/// <summary> /// Checks a single StoreFront permission for the specified user. /// </summary> /// <param name="storeFront"></param> /// <param name="userProfile"></param> /// <param name="action"></param> /// <returns></returns> public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, Identity.GStoreAction action) { if (userProfile == null) { return false; } if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin()) { return true; } if (storeFront == null) { return false; } return CheckSinglePermission(userProfile, storeFront, action); }
/// <summary> /// Checks multiple StoreFront permissions for the specified user /// </summary> /// <param name="storeFront"></param> /// <param name="userProfile"></param> /// <param name="allowAnyMatch">If allowAnyMatch is true, this is an OR test for each option. If allowAnyMatch = false, this is an AND test for all options</param> /// <param name="actions"></param> /// <returns></returns> public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, bool allowAnyMatch, params Identity.GStoreAction[] actions) { if (actions == null || actions.Count() == 0) { throw new ApplicationException("Authorization_IsAuthorized: no GStoreActions specified. You must call Authorization_IsAuthorized with one or more GStoreActions"); } if (userProfile == null) { return false; } if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin()) { return true; } if (storeFront == null) { return false; } foreach (GStoreAction action in actions) { bool result = CheckSinglePermission(userProfile, storeFront, action); if (allowAnyMatch && result) { //OR test, if one is true, return true return true; } if (!allowAnyMatch && result == false) { //AND result, one is false, return false return false; } } if (allowAnyMatch) { //OR result, nothing matched return false; } else { //AND result, all matched return true; } }
/// <summary> /// Checks multiple StoreFront permissions for the specified user /// </summary> /// <param name="storeFront"></param> /// <param name="userProfile"></param> /// <param name="allowAnyMatch">If allowAnyMatch is true, this is an OR test for each option. If allowAnyMatch = false, this is an AND test for all options</param> /// <param name="actions"></param> /// <returns></returns> public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, bool allowAnyMatch, params Identity.GStoreAction[] actions) { if (actions == null || actions.Count() == 0) { throw new ApplicationException("Authorization_IsAuthorized: no GStoreActions specified. You must call Authorization_IsAuthorized with one or more GStoreActions"); } if (userProfile == null) { return(false); } if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin()) { return(true); } if (storeFront == null) { return(false); } foreach (GStoreAction action in actions) { bool result = CheckSinglePermission(userProfile, storeFront, action); if (allowAnyMatch && result) { //OR test, if one is true, return true return(true); } if (!allowAnyMatch && result == false) { //AND result, one is false, return false return(false); } } if (allowAnyMatch) { //OR result, nothing matched return(false); } else { //AND result, all matched return(true); } }
/// <summary> /// Checks a single StoreFront permission for the specified user. /// </summary> /// <param name="storeFront"></param> /// <param name="userProfile"></param> /// <param name="action"></param> /// <returns></returns> public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, Identity.GStoreAction action) { if (userProfile == null) { return(false); } if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin()) { return(true); } if (storeFront == null) { return(false); } return(CheckSinglePermission(userProfile, storeFront, action)); }
protected override sealed void HandleUnknownAction(string actionName) { if (!User.IsRegistered()) { this.ExecuteBounceToLoginNoAccess("You must log in to view this page", this.TempData); return; } //perform redirect if not authorized for system admin UserProfile profile = CurrentUserProfileOrNull; if (profile == null) { this.ExecuteBounceToLoginNoAccess("You must log in with an active account to view this page", this.TempData); return; } if (!profile.AspNetIdentityUserIsInRoleSystemAdmin()) { this.ExecuteBounceToLoginNoAccess("You must log in with an account that has permission to view this page", this.TempData); return; } base.HandleUnknownAction(actionName); }
public AdminMenuViewModel(StoreFront storeFront, UserProfile userProfile, string currentArea) { this.UserProfile = userProfile; if (currentArea.ToLower() != "blogadmin") { this.ShowBlogAdminLink = storeFront.ShowBlogAdminLink(userProfile); } if (currentArea.ToLower() != "catalogadmin") { this.ShowCatalogAdminLink = storeFront.ShowCatalogAdminLink(userProfile); } if (currentArea.ToLower() != "orderadmin") { this.ShowOrderAdminLink = storeFront.ShowOrderAdminLink(userProfile); } if (currentArea.ToLower() != "storeadmin") { this.ShowStoreAdminLink = storeFront.ShowStoreAdminLink(userProfile); } if (currentArea.ToLower() != "systemadmin") { this.ShowSystemAdminLink = userProfile.AspNetIdentityUserIsInRoleSystemAdmin(); } }
/// <summary> /// Checks if user is allowed to log in. Mostly for inactive storefront bounce after login /// </summary> /// <param name="profile"></param> /// <returns></returns> protected bool PostLoginAuthCheck(UserProfile profile) { if (profile == null) { throw new ArgumentNullException("profile"); } if (profile.AspNetIdentityUserIsInRoleSystemAdmin()) { return(true); } StoreFront currentStoreFront = CurrentStoreFrontOrNull; if (currentStoreFront != null) { return(true); } //storefront is null. Inactive StoreFront record (nobody but sys admin can log in) or Config inactive (only storeadmins can log in) StoreFrontConfiguration testSFConfig = null; try { testSFConfig = GStoreDb.GetCurrentStoreFrontConfig(Request, false, true); } catch (Exception) { } if (testSFConfig == null) { //store front not found (no matching bindings or other reason) AuthenticationManager.SignOut(); GStoreDb.LogSecurityEvent_LoginFailedNoStoreFront(this.HttpContext, this.RouteData, profile, this); AddUserMessage("Login Error", "This Store Front is not activated. Login is limited to System Admins only.", UserMessageType.Danger); return(false); } int storeFrontId = testSFConfig.StoreFrontId; if (!testSFConfig.IsActiveBubble()) { //store front inactive (no matching bindings or other reason) AuthenticationManager.SignOut(); string inactiveStoreFrontName = testSFConfig.Name; GStoreDb.LogSecurityEvent_LoginFailedStoreFrontInactive(this.HttpContext, this.RouteData, inactiveStoreFrontName, storeFrontId, profile, this); AddUserMessage("Login Error", "This Store Front is inactive. Login is limited to System Admins only.", UserMessageType.Danger); return(false); } if (testSFConfig == null) { //no config found; only users with store admin access can log in if (testSFConfig.StoreFront.Authorization_IsAuthorized(profile, GStoreAction.Admin_StoreAdminArea)) { return(true); } AuthenticationManager.SignOut(); GStoreDb.LogSecurityEvent_LoginFailedNoStoreFrontConfig(this.HttpContext, this.RouteData, storeFrontId, profile, this); AddUserMessage("Login Error", "This Store Front Configuration is not activated. Login is limited to Site Administrators only.", UserMessageType.Danger); return(false); } if (!testSFConfig.IsActiveBubble()) { //all configs are inactive //no config found; only users with store admin access can log in if (testSFConfig.StoreFront.Authorization_IsAuthorized(profile, GStoreAction.Admin_StoreAdminArea)) { return(true); } AuthenticationManager.SignOut(); string storeFrontName = testSFConfig.Name; string configName = testSFConfig.ConfigurationName; int configurationId = testSFConfig.StoreFrontConfigurationId; GStoreDb.LogSecurityEvent_LoginFailedStoreFrontConfigInactive(this.HttpContext, this.RouteData, storeFrontName, storeFrontId, configName, configurationId, profile, this); AddUserMessage("Login Error", "This Store Front Configuration is inactive. Login is limited to Site Administrators only.", UserMessageType.Danger); return(false); } return(true); }
public ActionResult ViewOrder(string id, string email) { if (string.IsNullOrEmpty(id) || id == "0") { GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Bad Url - no order id", false); return(HttpBadRequest("Order ID cannot be null or zero")); } UserProfile profile = CurrentUserProfileOrNull; Order order = null; if (profile == null) { if (string.IsNullOrWhiteSpace(email)) { GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Bad Url - no email", false); return(HttpBadRequest("No Email specified")); } order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id && o.Email.ToLower() == email.ToLower()).SingleOrDefault(); if (order == null) { GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, id, false, orderNumber: id); return(HttpNotFound("Order not found. Order Id: " + id + " Email: " + email)); } } else { if (profile.AspNetIdentityUserIsInRoleSystemAdmin()) { order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id).SingleOrDefault(); if (order == null) { GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, "SysAdmin Order id: " + id, false, orderNumber: id); return(HttpNotFound("SysAdmin Order not found. Order Id: " + id)); } } else if (CurrentStoreFrontConfigOrThrow.OrderAdmin_UserProfileId == profile.UserProfileId) { order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id).SingleOrDefault(); if (order == null) { GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, "Order Admin Order id: " + id, false, orderNumber: id); return(HttpNotFound("Order Admin Order not found. Order Id: " + id)); } } else { order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id && o.UserProfileId == profile.UserProfileId).SingleOrDefault(); if (order == null) { GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, id, false, orderNumber: id); return(HttpNotFound("Order not found. Order Id: " + id + " User Profile Id: " + profile.UserProfileId)); } } } if (order.UserProfile != null) { if (CurrentUserProfileOrNull == null) { GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Not logged in", false, orderNumber: id); AddUserMessage("Login Required", "You must log in to view your order.", GStoreData.AppHtmlHelpers.UserMessageType.Info); return(RedirectToAction("Login", "Account", new { returnUrl = Request.RawUrl })); } else if (CurrentUserProfileOrThrow.UserProfileId != order.UserProfileId) { //order is for another user, ask for login GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Order is for another user", false, orderNumber: id); AddUserMessage("Login Required", "This order was placed by another user. Please log in to view.", GStoreData.AppHtmlHelpers.UserMessageType.Info); return(RedirectToAction("Login", "Account", new { returnUrl = Request.RawUrl })); } } GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, id, true, orderNumber: id); return(View("View", order)); }
public ActionResult Create(NotificationCreateViewModel data) { Order order = null; if (data.OrderId.HasValue) { //verify user has access to the order StoreFrontConfiguration storeFrontConfig = CurrentStoreFrontConfigOrThrow; StoreFront storeFront = storeFrontConfig.StoreFront; UserProfile profile = CurrentUserProfileOrNull; string trimmedEmail = (string.IsNullOrWhiteSpace(data.OrderEmail) ? "" : data.OrderEmail.Trim().ToLower()); if (profile == null) { order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value && o.Email.ToLower() == trimmedEmail && o.UserProfileId == null); if (order == null) { return(HttpBadRequest("Anonymous order not found or not authorized for order id " + data.OrderId.Value + " with email: " + data.OrderEmail)); } } else { if (profile.AspNetIdentityUserIsInRoleSystemAdmin()) { order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value); if (order == null) { return(HttpBadRequest("Sys Admin order not found order id " + data.OrderId.Value)); } } else if (storeFrontConfig.OrderAdmin_UserProfileId == profile.UserProfileId) { order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value); if (order == null) { return(HttpBadRequest("Order Admin order not found order id " + data.OrderId.Value)); } } else { order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value && o.UserProfileId == profile.UserProfileId); if (order == null) { return(HttpBadRequest("Logged in order not found or no access order id " + data.OrderId.Value)); } } } } UserProfile target = GStoreDb.UserProfiles.SingleOrDefault(prof => prof.UserProfileId == data.ToUserProfileId); if (target == null) { ModelState.AddModelError("", "Target recipient is not found. Please email the system administrator if you think this is an error."); } if (!User.IsInRole("SystemAdmin")) { if (!target.AllowUsersToSendSiteMessages) { ModelState.AddModelError("", "You are not authorized to send a message to the selected user. Please email the system administrator if you think this is an error."); } } if (!ModelState.IsValid) { ViewBag.Importance = ImportanceItems(); ViewBag.ToUserProfileId = AllowedToProfiles(); data.UpdateOrder(order); return(View(data)); } Notification notification = GStoreDb.Notifications.Create(); UserProfile sender = CurrentUserProfileOrThrow; notification.FromUserProfileId = sender.UserProfileId; notification.From = sender.FullName; notification.To = target.FullName; notification.Subject = data.Subject; notification.ToUserProfileId = data.ToUserProfileId; notification.Importance = data.Importance; notification.Message = data.Message; notification.UrlHost = Request.Url.Host; notification.Client = CurrentClientOrThrow; notification.StoreFront = CurrentStoreFrontOrThrow; notification.OrderId = data.OrderId; if (!Request.Url.IsDefaultPort) { notification.UrlHost += ":" + Request.Url.Port; } notification.BaseUrl = Url.Action("Details", "Notifications", new { id = "" }); List <NotificationLink> linkCollection = new List <NotificationLink>(); if (!string.IsNullOrWhiteSpace(data.Link1Url)) { if (string.IsNullOrWhiteSpace(data.Link1Text)) { data.Link1Text = data.Link1Url; } NotificationLink newLink1 = GStoreDb.NotificationLinks.Create(); newLink1.SetDefaultsForNew(notification); newLink1.Order = 1; newLink1.LinkText = data.Link1Text; newLink1.Url = data.Link1Url; if (data.Link1Url.StartsWith("/") || data.Link1Url.StartsWith("~/")) { newLink1.IsExternal = false; } else { newLink1.IsExternal = true; } linkCollection.Add(newLink1); } if (!string.IsNullOrWhiteSpace(data.Link2Url)) { if (string.IsNullOrWhiteSpace(data.Link2Text)) { data.Link2Text = data.Link2Url; } NotificationLink newLink2 = GStoreDb.NotificationLinks.Create(); newLink2.SetDefaultsForNew(notification); newLink2.Order = 2; newLink2.LinkText = data.Link2Text; newLink2.Url = data.Link2Url; if (data.Link2Url.StartsWith("/") || data.Link2Url.StartsWith("~/")) { newLink2.IsExternal = false; } else { newLink2.IsExternal = true; } linkCollection.Add(newLink2); } if (!string.IsNullOrWhiteSpace(data.Link3Url)) { if (string.IsNullOrWhiteSpace(data.Link3Text)) { data.Link3Text = data.Link3Url; } NotificationLink newLink3 = GStoreDb.NotificationLinks.Create(); newLink3.SetDefaultsForNew(notification); newLink3.Order = 3; newLink3.LinkText = data.Link3Text; newLink3.Url = data.Link3Url; if (data.Link3Url.StartsWith("/") || data.Link3Url.StartsWith("~/")) { newLink3.IsExternal = false; } else { newLink3.IsExternal = true; } linkCollection.Add(newLink3); } if (!string.IsNullOrWhiteSpace(data.Link4Url)) { if (string.IsNullOrWhiteSpace(data.Link4Text)) { data.Link4Text = data.Link4Url; } NotificationLink newLink4 = GStoreDb.NotificationLinks.Create(); newLink4.SetDefaultsForNew(notification); newLink4.Order = 4; newLink4.LinkText = data.Link4Text; newLink4.Url = data.Link4Url; if (data.Link4Url.StartsWith("/") || data.Link4Url.StartsWith("~/")) { newLink4.IsExternal = false; } else { newLink4.IsExternal = true; } linkCollection.Add(newLink4); } if (linkCollection.Count != 0) { notification.NotificationLinks = linkCollection; } notification.IsPending = false; notification.StartDateTimeUtc = DateTime.UtcNow; notification.EndDateTimeUtc = DateTime.UtcNow; GStoreDb.Notifications.Add(notification); GStoreDb.SaveChanges(); AddUserMessage("Message sent!", "Message sent to " + notification.To.ToHtml(), UserMessageType.Success); return(RedirectToAction("Index")); }
// GET: Notifications/Create public ActionResult Create(string orderNumber, string orderEmail) { NotificationCreateViewModel viewModel = new NotificationCreateViewModel(); if (!string.IsNullOrWhiteSpace(orderNumber)) { //verify user has access to the order StoreFrontConfiguration storeFrontConfig = CurrentStoreFrontConfigOrThrow; StoreFront storeFront = storeFrontConfig.StoreFront; UserProfile profile = CurrentUserProfileOrNull; string trimmedOrderNumber = orderNumber.Trim().ToLower(); string trimmedEmail = orderEmail.Trim().ToLower(); Order order = null; if (profile == null) { order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber && o.Email.ToLower() == trimmedEmail && o.UserProfileId == null); if (order == null) { return(HttpBadRequest("Anonymous order not found or not authorized for order #" + orderNumber + " with email: " + orderEmail)); } } else { if (profile.AspNetIdentityUserIsInRoleSystemAdmin()) { order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber); if (order == null) { return(HttpBadRequest("Sys Admin order not found order #" + orderNumber)); } } else if (storeFrontConfig.OrderAdmin_UserProfileId == profile.UserProfileId) { order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber); if (order == null) { return(HttpBadRequest("Order Admin order not found order id " + orderNumber)); } } else { order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber && o.UserProfileId == profile.UserProfileId); if (order == null) { return(HttpBadRequest("Logged in order not found or no access order #" + orderNumber)); } } } if (order != null) { viewModel.UpdateOrder(order); viewModel.OrderEmail = trimmedEmail; viewModel.Subject = "Question about order " + order.OrderNumber + " placed " + order.CreateDateTimeUtc.ToUserDateTimeString(profile, storeFrontConfig, storeFront.Client); } } ViewBag.Importance = ImportanceItems(); ViewBag.ToUserProfileId = AllowedToProfiles(); return(View(viewModel)); }