Esempio n. 1
0
        public static void SetHyperLink(string adminSectionPageId, string querystring, HyperLink hyperlink)
        {
            AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);
            string           url = (adminSectionPage == null) ? "#" : string.Format("{0}{1}", adminSectionPage.Url, querystring);

            hyperlink.NavigateUrl = url;
        }
        /// <summary>
        /// Searches the AdminSectionPage and all its subpages for a page
        /// matching the specified url.  Returns page if found. Otherwise, null.
        /// </summary>
        private static AdminSectionPage Search(AdminSectionPage page, string url)
        {
            if (StringUtils.IgnoreCaseCompare(page.Url, url))
            {
                return(page);
            }

            return(page.Pages.Select(subPage => Search(subPage, url)).FirstOrDefault(p => p != null));
        }
Esempio n. 3
0
        public static void SetHyperLink(User user, string adminSectionPageId, string querystring, HyperLink hyperlink)
        {
            AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId);

            if (adminSectionPage == null)
            {
                hyperlink.Visible = false;
            }
            else
            {
                hyperlink.Visible     = SecurityManager.UserHasAccess(user, adminSectionPage);
                hyperlink.NavigateUrl = string.Format("{0}{1}", adminSectionPage.Url, querystring);
            }
        }
        /// <summary>
        /// Checks if the user is in a role that has access to the requested page
        /// </summary>
        public static bool UserHasAccess(User user, AdminSectionPage adminSectionPage)
        {
            if (user.IsNull)
            {
                return(false);
            }

            if (adminSectionPage == null)
            {
                return(user.UserRole == UserRole.SuperAdministrator);
            }

            if (adminSectionPage.RestrictToEngineers && !user.IsEngineer)
            {
                return(false);
            }

            return(adminSectionPage.UserRoleList.Contains(user.UserRole));
        }
        public AdminSectionPage(XmlNode node) : base(node)
        {
            if (node.Attributes == null)
            {
                throw new SystemException("Node does not have any attributes");
            }

            // Get the page URL, using the ID if no URL is specified
            XmlNode urlNode = node.Attributes.GetNamedItem("Url");

            Url = (urlNode == null) ? string.Format("~/Admin/{0}.aspx", Id.Replace('.', '/')) : urlNode.Value;

            // Get the minimum role and/or allowed roles to access this page
            XmlNode minimumRoleNode  = node.Attributes.GetNamedItem("MinimumRole");
            XmlNode allowedRolesNode = node.Attributes.GetNamedItem(("AllowedRoles"));

            // If no minimum role or allowed roles are specified, then search through
            // the parents until we find this information.
            if (minimumRoleNode == null && allowedRolesNode == null)
            {
                // Get the parent node.  This will be another <Page> node or a <Section> node
                XmlNode parentNode = node.ParentNode;

                while (parentNode != null && parentNode.Attributes != null)
                {
                    // Get the nodes
                    minimumRoleNode  = parentNode.Attributes.GetNamedItem("MinimumRole");
                    allowedRolesNode = parentNode.Attributes.GetNamedItem(("AllowedRoles"));

                    // Drop out if we found valid nodes.  Otherwise, keep searching upwards
                    if (minimumRoleNode != null || allowedRolesNode != null)
                    {
                        break;
                    }

                    // Set parent to this parent and keep searching
                    parentNode = parentNode.ParentNode;
                }
            }

            if (minimumRoleNode == null)
            {
                UserRoleList.Add(UserRole.SuperAdministrator);
            }
            else
            {
                foreach (UserRole userRole in Enum.GetValues(typeof(UserRole)))
                {
                    int userRoleId    = (int)userRole;
                    int minimumRoleId = (int)EnumUtils.GetEnumFromValue <UserRole>(minimumRoleNode.Value);

                    if (userRoleId >= minimumRoleId)
                    {
                        UserRoleList.Add(userRole);
                    }
                }
            }

            if (allowedRolesNode != null)
            {
                string[] allowedRoles = allowedRolesNode.Value.Split(',');

                foreach (string role in allowedRoles)
                {
                    UserRole userRole = EnumUtils.GetEnumFromValue <UserRole>(role);

                    if (userRole != 0 && !UserRoleList.Contains(userRole))
                    {
                        UserRoleList.Add(userRole);
                    }
                }
            }

            XmlNodeList pages = node.SelectNodes("Page");

            if (pages != null)
            {
                foreach (XmlNode pageNode in pages)
                {
                    AdminSectionPage page = new AdminSectionPage(pageNode);
                    Pages.Add(page);
                }
            }

            // Add all user roles from children pages to this too
            // (Otherwise, this node won't show up in navigation
            // and the children won't be accessible).
            UserRoleList.AddRange(GetUserRoleList());
        }
        /// <summary>
        /// Checks if the user has access to the requested path.
        /// This method is the 'big kahuna', and does various security checks.  It's main
        /// purpose is to ensure that the admin area pages are correctly restricted, and it
        /// ensures that upload users and brand admins cannot access entities to
        /// which their role does not have permission (ie. those outside their brand).
        /// </summary>
        /// <param name="user">The user requesting access</param>
        /// <param name="path">The path to which access is being requested</param>
        /// <returns>[True] if user can access path.  Otherwise [False].</returns>
        public static bool UserHasAccess(User user, Uri path)
        {
            // Turn the path into a relative one (eg. /AppVirtualDir/Admin/Default.aspx -> ~/Admin/Default.aspx)
            string relativePath = VirtualPathUtility.ToAppRelative(path.AbsolutePath).ToLower();

            // Always allow NeatUpload stuff through
            if (relativePath.StartsWith("~/neatupload/"))
            {
                return(true);
            }

            // Login and registration pages open to all.  Admin homepage open to
            // any user belonging to any role greater than normal.
            switch (relativePath)
            {
            case "~/login.aspx":
            case "~/register.aspx":
            case "~/changepassword.aspx":
            case "~/reactivate.aspx":
            case "~/viewcontactsheet.aspx":
            case "~/popups/termsconditions.aspx":
            case "~/popups/privacypolicy.aspx":
                return(true);

            case "~/admin/default.aspx":
                return(user.UserRoleId > Convert.ToInt32(UserRole.Normal));
            }

            // Allow access to non-existent pages so we can redirect to 404
            if (!File.Exists(HttpContext.Current.Server.MapPath(relativePath)))
            {
                return(true);
            }

            // Everything from here on needs a user
            if (user.IsNull)
            {
                return(false);
            }

            // Ensure that the asset popup can only be viewed by authorised users
            if (relativePath.StartsWith("~/popups/assetinfo.aspx"))
            {
                int assetId = GetQuerystringValue(path.Query, "assetId", -1);

                if (assetId != -1)
                {
                    Asset asset = Asset.Get(assetId);

                    if (asset.IsNull || !EntitySecurityManager.CanViewAssetInfo(user, asset))
                    {
                        return(false);
                    }

                    HttpContext.Current.Items.Add("Asset", asset);
                }
            }

            if (relativePath.StartsWith("~/admin/"))
            {
                // Get the admin section page by the URL
                AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageByUrl(relativePath);

                // Ensure that we found it in the admin page list
                if (adminSectionPage == null)
                {
                    throw new SystemException(string.Format("Unknown admin page: '{0}'. Please check AdminNavigation.Config", relativePath));
                }

                // Ensure that the page being accessed is available to the user role.
                // No point continuing if their role is too weak
                if (!adminSectionPage.UserRoleList.Contains(user.UserRole))
                {
                    return(false);
                }

                // Do role specific processing, as some roles can access pages, but
                // only when editing certain entities - ie. a Brand Admin can
                // access the user pages, but only when managing users from their own
                // brand.  Here, we check the querystring for values, get the
                // matching entity, and then ensure that it's from the same BU as
                // the requesting user.

                if (user.UserRole == UserRole.SuperAdministrator)
                {
                    return(true);
                }

                if (user.UserRole == UserRole.Normal)
                {
                    throw new SecurityException("Access to admin area denied");
                }

                if (GeneralUtils.ValueIsInList(user.UserRole, UserRole.BrandAdministrator, UserRole.UploadUser))
                {
                    // Assume page is okay, as querystring might be blank
                    bool ok = true;

                    // Check for user ID, and if it exists, ensure the user
                    // can be accessed by the requesting user
                    int userId = GetQuerystringValue(path.Query, "userId", -1);
                    if (userId != -1)
                    {
                        User u = User.Get(userId);
                        if (user.IsNull || !EntitySecurityManager.CanManageUser(user, u))
                        {
                            ok = false;
                        }
                        else
                        {
                            HttpContext.Current.Items.Add("User", u);
                        }
                    }

                    // Check for asset Id, and if it exists, ensure the
                    // asset can be accessed by the requesting user
                    if (ok)
                    {
                        int assetId = GetQuerystringValue(path.Query, "assetId", -1);
                        if (assetId != -1)
                        {
                            Asset asset = Asset.Get(assetId);
                            if (asset.IsNull || !EntitySecurityManager.CanManageAsset(user, asset))
                            {
                                ok = false;
                            }
                            else
                            {
                                HttpContext.Current.Items.Add("Asset", asset);
                            }
                        }
                    }

                    // Check for AssetWorkflowId, and if it exists, ensure the
                    // AssetWorkflow can be accessed by the requesting user
                    if (ok)
                    {
                        int assetWorkflowId = GetQuerystringValue(path.Query, "assetWorkflowId", -1);
                        if (assetWorkflowId != -1)
                        {
                            AssetWorkflow assetWorkflow = AssetWorkflow.Get(assetWorkflowId);
                            if (assetWorkflow.IsNull || !EntitySecurityManager.CanParticipateInAssetWorkflow(user, assetWorkflow))
                            {
                                ok = false;
                            }
                            else
                            {
                                HttpContext.Current.Items.Add("AssetWorkflow", assetWorkflow);
                            }
                        }
                    }

                    return(ok);
                }

                throw new SecurityException("Unable to check permissions for user role: " + user.UserRole);
            }

            return(true);
        }