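/// <summary>
/// Validates an update that an actor applies to their own account.
/// Returns the first violated rule as an error result, or Ok when every rule passes.
/// </summary>
/// <param name="actor">Identity performing the update (expected to be the same user as <paramref name="target"/>).</param>
/// <param name="update">Requested changes; the Changed* helpers compare them against <paramref name="target"/>.</param>
/// <param name="target">Current stored state of the user being edited.</param>
/// <returns>
/// An <see cref="UpdateResult"/> with <c>IsError</c> and <c>ErrorMessage</c> set for the first rule that fails,
/// otherwise a result with <c>Ok</c> set.
/// </returns>
private UpdateResult CheckSelfUpdate(IIdentity actor, UserUpdateInfo update, IUser target)
{
    // Nobody, whatever their role, may move their own account into another domain.
    if (update.ChangedDomain(target))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot change domain" };
    }

    if (Roles.IsInRole(actor, SecurityConst.ROLE_DOMAIN_ADMIN))
    {
        // A deactivated domain admin must not be able to switch their own account back on ...
        if (update.ChangedActive(target) && !target.Active)
        {
            return new UpdateResult { IsError = true, ErrorMessage = "cannot reactivate yourself" };
        }

        // ... nor restore their own login capability.
        if (update.ChangedLogable(target) && !target.Logable)
        {
            return new UpdateResult { IsError = true, ErrorMessage = "cannot reactivate logability" };
        }

        // NOTE(review): a domain admin editing themselves is not subject to the email / roles /
        // groups / expire rules below, so this branch lets them change their own role and group
        // membership. Confirm that whatever the caller checks beforehand is meant to be the only
        // guard against self-granted roles.
        return new UpdateResult { Ok = true };
    }

    // Everyone else: serialized custom data carrying the SECURE_ marker is off limits.
    // Ordinal, case-insensitive search instead of a culture-sensitive ToUpper() round trip.
    if (update.ChangedCustom(target)
        && update.Custom.stringify().IndexOf("SECURE_", StringComparison.OrdinalIgnoreCase) >= 0)
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot manage secure customs" };
    }

    // Identity-bearing and privilege-bearing fields are read-only for a plain self-update.
    if (update.ChangedEmail(target))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot change email" };
    }

    if (update.ChangedRoles(target))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot change roles" };
    }

    if (update.ChangedGroups(target))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot change groups" };
    }

    if (update.ChangedExpire(target))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot change expire" };
    }

    return new UpdateResult { Ok = true };
}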
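// Shape of an acceptable email address for non-privileged actors. Anchored with \z rather than $,
// because $ also matches before a trailing "\n" and would let "user@host.tld\n" through.
private static readonly Regex s_emailFormat =
    new Regex(@"^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+\z");

/// <summary>
/// Rules that apply to every user update, regardless of who the target is.
/// </summary>
/// <param name="actor">Identity performing the update; must be an authenticated <c>Identity</c>.</param>
/// <param name="update">Requested changes; the Changed* helpers compare them against <paramref name="target"/>.</param>
/// <param name="target">Current stored state of the user being edited.</param>
/// <returns>
/// <c>null</c> when the update passed these rules and the caller should continue with its own checks;
/// a result with <c>Ok</c> set when the actor is privileged enough that no further checks are applied here
/// (site admin, or ROLE_SECURITY_ADMIN within the Q-543 limits); an error result for the first violated rule.
/// </returns>
/// <exception cref="InvalidOperationException">The Roles or Users service has not been wired up.</exception>
private UpdateResult CheckCommons(IIdentity actor, UserUpdateInfo update, IUser target)
{
    if (Roles == null)
    {
        throw new InvalidOperationException("cannot work without roles");
    }

    if (Users == null)
    {
        throw new InvalidOperationException("cannot work without users");
    }

    var id = actor as Identity;
    var u = target as User;

    // A user held in a source we cannot write to can never be updated, no matter who asks.
    if (u != null && u.UserSource != null)
    {
        var ws = u.UserSource as IWriteableUserSource;
        if (ws == null || !ws.WriteUsersEnabled)
        {
            return new UpdateResult { IsError = true, ErrorMessage = "no storage" };
        }
    }

    if (id == null)
    {
        return new UpdateResult { IsError = true, ErrorMessage = "no actor" };
    }

    if (!id.IsAuthenticated)
    {
        return new UpdateResult { IsError = true, ErrorMessage = "not auth" };
    }

    // Site admins bypass every remaining rule, including the email format check at the end.
    if (id.IsAdmin)
    {
        return new UpdateResult { Ok = true };
    }

    #region Q543
    // >>> #Q-543 implementation ROLE_SECURITY_ADMIN can do anything except ADMIN and SECURITY_ADMIN management

    // Below site admin nobody may flip the admin flag in either direction.
    if (update.IsAdmin != null && update.IsAdmin != target.IsAdmin)
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot set admin" };
    }

    // ... nor hand out ROLE_SECURITY_ADMIN.
    // NOTE(review): only the *new* role set is inspected, so removing ROLE_SECURITY_ADMIN from the
    // target is not caught here, and this match is case-sensitive while the SECURE_ checks below are
    // not. Confirm both against the Q-543 intent before relying on this as the sole guard.
    if (update.ChangedRoles(target)
        && update.Roles.Any(r => r.Contains(SecurityConst.ROLE_SECURITY_ADMIN)))
    {
        return new UpdateResult
        {
            IsError = true,
            ErrorMessage = $"cannot manage {SecurityConst.ROLE_SECURITY_ADMIN} role"
        };
    }

    if (Roles.IsInRole(id, SecurityConst.ROLE_SECURITY_ADMIN))
    {
        return new UpdateResult { Ok = true };
    }
    #endregion

    // Everyone else may not touch roles or groups carrying the SECURE_ marker.
    // Ordinal, case-insensitive search instead of a culture-sensitive ToUpper() round trip.
    if (update.ChangedRoles(target)
        && update.Roles.Any(r => r.IndexOf("SECURE_", StringComparison.OrdinalIgnoreCase) >= 0))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot manage secure roles" };
    }

    if (update.ChangedGroups(target)
        && update.Groups.Any(g => g.IndexOf("SECURE_", StringComparison.OrdinalIgnoreCase) >= 0))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot manage secure groups" };
    }

    if (update.ChangedPublicKey(target))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot set public key" };
    }

    if (update.IsGroup != null)
    {
        return new UpdateResult { IsError = true, ErrorMessage = "cannot manage groups" };
    }

    // Email format is only enforced for non-privileged actors; admins returned earlier.
    if (!string.IsNullOrWhiteSpace(update.Email) && !s_emailFormat.IsMatch(update.Email))
    {
        return new UpdateResult { IsError = true, ErrorMessage = "mailformed email" };
    }

    // No decision: the caller continues with target-specific checks.
    return null;
}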