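/// <summary>
/// Checks whether the caller may post items to a public folder by evaluating the folder's
/// security descriptor against the <see cref="AccessMask.DeleteChild"/> request.
/// </summary>
/// <param name="publicFolder">Folder whose <see cref="FolderSchema.SecurityDescriptor"/> property is consulted.</param>
/// <param name="userContext">Security context of the user being authorized.</param>
/// <returns>
/// <c>true</c> when bit 2 of the granted access mask is set; <c>false</c> otherwise, including
/// when the folder does not carry a usable security descriptor (the check fails closed).
/// </returns>
private static bool CanPostItemsToPublicFolder(Folder publicFolder, ClientSecurityContext userContext)
{
    // TryGetProperty may hand back something other than a RawSecurityDescriptor (for instance
    // when the property is absent), in which case the 'as' cast yields null.
    RawSecurityDescriptor rawSecurityDescriptor = publicFolder.TryGetProperty(FolderSchema.SecurityDescriptor) as RawSecurityDescriptor;
    if (rawSecurityDescriptor == null)
    {
        // Deny by default: there is no descriptor to evaluate an access request against.
        // Previously the null was passed straight into GetGrantedAccess.
        MailPublicFolderPermissionHandler.Diag.TraceDebug(0L, "No security descriptor available on public folder {0}; denying post access", new object[] { publicFolder });
        return false;
    }
    int grantedAccess = userContext.GetGrantedAccess(rawSecurityDescriptor, AccessMask.DeleteChild);
    MailPublicFolderPermissionHandler.Diag.TraceDebug<int, Folder>(0L, "Granted access {0} for user on public folder {1}", grantedAccess, publicFolder);
    // Bit 2 is presumably the DeleteChild right requested above — verify against the AccessMask enum.
    return (grantedAccess & 2) != 0;
}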
/// <summary>
/// Determines whether the Windows identity carried by <paramref name="context"/> is granted
/// at least one of the requested rights against the descriptor returned by
/// <see cref="GetSecurityDescriptorToCheckAgainst"/>. AD transient failures and
/// authorization failures are logged and reported as "no access".
/// </summary>
/// <param name="context">Service security context holding the caller's Windows identity.</param>
/// <returns><c>true</c> when any requested right is granted; <c>false</c> on denial or on error.</returns>
private bool HasReadAccessInAd(ServiceSecurityContext context)
{
    var identity = context.WindowsIdentity;
    SecurityIdentifier callerSid = identity.User;
    // 131220 == 0x20094; the individual rights it bundles are not named here — map it against the AccessMask enum.
    const AccessMask requestedRights = (AccessMask)131220;
    using (var securityContext = new ClientSecurityContext(identity))
    {
        try
        {
            var granted = (AccessMask)securityContext.GetGrantedAccess(this.GetSecurityDescriptorToCheckAgainst(), callerSid, requestedRights);
            // NOTE(review): this passes when *any* requested bit is granted rather than all of them,
            // and relies on AccessMask.Open being the zero value — confirm both are intended.
            if ((granted & requestedRights) != AccessMask.Open)
            {
                return true;
            }
            this.TraceAndLogError(ExTraceGlobals.DiagnosticsAggregationTracer, "Access check failed for {0}. Response={1}", new object[] { identity.Name, granted });
            return false;
        }
        catch (ADTransientException ex)
        {
            this.TraceAndLogError(ExTraceGlobals.DiagnosticsAggregationTracer, "AD Transient Exception. Details {0}", new object[] { ex });
            return false;
        }
        catch (AuthzException ex2)
        {
            this.TraceAndLogError(ExTraceGlobals.DiagnosticsAggregationTracer, "Authorization check failed. Details {0}", new object[] { ex2 });
            return false;
        }
    }
}
/// <summary>
/// Decides whether the caller holds "owner" rights on the queried mailbox: either the caller's
/// SID matches the mailbox user SID or master account SID, or the mailbox's Exchange security
/// descriptor grants the CreateChild (value 1) or List (value 4) right to the caller.
/// </summary>
/// <param name="clientSecurityContext">Security context of the caller.</param>
/// <param name="freeBusyQuery">Query carrying the recipient data of the target mailbox.</param>
/// <returns><c>true</c> when the caller is the owner or is granted one of the two rights; otherwise <c>false</c>.</returns>
private static bool CallerHasFullPermission(ClientSecurityContext clientSecurityContext, FreeBusyQuery freeBusyQuery)
{
    SecurityIdentifier mailboxSid = freeBusyQuery.RecipientData.Sid;
    SecurityIdentifier masterSid = freeBusyQuery.RecipientData.MasterAccountSid;
    bool matchesMailboxSid = mailboxSid != null && mailboxSid.Equals(clientSecurityContext.UserSid);
    bool matchesMasterSid = masterSid != null && masterSid.Equals(clientSecurityContext.UserSid);
    if (matchesMailboxSid || matchesMasterSid)
    {
        FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Caller {1} is owner of mailbox {2}, mailbox user SID {3}, master account SID {4}.", new object[] { TraceContext.Get(), clientSecurityContext, freeBusyQuery.Email, mailboxSid, masterSid });
        return true;
    }

    RawSecurityDescriptor mailboxDescriptor = freeBusyQuery.RecipientData.ExchangeSecurityDescriptor;
    if (mailboxDescriptor == null)
    {
        FreeBusyPermission.SecurityTracer.TraceDebug<object, EmailAddress>(0L, "{0}: User does not have an ExchangeSecurityDescriptor.", TraceContext.Get(), freeBusyQuery.Email);
    }
    else
    {
        // The SDDL dump is only computed when debug tracing is on, since GetSddlForm is not free.
        if (FreeBusyPermission.SecurityTracer.IsTraceEnabled(TraceType.DebugTrace))
        {
            string sddl = mailboxDescriptor.GetSddlForm(AccessControlSections.All);
            FreeBusyPermission.SecurityTracer.TraceDebug<object, EmailAddress, string>(0L, "{0}: The SDDL form of mailbox security descriptor of mailbox {1} is: {2}.", TraceContext.Get(), freeBusyQuery.Email, sddl);
        }
        // Short-circuit: the List check is only performed when CreateChild was not granted.
        bool hasCreateChild = clientSecurityContext.GetGrantedAccess(mailboxDescriptor, AccessMask.CreateChild) == 1;
        if (hasCreateChild || clientSecurityContext.GetGrantedAccess(mailboxDescriptor, AccessMask.List) == 4)
        {
            FreeBusyPermission.SecurityTracer.TraceDebug<object, EmailAddress>(0L, "{0}: Caller does have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email);
            return true;
        }
    }

    FreeBusyPermission.SecurityTracer.TraceDebug<object, EmailAddress>(0L, "{0}: Caller does NOT have 'owner' rights in mailbox {1}.", TraceContext.Get(), freeBusyQuery.Email);
    return false;
}
/// <summary>
/// Maps the caller's maximum allowed access on <paramref name="securityDescriptor"/> to a
/// free/busy permission level: bit 2 yields <see cref="FreeBusyPermissionLevel.Detail"/>,
/// otherwise bit 1 yields <see cref="FreeBusyPermissionLevel.Simple"/>, otherwise
/// <see cref="FreeBusyPermissionLevel.None"/>.
/// </summary>
/// <param name="securityDescriptor">Descriptor the access request is evaluated against.</param>
/// <param name="clientContext">Security context of the caller.</param>
/// <returns>The resulting permission level; never throws on a denied request.</returns>
public static FreeBusyPermissionLevel AccessCheck(RawSecurityDescriptor securityDescriptor, ClientSecurityContext clientContext)
{
    int granted = clientContext.GetGrantedAccess(securityDescriptor, AccessMask.MaximumAllowed);
    // Detail takes precedence over Simple when both bits are present.
    // What bits 1 and 2 mean in this descriptor layout is not defined here — verify against the AccessMask enum.
    FreeBusyPermissionLevel level = (granted & 2) != 0
        ? FreeBusyPermissionLevel.Detail
        : (granted & 1) != 0
            ? FreeBusyPermissionLevel.Simple
            : FreeBusyPermissionLevel.None;
    FreeBusyPermission.SecurityTracer.TraceDebug(0L, "{0}: Access check for {1} resulted in granted access {2}, permission level {3}", new object[] { TraceContext.Get(), clientContext, granted, level });
    return level;
}