/// <summary>
/// Checks a single StoreFront permission for the specified user.
/// </summary>
/// <param name="storeFront"></param>
/// <param name="userProfile"></param>
/// <param name="action"></param>
/// <returns></returns>
public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, Identity.GStoreAction action)
{
if (userProfile == null)
{
return false;
}
if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin())
{
return true;
}
if (storeFront == null)
{
return false;
}
return CheckSinglePermission(userProfile, storeFront, action);
}
/// <summary>
/// Checks multiple StoreFront permissions for the specified user
/// </summary>
/// <param name="storeFront"></param>
/// <param name="userProfile"></param>
/// <param name="allowAnyMatch">If allowAnyMatch is true, this is an OR test for each option. If allowAnyMatch = false, this is an AND test for all options</param>
/// <param name="actions"></param>
/// <returns></returns>
public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, bool allowAnyMatch, params Identity.GStoreAction[] actions)
{
if (actions == null || actions.Count() == 0)
{
throw new ApplicationException("Authorization_IsAuthorized: no GStoreActions specified. You must call Authorization_IsAuthorized with one or more GStoreActions");
}
if (userProfile == null)
{
return false;
}
if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin())
{
return true;
}
if (storeFront == null)
{
return false;
}
foreach (GStoreAction action in actions)
{
bool result = CheckSinglePermission(userProfile, storeFront, action);
if (allowAnyMatch && result)
{
//OR test, if one is true, return true
return true;
}
if (!allowAnyMatch && result == false)
{
//AND result, one is false, return false
return false;
}
}
if (allowAnyMatch)
{
//OR result, nothing matched
return false;
}
else
{
//AND result, all matched
return true;
}
}
/// <summary>
/// Checks multiple StoreFront permissions for the specified user
/// </summary>
/// <param name="storeFront"></param>
/// <param name="userProfile"></param>
/// <param name="allowAnyMatch">If allowAnyMatch is true, this is an OR test for each option. If allowAnyMatch = false, this is an AND test for all options</param>
/// <param name="actions"></param>
/// <returns></returns>
public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, bool allowAnyMatch, params Identity.GStoreAction[] actions)
{
if (actions == null || actions.Count() == 0)
{
throw new ApplicationException("Authorization_IsAuthorized: no GStoreActions specified. You must call Authorization_IsAuthorized with one or more GStoreActions");
}
if (userProfile == null)
{
return(false);
}
if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin())
{
return(true);
}
if (storeFront == null)
{
return(false);
}
foreach (GStoreAction action in actions)
{
bool result = CheckSinglePermission(userProfile, storeFront, action);
if (allowAnyMatch && result)
{
//OR test, if one is true, return true
return(true);
}
if (!allowAnyMatch && result == false)
{
//AND result, one is false, return false
return(false);
}
}
if (allowAnyMatch)
{
//OR result, nothing matched
return(false);
}
else
{
//AND result, all matched
return(true);
}
}
/// <summary>
/// Checks a single StoreFront permission for the specified user.
/// </summary>
/// <param name="storeFront"></param>
/// <param name="userProfile"></param>
/// <param name="action"></param>
/// <returns></returns>
public static bool Authorization_IsAuthorized(this StoreFront storeFront, UserProfile userProfile, Identity.GStoreAction action)
{
if (userProfile == null)
{
return(false);
}
if (userProfile.AspNetIdentityUserIsInRoleSystemAdmin())
{
return(true);
}
if (storeFront == null)
{
return(false);
}
return(CheckSinglePermission(userProfile, storeFront, action));
}
protected override sealed void HandleUnknownAction(string actionName)
{
if (!User.IsRegistered())
{
this.ExecuteBounceToLoginNoAccess("You must log in to view this page", this.TempData);
return;
}
//perform redirect if not authorized for system admin
UserProfile profile = CurrentUserProfileOrNull;
if (profile == null)
{
this.ExecuteBounceToLoginNoAccess("You must log in with an active account to view this page", this.TempData);
return;
}
if (!profile.AspNetIdentityUserIsInRoleSystemAdmin())
{
this.ExecuteBounceToLoginNoAccess("You must log in with an account that has permission to view this page", this.TempData);
return;
}
base.HandleUnknownAction(actionName);
}
public AdminMenuViewModel(StoreFront storeFront, UserProfile userProfile, string currentArea)
{
this.UserProfile = userProfile;
if (currentArea.ToLower() != "blogadmin")
{
this.ShowBlogAdminLink = storeFront.ShowBlogAdminLink(userProfile);
}
if (currentArea.ToLower() != "catalogadmin")
{
this.ShowCatalogAdminLink = storeFront.ShowCatalogAdminLink(userProfile);
}
if (currentArea.ToLower() != "orderadmin")
{
this.ShowOrderAdminLink = storeFront.ShowOrderAdminLink(userProfile);
}
if (currentArea.ToLower() != "storeadmin")
{
this.ShowStoreAdminLink = storeFront.ShowStoreAdminLink(userProfile);
}
if (currentArea.ToLower() != "systemadmin")
{
this.ShowSystemAdminLink = userProfile.AspNetIdentityUserIsInRoleSystemAdmin();
}
}
public AdminMenuViewModel(StoreFront storeFront, UserProfile userProfile, string currentArea)
{
this.UserProfile = userProfile;
if (currentArea.ToLower() != "blogadmin")
{
this.ShowBlogAdminLink = storeFront.ShowBlogAdminLink(userProfile);
}
if (currentArea.ToLower() != "catalogadmin")
{
this.ShowCatalogAdminLink = storeFront.ShowCatalogAdminLink(userProfile);
}
if (currentArea.ToLower() != "orderadmin")
{
this.ShowOrderAdminLink = storeFront.ShowOrderAdminLink(userProfile);
}
if (currentArea.ToLower() != "storeadmin")
{
this.ShowStoreAdminLink = storeFront.ShowStoreAdminLink(userProfile);
}
if (currentArea.ToLower() != "systemadmin")
{
this.ShowSystemAdminLink = userProfile.AspNetIdentityUserIsInRoleSystemAdmin();
}
}
/// <summary>
/// Checks if user is allowed to log in. Mostly for inactive storefront bounce after login
/// </summary>
/// <param name="profile"></param>
/// <returns></returns>
protected bool PostLoginAuthCheck(UserProfile profile)
{
if (profile == null)
{
throw new ArgumentNullException("profile");
}
if (profile.AspNetIdentityUserIsInRoleSystemAdmin())
{
return(true);
}
StoreFront currentStoreFront = CurrentStoreFrontOrNull;
if (currentStoreFront != null)
{
return(true);
}
//storefront is null. Inactive StoreFront record (nobody but sys admin can log in) or Config inactive (only storeadmins can log in)
StoreFrontConfiguration testSFConfig = null;
try
{
testSFConfig = GStoreDb.GetCurrentStoreFrontConfig(Request, false, true);
}
catch (Exception)
{
}
if (testSFConfig == null)
{
//store front not found (no matching bindings or other reason)
AuthenticationManager.SignOut();
GStoreDb.LogSecurityEvent_LoginFailedNoStoreFront(this.HttpContext, this.RouteData, profile, this);
AddUserMessage("Login Error", "This Store Front is not activated. Login is limited to System Admins only.", UserMessageType.Danger);
return(false);
}
int storeFrontId = testSFConfig.StoreFrontId;
if (!testSFConfig.IsActiveBubble())
{
//store front inactive (no matching bindings or other reason)
AuthenticationManager.SignOut();
string inactiveStoreFrontName = testSFConfig.Name;
GStoreDb.LogSecurityEvent_LoginFailedStoreFrontInactive(this.HttpContext, this.RouteData, inactiveStoreFrontName, storeFrontId, profile, this);
AddUserMessage("Login Error", "This Store Front is inactive. Login is limited to System Admins only.", UserMessageType.Danger);
return(false);
}
if (testSFConfig == null)
{
//no config found; only users with store admin access can log in
if (testSFConfig.StoreFront.Authorization_IsAuthorized(profile, GStoreAction.Admin_StoreAdminArea))
{
return(true);
}
AuthenticationManager.SignOut();
GStoreDb.LogSecurityEvent_LoginFailedNoStoreFrontConfig(this.HttpContext, this.RouteData, storeFrontId, profile, this);
AddUserMessage("Login Error", "This Store Front Configuration is not activated. Login is limited to Site Administrators only.", UserMessageType.Danger);
return(false);
}
if (!testSFConfig.IsActiveBubble())
{
//all configs are inactive
//no config found; only users with store admin access can log in
if (testSFConfig.StoreFront.Authorization_IsAuthorized(profile, GStoreAction.Admin_StoreAdminArea))
{
return(true);
}
AuthenticationManager.SignOut();
string storeFrontName = testSFConfig.Name;
string configName = testSFConfig.ConfigurationName;
int configurationId = testSFConfig.StoreFrontConfigurationId;
GStoreDb.LogSecurityEvent_LoginFailedStoreFrontConfigInactive(this.HttpContext, this.RouteData, storeFrontName, storeFrontId, configName, configurationId, profile, this);
AddUserMessage("Login Error", "This Store Front Configuration is inactive. Login is limited to Site Administrators only.", UserMessageType.Danger);
return(false);
}
return(true);
}
public ActionResult ViewOrder(string id, string email)
{
if (string.IsNullOrEmpty(id) || id == "0")
{
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Bad Url - no order id", false);
return(HttpBadRequest("Order ID cannot be null or zero"));
}
UserProfile profile = CurrentUserProfileOrNull;
Order order = null;
if (profile == null)
{
if (string.IsNullOrWhiteSpace(email))
{
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Bad Url - no email", false);
return(HttpBadRequest("No Email specified"));
}
order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id && o.Email.ToLower() == email.ToLower()).SingleOrDefault();
if (order == null)
{
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, id, false, orderNumber: id);
return(HttpNotFound("Order not found. Order Id: " + id + " Email: " + email));
}
}
else
{
if (profile.AspNetIdentityUserIsInRoleSystemAdmin())
{
order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id).SingleOrDefault();
if (order == null)
{
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, "SysAdmin Order id: " + id, false, orderNumber: id);
return(HttpNotFound("SysAdmin Order not found. Order Id: " + id));
}
}
else if (CurrentStoreFrontConfigOrThrow.OrderAdmin_UserProfileId == profile.UserProfileId)
{
order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id).SingleOrDefault();
if (order == null)
{
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, "Order Admin Order id: " + id, false, orderNumber: id);
return(HttpNotFound("Order Admin Order not found. Order Id: " + id));
}
}
else
{
order = CurrentStoreFrontOrThrow.Orders.Where(o => o.OrderNumber == id && o.UserProfileId == profile.UserProfileId).SingleOrDefault();
if (order == null)
{
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_NotFound, id, false, orderNumber: id);
return(HttpNotFound("Order not found. Order Id: " + id + " User Profile Id: " + profile.UserProfileId));
}
}
}
if (order.UserProfile != null)
{
if (CurrentUserProfileOrNull == null)
{
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Not logged in", false, orderNumber: id);
AddUserMessage("Login Required", "You must log in to view your order.", GStoreData.AppHtmlHelpers.UserMessageType.Info);
return(RedirectToAction("Login", "Account", new { returnUrl = Request.RawUrl }));
}
else if (CurrentUserProfileOrThrow.UserProfileId != order.UserProfileId)
{
//order is for another user, ask for login
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, "Order is for another user", false, orderNumber: id);
AddUserMessage("Login Required", "This order was placed by another user. Please log in to view.", GStoreData.AppHtmlHelpers.UserMessageType.Info);
return(RedirectToAction("Login", "Account", new { returnUrl = Request.RawUrl }));
}
}
GStoreDb.LogUserActionEvent(HttpContext, RouteData, this, UserActionCategoryEnum.Orders, UserActionActionEnum.Orders_View, id, true, orderNumber: id);
return(View("View", order));
}
public ActionResult Create(NotificationCreateViewModel data)
{
Order order = null;
if (data.OrderId.HasValue)
{
//verify user has access to the order
StoreFrontConfiguration storeFrontConfig = CurrentStoreFrontConfigOrThrow;
StoreFront storeFront = storeFrontConfig.StoreFront;
UserProfile profile = CurrentUserProfileOrNull;
string trimmedEmail = (string.IsNullOrWhiteSpace(data.OrderEmail) ? "" : data.OrderEmail.Trim().ToLower());
if (profile == null)
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value && o.Email.ToLower() == trimmedEmail && o.UserProfileId == null);
if (order == null)
{
return(HttpBadRequest("Anonymous order not found or not authorized for order id " + data.OrderId.Value + " with email: " + data.OrderEmail));
}
}
else
{
if (profile.AspNetIdentityUserIsInRoleSystemAdmin())
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value);
if (order == null)
{
return(HttpBadRequest("Sys Admin order not found order id " + data.OrderId.Value));
}
}
else if (storeFrontConfig.OrderAdmin_UserProfileId == profile.UserProfileId)
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value);
if (order == null)
{
return(HttpBadRequest("Order Admin order not found order id " + data.OrderId.Value));
}
}
else
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderId == data.OrderId.Value && o.UserProfileId == profile.UserProfileId);
if (order == null)
{
return(HttpBadRequest("Logged in order not found or no access order id " + data.OrderId.Value));
}
}
}
}
UserProfile target = GStoreDb.UserProfiles.SingleOrDefault(prof => prof.UserProfileId == data.ToUserProfileId);
if (target == null)
{
ModelState.AddModelError("", "Target recipient is not found. Please email the system administrator if you think this is an error.");
}
if (!User.IsInRole("SystemAdmin"))
{
if (!target.AllowUsersToSendSiteMessages)
{
ModelState.AddModelError("", "You are not authorized to send a message to the selected user. Please email the system administrator if you think this is an error.");
}
}
if (!ModelState.IsValid)
{
ViewBag.Importance = ImportanceItems();
ViewBag.ToUserProfileId = AllowedToProfiles();
data.UpdateOrder(order);
return(View(data));
}
Notification notification = GStoreDb.Notifications.Create();
UserProfile sender = CurrentUserProfileOrThrow;
notification.FromUserProfileId = sender.UserProfileId;
notification.From = sender.FullName;
notification.To = target.FullName;
notification.Subject = data.Subject;
notification.ToUserProfileId = data.ToUserProfileId;
notification.Importance = data.Importance;
notification.Message = data.Message;
notification.UrlHost = Request.Url.Host;
notification.Client = CurrentClientOrThrow;
notification.StoreFront = CurrentStoreFrontOrThrow;
notification.OrderId = data.OrderId;
if (!Request.Url.IsDefaultPort)
{
notification.UrlHost += ":" + Request.Url.Port;
}
notification.BaseUrl = Url.Action("Details", "Notifications", new { id = "" });
List <NotificationLink> linkCollection = new List <NotificationLink>();
if (!string.IsNullOrWhiteSpace(data.Link1Url))
{
if (string.IsNullOrWhiteSpace(data.Link1Text))
{
data.Link1Text = data.Link1Url;
}
NotificationLink newLink1 = GStoreDb.NotificationLinks.Create();
newLink1.SetDefaultsForNew(notification);
newLink1.Order = 1;
newLink1.LinkText = data.Link1Text;
newLink1.Url = data.Link1Url;
if (data.Link1Url.StartsWith("/") || data.Link1Url.StartsWith("~/"))
{
newLink1.IsExternal = false;
}
else
{
newLink1.IsExternal = true;
}
linkCollection.Add(newLink1);
}
if (!string.IsNullOrWhiteSpace(data.Link2Url))
{
if (string.IsNullOrWhiteSpace(data.Link2Text))
{
data.Link2Text = data.Link2Url;
}
NotificationLink newLink2 = GStoreDb.NotificationLinks.Create();
newLink2.SetDefaultsForNew(notification);
newLink2.Order = 2;
newLink2.LinkText = data.Link2Text;
newLink2.Url = data.Link2Url;
if (data.Link2Url.StartsWith("/") || data.Link2Url.StartsWith("~/"))
{
newLink2.IsExternal = false;
}
else
{
newLink2.IsExternal = true;
}
linkCollection.Add(newLink2);
}
if (!string.IsNullOrWhiteSpace(data.Link3Url))
{
if (string.IsNullOrWhiteSpace(data.Link3Text))
{
data.Link3Text = data.Link3Url;
}
NotificationLink newLink3 = GStoreDb.NotificationLinks.Create();
newLink3.SetDefaultsForNew(notification);
newLink3.Order = 3;
newLink3.LinkText = data.Link3Text;
newLink3.Url = data.Link3Url;
if (data.Link3Url.StartsWith("/") || data.Link3Url.StartsWith("~/"))
{
newLink3.IsExternal = false;
}
else
{
newLink3.IsExternal = true;
}
linkCollection.Add(newLink3);
}
if (!string.IsNullOrWhiteSpace(data.Link4Url))
{
if (string.IsNullOrWhiteSpace(data.Link4Text))
{
data.Link4Text = data.Link4Url;
}
NotificationLink newLink4 = GStoreDb.NotificationLinks.Create();
newLink4.SetDefaultsForNew(notification);
newLink4.Order = 4;
newLink4.LinkText = data.Link4Text;
newLink4.Url = data.Link4Url;
if (data.Link4Url.StartsWith("/") || data.Link4Url.StartsWith("~/"))
{
newLink4.IsExternal = false;
}
else
{
newLink4.IsExternal = true;
}
linkCollection.Add(newLink4);
}
if (linkCollection.Count != 0)
{
notification.NotificationLinks = linkCollection;
}
notification.IsPending = false;
notification.StartDateTimeUtc = DateTime.UtcNow;
notification.EndDateTimeUtc = DateTime.UtcNow;
GStoreDb.Notifications.Add(notification);
GStoreDb.SaveChanges();
AddUserMessage("Message sent!", "Message sent to " + notification.To.ToHtml(), UserMessageType.Success);
return(RedirectToAction("Index"));
}
// GET: Notifications/Create
public ActionResult Create(string orderNumber, string orderEmail)
{
NotificationCreateViewModel viewModel = new NotificationCreateViewModel();
if (!string.IsNullOrWhiteSpace(orderNumber))
{
//verify user has access to the order
StoreFrontConfiguration storeFrontConfig = CurrentStoreFrontConfigOrThrow;
StoreFront storeFront = storeFrontConfig.StoreFront;
UserProfile profile = CurrentUserProfileOrNull;
string trimmedOrderNumber = orderNumber.Trim().ToLower();
string trimmedEmail = orderEmail.Trim().ToLower();
Order order = null;
if (profile == null)
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber && o.Email.ToLower() == trimmedEmail && o.UserProfileId == null);
if (order == null)
{
return(HttpBadRequest("Anonymous order not found or not authorized for order #" + orderNumber + " with email: " + orderEmail));
}
}
else
{
if (profile.AspNetIdentityUserIsInRoleSystemAdmin())
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber);
if (order == null)
{
return(HttpBadRequest("Sys Admin order not found order #" + orderNumber));
}
}
else if (storeFrontConfig.OrderAdmin_UserProfileId == profile.UserProfileId)
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber);
if (order == null)
{
return(HttpBadRequest("Order Admin order not found order id " + orderNumber));
}
}
else
{
order = storeFront.Orders.SingleOrDefault(o => o.OrderNumber.ToLower() == trimmedOrderNumber && o.UserProfileId == profile.UserProfileId);
if (order == null)
{
return(HttpBadRequest("Logged in order not found or no access order #" + orderNumber));
}
}
}
if (order != null)
{
viewModel.UpdateOrder(order);
viewModel.OrderEmail = trimmedEmail;
viewModel.Subject = "Question about order " + order.OrderNumber + " placed " + order.CreateDateTimeUtc.ToUserDateTimeString(profile, storeFrontConfig, storeFront.Client);
}
}
ViewBag.Importance = ImportanceItems();
ViewBag.ToUserProfileId = AllowedToProfiles();
return(View(viewModel));
}
