Esempio n. 1
0
        internal bool ExtensionIsOk(string fileName, out HttpExceptionAbstraction preparedException)
        {
            if (!TenantAllowsExtension(fileName))
            {
                preparedException = HttpException.NotAllowedFileType(fileName, "Not in whitelisted CMS file types.");
                return(false);
            }

            if (SecurityCheckHelpers.IsKnownRiskyExtension(fileName))
            {
                preparedException = HttpException.NotAllowedFileType(fileName, "This is a known risky file type.");
                return(false);
            }
            preparedException = null;
            return(true);
        }
Esempio n. 2
0
        /// <summary>
        /// Initializes the object and performs all the initial security checks
        /// </summary>
        protected AdamState(IBlock block, int appId, string contentType, string field, Guid guid, bool usePortalRoot, ILog log)
            : base("Adm.State", log)
        {
            var callLog = Log.Call($"field:{field}, guid:{guid}");

            App         = Factory.Resolve <Apps.App>().Init(appId, log, block);
            Permissions = new MultiPermissionsTypes()
                          .Init(block.Context, App, contentType, Log);
            Block = block;

            // only do checks on field/guid if it's actually accessing that, if it's on the portal root, don't.
            UseTenantRoot = usePortalRoot;
            if (!usePortalRoot)
            {
                ItemField = field;
                ItemGuid  = guid;
            }

            Security = Factory.Resolve <SecurityChecksBase>().Init(this, usePortalRoot, Log);

            SecurityCheckHelpers.ThrowIfAccessingRootButNotAllowed(usePortalRoot, Security.UserIsRestricted);

            Log.Add("check if feature enabled");
            if (Security.UserIsRestricted && !ToSic.Eav.Configuration.Features.Enabled(FeaturesForRestrictedUsers))
            {
                throw HttpException.PermissionDenied(
                          $"low-permission users may not access this - {ToSic.Eav.Configuration.Features.MsgMissingSome(FeaturesForRestrictedUsers)}");
            }

            PrepCore(App, guid, field, usePortalRoot);

            if (string.IsNullOrEmpty(contentType) || string.IsNullOrEmpty(field))
            {
                return;
            }

            Attribute = Definition(appId, contentType, field);
            if (!Security.FileTypeIsOkForThisField(out var exp))
            {
                throw exp;
            }
            callLog(null);
        }
Esempio n. 3
0
 internal bool SuperUserOrAccessingItemFolder(string path, out HttpExceptionAbstraction preparedException)
 {
     preparedException = null;
     return(!UserIsRestricted || SecurityCheckHelpers.DestinationIsInItem(AdamState.ItemGuid, AdamState.ItemField, path, out preparedException));
 }