public void SetSecurity(string id, bool enabled, params Guid[] subjects) { if (SettingsManager.Load <TenantAccessSettings>().Anyone) { throw new SecurityException("Security settings are disabled for an open portal"); } var securityObj = WebItemSecurityObject.Create(id, WebItemManager); // remove old aces AuthorizationManager.RemoveAllAces(securityObj); var allowToAll = new AzRecord(ASC.Core.Users.Constants.GroupEveryone.ID, Read.ID, AceType.Allow, securityObj); AuthorizationManager.RemoveAce(allowToAll); // set new aces if (subjects == null || subjects.Length == 0 || subjects.Contains(ASC.Core.Users.Constants.GroupEveryone.ID)) { if (!enabled && subjects != null && subjects.Length == 0) { // users from list with no users equals allow to all users enabled = true; } subjects = new[] { ASC.Core.Users.Constants.GroupEveryone.ID }; } foreach (var s in subjects) { var a = new AzRecord(s, Read.ID, enabled ? AceType.Allow : AceType.Deny, securityObj); AuthorizationManager.AddAce(a); } WebItemSecurityCache.Publish(TenantManager.GetCurrentTenant().TenantId); }
public void SetProductAdministrator(Guid productid, Guid userid, bool administrator) { if (productid == Guid.Empty) { productid = ASC.Core.Users.Constants.GroupAdmin.ID; } if (administrator) { if (UserManager.IsUserInGroup(userid, ASC.Core.Users.Constants.GroupVisitor.ID)) { throw new SecurityException("Collaborator can not be an administrator"); } if (productid == WebItemManager.PeopleProductID) { foreach (var ace in GetPeopleModuleActions(userid)) { AuthorizationManager.AddAce(ace); } } UserManager.AddUserIntoGroup(userid, productid); } else { if (productid == ASC.Core.Users.Constants.GroupAdmin.ID) { var groups = new List <Guid> { WebItemManager.MailProductID }; groups.AddRange(WebItemManager.GetItemsAll().OfType <IProduct>().Select(p => p.ID)); foreach (var id in groups) { UserManager.RemoveUserFromGroup(userid, id); } } if (productid == ASC.Core.Users.Constants.GroupAdmin.ID || productid == WebItemManager.PeopleProductID) { foreach (var ace in GetPeopleModuleActions(userid)) { AuthorizationManager.RemoveAce(ace); } } UserManager.RemoveUserFromGroup(userid, productid); } WebItemSecurityCache.Publish(TenantManager.GetCurrentTenant().TenantId); }
public WebItemSecurity( UserManager userManager, AuthContext authContext, PermissionContext permissionContext, AuthManager authentication, WebItemManager webItemManager, TenantManager tenantManager, AuthorizationManager authorizationManager, CoreBaseSettings coreBaseSettings, WebItemSecurityCache webItemSecurityCache, SettingsManager settingsManager) { UserManager = userManager; AuthContext = authContext; PermissionContext = permissionContext; Authentication = authentication; WebItemManager = webItemManager; TenantManager = tenantManager; AuthorizationManager = authorizationManager; CoreBaseSettings = coreBaseSettings; WebItemSecurityCache = webItemSecurityCache; SettingsManager = settingsManager; }
public bool IsAvailableForUser(Guid itemId, Guid @for) { var id = itemId.ToString(); var result = false; var tenant = TenantManager.GetCurrentTenant(); var dic = WebItemSecurityCache.GetOrInsert(tenant.TenantId); if (dic != null) { lock (dic) { if (dic.ContainsKey(id + @for)) { return(dic[id + @for]); } } } // can read or administrator var securityObj = WebItemSecurityObject.Create(id, WebItemManager); if (CoreBaseSettings.Personal && securityObj.WebItemId != WebItemManager.DocumentsProductID) { // only files visible in your-docs portal result = false; } else { var webitem = WebItemManager[securityObj.WebItemId]; if (webitem != null) { if ((webitem.ID == WebItemManager.CRMProductID || webitem.ID == WebItemManager.PeopleProductID || webitem.ID == WebItemManager.BirthdaysProductID || webitem.ID == WebItemManager.MailProductID) && UserManager.GetUsers(@for).IsVisitor(UserManager)) { // hack: crm, people, birtthday and mail products not visible for collaborators result = false; } else if ((webitem.ID == WebItemManager.CalendarProductID || webitem.ID == WebItemManager.TalkProductID) && UserManager.GetUsers(@for).IsOutsider(UserManager)) { // hack: calendar and talk products not visible for outsider result = false; } else if (webitem is IModule) { result = PermissionContext.PermissionResolver.Check(Authentication.GetAccountByID(tenant.TenantId, @for), securityObj, null, Read) && IsAvailableForUser(WebItemManager.GetParentItemID(webitem.ID), @for); } else { var hasUsers = AuthorizationManager.GetAces(Guid.Empty, Read.ID, securityObj).Any(a => a.SubjectId != ASC.Core.Users.Constants.GroupEveryone.ID); result = PermissionContext.PermissionResolver.Check(Authentication.GetAccountByID(tenant.TenantId, @for), securityObj, null, Read) || (hasUsers && IsProductAdministrator(securityObj.WebItemId, @for)); } } else { result = false; } } dic = WebItemSecurityCache.Get(tenant.TenantId); if (dic != null) { lock (dic) { dic[id + @for] = result; } } return(result); }