/// <summary>
/// Determine if the user has the appropriate permission for the specified album. The user may be anonymous or logged on.
/// When the the user is logged on (i.e. <paramref name="isAuthenticated"/> = true), this method determines whether the user is authorized by
/// validating that at least one role has the requested permission to the specified album. When the user is anonymous,
/// the <paramref name="roles"/> parameter is ignored and instead the <paramref name="isPrivateAlbum"/> parameter is used.
/// Anonymous users do not have any access to private albums. When the the user is logged on (i.e. <paramref name="isAuthenticated"/> = true),
/// the <paramref name="roles"/> parameter must contain the roles belonging to the user.
/// </summary>
/// <param name="securityRequests">The requested permissions.</param>
/// <param name="roles">A collection of Gallery Server roles to which the currently logged-on user belongs. This parameter is ignored
/// for anonymous users (i.e. <paramref name="isAuthenticated"/>=false). The parameter may be null.</param>
/// <param name="albumId">The album for which the requested permission applies.</param>
/// <param name="isAuthenticated">A value indicating whether the current user is logged on. If true, the
/// <paramref name="roles"/> parameter should contain the names of the roles for the current user. If <paramref name="isAuthenticated"/>=true
/// and the <paramref name="roles"/> parameter is either null or an empty collection, this method returns false.</param>
/// <param name="isPrivateAlbum">A value indicating whether the album is hidden from anonymous users. This parameter is ignored for
/// logged-on users.</param>
/// <returns>Returns true if the user has the requested permission; returns false if not.</returns>
/// <remarks>This method handles both anonymous and logged on users. Note that when <paramref name="isAuthenticated"/>=true, the
/// <paramref name="isPrivateAlbum"/> parameter is ignored. When it is false, the roles parameter is ignored.</remarks>
public static bool IsUserAuthorized(SecurityActions securityRequests, IGalleryServerRoleCollection roles, int albumId, bool isAuthenticated, bool isPrivateAlbum)
{
#region Validation
if (isAuthenticated && ((roles == null) || (roles.Count == 0)))
{
return(false);
}
#endregion
// Handle anonymous users.
if (!isAuthenticated)
{
return(IsAnonymousUserAuthorized(securityRequests, isPrivateAlbum));
}
// If we get here we are dealing with an authenticated (logged on) user. Authorization for authenticated users is
// given if the user is a member of at least one role that provides permission.
if (SecurityActionEnumHelper.IsSingleSecurityAction(securityRequests))
{
// Iterate through each GalleryServerRole. If at least one allows the action, return true. Note that the
// AdministerSite security action, if granted, applies to all albums and allows all actions (except HideWatermark).
foreach (IGalleryServerRole role in roles)
{
if (IsAuthenticatedUserAuthorized(securityRequests, role, albumId))
{
return(true);
}
}
return(false);
}
else
{
// There are multiple security actions in securityRequest enum. User is authorized only if EVERY security request
// is authorized.
foreach (SecurityActions securityAction in SecurityActionEnumHelper.ParseSecurityAction(securityRequests))
{
// Iterate through each GalleryServerRole. If at least role allows the action, return true. Note that the
// AdministerSite security action, if granted, applies to all albums and allows all actions (except HideWatermark).
bool securityActionIsAuthorized = false;
foreach (IGalleryServerRole role in roles)
{
if (IsAuthenticatedUserAuthorized(securityAction, role, albumId))
{
securityActionIsAuthorized = true;
break;
}
}
if (!securityActionIsAuthorized)
{
return(false);
}
}
// If we get to this point then every security request has been authorized, so we can authorize the entire request.
return(true);
}
}
private static bool IsAnonymousUserAuthorized(SecurityActions securityRequests, bool isPrivateAlbum, int galleryId, SecurityActionsOption secActionsOption)
{
// Anonymous user. Return true for viewing-related permission requests on PUBLIC albums; return false for all others.
IGallerySettings gallerySettings = Factory.LoadGallerySetting(galleryId);
if (SecurityActionEnumHelper.IsSingleSecurityAction(securityRequests))
{
return(IsAnonymousUserAuthorizedForSingleSecurityAction(securityRequests, isPrivateAlbum, gallerySettings));
}
else
{
return(IsAnonymousUserAuthorizedForMultipleSecurityActions(securityRequests, isPrivateAlbum, gallerySettings, secActionsOption));
}
}
private static bool IsAnonymousUserAuthorized(SecurityActions securityAction, bool isPrivateAlbum)
{
// Anonymous user. Return true for viewing-related permission requests on PUBLIC albums; return false for all others.
if (SecurityActionEnumHelper.IsSingleSecurityAction(securityAction))
{
if ((securityAction == SecurityActions.ViewAlbumOrMediaObject) && !isPrivateAlbum)
{
return(true);
}
if ((securityAction == SecurityActions.ViewOriginalImage) && !isPrivateAlbum && ConfigManager.GetGalleryServerProConfigSection().Core.AllowAnonymousHiResViewing)
{
return(true);
}
}
else
{
// There are multiple security actions in securityAction enum. User is authorized only if EVERY security request
// is authorized.
bool isAuthorized = true;
foreach (SecurityActions securityRequest in SecurityActionEnumHelper.ParseSecurityAction(securityAction))
{
bool securityActionIsAuthorized = false;
if ((securityRequest == SecurityActions.ViewAlbumOrMediaObject) && !isPrivateAlbum)
{
securityActionIsAuthorized = true;
}
if ((securityRequest == SecurityActions.ViewOriginalImage) && !isPrivateAlbum && ConfigManager.GetGalleryServerProConfigSection().Core.AllowAnonymousHiResViewing)
{
securityActionIsAuthorized = true;
}
if (!securityActionIsAuthorized)
{
isAuthorized = false;
break;
}
}
return(isAuthorized);
}
return(false);
}
private static bool IsAnonymousUserAuthorizedForMultipleSecurityActions(SecurityActions securityRequests, bool isPrivateAlbum, IGallerySettings gallerySettings, SecurityActionsOption secActionsOption)
{
// There are multiple security actions in securityAction enum. Iterate through each one and determine if the user
// has permission for it.
List <bool> authResults = new List <bool>();
foreach (SecurityActions securityAction in SecurityActionEnumHelper.ParseSecurityAction(securityRequests))
{
authResults.Add(IsAnonymousUserAuthorizedForSingleSecurityAction(securityAction, isPrivateAlbum, gallerySettings));
}
if (secActionsOption == SecurityActionsOption.RequireAll)
{
return(authResults.Count > 0 ? authResults.TrueForAll(delegate(bool value) { return value; }) : false);
}
else if (secActionsOption == SecurityActionsOption.RequireOne)
{
return(authResults.Contains(true));
}
else
{
throw new InvalidEnumArgumentException("secActionsOption", (int)secActionsOption, typeof(SecurityActionsOption));
}
}
/// <summary>
/// Determine whether the user belonging to the specified <paramref name="roles" /> has permission to perform all of the specified security
/// actions against the specified <paramref name="albumId" />. The user may be anonymous or logged on.
/// When the the user is logged on (i.e. <paramref name="isAuthenticated"/> = true), this method determines whether the user is authorized by
/// validating that at least one role has the requested permission to the specified album. When the user is anonymous,
/// the <paramref name="roles"/> parameter is ignored and instead the <paramref name="isPrivateAlbum"/> parameter is used.
/// Anonymous users do not have any access to private albums. When the the user is logged on (i.e. <paramref name="isAuthenticated"/> = true),
/// the <paramref name="roles"/> parameter must contain the roles belonging to the user.
/// </summary>
/// <param name="securityRequests">Represents the permission or permissions being requested. Multiple actions can be specified by using
/// a bitwise OR between them (example: <see cref="SecurityActions.AdministerSite" /> | <see cref="SecurityActions.AdministerGallery" />).
/// If multiple actions are specified, use <paramref name="secActionsOption" /> to specify whether all of the actions must be satisfied
/// to be successful or only one item must be satisfied.</param>
/// <param name="roles">A collection of Gallery Server roles to which the currently logged-on user belongs. This parameter is ignored
/// for anonymous users (i.e. <paramref name="isAuthenticated"/>=false). The parameter may be null.</param>
/// <param name="albumId">The album for which the requested permission applies. This parameter does not apply when the requested permission
/// is <see cref="SecurityActions.AdministerSite" /> or <see cref="SecurityActions.AdministerGallery" />.</param>
/// <param name="galleryId">The ID for the gallery the user is requesting permission in. The <paramref name="albumId" /> must exist in this
/// gallery. This parameter is not required <paramref name="securityRequests" /> is SecurityActions.AdministerSite (you can specify
/// <see cref="int.MinValue" />).</param>
/// <param name="isAuthenticated">A value indicating whether the current user is logged on. If true, the
/// <paramref name="roles"/> parameter should contain the names of the roles for the current user. If <paramref name="isAuthenticated"/>=true
/// and the <paramref name="roles"/> parameter is either null or an empty collection, this method returns false.</param>
/// <param name="isPrivateAlbum">A value indicating whether the album is hidden from anonymous users. This parameter is ignored for
/// logged-on users.</param>
/// <param name="secActionsOption">Specifies whether the user must have permission for all items in <paramref name="securityRequests" />
/// to be successful or just one. This parameter defaults to SecurityActionsOption.RequireAll when not specified, and is applicable only
/// when <paramref name="securityRequests" /> contains more than one item.</param>
/// <returns>
/// Returns true if the user has the requested permission; returns false if not.
/// </returns>
/// <remarks>This method handles both anonymous and logged on users. Note that when <paramref name="isAuthenticated"/>=true, the
/// <paramref name="isPrivateAlbum"/> parameter is ignored. When it is false, the <paramref name="roles" /> parameter is ignored.</remarks>
public static bool IsUserAuthorized(SecurityActions securityRequests, IGalleryServerRoleCollection roles, int albumId, int galleryId, bool isAuthenticated, bool isPrivateAlbum, SecurityActionsOption secActionsOption)
{
#region Validation
if (isAuthenticated && ((roles == null) || (roles.Count == 0)))
{
return(false);
}
if (galleryId == int.MinValue)
{
bool isMoreThanOnePermissionRequest = !SecurityActionEnumHelper.IsSingleSecurityAction(securityRequests);
bool userIsRequestingSysAdminPermission = (securityRequests == SecurityActions.AdministerSite);
if (isMoreThanOnePermissionRequest || !userIsRequestingSysAdminPermission)
{
throw new ArgumentOutOfRangeException("galleryId", String.Format(CultureInfo.CurrentCulture, "A valid gallery ID must be specified. Instead, the value was {0}.", galleryId));
}
}
#endregion
// Handle anonymous users.
if (!isAuthenticated)
{
return(IsAnonymousUserAuthorized(securityRequests, isPrivateAlbum, galleryId, secActionsOption));
}
// If we get here we are dealing with an authenticated (logged on) user. Authorization for authenticated users is
// given if the user is a member of at least one role that provides permission.
if (SecurityActionEnumHelper.IsSingleSecurityAction(securityRequests))
{
// Iterate through each GalleryServerRole. If at least one allows the action, return true. Note that the
// AdministerSite security action, if granted, applies to all albums and allows all actions (except HideWatermark).
foreach (IGalleryServerRole role in roles)
{
if (IsAuthenticatedUserAuthorized(securityRequests, role, albumId, galleryId))
{
return(true);
}
}
return(false);
}
else
{
// There are multiple security actions in securityRequest enum. Iterate through each one and determine if the user
// has permission for it.
List <bool> authResults = new List <bool>();
foreach (SecurityActions securityAction in SecurityActionEnumHelper.ParseSecurityAction(securityRequests))
{
// Iterate through each role. If at least one role allows the action, permission is granted.
foreach (IGalleryServerRole role in roles)
{
bool authResult = IsAuthenticatedUserAuthorized(securityAction, role, albumId, galleryId);
authResults.Add(authResult);
if (authResult)
{
break; // We found a role that provides permission, so no need to check the other roles. Just move on to the next security request.
}
}
}
// Determine the return value based on what the calling method wanted.
if (secActionsOption == SecurityActionsOption.RequireAll)
{
return(authResults.Count > 0 ? authResults.TrueForAll(delegate(bool value) { return value; }) : false);
}
else if (secActionsOption == SecurityActionsOption.RequireOne)
{
return(authResults.Contains(true));
}
else
{
throw new InvalidEnumArgumentException("secActionsOption", (int)secActionsOption, typeof(SecurityActionsOption));
}
}
}
