/// <summary>
/// Handles the Click event of the btnSave control.
/// </summary>
/// <param name="sender">The source of the event.</param>
/// <param name="e">The <see cref="EventArgs"/> instance containing the event data.</param>
protected void btnSave_Click(object sender, EventArgs e)
{
var highProfile = RoleCache.Get(ddlHighRoles.SelectedValue.AsInteger());
var extremeProfile = RoleCache.Get(ddlExtremeRoles.SelectedValue.AsInteger());
if (highProfile == null || extremeProfile == null)
{
return;
}
_securitySettingsService.SecuritySettings.AccountProtectionProfilesForDuplicateDetectionToIgnore =
cblIgnoredAccountProtectionProfiles.SelectedValuesAsInt.Select(a => ( AccountProtectionProfile )a).ToList();
_securitySettingsService.SecuritySettings.DisableTokensForAccountProtectionProfiles =
cblDisableTokensForAccountProtectionProfiles.SelectedValuesAsInt.Select(a => ( AccountProtectionProfile )a).ToList();
_securitySettingsService.SecuritySettings.AccountProtectionProfileSecurityGroup.AddOrReplace(AccountProtectionProfile.Extreme, extremeProfile);
_securitySettingsService.SecuritySettings.AccountProtectionProfileSecurityGroup.AddOrReplace(AccountProtectionProfile.High, highProfile);
if (_securitySettingsService.Save())
{
nbSaveResult.Text = "Your Security Settings have been saved.";
nbSaveResult.NotificationBoxType = NotificationBoxType.Success;
nbSaveResult.Visible = true;
}
else
{
var errors = "<li>" + _securitySettingsService.ValidationResults.Select(r => r.ErrorMessage).JoinStrings("</li><li>") + "</li>";
errors = errors.Replace("<li></li>", string.Empty);
nbSaveResult.Text = $"The following errors occurred while trying to save:<ul>{errors}</ul>";
nbSaveResult.NotificationBoxType = NotificationBoxType.Danger;
nbSaveResult.Visible = true;
}
}
/// <summary>
/// Gets the ordered explicit authorization rules for an entity. The first rule in the list
/// should be checked first, and so on. The order follows from the first explicit rule on the
/// entity to the last explicit rule on the entity, then the first explicit rule on the parent
/// entity to the last explicit rule on the parent entity and so on.
/// </summary>
/// <param name="entity">The entity.</param>
/// <returns>A collection of explicit authorization rules in the proper order.</returns>
private static List <string> GetOrderedExplicitAuthorizationRules(ISecured entity)
{
var explicitRules = new List <string>();
if (entity == null)
{
return(explicitRules);
}
//
// Get the ancestor authorization rules.
//
var parentEntity = entity.ParentAuthority;
if (parentEntity != null)
{
explicitRules = GetOrderedExplicitAuthorizationRules(parentEntity);
}
var authRules = Authorization.AuthRules(entity.TypeId, entity.Id, Authorization.VIEW);
//
// Walk each rule in descending order so that the final order is correct
// since we insert rules at index 0.
//
foreach (var rule in authRules.OrderByDescending(a => a.Order))
{
string entityIdentifier;
if (rule.SpecialRole != SpecialRole.None)
{
entityIdentifier = $"S:{( int ) rule.SpecialRole}";
}
else if (rule.GroupId.HasValue)
{
var role = RoleCache.Get(rule.GroupId.Value);
if (role == null)
{
continue;
}
entityIdentifier = $"G:{role.Guid}";
}
else if (rule.PersonId.HasValue)
{
/* Not currently supported, maybe in the future. -dsh */
continue;
}
else
{
continue;
}
explicitRules.Insert(0, $"{entityIdentifier}:{rule.AllowOrDeny}");
}
return(explicitRules);
}
/// <summary>
/// Initializes a new instance of the <see cref="SecuritySettingsService"/> class.
/// </summary>
public SecuritySettingsService()
{
_validationResults = new List <ValidationResult>();
var securitySettings = SystemSettings.GetValue(SYSTEM_SETTING_KEY).FromJsonOrNull <SecuritySettings>();
if (securitySettings == null)
{
securitySettings = GetDefaultSecuritySettings();
}
else
{
var keys = securitySettings.AccountProtectionProfileSecurityGroup.Keys.ToList();
foreach (var key in keys)
{
var roleCache = securitySettings.AccountProtectionProfileSecurityGroup[key];
securitySettings.AccountProtectionProfileSecurityGroup[key] = RoleCache.Get(roleCache.Id);
}
}
SecuritySettings = securitySettings;
}
/// <summary>
/// Gets the or add existing.
/// </summary>
/// <param name="key">The key.</param>
/// <param name="valueFactory">The value factory.</param>
/// <returns></returns>
public static Role GetOrAddExisting(string key, Func <Role> valueFactory)
{
// This mehod should not have been public, but it was, so leaving it with just a get.
return(new Role(RoleCache.Get(key.AsInteger())));
}
/// <summary>
/// Returns Role object from cache. If role does not already exist in cache, it
/// will be read and added to cache
/// </summary>
/// <param name="id">The id.</param>
/// <returns></returns>
public static Role Read(int id)
{
return(new Role(RoleCache.Get(id)));
}
/// <summary>
/// Find the matching Auth record for this entity, action and person combination. Only explicit
/// Auth records are checked.
/// </summary>
/// <param name="entity">The entity whose Auth records we are going to search for.</param>
/// <param name="action">The type of action that is to be authenticated.</param>
/// <param name="person">The person that is requesting permission.</param>
/// <returns>An Auth object if an explicit permission was found, otherwise null.</returns>
Auth MatchingAuth(ISecured entity, string action, Person person)
{
var rockContext = new RockContext();
var authService = new AuthService(rockContext);
var rules = authService.Get(entity.TypeId, entity.Id).Where(a => a.Action == action).ToList();
bool matchFound = false;
bool authorized = false;
foreach (var authRule in rules)
{
// All Users
if (authRule.SpecialRole == SpecialRole.AllUsers)
{
matchFound = true;
authorized = authRule.AllowOrDeny == "A";
return(authRule);
}
// All Authenticated Users
if (!matchFound && authRule.SpecialRole == SpecialRole.AllAuthenticatedUsers && person != null)
{
matchFound = true;
authorized = authRule.AllowOrDeny == "A";
return(authRule);
}
// All Unauthenticated Users
if (!matchFound && authRule.SpecialRole == SpecialRole.AllUnAuthenticatedUsers && person == null)
{
matchFound = true;
authorized = authRule.AllowOrDeny == "A";
return(authRule);
}
if (!matchFound && authRule.SpecialRole == SpecialRole.None && person != null)
{
// See if person has been authorized to entity
if (authRule.PersonAliasId.HasValue &&
person.Aliases.Where(a => a.Id == authRule.PersonAliasId.Value).Any())
{
matchFound = true;
authorized = authRule.AllowOrDeny == "A";
return(authRule);
}
// See if person is in role authorized
if (!matchFound && authRule.GroupId.HasValue)
{
var role = RoleCache.Get(authRule.GroupId.Value);
if (role != null && role.IsPersonInRole(person.Guid))
{
matchFound = true;
authorized = authRule.AllowOrDeny == "A";
return(authRule);
}
}
}
}
return(null);
}
