public static List <Guid> check_access(Guid applicationId, Guid?userId, List <Guid> objectIds, PrivacyObjectType objectType, PermissionType permission) { return(check_access(applicationId, userId, objectIds, objectType, new List <PermissionType>() { permission }) .Keys.ToList()); }
public static bool check_access(Guid applicationId, Guid?userId, Guid objectId, PrivacyObjectType objectType, PermissionType permission) { List <PermissionType> lst = check_access(applicationId, userId, objectId, objectType, new List <PermissionType>() { permission }); return(lst != null && lst.Count > 0); }
public static List <PermissionType> check_access(Guid applicationId, Guid?userId, Guid objectId, PrivacyObjectType objectType) { Dictionary <Guid, List <PermissionType> > dic = check_access(applicationId, userId, new List <Guid>() { objectId }, objectType); return(dic.ContainsKey(objectId) ? dic[objectId] : new List <PermissionType>()); }
protected void get_audience(List <Guid> objectIds, PrivacyObjectType objectType, ref string responseText) { //Privacy Check: OK if (!paramsContainer.GBEdit) { return; } bool accessDenied = objectIds.Count == 0 || !check_object_type(objectIds, objectType); Dictionary <Guid, List <Audience> > audience = accessDenied ? new Dictionary <Guid, List <Audience> >() : PrivacyController.get_audience(paramsContainer.Tenant.Id, objectIds); Dictionary <Guid, List <DefaultPermission> > defaultPermissions = accessDenied ? new Dictionary <Guid, List <DefaultPermission> >() : PrivacyController.get_default_permissions(paramsContainer.Tenant.Id, objectIds); List <Privacy> settings = accessDenied ? new List <Privacy>() : PrivacyController.get_settings(paramsContainer.Tenant.Id, objectIds); objectIds.ForEach(u => { if (!settings.Any(x => x.ObjectID == u)) { settings.Add(new Privacy() { ObjectID = u }); } }); settings.ForEach(s => { if (audience.ContainsKey(s.ObjectID.Value)) { s.Audience = audience[s.ObjectID.Value]; } if (defaultPermissions.ContainsKey(s.ObjectID.Value)) { s.DefaultPermissions = defaultPermissions[s.ObjectID.Value]; } }); List <ConfidentialityLevel> levels = PrivacyController.get_confidentiality_levels(paramsContainer.Tenant.Id); responseText = "{\"ConfidentialityLevels\":[" + string.Join(",", levels.Select(x => x.toJson())) + "]" + ",\"Items\":{" + string.Join(",", settings.Where(x => x.ObjectID.HasValue) .Select(u => "\"" + u.ObjectID.ToString() + "\":" + u.toJson())) + "}" + (!accessDenied ? string.Empty : ",\"ErrorText\":\"" + Messages.AccessDenied + "\"") + "}"; }
protected void set_audience(List <Privacy> items, PrivacyObjectType objectType, ref string responseText) { //Privacy Check: OK if (!paramsContainer.GBEdit) { return; } if (items.Count != 0 && !check_object_type(items.Where(x => x.ObjectID.HasValue).Select(u => u.ObjectID.Value).ToList(), objectType)) { responseText = "{\"ErrorText\":\"" + Messages.AccessDenied + "\"}"; if (items.Count == 1 && items[0].ObjectID.HasValue) { _save_error_log(Modules.Log.Action.SetPrivacyAudience_PermissionFailed, items[0].ObjectID); } return; } bool result = paramsContainer.CurrentUserID.HasValue && PrivacyController.set_audience(paramsContainer.Tenant.Id, items, paramsContainer.CurrentUserID.Value); responseText = result ? "{\"Succeed\":\"" + Messages.OperationCompletedSuccessfully + "\"}" : "{\"ErrorText\":\"" + Messages.OperationFailed + "\"}"; //Save Log if (result && items.Count == 1) { LogController.save_log(paramsContainer.Tenant.Id, new Log() { UserID = paramsContainer.CurrentUserID.Value, Date = DateTime.Now, HostAddress = PublicMethods.get_client_ip(HttpContext.Current), HostName = PublicMethods.get_client_host_name(HttpContext.Current), Action = Modules.Log.Action.SetPrivacyAudience, SubjectID = items[0].ObjectID, Info = items[0].toJson(), ModuleIdentifier = ModuleIdentifier.PRVC }); } //end of Save Log }
protected void check_access(List <Guid> objectIds, PrivacyObjectType objectType, List <PermissionType> permissions, ref string responseText) { //Privacy Check: OK if (!paramsContainer.GBView) { return; } if (permissions.Count > 0) { permissions = permissions.Where(p => p != PermissionType.None).ToList(); } Dictionary <Guid, List <PermissionType> > results = objectType == PrivacyObjectType.None ? new Dictionary <Guid, List <PermissionType> >() : (permissions.Count == 0 ? PrivacyController.check_access(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID, objectIds, objectType) : PrivacyController.check_access(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID, objectIds, objectType, permissions)); responseText = "{" + string.Join(",", results.Keys.Select( k => "\"" + k + "\":[" + string.Join(",", results[k].Select(p => "\"" + p.ToString() + "\"")) + "]")) + "}"; }
public static Dictionary <Guid, List <PermissionType> > check_access(Guid applicationId, Guid?userId, List <Guid> objectIds, PrivacyObjectType objectType) { return(check_access(applicationId, userId, objectIds, objectType, new List <PermissionType>())); }
public static Dictionary <Guid, List <PermissionType> > check_access(Guid applicationId, Guid?userId, List <Guid> objectIds, PrivacyObjectType objectType, List <PermissionType> permissions) { Dictionary <Guid, List <PermissionType> > ret = new Dictionary <Guid, List <PermissionType> >(); PublicMethods.split_list <Guid>(objectIds, 200, ids => { DataProvider.CheckAccess(applicationId, userId, ids, objectType, permissions) .ToList().ForEach(x => ret.Add(x.Key, x.Value)); }); return(ret); }
protected bool check_object_type(List <Guid> objectIds, PrivacyObjectType objectType) { switch (objectType) { case PrivacyObjectType.None: case PrivacyObjectType.Node: case PrivacyObjectType.NodeType: { if (objectIds.Count != 1) { return(false); } bool isNodeType = objectType != PrivacyObjectType.Node && CNController.is_node_type(paramsContainer.Tenant.Id, objectIds).Count == objectIds.Count; bool isNode = !isNodeType && objectType != PrivacyObjectType.NodeType && CNController.is_node(paramsContainer.Tenant.Id, objectIds).Count == objectIds.Count; if (!isNodeType && !isNode) { return(false); } bool accessPermission = AuthorizationManager.has_right(AccessRoleName.ManageOntology, paramsContainer.CurrentUserID); if (!accessPermission) { accessPermission = CNController.is_service_admin(paramsContainer.Tenant.Id, objectIds[0], paramsContainer.CurrentUserID.Value); } if (!accessPermission && isNode) { accessPermission = CNController.is_node_admin(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID.Value, objectIds[0], null, null, null) || PrivacyController.check_access(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID, objectIds[0], PrivacyObjectType.Node, PermissionType.Modify); } return(accessPermission); } case PrivacyObjectType.FAQCategory: return(QAController.is_faq_category(paramsContainer.Tenant.Id, objectIds).Count == objectIds.Count && (AuthorizationManager.has_right(AccessRoleName.ManageQA, paramsContainer.CurrentUserID) || QAController.is_workflow_admin(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID.Value, null))); case PrivacyObjectType.QAWorkFlow: return(QAController.is_workflow(paramsContainer.Tenant.Id, objectIds).Count == objectIds.Count && AuthorizationManager.has_right(AccessRoleName.ManageQA, paramsContainer.CurrentUserID)); case PrivacyObjectType.Poll: return(FGController.is_poll(paramsContainer.Tenant.Id, objectIds).Count == objectIds.Count && AuthorizationManager.has_right(AccessRoleName.ManagePolls, paramsContainer.CurrentUserID)); case PrivacyObjectType.Report: return(!objectIds.Any(u => !ReportUtilities.ReportIDs.Any(x => x.Value == u)) && PublicMethods.is_system_admin(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID.Value)); case PrivacyObjectType.FormElement: return(FGController.is_form_element(paramsContainer.Tenant.Id, objectIds).Count == objectIds.Count && AuthorizationManager.has_right(AccessRoleName.ManageForms, paramsContainer.CurrentUserID)); } return(false); }
public void ProcessRequest(HttpContext context) { paramsContainer = new ParamsContainer(context, nullTenantResponse: true); if (!paramsContainer.ApplicationID.HasValue) { return; } string responseText = string.Empty; string command = PublicMethods.parse_string(context.Request.Params["Command"], false); switch (command) { case "CheckAuthority": check_authority(ListMaker.get_string_items(context.Request.Params["Permissions"], '|'), ref responseText); _return_response(ref responseText); return; case "CheckAccess": { PrivacyObjectType pType = PrivacyObjectType.None; if (!Enum.TryParse <PrivacyObjectType>(context.Request.Params["Type"], out pType)) { pType = PrivacyObjectType.None; } List <PermissionType> permissions = new List <PermissionType>(); check_access(ListMaker.get_guid_items(context.Request.Params["ObjectIDs"], '|'), pType, ListMaker.get_enum_items <PermissionType>(context.Request.Params["Permissions"], '|') .Where(p => p != PermissionType.None).ToList(), ref responseText); _return_response(ref responseText); } return; case "SetAudience": { PrivacyObjectType objectType = PrivacyObjectType.None; if (!Enum.TryParse(context.Request.Params["ObjectType"], out objectType)) { objectType = PrivacyObjectType.None; } Dictionary <string, object> data = PublicMethods.fromJSON(PublicMethods.parse_string(context.Request.Params["Data"])); List <Privacy> items = new List <Privacy>(); foreach (string k in data.Keys) { Guid objId = Guid.Empty; if (!Guid.TryParse(k, out objId) || data[k].GetType() != typeof(Dictionary <string, object>)) { continue; } Privacy p = Privacy.fromJson((Dictionary <string, object>)data[k]); if (p != null) { p.ObjectID = objId; items.Add(p); } } set_audience(items, objectType, ref responseText); _return_response(ref responseText); return; } case "GetAudience": { PrivacyObjectType objectType = PrivacyObjectType.None; if (!Enum.TryParse(context.Request.Params["ObjectType"], out objectType)) { objectType = PrivacyObjectType.None; } get_audience(ListMaker.get_guid_items(context.Request.Params["ObjectIDs"], '|'), objectType, ref responseText); _return_response(ref responseText); return; } case "AddConfidentialityLevel": add_confidentiality_level(PublicMethods.parse_int(context.Request.Params["LevelID"]), PublicMethods.parse_string(context.Request.Params["Title"]), ref responseText); _return_response(ref responseText); return; case "ModifyConfidentialityLevel": modify_confidentiality_level(PublicMethods.parse_guid(context.Request.Params["ConfidentialityID"]), PublicMethods.parse_int(context.Request.Params["LevelID"]), PublicMethods.parse_string(context.Request.Params["Title"]), ref responseText); _return_response(ref responseText); return; case "RemoveConfidentialityLevel": remove_confidentiality_level(PublicMethods.parse_guid(context.Request.Params["ConfidentialityID"]), ref responseText); _return_response(ref responseText); return; case "GetConfidentialityLevels": get_confidentiality_levels(ref responseText); _return_response(ref responseText); return; case "SetConfidentialityLevel": set_confidentiality_level(PublicMethods.parse_guid(context.Request.Params["ObjectID"]), PublicMethods.parse_guid(context.Request.Params["ConfidentialityID"]), ref responseText); _return_response(ref responseText); return; case "UnsetConfidentialityLevel": unset_confidentiality_level(PublicMethods.parse_guid(context.Request.Params["ObjectID"]), ref responseText); _return_response(ref responseText); return; case "GetConfidentialityLevel": get_confidentiality_level(PublicMethods.parse_guid(context.Request.Params["ObjectID"]), ref responseText); _return_response(ref responseText); return; case "GetConfidentialityLevelUsers": get_confidentiality_level_users(PublicMethods.parse_guid(context.Request.Params["ConfidentialityID"]), PublicMethods.parse_string(context.Request.Params["SearchText"]), PublicMethods.parse_int(context.Request.Params["Count"]), PublicMethods.parse_long(context.Request.Params["LowerBoundary"]), ref responseText); _return_response(ref responseText); return; } paramsContainer.return_response(PublicConsts.BadRequestResponse); }
public void ProcessRequest(HttpContext context) { //Privacy Check: OK paramsContainer = new ParamsContainer(context, nullTenantResponse: true); if (!paramsContainer.ApplicationID.HasValue) { return; } string responseText = string.Empty; string command = PublicMethods.parse_string(context.Request.Params["Command"], false); if (string.IsNullOrEmpty(command)) { return; } Guid currentUserId = paramsContainer.CurrentUserID.HasValue ? paramsContainer.CurrentUserID.Value : Guid.Empty; Guid fileId = string.IsNullOrEmpty(context.Request.Params["FileID"]) ? Guid.Empty : Guid.Parse(context.Request.Params["FileID"]); DocFileInfo file = DocumentsController.get_file(paramsContainer.Tenant.Id, fileId); if (file == null) { paramsContainer.return_response(PublicConsts.BadRequestResponse); return; } bool isTemporary = PublicMethods.parse_string(HttpContext.Current.Request.Params["Category"], false).ToLower() == "temporary"; bool hasAccess = isTemporary || PublicMethods.is_system_admin(paramsContainer.Tenant.Id, currentUserId); PrivacyObjectType pot = file.OwnerType == FileOwnerTypes.Node ? PrivacyObjectType.Node : PrivacyObjectType.None; hasAccess = hasAccess || PrivacyController.check_access(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID, file.OwnerID.Value, pot, PermissionType.View); if (!hasAccess && currentUserId != Guid.Empty && CNController.is_node(paramsContainer.Tenant.Id, file.OwnerID.Value)) { bool isCreator = false, isContributor = false, isExpert = false, isMember = false, isAdminMember = false, isServiceAdmin = false, isAreaAdmin = false, perCreatorLevel = false; CNController.get_user2node_status(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID.Value, file.OwnerID.Value, ref isCreator, ref isContributor, ref isExpert, ref isMember, ref isAdminMember, ref isServiceAdmin, ref isAreaAdmin, ref perCreatorLevel); hasAccess = isServiceAdmin || isAreaAdmin || isCreator || isContributor || isExpert || isMember; } if (!hasAccess) { paramsContainer.return_response("{\"ErrorText\":\"" + Messages.AccessDenied.ToString() + "\"}"); } if (isTemporary) { file.FolderName = FolderNames.TemporaryFiles; } else { file.refresh_folder_name(); } if (!file.exists(paramsContainer.Tenant.Id)) { _return_response(ref responseText); } DocFileInfo destFile = new DocFileInfo() { FileID = file.FileID, FolderName = FolderNames.PDFImages }; switch (command) { case "Convert2Image": convert2image(file, PublicMethods.parse_string(context.Request.Params["PS"]), destFile, PublicMethods.parse_bool(context.Request.Params["Repair"]), ref responseText); _return_response(ref responseText); return; case "GetPagesCount": get_pages_count(file, PublicMethods.parse_string(context.Request.Params["PS"]), destFile, ref responseText); _return_response(ref responseText); return; case "GetPage": get_page(PublicMethods.parse_int(context.Request.Params["Page"], 1), destFile); return; } paramsContainer.return_response(PublicConsts.BadRequestResponse); }
public void ProcessRequest(HttpContext context) { //Privacy Check: OK paramsContainer = new ParamsContainer(context, nullTenantResponse: false); Guid fileId = string.IsNullOrEmpty(context.Request.Params["FileID"]) ? Guid.Empty : Guid.Parse(context.Request.Params["FileID"]); if (fileId == Guid.Empty && !Guid.TryParse(context.Request.Params["ATTFID"], out fileId)) { fileId = Guid.Empty; } string category = PublicMethods.parse_string(context.Request.Params["Category"], false); bool isTemporary = category.ToLower() == FolderNames.TemporaryFiles.ToString().ToLower(); bool? addFooter = PublicMethods.parse_bool(context.Request.Params["Meta"]); Guid? coverId = PublicMethods.parse_guid(context.Request.Params["CoverID"]); string pdfPassword = PublicMethods.parse_string(context.Request.Params["PS"]); List <FolderNames> freeFolders = new[] { FolderNames.ProfileImages, FolderNames.HighQualityProfileImage, FolderNames.CoverPhoto, FolderNames.HighQualityCoverPhoto, FolderNames.Icons, FolderNames.HighQualityIcon, FolderNames.ApplicationIcons, FolderNames.HighQualityApplicationIcon, FolderNames.Pictures }.ToList(); bool isFreeFolder = !string.IsNullOrEmpty(category) && freeFolders.Any(f => f.ToString().ToLower() == category.ToLower()); if (isFreeFolder) { FolderNames fn = freeFolders.Where(u => u.ToString().ToLower() == category.ToLower()).FirstOrDefault(); DocFileInfo pic = new DocFileInfo() { FileID = fileId, Extension = "jpg", FileName = fileId.ToString(), FolderName = fn }; send_file(pic, false); } if (!paramsContainer.ApplicationID.HasValue) { paramsContainer.return_response(PublicConsts.NullTenantResponse); return; } if (isTemporary) { string ext = PublicMethods.parse_string(context.Request.Params["Extension"]); DocFileInfo temp = new DocFileInfo() { FileID = fileId, Extension = ext, FileName = fileId.ToString(), FolderName = FolderNames.TemporaryFiles }; send_file(temp, false); } else { DocFileInfo AttachFile = DocumentsController.get_file(paramsContainer.Tenant.Id, fileId); if (AttachFile == null) { paramsContainer.return_response("{\"ErrorText\":\"" + Messages.AccessDenied + "\"}"); return; } PrivacyObjectType pot = AttachFile.OwnerType == FileOwnerTypes.Node ? PrivacyObjectType.Node : PrivacyObjectType.None; DocFileInfo ownerNode = !AttachFile.FileID.HasValue ? null : DocumentsController.get_file_owner_node(paramsContainer.Tenant.Id, AttachFile.FileID.Value); if (ownerNode != null) { AttachFile.OwnerNodeID = ownerNode.OwnerNodeID; AttachFile.OwnerNodeName = ownerNode.OwnerNodeName; AttachFile.OwnerNodeType = ownerNode.OwnerNodeType; } bool accessDenied = !PrivacyController.check_access(paramsContainer.Tenant.Id, paramsContainer.CurrentUserID, AttachFile.OwnerID.Value, pot, PermissionType.View) && !( paramsContainer.CurrentUserID.HasValue && new CNAPI() { paramsContainer = this.paramsContainer } ._is_admin(paramsContainer.Tenant.Id, AttachFile.OwnerID.Value, paramsContainer.CurrentUserID.Value, CNAPI.AdminLevel.Creator, false) ); if (accessDenied) { //Save Log try { LogController.save_log(paramsContainer.Tenant.Id, new Log() { UserID = paramsContainer.CurrentUserID, HostAddress = PublicMethods.get_client_ip(HttpContext.Current), HostName = PublicMethods.get_client_host_name(HttpContext.Current), Action = Modules.Log.Action.Download_AccessDenied, SubjectID = fileId, Info = "{\"Error\":\"" + Base64.encode(Messages.AccessDenied.ToString()) + "\"}", ModuleIdentifier = ModuleIdentifier.DCT }); } catch { } //end of Save Log paramsContainer.return_response("{\"ErrorText\":\"" + Messages.AccessDenied + "\"}"); return; } AttachFile.refresh_folder_name(); string ext = AttachFile == null || string.IsNullOrEmpty(AttachFile.Extension) ? string.Empty : AttachFile.Extension.ToLower(); bool isImage = ext == "jpg" || ext == "jpeg" || ext == "png" || ext == "gif" || ext == "bmp"; if (string.IsNullOrEmpty(AttachFile.Extension) || AttachFile.Extension.ToLower() != "pdf") { coverId = null; } bool dl = !isImage || PublicMethods.parse_bool(context.Request.Params["dl"], defaultValue: true) == true; string contentType = !dl && isImage?PublicMethods.get_mime_type_by_extension(ext) : null; send_file(AttachFile, !isImage, addPDFCover: true, addPDFFooter: addFooter.HasValue && addFooter.Value, coverId: coverId, pdfPassword: pdfPassword, contentType: contentType, isAttachment: dl); } }
public static Dictionary <Guid, List <PermissionType> > CheckAccess(Guid applicationId, Guid?userId, List <Guid> objectIds, PrivacyObjectType objectType, List <PermissionType> permissions) { if (!userId.HasValue) { userId = Guid.NewGuid(); } if (objectIds.Count == 0) { return(new Dictionary <Guid, List <PermissionType> >()); } if (permissions.Count == 0) { foreach (string s in Enum.GetNames(typeof(PermissionType))) { PermissionType pt = PermissionType.None; if (Enum.TryParse <PermissionType>(s, out pt) && pt != PermissionType.None) { permissions.Add(pt); } } } SqlConnection con = new SqlConnection(ProviderUtil.ConnectionString); SqlCommand cmd = new SqlCommand(); cmd.Connection = con; //Add ObjectIDs DataTable objectIdsTable = new DataTable(); objectIdsTable.Columns.Add("Value", typeof(Guid)); foreach (Guid id in objectIds) { objectIdsTable.Rows.Add(id); } SqlParameter objectIdsParam = new SqlParameter("@ObjectIDs", SqlDbType.Structured); objectIdsParam.TypeName = "[dbo].[GuidTableType]"; objectIdsParam.Value = objectIdsTable; //end of Add ObjectIDs //Add Permissions DataTable permissionsTable = new DataTable(); permissionsTable.Columns.Add("GuidValue", typeof(string)); permissionsTable.Columns.Add("FirstValue", typeof(string)); foreach (PermissionType p in permissions) { if (p == PermissionType.None) { continue; } List <PermissionType> defaultItems = new List <PermissionType>() { PermissionType.Create, PermissionType.View, PermissionType.ViewAbstract, PermissionType.ViewRelatedItems, PermissionType.Download }; string defaultPrivacy = defaultItems.Any(d => d == p) ? RaaiVanSettings.DefaultPrivacy(applicationId) : string.Empty; permissionsTable.Rows.Add(p.ToString(), defaultPrivacy); } SqlParameter permissionsParam = new SqlParameter("@Permissions", SqlDbType.Structured); permissionsParam.TypeName = "[dbo].[StringPairTableType]"; permissionsParam.Value = permissionsTable; //end of Add Permissions cmd.Parameters.AddWithValue("@ApplicationID", applicationId); cmd.Parameters.AddWithValue("@UserID", userId); if (objectType != PrivacyObjectType.None) { cmd.Parameters.AddWithValue("@ObjectType", objectType.ToString()); } cmd.Parameters.Add(objectIdsParam); cmd.Parameters.Add(permissionsParam); cmd.Parameters.AddWithValue("@Now", DateTime.Now); string spName = GetFullyQualifiedName("CheckAccess"); string sep = ", "; string arguments = "@ApplicationID" + sep + "@UserID" + sep + (objectType == PrivacyObjectType.None ? "null" : "@ObjectType") + sep + "@ObjectIDs" + sep + "@Permissions" + sep + "@Now"; cmd.CommandText = ("EXEC" + " " + spName + " " + arguments); con.Open(); try { IDataReader reader = (IDataReader)cmd.ExecuteReader(); return(_parse_access_checked_items(ref reader)); } catch (Exception ex) { LogController.save_error_log(applicationId, null, spName, ex, ModuleIdentifier.PRVC); return(new Dictionary <Guid, List <PermissionType> >()); } finally { con.Close(); } }