/// <summary>
/// Verify that the current user holds <paramref name="grant"/> on a content type of the current app;
/// throws an HTTP error otherwise, so a normal return means "allowed".
/// </summary>
/// <param name="contentType">Name of the content type to check; must exist in the app's cache.</param>
/// <param name="grant">The permission being requested.</param>
/// <param name="autoAllowAdmin">When true, a user who can administer the current DNN module is allowed even without 2sxc permissions.</param>
/// <param name="specificItem">Optional entity for item-level permission checks; null means type-level only.</param>
private void PerformSecurityCheck(string contentType, PermissionGrant grant, bool autoAllowAdmin = false, IEntity specificItem = null)
{
    // Resolve the content type from this app's cache
    var typeController = new ContentTypeController();
    typeController.SetAppIdAndUser(App.AppId);
    var typeCache = DataSource.GetCache(null, App.AppId);
    var typeDef = typeCache.GetContentType(contentType);
    if (typeDef == null)
    {
        // NOTE(review): a 404 here vs. a 401 below lets a caller probe which type names exist before any
        // permission check runs; ThrowHttpError is expected to terminate the request (its body is not visible here).
        ThrowHttpError(HttpStatusCode.NotFound, "Could not find Content Type '" + contentType + "'.", "content-types");
    }

    // Only content types whose static name is a GUID can carry permission assignments
    if (!Guid.TryParse(typeDef.StaticName, out var typeGuid))
    {
        ThrowHttpError(HttpStatusCode.Unauthorized, "Content Type '" + contentType + "' is not a standard Content Type - no permissions possible.");
    }

    // Access is granted either by 2sxc permissions on the type/item, or - when the shortcut is enabled -
    // by DNN module-admin rights on the current module
    var permissions = new PermissionController(App.ZoneId, App.AppId, typeGuid, specificItem, Dnn.Module);
    var grantedByPermissions = permissions.UserMay(grant);
    var grantedByModuleAdmin = autoAllowAdmin && DotNetNuke.Security.Permissions.ModulePermissionController.CanAdminModule(Dnn.Module);
    if (!grantedByPermissions && !grantedByModuleAdmin)
    {
        ThrowHttpError(HttpStatusCode.Unauthorized, "Request not allowed. User needs permissions to " + grant + " for Content Type '" + contentType + "'.", "permissions");
    }
}
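/// <summary>
/// Check if the current user may perform <paramref name="grant"/> on a content type - and throw an
/// HTTP error if the permission is not given. Returns normally only when access is allowed; every
/// denied path ends in an exception, so callers may treat a normal return as "authorized".
/// </summary>
/// <param name="contentType">Name of the content type to check; must exist in the resolved app's cache.</param>
/// <param name="grant">The permission being requested.</param>
/// <param name="autoAllowAdmin">When true, a user who can administer the context DNN module is allowed regardless of 2sxc permissions. Forced to false when <paramref name="useContext"/> is false, because there is no module to check against.</param>
/// <param name="specificItem">Optional entity for item-level permission checks; null means type-level only.</param>
/// <param name="useContext">When true, zone, app and module come from the current DNN/2sxc context (falling back to <paramref name="appId"/> only if <c>App</c> is not initialized); when false the check runs on <paramref name="appId"/> alone, with no zone and no module context.</param>
/// <param name="appId">App to check against when the context does not provide one; required if <paramref name="useContext"/> is false.</param>
/// <exception cref="InvalidOperationException">No app id could be determined from the parameters or the context, or a denied check did not terminate the request.</exception>
internal void PerformSecurityCheck(string contentType, PermissionGrant grant, bool autoAllowAdmin = false, IEntity specificItem = null, bool useContext = true, int? appId = null)
{
    Log.Add($"security check for type:{contentType}, grant:{grant}, autoAdmin:{autoAllowAdmin}, useContext:{useContext}, app:{appId}, item:{specificItem?.EntityId}");

    // Resolve the zone, app and module the check applies to
    var contextMod = useContext ? Dnn.Module : null;
    var zoneId = useContext ? App?.ZoneId : null; // App is null when the admin-ui is opened from an un-initialized module
    if (useContext)
    {
        // NOTE(review): when App is null the caller-supplied appId is used while the admin shortcut below still
        // targets the current module - confirm callers only pass app ids that belong to this module/portal.
        appId = App?.AppId ?? appId;
    }
    else
    {
        // Without a module there is nothing to run the admin shortcut against, so never grant by admin rights
        autoAllowAdmin = false;
    }
    if (!appId.HasValue)
    {
        throw new InvalidOperationException("app id doesn't have value, and apparently didn't get it from context either");
    }

    // Look up the content type in the app cache
    var ctc = new ContentTypeController();
    ctc.SetAppIdAndUser(appId.Value);
    var cache = DataSource.GetCache(zoneId, appId);
    var ct = cache.GetContentType(contentType);
    if (ct == null)
    {
        // NOTE(review): a 404 here vs. a 401 below lets a caller probe which type names exist before any
        // permission check runs; acceptable only if type names are not considered sensitive.
        ThrowHttpError(HttpStatusCode.NotFound, "Could not find Content Type '" + contentType + "'.", "content-types");
        // Defense in depth: ThrowHttpError is expected to throw, but a security gate must never return
        // normally (= "allowed") on a failed check, so fail closed instead of returning.
        throw new InvalidOperationException("Could not find Content Type '" + contentType + "'.");
    }

    // Only content types whose static name is a GUID can carry permission assignments
    var staticNameIsGuid = Guid.TryParse(ct.StaticName, out _);

    // 1. 2sxc permissions on the type / item (only possible for GUID-named types)
    if (staticNameIsGuid && new DnnPermissionController(ct, specificItem, Log, contextMod).UserMay(grant))
    {
        return;
    }

    // 2. Module-admin shortcut - also the only way to pass for non-GUID types, which have no permissions to check
    if (autoAllowAdmin && DotNetNuke.Security.Permissions.ModulePermissionController.CanAdminModule(contextMod))
    {
        return;
    }

    // 3. Denied - report the more specific reason for non-standard types
    if (!staticNameIsGuid)
    {
        ThrowHttpError(HttpStatusCode.Unauthorized, "Content Type '" + contentType + "' is not a standard Content Type - no permissions possible.");
    }
    // NOTE(review): 401 is used for "authenticated but not permitted"; 403 Forbidden would be the more accurate
    // status, but the code is kept because clients may already depend on it.
    ThrowHttpError(HttpStatusCode.Unauthorized, "Request not allowed. User needs permissions to " + grant + " for Content Type '" + contentType + "'.", "permissions");
    // Same fail-closed guard as above: never fall off the end of a denied check
    throw new InvalidOperationException("Request not allowed. User needs permissions to " + grant + " for Content Type '" + contentType + "'.");
}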