private static bool VerifyModifyPermissions(HttpContext context, Models.Users.UserProfile up, int courseID) { OSBLEContext _db = new OSBLEContext(); CourseUser courseUser = ( from cu in _db.CourseUsers where cu.UserProfileID == up.ID && cu.AbstractCourse is AbstractCourse && cu.AbstractCourseID == courseID select cu ).FirstOrDefault(); if (null == courseUser || !courseUser.AbstractRole.CanModify) { // User cannot modify this course WriteErrorResponse(context, "The specified user does not have permission to modify course with ID=" + courseID.ToString() + "."); return(false); } return(true); }
private void HandleCourseFileListingRequest(HttpContext context, Models.Users.UserProfile up, int courseID) { // Get the attributable file storage OSBLEDirectory attrFiles = Models.FileSystem.Directories.GetCourseDocs(courseID); if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for course files."); return; } // The permission-oriented attributes depend on the course user OSBLEContext db = new OSBLEContext(); CourseUser courseUser = (from cu in db.CourseUsers where cu.UserProfileID == up.ID && cu.AbstractCourse is AbstractCourse && cu.AbstractCourseID == courseID select cu).FirstOrDefault(); if (null == courseUser) { WriteErrorResponse(context, "User does not have permission to see files in this course."); return; } // Get XML file listing packaged up and return it to the client context.Response.Write( "<CourseFilesOpsResponse success=\"true\">" + attrFiles.GetXMLListing(courseUser, true) + "</CourseFilesOpsResponse>"); }
private void HandleFileDeletionRequest(HttpContext context, Models.Users.UserProfile up, int courseID) { // Make sure they have access to this course. Right now we only let // people who can modify the course have access to this service function. if (!VerifyModifyPermissions(context, up, courseID)) { return; } // The permission-oriented attributes depend on the course user OSBLEContext db = new OSBLEContext(); CourseUser courseUser = (from cu in db.CourseUsers where cu.UserProfileID == up.ID && cu.AbstractCourse is AbstractCourse && cu.AbstractCourseID == courseID select cu).FirstOrDefault(); if (null == courseUser) { WriteErrorResponse(context, "User does not have permission to view or modify files in this course."); return; } // Make sure the file name parameter is present string fileName = string.Empty; if (!VerifyStringParam(context, "file_name", ref fileName)) { return; } if (string.IsNullOrEmpty(fileName)) { WriteErrorResponse(context, "The following parameter cannot be an empty string: file_name"); return; } // Make sure the file path name is OK (doesn't go up a level with ../ or // other things like that) if (!VerifyPath(context, ref fileName)) { return; } // Get the attributable file storage OSBLEDirectory courseFiles = Models.FileSystem.Directories.GetCourseDocs(courseID); OSBLEDirectory attrFiles = courseFiles; if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for course files."); return; } int slashIndex = fileName.LastIndexOf('\\'); if (-1 == slashIndex) { slashIndex = fileName.LastIndexOf('/'); } if (-1 != slashIndex) { // If the file exists in some nested folders then get the // correct directory object first. attrFiles = (OSBLEDirectory)attrFiles.GetDir(fileName.Substring(0, slashIndex)); // Also remove the path from the beginning of the file name fileName = fileName.Substring(slashIndex + 1); } // Perform the actual deletion attrFiles.DeleteFile(fileName); // Return success message with new file listing context.Response.Write( "<CourseFilesOpsResponse success=\"true\">" + courseFiles.GetXMLListing(courseUser, true) + "</CourseFilesOpsResponse>"); }
public void ProcessRequest(HttpContext context) { // This web service returns XML in most cases context.Response.ContentType = "text/xml"; // We need a "cmd" parameter to tell us what to deliver string cmdParam = context.Request.Params["cmd"]; if (string.IsNullOrEmpty(cmdParam)) { WriteErrorResponse(context, "Course file operations service requires a \"cmd\" parameter."); return; } // We need a "courseID" parameter int courseID = -1; if (!VerifyIntParam(context, "courseID", ref courseID)) { // Can't operate without this value return; } // Try to get the current OSBLE user Models.Users.UserProfile up = OSBLE.Utility.OsbleAuthentication.CurrentUser; if (null == up) { // In the future what I'd like to do here is look for a user name and // password in the request headers. This would allow this web service to // be used by other sources, but for now it requires a logged in OSBLE user. WriteErrorResponse(context, "Could not get active OSBLE user for request. Please login."); return; } // The permissions for service actions depend on the course user OSBLEContext db = new OSBLEContext(); CourseUser courseUser = (from cu in db.CourseUsers where cu.UserProfileID == up.ID && cu.AbstractCourse is AbstractCourse && cu.AbstractCourseID == courseID select cu).FirstOrDefault(); if (null == courseUser) { WriteErrorResponse(context, "User does not have permission to perform this action."); return; } // Now look at the command and handle it appropriately if ("course_files_list" == cmdParam) { HandleCourseFileListingRequest(context, up, courseID); return; } else if ("assignment_files_list" == cmdParam) { // Make sure they have access to this course. Right now we only let // people who can modify the course have access to this service. if (!VerifyModifyPermissions(context, up, courseID)) { return; } // The client wants a list of files from the attributable storage location // for the assignment. // First make sure we have the "assignmentID" parameter int aID = -1; if (!VerifyIntParam(context, "assignmentID", ref aID)) { return; } // Get the attributable file storage OSBLEDirectory attrFiles = Models.FileSystem.Directories.GetAssignment(courseID, aID).AttributableFiles; if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for assignment"); return; } // Get XML file listing packaged up and return it to the client context.Response.Write( "<CourseFilesOpsResponse success=\"true\">" + attrFiles.GetXMLListing(courseUser, false) + "</CourseFilesOpsResponse>"); return; } else if ("assignment_file_download" == cmdParam) { // First make sure we have the "assignmentID" parameter int aID = -1; if (!VerifyIntParam(context, "assignmentID", ref aID)) { return; } // Now make sure we have the "filename" parameter string fileName = context.Request.Params["filename"]; if (string.IsNullOrEmpty(fileName)) { WriteErrorResponse(context, "Missing required parameter: \"filename\""); return; } fileName = System.IO.Path.GetFileName(fileName); // Get the attributable file storage OSBLEDirectory attrFiles = Models.FileSystem.Directories.GetAssignment(courseID, aID).AttributableFiles; if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for assignment"); return; } // Make sure the file exists OSBLEFile af = attrFiles.GetFile(fileName); if (null == af) { WriteErrorResponse(context, "Internal error: could not get attributable file"); return; } // Make sure the user has permission to download, if the user is not able to modify the course or the assignment date is not // past the due time plus the hours late window if (null == courseUser || (!af.CanUserDownload(courseUser) && !DBHelper.AssignmentDueDatePast(aID, courseUser.AbstractCourseID))) { WriteErrorResponse(context, "User does not have permission to download this file"); return; } if (fileName.ToLower().EndsWith(".pdf")) { context.Response.ContentType = "application/pdf"; } else { context.Response.ContentType = "application/octet-stream"; } context.Response.AddHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\""); // Transmit file data context.Response.TransmitFile(af.DataFileName); return; } else if ("assignment_file_delete" == cmdParam) { // First make sure we have the "assignmentID" parameter int aID = -1; if (!VerifyIntParam(context, "assignmentID", ref aID)) { return; } // Now make sure we have the "filename" parameter string fileName = context.Request.Params["filename"]; if (string.IsNullOrEmpty(fileName)) { WriteErrorResponse(context, "Missing required parameter: \"filename\""); return; } fileName = System.IO.Path.GetFileName(fileName); // Get the attributable file storage OSBLEDirectory attrFiles = Models.FileSystem.Directories.GetAssignment(courseID, aID).AttributableFiles; if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for assignment"); return; } // Make sure the file exists OSBLEFile af = attrFiles.GetFile(fileName); if (null == af) { WriteErrorResponse(context, "Internal error: could not get attributable file"); return; } //Delete file attrFiles.DeleteFile(fileName); // Return success message with new file listing /*context.Response.Write( * "<CourseFilesOpsResponse success=\"true\">" + * attrFiles.GetXMLListing(courseUser, true) + * "</CourseFilesOpsResponse>");*/ //TODO: fix this... this is a hack... //without redirecting to this page, the user is directed to an XML error page, and has to hit 'back' in order to see the file deleted //This also introduces a bug where the assignment timestamp is now -7 of what it previously was... //this code should redirect back to the page that called this event. //context.Response.Redirect("/AssignmentWizard/Basics"); string referrer = context.Request.UrlReferrer.ToString(); if (!String.IsNullOrEmpty(referrer)) { context.Response.Redirect(context.Request.UrlReferrer.ToString()); } return; } else if ("create_folder" == cmdParam) { // Make sure they have access to this course. Right now we only let // people who can modify the course have access to this service function. if (!VerifyModifyPermissions(context, up, courseID)) { return; } // Make sure the folder name parameter is present string folderName = string.Empty; if (!VerifyStringParam(context, "folder_name", ref folderName)) { return; } if (string.IsNullOrEmpty(folderName)) { WriteErrorResponse(context, "The following parameter cannot be an empty string: folder_name"); return; } // Make sure the folder name is OK if (!VerifyPath(context, ref folderName)) { return; } // Get the attributable file storage OSBLEDirectory attrFiles = Models.FileSystem.Directories.GetCourseDocs(courseID); if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for course files."); return; } // Create the directory attrFiles.CreateDir(folderName); // Return success message with new file listing context.Response.Write( "<CourseFilesOpsResponse success=\"true\">" + attrFiles.GetXMLListing(courseUser, true) + "</CourseFilesOpsResponse>"); return; } else if ("delete_file" == cmdParam) { HandleFileDeletionRequest(context, up, courseID); } else if ("delete_folder" == cmdParam) { HandleFolderDeletionRequest(context, up, courseID); return; } else if ("rename_file" == cmdParam) { HandleFileRenameRequest(context, up, courseID, courseUser); } else if ("rename_folder" == cmdParam) { // Make sure they have access to this course. Right now we only let // people who can modify the course have access to this service function. if (!VerifyModifyPermissions(context, up, courseID)) { return; } // Make sure the folder name parameter is present string folderName = string.Empty; if (!VerifyStringParam(context, "folder_name", ref folderName)) { return; } if (string.IsNullOrEmpty(folderName)) { WriteErrorResponse(context, "The following parameter cannot be an empty string: folder_name"); return; } // Make sure the folder name is OK if (!VerifyPath(context, ref folderName)) { return; } // Get the attributable file storage OSBLEDirectory attrFiles = Models.FileSystem.Directories.GetCourseDocs(courseID); if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for course files."); return; } // Combine the relative path from the request (which has been checked // to make sure it's ok) with the path of the course files. string path = System.IO.Path.Combine(attrFiles.GetPath(), folderName); if (!System.IO.Directory.Exists(path)) { // We can't rename a directory that doesn't exist WriteErrorResponse(context, "Error: Could not find folder to rename: " + folderName); return; } // Now make sure we have the new_name parameter string newName = string.Empty; if (!VerifyStringParam(context, "new_name", ref newName)) { return; } // Verify that it's OK if (!VerifyPath(context, ref newName)) { return; } // Also it must be just the folder name and not have / or \ if (newName.Contains('/') || newName.Contains('\\')) { WriteErrorResponse(context, "New folder name must not contain a path, just the new folder name."); return; } // Lastly, it must not be empty if (string.IsNullOrEmpty(newName)) { WriteErrorResponse(context, "New folder name cannot be empty."); return; } string newNameFull = System.IO.Path.Combine( System.IO.Path.GetDirectoryName(path), newName); // Do the actual rename (move) System.IO.Directory.Move(path, newNameFull); // Do the same for the corresponding folder in the attributable // files directory path = System.IO.Path.Combine(attrFiles.AttrFilesPath, folderName); if (System.IO.Directory.Exists(path)) { newNameFull = System.IO.Path.Combine( System.IO.Path.GetDirectoryName(path), newName); System.IO.Directory.Move(path, newNameFull); } // Return success message with new file listing context.Response.Write( "<CourseFilesOpsResponse success=\"true\">" + attrFiles.GetXMLListing(courseUser, true) + "</CourseFilesOpsResponse>"); return; } else { // Coming here implies an unknown command WriteErrorResponse(context, "Unknown command: " + cmdParam); } }
private void HandleFileRenameRequest(HttpContext context, Models.Users.UserProfile up, int courseID, CourseUser courseUser) { // Make sure they have access to this course. Right now we only let // people who can modify the course have access to this service function. if (!VerifyModifyPermissions(context, up, courseID)) { return; } // Make sure the file name parameter is present string fileName = string.Empty; if (!VerifyStringParam(context, "file_name", ref fileName)) { return; } if (string.IsNullOrEmpty(fileName)) { WriteErrorResponse(context, "The following parameter cannot be an empty string: file_name"); return; } // Make sure the path name is OK if (!VerifyPath(context, ref fileName)) { return; } // Get the attributable file storage OSBLEDirectory courseFiles = Models.FileSystem.Directories.GetCourseDocs(courseID); OSBLEDirectory attrFiles = courseFiles; if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for course files."); return; } int slashIndex = fileName.LastIndexOf('\\'); if (-1 == slashIndex) { slashIndex = fileName.LastIndexOf('/'); } if (-1 != slashIndex) { // If the file exists in some nested folders then get the // correct directory object first. attrFiles = (OSBLEDirectory)attrFiles.GetDir(fileName.Substring(0, slashIndex)); // Also remove the path from the beginning of the file name fileName = fileName.Substring(slashIndex + 1); } // Now make sure we have the new_name parameter string newName = string.Empty; if (!VerifyStringParam(context, "new_name", ref newName)) { return; } // Verify that it's OK if (!VerifyPath(context, ref newName)) { return; } // Also it must be just the new file name and not have / or \ if (newName.Contains('/') || newName.Contains('\\')) { WriteErrorResponse(context, "New file name must not contain a path, just the new file name."); return; } // Lastly, it must not be empty if (string.IsNullOrEmpty(newName)) { WriteErrorResponse(context, "New file name cannot be empty."); return; } // Tell the file storage to do the rename if (attrFiles.RenameFile(fileName, newName)) { // Return success message with new file listing context.Response.Write( "<CourseFilesOpsResponse success=\"true\">" + courseFiles.GetXMLListing(courseUser, true) + "</CourseFilesOpsResponse>"); } else { WriteErrorResponse(context, "Failed to rename file."); } }
public void ProcessRequest(HttpContext context) { HttpFileCollection coll; //yc: set the max upload size try { coll = context.Request.Files; context.Response.ContentType = "text/xml"; if (0 == coll.Count) { WriteErrorResponse(context, "Course file upload service requires one or more files in the request. " + "It's possible that your browser did not correctly send the file data " + "and you may need to update your browser if the problem persists."); return; } // We're expecting the course ID to be in a parameter (required) string courseIDParam = context.Request.Params["courseID"]; if (string.IsNullOrEmpty(courseIDParam)) { WriteErrorResponse(context, "Course file upload service requires a \"courseID\" parameter."); return; } // Make sure the course ID is an integer and a valid course ID at that int courseID; if (!int.TryParse(courseIDParam, out courseID)) { WriteErrorResponse(context, "The course ID must be a valid integer value."); return; } // There might be an optional "target_folder" parameter string targetFolderParam = context.Request.Params["target_folder"]; // Try to get the current OSBLE user Models.Users.UserProfile up = OSBLE.Utility.OsbleAuthentication.CurrentUser; if (null == up) { // In the future what I'd like to do here is look for a user name and // password in the request headers. This would allow this web service to // be used by other sources, but for now it requires a logged in OSBLE user. WriteErrorResponse(context, "Could not get active OSBLE user for request. Please login."); return; } // Make sure this user has permission to upload to this course OSBLEContext _db = new OSBLEContext(); CourseUser courseUser = ( from cu in _db.CourseUsers where cu.UserProfileID == up.ID && cu.AbstractCourse is AbstractCourse && cu.AbstractCourseID == courseID select cu ).FirstOrDefault(); if (null == courseUser || !courseUser.AbstractRole.CanUploadFiles) { // User cannot upload files for this course context.Response.Write( "<CourseFilesUploaderResponse success=\"false\">" + " <Message>The specified user does not have access to course with ID=" + courseID.ToString() + ". User must be " + "a course owner to access this service.</Message>" + "</CourseFilesUploaderResponse>"); return; } // We will look for an optional "fileusage" parameter that tells us where // the file(s) will go. By default we use "generic" if the parameter is // absent. string fileUsage = context.Request.Params["fileusage"]; if (string.IsNullOrEmpty(fileUsage)) { // Default to "generic", which puts files in the CourseDocs folder. fileUsage = "generic"; } else { fileUsage = fileUsage.ToLower(); } // Save based on the usage if ("generic" == fileUsage) { OSBLEDirectory location = Models.FileSystem.Directories.GetCourseDocs(courseID); // For now the target folder parameter is only allowed for generic files if (!string.IsNullOrEmpty(targetFolderParam) && "\\" != targetFolderParam && "/" != targetFolderParam) { // We can't let it start with / or \ while (targetFolderParam.StartsWith("\\")) { targetFolderParam = targetFolderParam.Substring(1); } while (targetFolderParam.StartsWith("/")) { targetFolderParam = targetFolderParam.Substring(1); } location = location.GetDir(targetFolderParam); if (null == location) { WriteErrorResponse(context, "Could not upload to target folder: " + targetFolderParam); return; } } // Save each file to the target directory for (int i = 0; i < coll.Count; i++) { HttpPostedFile postedFile = coll[i]; //yc: check the file size in MB int size = postedFile.ContentLength / 1024 / 1024; //contentLenght(BYTES)/ 1024 (gets KB) / 1024 (GETS MB) if (size < 30) { } else { //too large } string fileName = Path.GetFileName(postedFile.FileName); location.AddFile(fileName, postedFile.InputStream); } context.Response.Write(string.Format( "<CourseFilesUploaderResponse success=\"true\">" + " <Message>Successfully uploaded {0} files</Message>" + "</CourseFilesUploaderResponse>", coll.Count)); return; } else if ("assignment_description" == fileUsage || "assignment_solution" == fileUsage) { // In this case we also need an assignment ID parameter string aIDString = context.Request.Params["assignmentID"]; if (string.IsNullOrEmpty(aIDString)) { WriteErrorResponse(context, "An \"assignmentID\" parameter is required when uploading a " + "file for an assignment " + (("assignment_description" == fileUsage) ? "description." : "solution.")); return; } int aID; if (!int.TryParse(aIDString, out aID)) { WriteErrorResponse(context, "The \"assignmentID\" parameter must be an integer value."); return; } // Assignment must exist Models.FileSystem.AssignmentFilePath afs = Models.FileSystem.Directories.GetAssignment(courseID, aID); if (null == afs) { WriteErrorResponse(context, "Could not get assignment file path for assignment: " + aIDString); return; } // Get the attributable files storage for this assignment OSBLE.Models.FileSystem.OSBLEDirectory attrFiles = afs.AttributableFiles; if (null == attrFiles) { WriteErrorResponse(context, "Internal error: could not get attributable files manager for assignment"); return; } // Set up the system attributes for this file Dictionary <string, string> sys = new Dictionary <string, string>(); sys.Add("created", DateTime.Now.ToString()); sys.Add(fileUsage, aIDString); sys.Add("uploadedby", up.UserName); if ("assignment_solution" != fileUsage) { sys.Add("any_course_user_can_download", null); } // Save each file to the target directory for (int i = 0; i < coll.Count; i++) { HttpPostedFile postedFile = coll[i]; string fileName = Path.GetFileName(postedFile.FileName); attrFiles.AddFile(fileName, postedFile.InputStream, sys, null); } context.Response.Write(string.Format( "<CourseFilesUploaderResponse success=\"true\">" + " <Message>Successfully uploaded {0} files</Message>" + "</CourseFilesUploaderResponse>", coll.Count)); return; } // Coming here implies we didn't recognize the file usage WriteErrorResponse(context, "Unsupported file usage: " + fileUsage); } catch (HttpException ex) { if (ex.WebEventCode == 3004) { WriteErrorResponse(context, "File exceeds 30MB upload limit"); return; } } // This web service returns XML }