeFullPath("resources/admin/security.css") + "\" />", 0));
}
}
public object Evaluate(Token contextToken, List <ExpressionArgument> args, ExecutionState state)
{
if (args.Count != 1)
{
throw new InstructionExecutionException("\"haspermission\" expects exactly one argument specifying the name of a permission.", contextToken);
}
object o = TokenParser.ReduceFromExpression(state, args[0].Token, args[0].Expression.Evaluate(state, args[0].Token));
string permission = o == null ? null : o.ToString();
if (permission == null)
{
throw new InstructionExecutionException("the argument didn't equate to a string naming a permission.", contextToken);
}
if (!WebAuthentication.IsLoggedIn)
{
return(false);
}
return(WebAuthentication.VerifyAccess(permission));
}
void OnSaveForm(AjaxFormSubmittedValues form)
{
List <string> roleCodes = new List <string>(), permissionTypeCodes = new List <string>();
switch (form.FormName)
{
case "UserEditForm":
if (!WebAuthentication.VerifyAccess(PermissionType.UserAdministrator))
{
return;
}
AjaxFormSubmittedValues.Block block = form.Blocks["MainUserFields"];
string pw = block.Fields["Password"].Value;
bool enabled = block.Fields["Enabled"].Value == "True";
if (pw.Length == 0)
{
pw = null;
}
User user;
if (form.RecordID == null)
{
user = new User(
SecurityProvider.ClientSpaceID,
block.Fields["Username"].Value,
pw,
block.Fields["FirstName"].Value,
block.Fields["Surname"].Value,
block.Fields["Email"].Value,
enabled, false, false, 0);
Result result = SecurityProvider.DataLayer.Store(user);
if (!result.Succeeded)
{
throw new AjaxException(result.Message);
}
if (OnUserSaved != null)
{
OnUserSaved(form, user);
}
form.RecordID = user.UserID;
}
else
{
user = User.Select(form.RecordID.Value);
//if (!CurrentUser.CanModifyUser(user))
// throw new AjaxException("You don't have access to modify that user.");
user.Username = block.Fields["Username"].Value;
if (pw != null)
{
user.Password = pw;
}
user.FirstName = block.Fields["FirstName"].Value;
user.Surname = block.Fields["Surname"].Value;
user.Email = block.Fields["Email"].Value;
user.Enabled = enabled;
SecurityProvider.DataLayer.Store(user);
//user.Save();
if (OnUserSaved != null)
{
OnUserSaved(form, user);
}
if (user.Locked)
{
return; // don't muck with permissions/roles
}
}
if (user.Username != SecurityProvider.CurrentUser.Username) // users can't alter their own permissions
{
if (form.Blocks.ContainsKey("Roles"))
{
foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
{
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
{
if (kvp.Value.Value == "True")
{
roleCodes.Add(kvp.Value.Name);
}
}
}
}
//sql.AppendFormat("exec AssignUserToRole '{0}', '{1}'\r\n", user.UserID, kvp.Value.Name.Replace("'", "''"));
if (form.Blocks.ContainsKey("Permissions"))
{
foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
{
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
{
if (kvp.Value.Value == "True")
{
permissionTypeCodes.Add(kvp.Value.Name);
}
}
}
}
//sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), user.UserID);
//if (sql.Length == 0) return;
SecurityProvider.DataLayer.SetRolesAndPermissionsForUser(user.UserID, roleCodes, permissionTypeCodes);
//user.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones
//Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
}
break;
case "RoleEditForm":
if (!WebAuthentication.VerifyAccess(PermissionType.RoleAdministrator))
{
return;
}
block = form.Blocks["RoleDetails"];
string name = block.Fields["Name"].Value;
enabled = block.Fields["Enabled"].Value == "True";
Role role;
if (form.RecordID == null)
{
role = new Role();
role.RoleID = DatabaseManager.GetUniqueID();
role.RoleCode = role.RoleID.ToString(); // role codes are only used by system roles
role.ClientSpaceID = SecurityProvider.ClientSpaceID;
}
else
{
role = Role.Select(form.RecordID.Value);
if (role == null)
{
return;
}
if (role.Locked)
{
return; // locked roles aren't supposed to be edited by users
}
}
role.Name = name;
role.Enabled = enabled;
SecurityProvider.DataLayer.Store(role);
//((SecurityProvider)Core.Instance["SecurityProvider"]).SaveRole(role);
//sql = new StringBuilder();
if (form.Blocks.ContainsKey("Roles"))
{
foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Roles"].Fields)
{
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
{
if (kvp.Value.Value == "True")
{
roleCodes.Add(kvp.Value.Name);
}
}
}
}
//sql.AppendFormat("exec InheritRoleFrom '{0}', '{1}'\r\n", role.RoleID, kvp.Value.Name.Replace("'", "''"));
if (form.Blocks.ContainsKey("Permissions"))
{
foreach (KeyValuePair <string, AjaxFormSubmittedValues.Field> kvp in form.Blocks["Permissions"].Fields)
{
if (SecurityProvider.CurrentUser.HasRole(kvp.Value.Name)) //make sure the logged in user has the right to assign this role
{
if (kvp.Value.Value == "True")
{
permissionTypeCodes.Add(kvp.Value.Name);
}
}
}
}
//sql.AppendFormat("exec AssignPermission '{0}', null, '{1}'\r\n", kvp.Value.Name.Replace("'", "''"), role.RoleID);
SecurityProvider.DataLayer.SetRolesAndPermissionsForRole(role.RoleID, roleCodes, permissionTypeCodes);
//role.RevokeRolesAndPermissions(); // revoke any pre-existing permissions/roles before we assign the new ones
//if (sql.Length == 0) return;
//Database.Main.CreateCommand(sql.ToString(), CommandType.Text).ExecuteNonQuery();
break;
}
}
void WebEvents_OnLoadRequestedPath(HandleFlag handled)
{
if (handled.Handled)
{
return;
}
if (!IsAdminRequest)
{
return;
}
PageEntry page = pages.FromPath(SprocketPath.Value);
if (page == null)
{
return;
}
KeyValuePair <string, object>[] vars;
if (!SprocketPath.StartsWith("admin", "login"))
{
if (!WebAuthentication.VerifyAccess(PermissionType.AccessAdminArea))
{
WebUtility.Redirect("admin/login");
return;
}
AdminInterface admin = new AdminInterface();
WebClientScripts scripts = WebClientScripts.Instance;
admin.AddMainMenuLink(new AdminMenuLink("Website Home", WebUtility.MakeFullPath(""), ObjectRank.Last, "website_home"));
admin.AddMainMenuLink(new AdminMenuLink("Overview", WebUtility.MakeFullPath("admin"), ObjectRank.First, "website_overview"));
admin.AddMainMenuLink(new AdminMenuLink("Log Out", WebUtility.MakeFullPath("admin/logout"), ObjectRank.Last, "log_out"));
admin.AddFooterLink(new AdminMenuLink("Log Out", WebUtility.MakeFullPath("admin/logout"), ObjectRank.Early));
admin.AddFooterLink(new AdminMenuLink("© 2005-" + DateTime.UtcNow.Year + " " + SprocketSettings.GetValue("WebsiteName"), "", ObjectRank.Late));
admin.AddFooterLink(new AdminMenuLink("Powered by Sprocket", "http://www.sprocketcms.com", ObjectRank.Last));
admin.AddHeadSection(new AdminSection(scripts.BuildStandardScriptsBlock(), ObjectRank.Late));
admin.WebsiteName = GetWebsiteName();
if (OnLoadAdminPage != null)
{
OnLoadAdminPage(admin, page, handled);
if (handled.Handled)
{
return;
}
}
vars = admin.GetScriptVariables();
}
else
{
vars = new KeyValuePair <string, object> [1];
vars[0] = new KeyValuePair <string, object>("_admin_websitename", GetWebsiteName());
}
ContentManager.RequestedPage = page;
if (pagePreProcessors.ContainsKey(page.PageCode))
{
foreach (PagePreprocessorHandler method in pagePreProcessors[page.PageCode])
{
method(page);
}
}
string txt = page.Render(vars);
Response.ContentType = page.ContentType;
Response.Write(txt);
handled.Set();
}
void WebEvents_OnLoadRequestedPath(HandleFlag handled)
{
if (handled.Handled)
{
return;
}
switch (SprocketPath.Value)
{
case "activate/fix":
{
bool failed = false;
if (!WebAuthentication.IsLoggedIn)
{
failed = true;
}
else if (!WebAuthentication.VerifyAccess(PermissionType.AdministrativeAccess))
{
failed = true;
}
if (failed)
{
HttpContext.Current.Response.Write("<html><body><p>Access denied. Administrative access required.</p></body></html>");
handled.Set();
return;
}
else
{
try
{
int k;
using (TransactionScope scope = new TransactionScope())
{
DatabaseManager.DatabaseEngine.GetConnection();
List <User> users = SecurityProvider.DataLayer.FilterUsers(null, null, null, null, null, null, false, out k);
foreach (User user in users)
{
SecurityProvider.RequestUserActivation(user.UserID, user.Email);
}
scope.Complete();
}
HttpContext.Current.Response.Write("<html><body><p>" + k + " activation requests created.</p></body></html>");
handled.Set();
return;
}
finally
{
DatabaseManager.DatabaseEngine.ReleaseConnection();
}
}
}
default:
switch (SprocketPath.Sections[0])
{
case "_captcha":
RenderCAPTCHAImage();
break;
case "activate":
if (SprocketPath.Sections.Length == 2)
{
string activationCode = SprocketPath.Sections[1];
long userID;
Result r = SecurityProvider.DataLayer.ActivateUser(activationCode, out userID);
if (r.Succeeded)
{
User user = null;
if (WebAuthentication.IsLoggedIn)
{
if (SecurityProvider.CurrentUser.UserID == userID)
{
user = SecurityProvider.CurrentUser;
user.Activated = true;
}
}
if (user == null)
{
user = SecurityProvider.DataLayer.SelectUser(userID);
}
if (OnUserActivated != null)
{
OnUserActivated(user, handled);
}
if (!handled.Handled)
{
HttpContext.Current.Response.Write("<html><body><p>The user has been successfully activated.</p></body></html>");
handled.Set();
}
}
else
{
if (OnUserActivationError != null)
{
OnUserActivationError(r, handled);
}
if (!handled.Handled)
{
HttpContext.Current.Response.Write("<html><body><p>" + r.Message + "</p></body></html>");
handled.Set();
}
}
}
break;
}
break;
}
}
