public void Should_resolve_policy_violation_handler_for_exception_from_container() { // Arrange var controllerName = NameHelper.Controller<BlogController>(); const string actionName = "Index"; var events = new List<ISecurityEvent>(); SecurityDoctor.Register(events.Add); var expectedActionResult = new ViewResult { ViewName = "SomeViewName" }; var violationHandler = new DenyAnonymousAccessPolicyViolationHandler(expectedActionResult); FakeIoC.GetAllInstancesProvider = () => new List<IPolicyViolationHandler> { violationHandler }; SecurityConfigurator.Configure(policy => { policy.ResolveServicesUsing(FakeIoC.GetAllInstances); policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsFalse); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act var result = securityHandler.HandleSecurityFor(controllerName, actionName, SecurityContext.Current); // Assert Assert.That(result, Is.EqualTo(expectedActionResult)); Assert.That(events.Any(e => e.Message == "Handling security for {0} action {1}.".FormatWith(controllerName, actionName))); Assert.That(events.Any(e => e.Message == "Finding policy violation handler using convention {0}.".FormatWith(typeof(FindByPolicyNameConvention)))); Assert.That(events.Any(e => e.Message == "Found policy violation handler {0}.".FormatWith(violationHandler.GetType().FullName))); Assert.That(events.Any(e => e.Message == "Handling violation with {0}.".FormatWith(violationHandler.GetType().FullName))); Assert.That(events.Any(e => e.Message == "Done enforcing policies. Violation occured!")); }
public void Should_resolve_policy_violation_handler_for_exception_from_container() { // Arrange var expectedActionResult = new ViewResult { ViewName = "SomeViewName" }; var violationHandler = new DenyAnonymousAccessPolicyViolationHandler(expectedActionResult); FakeIoC.GetAllInstancesProvider = () => new List<IPolicyViolationHandler> { violationHandler }; SecurityConfigurator.Configure(policy => { policy.ResolveServicesUsing(FakeIoC.GetAllInstances); policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsFalse); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act var result = securityHandler.HandleSecurityFor(NameHelper.Controller<BlogController>(), "Index", SecurityContext.Current); // Assert Assert.That(result, Is.EqualTo(expectedActionResult)); }
public void Should_throw_ArgumentException_when_actionname_is_null_or_empty() { // Arrange var securityHandler = new SecurityHandler(); // Assert Assert.Throws<ArgumentException>(() => securityHandler.HandleSecurityFor("A", null, _context)); Assert.Throws<ArgumentException>(() => securityHandler.HandleSecurityFor("A", "", _context)); }
public void Should_not_throw_when_when_controllername_is_Blog_and_actionname_is_Index() { // Arrange SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Assert Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor(NameHelper.Controller<BlogController>(), "Index", SecurityContext.Current)); }
// // Constructie // private DataAccess() { sysLog.Info("DataAccess startup"); publicXmlRpcUrl = ConfigurationManager.AppSettings["PUBLIC_XML_RPC_SERVER"]; privateXmlRpcUrl = ConfigurationManager.AppSettings["PRIVATE_XML_RPC_SERVER"]; publicExchangeHandler = HandlerHelper.getPublicExchangeHandler(publicXmlRpcUrl); publicIndexHandler = HandlerHelper.getPublicIndexHandler(publicXmlRpcUrl); publicOrderHandler = HandlerHelper.getPublicOrderHandler(publicXmlRpcUrl); publicPortfolioHandler = HandlerHelper.getPublicPortfolioHandler(publicXmlRpcUrl); publicSecurityHandler = HandlerHelper.getPublicSecurityHandler(publicXmlRpcUrl); publicTransactionHandler = HandlerHelper.getPublicTransactionHandler(publicXmlRpcUrl); publicUserHandler = HandlerHelper.getPublicUserHandler(publicXmlRpcUrl); publicPointsTransactionHandler = HandlerHelper.getPublicPointsTransactionHandler(publicXmlRpcUrl); exchangeCache = new Dictionary<string, IExchange>(); }
public void Should_not_throw_ConfigurationErrorsException_when_IgnoreMissingConfigurations_is_true() { // Arrange var events = new List<ISecurityEvent>(); SecurityDoctor.Register(events.Add); SecurityConfigurator.Configure(configuration => { configuration.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); configuration.Advanced.IgnoreMissingConfiguration(); configuration.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act & Assert Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor("NonConfiguredController", "Action", SecurityContext.Current)); Assert.That(events.Any(e => e.Message == "Ignoring missing configuration.")); }
protected override void OnNodeMoved(object sender, NodeOperationEventArgs e) { // We do not have to deal with content outside of the IMS folder, because // moving local groups does not involve any membership change. if (!e.OriginalSourcePath.StartsWith(RepositoryStructure.ImsFolderPath + RepositoryPath.PathSeparator) && !e.SourceNode.Path.StartsWith(RepositoryStructure.ImsFolderPath + RepositoryPath.PathSeparator)) { return; } base.OnNodeMoved(sender, e); var movedUsers = new List <int>(); var movedGroups = new List <int>(); // if the moved content is an identity, put it into the appropriate list if (e.SourceNode is User) { movedUsers.Add(e.SourceNode.Id); } else if (e.SourceNode is Group || e.SourceNode is OrganizationalUnit) { movedGroups.Add(e.SourceNode.Id); } else { // If the moved content is an irrelevant container (e.g. a folder), collect relevant (first-level) child content (users, groups // and child orgunits even inside simple subfolders). These are already moved to the new location, but we only need their ids. using (new SystemAccount()) { CollectSecurityIdentityChildren(NodeHead.Get(e.SourceNode.Path), movedUsers, movedGroups); } } // empty collections: nothing to do if (movedUsers.Count == 0 && movedGroups.Count == 0) { return; } // find the original parent orgunit (if there was one) var parent = Node.LoadNode(RepositoryPath.GetParentPath(e.OriginalSourcePath)); var originalParentId = 0; var targetParentId = 0; if (parent is OrganizationalUnit) { originalParentId = parent.Id; } else { using (new SystemAccount()) { parent = GetFirstOrgUnitParent(parent); if (parent != null) { originalParentId = parent.Id; } } } // find the target parent orgunit (if there is one) using (new SystemAccount()) { parent = GetFirstOrgUnitParent(e.SourceNode); if (parent != null) { targetParentId = parent.Id; } } // remove relevant child content from the original parent org unit (if it is different from the target) if (originalParentId > 0 && originalParentId != targetParentId) { SecurityHandler.RemoveMembers(originalParentId, movedUsers, movedGroups); } // add the previously collected identities to the target orgunit (if it is different from the original) if (targetParentId > 0 && originalParentId != targetParentId) { SecurityHandler.AddMembers(targetParentId, movedUsers, movedGroups); } }
public void Apply() { ApplyChanges(); SecurityHandler.Reset(); }
public void Dispose() { SecurityHandler.CreateAclEditor() .ClearPermission(_entityId, _identityId, _localOnly, _permissions) .Apply(); }
private static ContentView CreateFromActualPath(SNC.Content content, System.Web.UI.Page aspNetPage, ViewMode viewMode, string viewPath) { if (content == null) { throw new ArgumentNullException("content"); } if (aspNetPage == null) { throw new ArgumentNullException("aspNetPage"); } if (viewPath == null) { throw new ArgumentNullException("viewPath"); } if (viewPath.Length == 0) { throw new ArgumentOutOfRangeException("viewPath", "Parameter 'viewPath' cannot be empty"); } if (viewMode == ViewMode.None) { throw new ArgumentOutOfRangeException("viewMode", "Parameter 'viewMode' cannot be ViewMode.None"); } string path = String.Concat("~", viewPath); if (!SecurityHandler.HasPermission(User.Current, viewPath, 0, 0, PermissionType.RunApplication)) { throw new SecurityException(path, PermissionType.RunApplication); } ContentView view = GetContentViewFromCache(path); // if not in request cache if (view == null) { var addToCache = false; try { view = aspNetPage.LoadControl(path) as ContentView; addToCache = true; } catch (Exception e) //logged { Logger.WriteException(e); var errorContentViewPath = RepositoryPath.Combine(Repository.ContentViewFolderName, "Error.ascx"); var resolvedErrorContentViewPath = SkinManager.Resolve(errorContentViewPath); path = String.Concat("~", resolvedErrorContentViewPath); view = aspNetPage.LoadControl(path) as ContentView; view.ContentException = e; } if (view == null) { throw new ApplicationException(string.Format("ContentView instantiation via LoadControl for path '{0}' failed.", path)); } if (addToCache) { AddContentViewToCache(path, view); } } view.Initialize(content, viewMode); return(view); }
void OnAuthorizeRequest(object sender, EventArgs e) { PortalContext currentPortalContext = PortalContext.Current; var d = NodeHead.Get("/Root"); if (currentPortalContext != null && currentPortalContext.IsRequestedResourceExistInRepository) { var authMode = currentPortalContext.AuthenticationMode; //install time if (string.IsNullOrEmpty(authMode) && currentPortalContext.Site == null) { authMode = "None"; } if (string.IsNullOrEmpty(authMode)) { authMode = WebConfigurationManager.AppSettings["DefaultAuthenticationMode"]; } bool appPerm = false; if (authMode == "Forms") { appPerm = currentPortalContext.CurrentAction.CheckPermission(); } else if (authMode == "Windows") { currentPortalContext.CurrentAction.AssertPermissions(); appPerm = true; } else { throw new NotSupportedException("None authentication is not supported"); } var application = sender as HttpApplication; var currentUser = application.Context.User.Identity as User; var path = currentPortalContext.RepositoryPath; var nodeHead = NodeHead.Get(path); var isOwner = nodeHead.CreatorId == currentUser.Id; var permissionValue = SecurityHandler.GetPermission(nodeHead, PermissionType.Open); if (permissionValue != PermissionValue.Allow || !appPerm) { switch (authMode) { case "Forms": if (User.Current.IsAuthenticated) { // user is authenticated, but has no permissions: return 403 application.Context.Response.StatusCode = 403; application.Context.Response.Flush(); application.Context.Response.Close(); } else { // user is not authenticated and visitor has no permissions: redirect to login page // Get the login page Url (eg. http://localhost:1315/home/login) string loginPageUrl = currentPortalContext.GetLoginPageUrl(); // Append trailing slash if (loginPageUrl != null && !loginPageUrl.EndsWith("/")) { loginPageUrl = loginPageUrl + "/"; } // Cut down the querystring (eg. drop ?Param1=value1@Param2=value2) string currentRequestUrlWithoutQueryString = currentPortalContext.OriginalUri.GetComponents(UriComponents.Scheme | UriComponents.Host | UriComponents.Port | UriComponents.Path, UriFormat.Unescaped); // Append trailing slash if (!currentRequestUrlWithoutQueryString.EndsWith("/")) { currentRequestUrlWithoutQueryString = currentRequestUrlWithoutQueryString + "/"; } // Redirect to the login page, if neccessary. if (currentRequestUrlWithoutQueryString != loginPageUrl) { application.Context.Response.Redirect(loginPageUrl + "?OriginalUrl=" + System.Web.HttpUtility.UrlEncode(currentPortalContext.OriginalUri.ToString()), true); } } break; //case "Windows": // application.Context.Response.Clear(); // application.Context.Response.Buffer = true; // application.Context.Response.Status = "401 Unauthorized"; // application.Context.Response.AddHeader("WWW-Authenticate", "NTLM"); // application.Context.Response.End(); // break; default: AuthenticationHelper.DenyAccess(application); break; } } } }
/// <summary> /// Gets the text content from a given path and processes it. Override this method if you want to implement custom logic when each file is loaded. /// </summary> /// <param name="path">The path from which to the content should be retrieved.</param> /// <returns>The processed text content of the given path, or null if it was not found.</returns> protected virtual string GetTextFromPath(string path) { if (path[0] == '/') { // This is a repository URL var fsPath = HostingEnvironment.MapPath(path); var fileNodeHead = NodeHead.Get(path); var fileNode = fileNodeHead != null && SecurityHandler.HasPermission(fileNodeHead, PermissionType.Open) ? Node.Load <File>(path) : null; System.IO.Stream stream = null; if ((RepositoryPathProvider.DiskFSSupportMode == DiskFSSupportMode.Prefer || fileNode == null) && System.IO.File.Exists(fsPath)) { // If DiskFsSupportMode is Prefer and the file exists, or it's fallback but the node doesn't exist in the repo get it from the file system stream = new System.IO.FileStream(fsPath, System.IO.FileMode.Open, System.IO.FileAccess.Read); } else if (path[0] == '/' && fileNode != null) { // If the node exists, get it from the repo stream = fileNode.Binary.GetStream(); } else if (path.StartsWith("/" + ResourceHandler.UrlPart + "/")) { // Special case, this is a resource URL, we will just render the resource script here var parsed = ResourceHandler.ParseUrl(path); if (parsed == null) { return(null); } var className = parsed.Item2; var culture = CultureInfo.GetCultureInfo(parsed.Item1); try { return(ResourceScripter.RenderResourceScript(className, culture)); } catch (Exception exc) { Logger.WriteException(exc); return(null); } } try { return(stream != null?Tools.GetStreamString(stream) : null); } finally { if (stream != null) { stream.Dispose(); } } } if (path.StartsWith("http://") || path.StartsWith("https://")) { // This is a web URL try { HttpWebRequest req; if (PortalContext.IsKnownUrl(path)) { string url; var ub = new UriBuilder(path); var origHost = ub.Host; ub.Host = "127.0.0.1"; url = ub.Uri.ToString(); req = (HttpWebRequest)HttpWebRequest.Create(url); req.Host = origHost; } else { req = (HttpWebRequest)HttpWebRequest.Create(path); } req.AutomaticDecompression = DecompressionMethods.Deflate | DecompressionMethods.GZip; var res = req.GetResponse(); using (var st = res.GetResponseStream()) using (var stream = new System.IO.MemoryStream()) { st.CopyTo(stream); var arr = stream.ToArray(); var result = Encoding.UTF8.GetString(arr); return(result); } } catch (Exception exc) { Logger.WriteError(EventId.Bundling.ContentLoadError, "Error during bundle request: " + exc, properties: new Dictionary <string, object> { { "Path", path } }); return(null); } } return(null); }
public void NodeEvent_PermissionChanging() { var content = Content.CreateNew("Car", _testRoot, Guid.NewGuid().ToString()); content.Save(); var expectedLog = String.Concat("TestObserver.OnPermissionChanging", Environment.NewLine, "TestObserver.OnPermissionChanged", Environment.NewLine); //---- 1 LoggedTestObserver.ResetLog(); content.Security.BreakInheritance(); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#1"); //---- 2 LoggedTestObserver.ResetLog(); content.Security.SetPermission(Group.Everyone, true, PermissionType.RunApplication, PermissionValue.Allow); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#2"); //---- 3 LoggedTestObserver.ResetLog(); content.Security.SetPermissions(Group.Everyone.Id, true, new[] { PermissionValue.Allow, PermissionValue.Allow, PermissionValue.Allow, PermissionValue.Allow }); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#3"); //---- 4 LoggedTestObserver.ResetLog(); content.Security.SetAcl(content.Security.GetAcl()); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#4a"); LoggedTestObserver.ResetLog(); SecurityHandler.SetAcl(content.Security.GetAcl(), content.Id); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#4b"); LoggedTestObserver.ResetLog(); SecurityHandler.SetAcl(content.Security.GetAcl(), content.Path); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#4c"); //---- 5 content = Content.Load(content.Id); LoggedTestObserver.ResetLog(); content.Security.RemoveBreakInheritance(); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#5"); //---- 6 var sb = new StringBuilder(); var settings = new XmlWriterSettings { Indent = true, IndentChars = " " }; using (var xmlWriter = XmlWriter.Create(sb, settings)) { xmlWriter.WriteStartDocument(); xmlWriter.WriteStartElement("Permissions"); content.Security.ExportPermissions(xmlWriter); xmlWriter.WriteEndElement(); xmlWriter.WriteEndDocument(); } var xml = new XmlDocument(); xml.LoadXml(sb.ToString()); var permissionNode = xml.DocumentElement; LoggedTestObserver.ResetLog(); content.Security.ImportPermissions(permissionNode, "####"); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#6"); //---- 7 LoggedTestObserver.ResetLog(); content.Security.RemoveExplicitEntries(); Assert.IsTrue(LoggedTestObserver.GetLog() == expectedLog, "#7"); }
/// <summary> /// Sets the callback URL of the ActionMenu. It represents the service url with correct parameters for the actions. /// </summary> private void SetServiceUrl() { var scParams = GetReplacedScenarioParameters(); var context = UITools.FindContextInfo(this, ContextInfoID); var path = !string.IsNullOrEmpty(ContextInfoID) ? context.Path : NodePath; var encodedReturnUrl = Uri.EscapeDataString(PortalContext.Current.RequestedUri.PathAndQuery); var encodedParams = Uri.EscapeDataString(scParams ?? string.Empty); if (string.IsNullOrEmpty(path)) { path = ContentView.GetContentPath(this); } if (string.IsNullOrEmpty(path)) { this.Visible = false; return; } var head = NodeHead.Get(path); if (head == null || !SecurityHandler.HasPermission(head, PermissionType.See)) { this.Visible = false; return; } this.Content = Content.Load(path); // Pre-check action count. If empty, hide the action menu. if (CheckActionCount) { var actionCount = 0; if (!string.IsNullOrEmpty(Scenario)) { actionCount = ActionFramework.GetActions(this.Content, Scenario, scParams, null).Count(); } if (actionCount < 2 && string.Equals(Scenario, "new", StringComparison.CurrentCultureIgnoreCase)) { ClickDisabled = true; } else if (actionCount == 0) { this.Visible = false; return; } } // Pre-check required permissions var permissions = SenseNet.ContentRepository.Fields.PermissionChoiceField.ConvertToPermissionTypes(RequiredPermissions).ToArray(); if (permissions.Length > 0 && !SecurityHandler.HasPermission(head, permissions)) { this.Visible = false; return; } ServiceUrl = string.Format(ODataTools.GetODataOperationUrl(path, "SmartAppGetActions") + "?scenario={0}&back={1}¶meters={2}", Scenario, encodedReturnUrl, encodedParams); }
protected void btLogin_Click(object sender, EventArgs e) { try { if (Session["check"] == null) { this.tbCaptcha.Text = string.Empty; Page.ClientScript.RegisterClientScriptBlock(this.GetType(), "message", "<script language=\"javascript\">alert(\"验证码失效!\")</script>"); return; } if (tbCaptcha.Text != Session["check"].ToString()) { Page.ClientScript.RegisterClientScriptBlock(this.GetType(), "message", "<script language=\"javascript\">alert(\"验证码错误!\")</script>"); this.tbCaptcha.Text = string.Empty; return; } string usercode = Server.HtmlEncode(tbUserName.Text); string passWord = tbPassWord.Text; //进行用户登录,security.LoginResult为null或者security.LoginResult.IsPassed && security.LoginResult.AuthorizationCode != "" //都是登录失败 SecurityHandler security = SecurityHandler.Login(usercode, passWord); if (security.LoginResult.SystemCode == null) //判断存不存在 { Page.ClientScript.RegisterClientScriptBlock(this.GetType(), "message", "<script language=\"javascript\">alert(\"用户名或密码错误!\")</script>"); this.tbUserName.Text = string.Empty; this.tbPassWord.Text = string.Empty; this.tbCaptcha.Text = string.Empty; return; } var aa = SecurityHandler.LoginOn(security.LoginResult.AuthorizationCode).GetCurrentUserInfo(); Dictuser user = new Dictuser(); user.Usercode = aa.USERNAME; user = new DictuserService().GetDictuserInfoByUserCode(user); if (user != null) { UserInfo userInfo = new UserInfo(); userInfo.AuthorizationCode = security.LoginResult.AuthorizationCode; userInfo.userCode = user.Usercode; userInfo.userName = user.Username; userInfo.userId = Convert.ToInt32(user.Dictuserid); userInfo.loginTime = DateTime.Now; userInfo.joinLabidstr = user.Joinlabid; userInfo.dictlabid = user.Dictlabid; userInfo.joinDeptstr = user.Joindeptid; userInfo.dictlabdeptid = user.Dictlabdeptid; userInfo.sysSetting = GetSysSetting(); Session["UserInfo"] = userInfo; } if (security.LoginResult.IsPassed && security.LoginResult.AuthorizationCode != "") { //这里的Cookie名字不能更改 HttpCookie cookie = new HttpCookie("authorizationcode"); cookie.Value = security.LoginResult.AuthorizationCode; TimeSpan ts = new TimeSpan(1, 0, 0, 0); cookie.Expires = DateTime.Now.Add(ts);//添加作用时间 Response.AppendCookie(cookie); if (!RegexPassWordSecurity(passWord)) { ClientScript.RegisterStartupScript(this.GetType(), "redirectToChangePassword", "<script> alert('您的密码安全性较弱,请重新修改密码'); window.location.href='EditPassword.aspx';</script>"); return; } Response.Redirect("Main.aspx", false); //////PageContext.RegisterStartupScript("top.location.href = 'Main.aspx';"); //Page.ClientScript.RegisterClientScriptBlock(this.GetType(), "message", "<script language=\"javascript\">top.location.href = 'Main.aspx';</script>"); } else { Page.ClientScript.RegisterClientScriptBlock(this.GetType(), "message", "<script language=\"javascript\">alert(\"用户名或密码错误!\")</script>"); this.tbUserName.Text = string.Empty; this.tbPassWord.Text = string.Empty; this.tbCaptcha.Text = string.Empty; return; } } catch (Exception ex) { Alert.ShowInTop(ex.Message, "体检系统"); } }
public IActionResult GetRootContainer() { var authorizationHeader = HttpContext.Request.Headers["Authorization"]; var ecosystemOperation = HttpContext.Request.Headers[WopiHeaders.EcosystemOperation]; string wopiSrc = HttpContext.Request.Headers[WopiHeaders.WopiSrc].FirstOrDefault(); if (ValidateAuthorizationHeader(authorizationHeader)) { //TODO: supply user var user = "******"; //TODO: implement bootstrap BootstrapRootContainerInfo bootstrapRoot = new BootstrapRootContainerInfo { Bootstrap = new BootstrapInfo { EcosystemUrl = GetWopiUrl("ecosystem", accessToken: "TODO"), SignInName = "", UserFriendlyName = "", UserId = "" } }; if (ecosystemOperation == "GET_ROOT_CONTAINER") { var resourceId = StorageProvider.RootContainerPointer.Identifier; var token = SecurityHandler.GenerateAccessToken(user, resourceId); bootstrapRoot.RootContainerInfo = new RootContainerInfo { ContainerPointer = new ChildContainer { Name = StorageProvider.RootContainerPointer.Name, Url = GetWopiUrl("containers", resourceId, SecurityHandler.WriteToken(token)) } }; } else if (ecosystemOperation == "GET_NEW_ACCESS_TOKEN") { var token = SecurityHandler.GenerateAccessToken(user, GetIdFromUrl(wopiSrc)); bootstrapRoot.AccessTokenInfo = new AccessTokenInfo { AccessToken = SecurityHandler.WriteToken(token), AccessTokenExpiry = token.ValidTo.ToUnixTimestamp() }; } else { return(new NotImplementedResult()); } return(new JsonResult(bootstrapRoot)); } else { //TODO: implement WWW-authentication header https://wopirest.readthedocs.io/en/latest/bootstrapper/Bootstrap.html#www-authenticate-header string authorizationUri = "https://contoso.com/api/oauth2/authorize"; string tokenIssuanceUri = "https://contoso.com/api/oauth2/token"; string providerId = "tp_contoso"; string urlSchemes = Uri.EscapeDataString("{\"iOS\" : [\"contoso\",\"contoso - EMM\"], \"Android\" : [\"contoso\",\"contoso - EMM\"], \"UWP\": [\"contoso\",\"contoso - EMM\"]}"); Response.Headers.Add("WWW-Authenticate", $"Bearer authorization_uri=\"{authorizationUri}\",tokenIssuance_uri=\"{tokenIssuanceUri}\",providerId=\"{providerId}\", UrlSchemes=\"{urlSchemes}\""); return(new UnauthorizedResult()); } }
public RestoreResult restore(DirectoryInfo destination, List <string> only_these) { cancel_restore = false; TranslatingProgressHandler.setTranslatedMessage("CheckingDestination"); // The files get extracted to the temp folder, so this sets up our ability to read them DirectoryInfo from_here = new DirectoryInfo(TempFolder); // If it's a destination that doesn't yet exist if (!destination.Exists) { try { destination.Create(); // This sets the permissions on the folder to be for everyone DirectorySecurity everyone = destination.GetAccessControl(); string everyones_name = @"Everyone"; everyone.AddAccessRule(new FileSystemAccessRule(everyones_name, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)); destination.SetAccessControl(everyone); } catch { // This is if the folder creation fails // It means we have to run as admin, but we check here if we already are if (!SecurityHandler.amAdmin()) { // If we aren't we elevate ourselves RestoreResult res = restoreElevation(destination.FullName); if (res != RestoreResult.Success) { return(res); } } else { throw new TranslateableException("UnableToCreateOutputFolder", destination.FullName); } } } if (cancel_restore) { return(RestoreResult.Cancel); } TranslatingProgressHandler.setTranslatedMessage("ExtractingArchive"); ProgressHandler.state = ProgressState.Indeterminate; if (only_these == null) { ProgressHandler.max = file_count; extract(true); } else { ProgressHandler.max = only_these.Count; extract(only_these, true); } ProgressHandler.value = 0; ProgressHandler.state = ProgressState.Normal; // Clean up the masgau archive ID if (File.Exists(Path.Combine(TempFolder, "masgau.xml"))) { File.Delete(Path.Combine(TempFolder, "masgau.xml")); } if (cancel_restore) { return(RestoreResult.Cancel); } TranslatingProgressHandler.setTranslatedMessage("CopyingFilesToDestination"); if (!canWrite(destination)) { Directory.Delete(TempFolder, true); RestoreResult res = restoreElevation(destination.FullName); if (res != RestoreResult.Success) { return(res); } cancel_restore = true; } if (cancel_restore) { return(RestoreResult.Cancel); } copyFolders(from_here, destination, true); if (cancel_restore) { return(RestoreResult.Cancel); } purgeTemp(); ProgressHandler.state = ProgressState.None; return(RestoreResult.Success); }
public void ConfigureAuth(IAppBuilder app) { // Configure the db context, user manager and signin manager to use a single instance per request app.CreatePerOwinContext(ProviderContext.Create); app.CreatePerOwinContext <LtiUserManager>(LtiUserManager.Create); app.CreatePerOwinContext <ApplicationSignInManager>(ApplicationSignInManager.Create); // The app also uses a RoleManager app.CreatePerOwinContext <ApplicationRoleManager>(ApplicationRoleManager.Create); app.UseLtiAuthentication(new LtiAuthenticationOptions { Provider = new LtiAuthenticationProvider { // Look up the secret for the consumer OnAuthenticate = async context => { // Make sure the request is not being replayed var timeout = TimeSpan.FromMinutes(5); var oauthTimestampAbsolute = OAuthConstants.Epoch.AddSeconds(context.LtiRequest.Timestamp); if (DateTime.UtcNow - oauthTimestampAbsolute > timeout) { throw new LtiException("Expired " + OAuthConstants.TimestampParameter); } var db = context.OwinContext.Get <ProviderContext>(); var consumer = await db.Consumers.SingleOrDefaultAsync(c => c.Key == context.LtiRequest.ConsumerKey); if (consumer == null) { throw new LtiException("Invalid " + OAuthConstants.ConsumerKeyParameter); } var signature = context.LtiRequest.GenerateSignature(consumer.Secret); if (!signature.Equals(context.LtiRequest.Signature)) { throw new LtiException("Invalid " + OAuthConstants.SignatureParameter); } // If we made it this far the request is valid }, // Sign in using application authentication. This handler will create a new application // user if no matching application user is found. OnAuthenticated = async context => { var db = context.OwinContext.Get <ProviderContext>(); var consumer = await db.Consumers.SingleOrDefaultAsync(c => c.Key.Equals(context.LtiRequest.ConsumerKey)); if (consumer == null) { return; } // Record the request for logging purposes and as reference for outcomes var providerRequest = new ProviderRequest { Received = DateTime.UtcNow, LtiRequest = JsonConvert.SerializeObject(context.LtiRequest, Formatting.None, new JsonSerializerSettings { NullValueHandling = NullValueHandling.Ignore }) }; db.ProviderRequests.Add(providerRequest); db.SaveChanges(); // Add the requst ID as a claim var claims = new List <Claim> { new Claim("ProviderRequestId", providerRequest.ProviderRequestId.ToString(CultureInfo.InvariantCulture)) }; // Outcomes can live a long time to give the teacher enough // time to grade the assignment. So they are stored in a separate table. var lisOutcomeServiceUrl = ((IOutcomesManagementRequest)context.LtiRequest).LisOutcomeServiceUrl; var lisResultSourcedid = ((IOutcomesManagementRequest)context.LtiRequest).LisResultSourcedId; if (!string.IsNullOrWhiteSpace(lisOutcomeServiceUrl) && !string.IsNullOrWhiteSpace(lisResultSourcedid)) { var outcome = await db.Outcomes.SingleOrDefaultAsync(o => o.ConsumerId == consumer.ConsumerId && o.LisResultSourcedId == lisResultSourcedid); if (outcome == null) { outcome = new Outcome { ConsumerId = consumer.ConsumerId, LisResultSourcedId = lisResultSourcedid }; db.Outcomes.Add(outcome); await db.SaveChangesAsync(); // Assign OutcomeId; } outcome.ContextTitle = context.LtiRequest.ContextTitle; outcome.ServiceUrl = lisOutcomeServiceUrl; await db.SaveChangesAsync(); // Add the outcome ID as a claim claims.Add(new Claim("OutcomeId", outcome.OutcomeId.ToString(CultureInfo.InvariantCulture))); } // Sign in await SecurityHandler.OnAuthenticated <LtiUserManager, LtiUser>( context, claims); }, // Generate a username using the LisPersonEmailPrimary from the LTI request OnGenerateUserName = async context => await SecurityHandler.OnGenerateUserName(context) }, //ChallengeResultUrl = new PathString("/Manage/ToolConsumerLogins"), SignInAsAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie }); }
private static object GetPermissionInfo(Content content, string identity, bool singleContent) { // This method assembles an object containing identity information (basic fields and all groups), // inherited and subtree permissions that can be serialized and sent to the client. // If the singleContent parameter is true, permissions will be collected and returned // only for the provided content. Otherwise the result object will contain permission infos for // the children of the provided content and not the root. if (string.IsNullOrEmpty(identity)) { throw new ArgumentException("Please provide an identity path"); } var user = Node.Load <User>(identity); if (user == null) { throw new ArgumentException("Identity must be an existing user."); } // collect all groups for the user var groups = Node.LoadNodes(SecurityHandler.GetGroupsWithOwnership(content.Id, user)).Select(n => Content.Create(n)).ToArray(); var identityInfo = new IdentityInfo { Path = user.Path, Name = user.Name, DisplayName = user.DisplayName, Groups = groups.Select(g => new GroupInfo { DisplayName = g.DisplayName, Name = g.Name, Path = g.Path }).ToArray() }; // identities include all groups and the user itself var identities = groups.Select(g => g.Id).Concat(new[] { user.Id }).ToArray(); // If we have to collect permissions for the provided content, we will need its parent // to check inherited permissions. If children are in the focus than the parent is the // provided content itself. var parent = singleContent ? content.ContentHandler.Parent : content.ContentHandler; var effectiveParentEntries = parent == null || !parent.Security.HasPermission(PermissionType.SeePermissions) ? new AceInfo[0] : parent.Security.GetEffectiveEntries(EntryType.Normal).Where(e => identities.Contains(e.IdentityId) && !e.LocalOnly).ToArray(); var permissionsTypes = PermissionType.BuiltInPermissionTypes.Select(p => new PermissionInfo { Index = p.Index, Name = p.Name }).ToArray(); // Collect all entries on the parent that are not local-only therefore // have effect on children. foreach (var entry in permissionsTypes) { if (effectiveParentEntries.Any(e => e.GetPermissionValues()[entry.Index] == PermissionValue.Denied)) { entry.Type = "effectivedeny"; } else if (effectiveParentEntries.Any(e => e.GetPermissionValues()[entry.Index] == PermissionValue.Allowed)) { entry.Type = "effectiveallow"; } else { entry.Type = "off"; } } if (singleContent) { // collect permissions for the provided single content return(new { d = new { identity = identityInfo, permissionInfo = GetPermissionInfo(content, identities, permissionsTypes) } }); } // alternatively, collect permissions for child elements return(new { d = new { identity = identityInfo, results = content.Children.DisableAutofilters().AsEnumerable() .Select(child => GetPermissionInfo(child, identities, permissionsTypes)).ToArray() } }); }
public void Should_not_throw_exception_when_the_user_is_authenticated_with_role_Owner() { // Arrange SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); policy.GetRolesFrom(StaticHelper.GetRolesIncludingOwner); policy.For<BlogController>(x => x.DeletePost(0)).RequireRole(UserRole.Owner); }); var securityHandler = new SecurityHandler(); // Act & Assert Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor(NameHelper.Controller<BlogController>(), "DeletePost", SecurityContext.Current)); }
public void Should_not_throw_exception_when_the_user_is_authenticated() { // Arrange SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act & Assert Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor(NameHelper<BlogController>.Controller(), "Index")); }
public void Should_not_throw_ConfigurationErrorsException_when_IgnoreMissingConfigurations_is_true() { // Arrange SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); policy.IgnoreMissingConfiguration(); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act & Assert Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor("NonConfiguredController", "Action", SecurityContext.Current)); }
public void Should_throw_when_the_user_is_anonymous() { // Arrange SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsFalse); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act var exception = Assert.Throws<PolicyViolationException>(() => securityHandler.HandleSecurityFor(NameHelper<BlogController>.Controller(), "Index")); // Assert Assert.That(exception.PolicyType, Is.EqualTo(typeof(DenyAnonymousAccessPolicy))); Assert.That(exception.Message, Is.StringContaining("Anonymous access denied")); }
public void ProcessRequest(HttpContext context, string httpMethod, Stream inputStream) { ODataRequest odataReq = null; ODataFormatter formatter = null; var portalContext = (PortalContext)context.Items[PortalContext.CONTEXT_ITEM_KEY]; try { Content content; odataReq = portalContext.ODataRequest; if (odataReq == null) { formatter = ODataFormatter.Create("json", portalContext); throw new ODataException("The Request is not an OData request.", ODataExceptionCode.RequestError); } this.ODataRequest = portalContext.ODataRequest; Exception requestError = this.ODataRequest.RequestError; formatter = ODataFormatter.Create(portalContext, odataReq); if (formatter == null) { formatter = ODataFormatter.Create("json", portalContext); throw new ODataException(ODataExceptionCode.InvalidFormatParameter); } if (requestError != null) { var innerOdataError = requestError as ODataException; var message = "An error occured during request parsing. " + requestError.Message + " See inner exception for details."; var code = innerOdataError?.ODataExceptionCode ?? ODataExceptionCode.RequestError; throw new ODataException(message, code, requestError); } odataReq.Format = formatter.FormatName; formatter.Initialize(odataReq); // Cross-Origin Resource Sharing (CORS) // Do this after the formatter was initialized to be able to provide a proper error message. if (!HttpHeaderTools.IsOriginHeaderAllowed()) { throw new ODataException(ODataExceptionCode.Forbidden); } var exists = Node.Exists(odataReq.RepositoryPath); if (!exists && !odataReq.IsServiceDocumentRequest && !odataReq.IsMetadataRequest && !AllowedMethodNamesWithoutContent.Contains(httpMethod)) { ContentNotFound(context, odataReq.RepositoryPath); return; } JObject model = null; switch (httpMethod) { case "GET": if (odataReq.IsServiceDocumentRequest) { formatter.WriteServiceDocument(portalContext, odataReq); } else if (odataReq.IsMetadataRequest) { formatter.WriteMetadata(context, odataReq); } else { if (!Node.Exists(odataReq.RepositoryPath)) { ContentNotFound(context, odataReq.RepositoryPath); } else if (odataReq.IsCollection) { formatter.WriteChildrenCollection(odataReq.RepositoryPath, portalContext, odataReq); } else if (odataReq.IsMemberRequest) { formatter.WriteContentProperty(odataReq.RepositoryPath, odataReq.PropertyName, odataReq.IsRawValueRequest, portalContext, odataReq); } else { formatter.WriteSingleContent(odataReq.RepositoryPath, portalContext); } } break; case "PUT": // update if (odataReq.IsMemberRequest) { throw new ODataException("Cannot access a member with HTTP PUT.", ODataExceptionCode.IllegalInvoke); } else { model = Read(inputStream); content = LoadContentOrVirtualChild(odataReq); if (content == null) { ContentNotFound(context, odataReq.RepositoryPath); return; } ResetContent(content); UpdateContent(content, model, odataReq); formatter.WriteSingleContent(content, portalContext); } break; case "MERGE": case "PATCH": // update if (odataReq.IsMemberRequest) { throw new ODataException( String.Concat("Cannot access a member with HTTP ", httpMethod, "."), ODataExceptionCode.IllegalInvoke); } else { model = Read(inputStream); content = LoadContentOrVirtualChild(odataReq); if (content == null) { ContentNotFound(context, odataReq.RepositoryPath); return; } UpdateContent(content, model, odataReq); formatter.WriteSingleContent(content, portalContext); } break; case "POST": // invoke an action, create content if (odataReq.IsMemberRequest) { formatter.WriteOperationResult(inputStream, portalContext, odataReq); } else { // parent must exist if (!Node.Exists(odataReq.RepositoryPath)) { ContentNotFound(context, odataReq.RepositoryPath); return; } model = Read(inputStream); content = CreateContent(model, odataReq); formatter.WriteSingleContent(content, portalContext); } break; case "DELETE": if (odataReq.IsMemberRequest) { throw new ODataException( String.Concat("Cannot access a member with HTTP ", httpMethod, "."), ODataExceptionCode.IllegalInvoke); } else { content = LoadContentOrVirtualChild(odataReq); if (content != null) { content.Delete(); } } break; case "OPTIONS": // set allowed methods and headers HttpHeaderTools.SetPreflightResponse(); break; } } catch (ContentNotFoundException e) { var oe = new ODataException(ODataExceptionCode.ResourceNotFound, e); formatter.WriteErrorResponse(context, oe); } catch (ODataException e) { if (e.HttpStatusCode == 500) { SnLog.WriteException(e); } formatter.WriteErrorResponse(context, e); } catch (SenseNetSecurityException e) { // In case of a visitor we should not expose the information that this content actually exists. We return // a simple 404 instead to provide exactly the same response as the regular 404, where the content // really does not exist. But do this only if the visitor really does not have permission for the // requested content (because security exception could be thrown by an action or something else too). if (odataReq != null && User.Current.Id == User.Visitor.Id) { var head = NodeHead.Get(odataReq.RepositoryPath); if (head != null && !SecurityHandler.HasPermission(head, PermissionType.Open)) { ContentNotFound(context, odataReq.RepositoryPath); return; } } var oe = new ODataException(ODataExceptionCode.NotSpecified, e); SnLog.WriteException(oe); formatter.WriteErrorResponse(context, oe); } catch (InvalidContentActionException ex) { var oe = new ODataException(ODataExceptionCode.NotSpecified, ex); if (ex.Reason != InvalidContentActionReason.NotSpecified) { oe.ErrorCode = Enum.GetName(typeof(InvalidContentActionReason), ex.Reason); } // it is unnecessary to log this exception as this is not a real error formatter.WriteErrorResponse(context, oe); } catch (ContentRepository.Storage.Data.NodeAlreadyExistsException nae) { var oe = new ODataException(ODataExceptionCode.ContentAlreadyExists, nae); formatter.WriteErrorResponse(context, oe); } catch (System.Threading.ThreadAbortException tae) { if (!context.Response.IsRequestBeingRedirected) { var oe = new ODataException(ODataExceptionCode.RequestError, tae); formatter.WriteErrorResponse(context, oe); } // specific redirect response so do nothing } catch (Exception ex) { var oe = new ODataException(ODataExceptionCode.NotSpecified, ex); SnLog.WriteException(oe); formatter.WriteErrorResponse(context, oe); } finally { context.Response.End(); } }
public void Should_throw_when_the_user_does_not_have_the_role_Owner() { // Arrange SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); policy.GetRolesFrom(StaticHelper.GetRolesExcludingOwner); policy.For<BlogController>(x => x.DeletePost(0)).RequireRole(UserRole.Owner); }); var securityHandler = new SecurityHandler(); // Act var exception = Assert.Throws<PolicyViolationException>(() => securityHandler.HandleSecurityFor(NameHelper<BlogController>.Controller(), "DeletePost")); // Assert Assert.That(exception.PolicyType, Is.EqualTo(typeof(RequireRolePolicy))); Assert.That(exception.Message, Is.StringContaining("Access requires one of the following roles: Owner.")); }
void OnAuthorizeRequest(object sender, EventArgs e) { PortalContext currentPortalContext = PortalContext.Current; var d = NodeHead.Get("/Root"); // deny access for visitors in case of webdav or office protocol requests, if they have no See access to the content if (currentPortalContext != null) { var application = sender as HttpApplication; var currentUser = application != null ? application.Context.User.Identity as User : null; if (currentUser != null && currentUser.Id == RepositoryConfiguration.VisitorUserId && (currentPortalContext.IsOfficeProtocolRequest || currentPortalContext.IsWebdavRequest)) { if (!currentPortalContext.IsRequestedResourceExistInRepository || currentPortalContext.ContextNodeHead == null || !SecurityHandler.HasPermission(currentPortalContext.ContextNodeHead, PermissionType.See)) { AuthenticationHelper.ForceBasicAuthentication(HttpContext.Current); } } } if (currentPortalContext != null && currentPortalContext.IsRequestedResourceExistInRepository) { var authMode = currentPortalContext.AuthenticationMode; //install time if (string.IsNullOrEmpty(authMode) && currentPortalContext.Site == null) { authMode = "None"; } if (string.IsNullOrEmpty(authMode)) { authMode = WebConfigurationManager.AppSettings["DefaultAuthenticationMode"]; } bool appPerm = false; if (authMode == "Forms") { appPerm = currentPortalContext.CurrentAction.CheckPermission(); } else if (authMode == "Windows") { currentPortalContext.CurrentAction.AssertPermissions(); appPerm = true; } else { throw new NotSupportedException("None authentication is not supported"); } var application = sender as HttpApplication; var currentUser = application.Context.User.Identity as User; var path = currentPortalContext.RepositoryPath; var nodeHead = NodeHead.Get(path); var isOwner = nodeHead.CreatorId == currentUser.Id; var permissionValue = SecurityHandler.GetPermission(nodeHead, PermissionType.Open); if (permissionValue == PermissionValue.Allow && DocumentPreviewProvider.Current.IsPreviewOrThumbnailImage(nodeHead)) { // In case of preview images we need to make sure that they belong to a content version that // is accessible by the user (e.g. must not serve images for minor versions if the user has // access only to major versions of the content). if (!DocumentPreviewProvider.Current.IsPreviewAccessible(nodeHead)) { permissionValue = PermissionValue.Deny; } } else if (permissionValue != PermissionValue.Allow && appPerm && DocumentPreviewProvider.Current.HasPreviewPermission(nodeHead)) { // In case Open permission is missing: check for Preview permissions. If the current Document // Preview Provider allows access to a preview, we should allow the user to access the content. permissionValue = PermissionValue.Allow; } if (permissionValue != PermissionValue.Allow || !appPerm) { switch (authMode) { case "Forms": if (User.Current.IsAuthenticated) { // user is authenticated, but has no permissions: return 403 application.Context.Response.StatusCode = 403; application.Context.Response.Flush(); application.Context.Response.Close(); } else { // let webdav and office protocol handle authentication - in these cases redirecting to a login page makes no sense if (PortalContext.Current.IsWebdavRequest || PortalContext.Current.IsOfficeProtocolRequest) { return; } // user is not authenticated and visitor has no permissions: redirect to login page // Get the login page Url (eg. http://localhost:1315/home/login) string loginPageUrl = currentPortalContext.GetLoginPageUrl(); // Append trailing slash if (loginPageUrl != null && !loginPageUrl.EndsWith("/")) { loginPageUrl = loginPageUrl + "/"; } // Cut down the querystring (eg. drop ?Param1=value1@Param2=value2) string currentRequestUrlWithoutQueryString = currentPortalContext.OriginalUri.GetComponents(UriComponents.Scheme | UriComponents.Host | UriComponents.Port | UriComponents.Path, UriFormat.Unescaped); // Append trailing slash if (!currentRequestUrlWithoutQueryString.EndsWith("/")) { currentRequestUrlWithoutQueryString = currentRequestUrlWithoutQueryString + "/"; } // Redirect to the login page, if neccessary. if (currentRequestUrlWithoutQueryString != loginPageUrl) { application.Context.Response.Redirect(loginPageUrl + "?OriginalUrl=" + System.Web.HttpUtility.UrlEncode(currentPortalContext.OriginalUri.ToString()), true); } } break; //case "Windows": // application.Context.Response.Clear(); // application.Context.Response.Buffer = true; // application.Context.Response.Status = "401 Unauthorized"; // application.Context.Response.AddHeader("WWW-Authenticate", "NTLM"); // application.Context.Response.End(); // break; default: AuthenticationHelper.DenyAccess(application); break; } } } }
private static void CreateContentRecursive(Content sourceContent, Node targetContainer) { var sourceNode = sourceContent.ContentHandler; var alreadyExisting = Node.LoadNode(targetContainer.Path + "/" + sourceNode.Name); if (alreadyExisting != null && alreadyExisting.NodeType.Name != sourceNode.NodeType.Name) { throw new Exception("The target node already exists with a different type."); } var target = alreadyExisting ?? NodeType.CreateInstance(sourceNode.NodeType.Name, targetContainer); target.Name = sourceNode.Name; target.DisplayName = sourceNode.DisplayName; target.Index = sourceNode.Index; target.NodeOperation = NodeOperation.TemplateChildCopy; var targetContent = Content.Create(target); // We do not want to set the current user here but the user we 'inherited' // from the parent (the template). In case of user profiles (my site) the // creator and the owner will be the user itself. var realCreatorUser = targetContainer.CreatedBy; var realModifierUser = targetContainer.ModifiedBy; var now = DateTime.UtcNow; target.CreatedBy = realCreatorUser; target.VersionCreatedBy = realCreatorUser; target.ModificationDate = now; target.ModifiedBy = realModifierUser; target.VersionModificationDate = now; target.VersionModifiedBy = realModifierUser; target.Owner = realCreatorUser; foreach (var propertyType in sourceNode.PropertyTypes.Where(pt => !pt.IsContentListProperty)) { switch (propertyType.DataType) { case DataType.Binary: var sourceBinaryData = sourceNode.GetBinary(propertyType); var targetBinaryData = new BinaryData(); targetBinaryData.CopyFrom(sourceBinaryData); target.SetBinary(propertyType.Name, targetBinaryData); break; default: target[propertyType] = sourceNode[propertyType]; break; } } // Iterate through content list fields and set their value on the target node separately. // This is needed because the same content list fields may have a different property name // (e.g. #String_0 and #String_1) in the source and target content lists. foreach (var field in sourceContent.Fields.Values.Where(f => f.Name.StartsWith("#"))) { // this should give us the name of the source property (e.g. #String_0) var sourcePropertyName = field.FieldSetting.Bindings.FirstOrDefault(); if (string.IsNullOrEmpty(sourcePropertyName)) { continue; } // this should give us the name of the target property (e.g. #String_1) var targetPropertyName = targetContent.Fields[field.Name].FieldSetting.Bindings.FirstOrDefault(); if (string.IsNullOrEmpty(targetPropertyName)) { continue; } if (field is BinaryField) { var sourceBinaryData = sourceNode.GetBinary(sourcePropertyName); var targetBinaryData = new BinaryData(); targetBinaryData.CopyFrom(sourceBinaryData); target.SetBinary(targetPropertyName, targetBinaryData); } else { target[targetPropertyName] = sourceNode[sourcePropertyName]; } } // workaround for content lists: content list type needs to be refreshed var contentList = target as ContentList; if (contentList != null) { contentList.ContentListDefinition = contentList.ContentListDefinition; } target.Save(); // inherit explicit permissions from template using (new SystemAccount()) { var entries = SecurityHandler.GetExplicitEntriesAsSystemUser(sourceNode.Id, null, EntryType.Normal); if (entries.Count > 0) { var aclEdit = SecurityHandler.CreateAclEditor(); foreach (var ace in entries) { aclEdit.SetEntry(target.Id, ace, true); } aclEdit.Apply(); } } // This is to make sure that only those children are copied // that are really under this content. E.g. SmartFolder may // contain real children and queried children too. foreach (var childNode in sourceNode.PhysicalChildArray.Where(ch => ch.InFolder(sourceNode.Path))) { CreateContentRecursive(Content.Create(childNode), target); } }
private static string ResolveContentViewPath(SNC.Content content, ViewMode mode, string path) { // ways to call this function: // - absolute actual: "/Root/Global/contentviews/Book/Edit.ascx" // - relative actual: "$skin/contentviews/Book/Edit.ascx" // - absolute root: "/Root/Global/contentviews" // - relative root: "$skin/contentviews" // - empty string: "" if (string.IsNullOrEmpty(path)) { path = Repository.ContentViewFolderName; } var isActual = path.EndsWith(".ascx"); // - relative with custom name --> convert to relative actual if (isActual && !path.Contains(RepositoryPath.PathSeparator)) { path = string.Format("{0}/{1}/{2}", Repository.ContentViewFolderName, content.ContentType.Name, path); } var isAbsolute = SkinManager.IsNotSkinRelativePath(path); // - absolute actual: "/Root/Global/contentviews/Book/Edit.ascx" if (isAbsolute && isActual) { return(path); // "/Root/Global/contentviews/Book/Edit.ascx" } // - relative actual: "$skin/contentviews/Book/Edit.ascx" if (!isAbsolute && isActual) { return(SkinManager.Resolve(path)); // "/Root/{skin/global}/contentviews/Book/Edit.ascx" } // - absolute root: "/Root/Global/contentviews" if (isAbsolute && !isActual) { var probePath = GetTypeDependentPath(content, mode, path); var node = Node.LoadNode(probePath); if (node != null) { return(probePath); } // "/Root/Global/contentviews/Book/Edit.ascx" probePath = GetGenericPath(content, mode, path); node = Node.LoadNode(probePath); if (node != null) { return(probePath); } // "/Root/Global/contentviews/Edit.ascx" return(string.Empty); } // - relative root: "$skin/contentviews" if (!isAbsolute && !isActual) { var typedPath = GetTypeDependentPath(content, mode, path); var resolvedPath = string.Empty; if (SkinManager.TryResolve(typedPath, out resolvedPath)) { return(resolvedPath); } // "/Root/{skin}/contentviews/Book/Edit.ascx" var genericPath = GetGenericPath(content, mode, path); if (SkinManager.TryResolve(genericPath, out resolvedPath)) { return(resolvedPath); } // "/Root/{skin}/contentviews/Edit.ascx" var probePath = SkinManager.Resolve(typedPath); var viewHead = !string.IsNullOrEmpty(probePath) ? NodeHead.Get(probePath) : null; if (viewHead != null && SecurityHandler.HasPermission(viewHead, PermissionType.RunApplication)) { return(probePath); } // "/Root/Global/contentviews/Book/Edit.ascx" probePath = SkinManager.Resolve(genericPath); viewHead = !string.IsNullOrEmpty(probePath) ? NodeHead.Get(probePath) : null; if (viewHead != null && SecurityHandler.HasPermission(viewHead, PermissionType.RunApplication)) { return(probePath); } // "/Root/Global/contentviews/Edit.ascx" return(string.Empty); } return(string.Empty); }
private static void SetPermissions(Node templateRoot, Node targetRoot) { if (templateRoot == null) { throw new ArgumentNullException("templateRoot"); } if (targetRoot == null) { throw new ArgumentNullException("targetRoot"); } using (new SystemAccount()) { IEnumerable <Node> sourceNodes; if (SearchManager.ContentQueryIsAllowed) { sourceNodes = ContentQuery.Query(SafeQueries.InTreeOrderByPath, new QuerySettings { EnableAutofilters = FilterStatus.Disabled, EnableLifespanFilter = FilterStatus.Disabled }, templateRoot.Path).Nodes; } else { var sourceNodeList = NodeQuery.QueryNodesByPath(templateRoot.Path, true).Nodes.ToList(); var first = sourceNodeList.FirstOrDefault(); // we have to add the tenplate node manually because the query above does not return the root itself if (first == null || first.Id != templateRoot.Id) { sourceNodeList.Insert(0, templateRoot); } sourceNodes = sourceNodeList; } var ctx = SecurityHandler.SecurityContext; var aclEditor = SecurityHandler.CreateAclEditor(ctx); foreach (var sourceNode in sourceNodes) { var expEntries = ctx.GetExplicitEntries(sourceNode.Id); // no need to do anyithing: no explicit entries and no inheritance break here if (expEntries.Count == 0 && sourceNode.IsInherited) { continue; } var targetNodePath = sourceNode.Path.Replace(templateRoot.Path, targetRoot.Path); var targetNode = Node.LoadNode(targetNodePath); if (!sourceNode.IsInherited) { targetNode.Security.BreakInheritance(); targetNode.Security.RemoveExplicitEntries(); } foreach (var ace in expEntries) { var sourcePrincHead = NodeHead.Get(ace.IdentityId); if (sourcePrincHead.Path.StartsWith(templateRoot.Path)) { // local groups: we need to change the permission // setting to map to the newly created local group var targetGroupPath = sourcePrincHead.Path.Replace(templateRoot.Path, targetRoot.Path); var targetGroup = NodeHead.Get(targetGroupPath); if (targetGroup == null) { throw new InvalidOperationException("Target local group was not found: " + targetGroupPath); } // set permissions for target local group aclEditor.Set(targetNode.Id, targetGroup.Id, ace.LocalOnly, ace.AllowBits, ace.DenyBits); // clear original permissions aclEditor.Reset(targetNode.Id, ace.IdentityId, ace.LocalOnly, PermissionBitMask.All); } else { // normal groups or users // targetNode.Security.SetPermissions(se.PrincipalId, se.Propagates, se.PermissionValues); aclEditor.SetEntry(targetNode.Id, ace, true); } } } aclEditor.Apply(); } }
/* ============================================================================ DATABASE AND INDEX BUILDER */ public static void GenerateInMemoryDatabaseFromImport(Arguments arguments) { //Providers.PropertyCollectorClassName = typeof(EventPropertyCollector).FullName; var builder = CreateRepositoryBuilder(); //Indexing.IsOuterSearchEngineEnabled = false; builder.StartIndexingEngine = false; using (Repository.Start(builder)) { // IMPORT new Installer(CreateRepositoryBuilder()).Import(arguments.ImportPath); // Copy importlog using (var reader = new StreamReader(Logger.GetLogFileName())) using (var writer = new StreamWriter(Path.Combine(arguments.OutputPath, "_importlog.log"), false, Encoding.UTF8)) writer.WriteLine(reader.ReadToEnd()); // Re-set initial object User.Current = User.Administrator; // Add Admin* permissions on the /Root Console.WriteLine("Set Root permissions."); using (new SystemAccount()) SecurityHandler.CreateAclEditor() .Allow(Identifiers.PortalRootId, Identifiers.AdministratorUserId, false, PermissionType.BuiltInPermissionTypes) .Allow(Identifiers.PortalRootId, Identifiers.AdministratorsGroupId, false, PermissionType.BuiltInPermissionTypes) .Apply(); // Use the path-blacklist Console.WriteLine("Remove unnecessary subtrees ({0}):", arguments.SkippedPathArray.Length); RemoveSkippedPaths(arguments); // Save database to separated files. Console.Write("Saving data..."); SaveData(arguments.OutputPath); SavePermissions(Providers.Instance.SecurityDataProvider, arguments.OutputPath); Console.WriteLine("ok."); // Build index Console.WriteLine("Building index."); Indexing.IsOuterSearchEngineEnabled = true; var nodeCount = DataStore.GetNodeCountAsync(CancellationToken.None) .ConfigureAwait(false).GetAwaiter().GetResult(); var count = 0; Console.Write($"{count} / {nodeCount} \r"); using (new SystemAccount()) { var populator = SearchManager.GetIndexPopulator(); populator.IndexDocumentRefreshed += (sender, e) => { Console.Write($"{++count} / {nodeCount} \r"); }; populator.RebuildIndexDirectlyAsync("/Root", CancellationToken.None, IndexRebuildLevel.DatabaseAndIndex) .ConfigureAwait(false).GetAwaiter().GetResult(); Console.WriteLine(); } // Save index Console.Write("Saving index..."); var indexFileName = Path.Combine(arguments.OutputPath, "index.txt"); if (SearchManager.SearchEngine is InMemorySearchEngine searchEngine) { searchEngine.Index.Save(indexFileName); } Console.WriteLine("ok."); } }
// =================================================================================== IUser Members public bool IsInGroup(IGroup group) { return(SecurityHandler.IsInGroup(this.Id, group.Id)); }
/// <summary> /// Returns a new <see cref="TrashBag"/> instance that packages the /// given <see cref="GenericContent"/> instance. /// </summary> /// <param name="node">The <see cref="GenericContent"/> instance that will be wrapped.</param> public static TrashBag BagThis(GenericContent node) { var bin = TrashBin.Instance; if (bin == null) { return(null); } if (node == null) { throw new ArgumentNullException("node"); } // creating a bag has nothing to do with user permissions: Move will handle that TrashBag bag = null; var wsId = 0; var wsRelativePath = string.Empty; var ws = SystemAccount.Execute(() => node.Workspace); if (ws != null) { wsId = ws.Id; wsRelativePath = node.Path.Substring(ws.Path.Length); } using (new SystemAccount()) { bag = new TrashBag(bin) { KeepUntil = DateTime.UtcNow.AddDays(bin.MinRetentionTime), OriginalPath = RepositoryPath.GetParentPath(node.Path), WorkspaceRelativePath = wsRelativePath, WorkspaceId = wsId, DisplayName = node.DisplayName, Link = node, Owner = node.Owner }; bag.Save(); CopyPermissions(node, bag); // add delete permission for the owner SecurityHandler.CreateAclEditor() .Allow(bag.Id, node.OwnerId, false, PermissionType.Delete) .Apply(); } try { Node.Move(node.Path, bag.Path); } catch (Exception ex) { SnLog.WriteException(ex); bag.Destroy(); throw new InvalidOperationException("Error moving item to the trash", ex); } return(bag); }
public bool IsInOrganizationalUnit(IOrganizationalUnit orgUnit) { return(SecurityHandler.IsInGroup(this.Id, orgUnit.Id)); }
public void Should_not_throw_exception_when_the_user_is_authenticated() { // Arrange var controllerName = NameHelper.Controller<BlogController>(); const string actionName = "Index"; var events = new List<ISecurityEvent>(); SecurityDoctor.Register(events.Add); SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act & Assert Assert.DoesNotThrow(() => securityHandler.HandleSecurityFor(controllerName, actionName, SecurityContext.Current)); Assert.That(events.Any(e => e.Message == "Handling security for {0} action {1}.".FormatWith(controllerName, actionName))); Assert.That(events.Any(e => e.Message == "Done enforcing policies. Success!")); }
static void Main(string[] args) { PDFNet.Initialize(); // Relative path to the folder containing test files. string input_path = "../../TestFiles/"; string output_path = "../../TestFiles/Output/"; // Example 1: Securing a document with password protection and adjusting permissions // on the document. try { // Open the test file Console.WriteLine("-------------------------------------------------"); Console.WriteLine("Securing an existing document..."); using (PDFDoc doc = new PDFDoc(input_path + "fish.pdf")) { if (!doc.InitSecurityHandler()) { Console.WriteLine("Document authentication error..."); return; } // Perform some operation on the document. In this case we use low level SDF API // to replace the content stream of the first page with contents of file 'my_stream.txt' if (true) // Optional { Console.WriteLine("Replacing the content stream, use flate compression..."); // Get the first page dictionary using the following path: trailer/Root/Pages/Kids/0 Obj page_dict = doc.GetTrailer().Get("Root").Value(). Get("Pages").Value().Get("Kids").Value().GetAt(0); // Embed a custom stream (file mystream.txt) using Flate compression. MappedFile embed_file = new MappedFile(input_path + "my_stream.txt"); FilterReader mystm = new FilterReader(embed_file); page_dict.Put("Contents", doc.CreateIndirectStream(mystm)); embed_file.Close(); } // Apply a new security handler with given security settings. // In order to open saved PDF you will need a user password 'test'. SecurityHandler new_handler = new SecurityHandler(); // Set a new password required to open a document string my_password = "******"; new_handler.ChangeUserPassword(my_password); // Set Permissions new_handler.SetPermission(SecurityHandler.Permission.e_print, true); new_handler.SetPermission(SecurityHandler.Permission.e_extract_content, false); // Note: document takes the ownership of new_handler. doc.SetSecurityHandler(new_handler); // Save the changes. Console.WriteLine("Saving modified file..."); doc.Save(output_path + "secured.pdf", 0); } Console.WriteLine("Done. Result saved in secured.pdf"); } catch (PDFNetException e) { Console.WriteLine(e.Message); } // Example 2: Reading password protected document without user feedback. try { // In this sample case we will open an encrypted document that // requires a user password in order to access the content. Console.WriteLine("-------------------------------------------------"); Console.WriteLine("Open the password protected document from the first example..."); using (PDFDoc doc = new PDFDoc(output_path + "secured.pdf")) // Open the encrypted document that we saved in the first example. { Console.WriteLine("Initializing security handler without any user interaction..."); // At this point MySecurityHandler callbacks will be invoked. // MySecurityHandler.GetAuthorizationData() should collect the password and // AuthorizeFailed() is called if user repeatedly enters a wrong password. if (!doc.InitStdSecurityHandler("test")) { Console.WriteLine("Document authentication error..."); Console.WriteLine("The password is not valid."); return; } else { Console.WriteLine("The password is correct! Document can now be used for reading and editing"); // Remove the password security and save the changes to a new file. doc.RemoveSecurity(); doc.Save(output_path + "secured_nomore1.pdf", 0); Console.WriteLine("Done. Result saved in secured_nomore1.pdf"); } } } catch (PDFNetException e) { Console.WriteLine(e.Message); } Console.WriteLine("Tests completed."); }
internal async Task ProcessRequestAsync(HttpContext httpContext, ODataRequest odataRequest) { httpContext.SetODataRequest(odataRequest); var request = httpContext.Request; var httpMethod = request.Method; var inputStream = request.Body; ODataWriter odataWriter = null; try { Content content; if (odataRequest == null) { odataWriter = new ODataJsonWriter(); throw new ODataException("The Request is not an OData request.", ODataExceptionCode.RequestError); } odataWriter = ODataWriter.Create(httpContext, odataRequest); if (odataWriter == null) { odataWriter = new ODataJsonWriter(); odataWriter.Initialize(odataRequest); throw new ODataException(ODataExceptionCode.InvalidFormatParameter); } odataWriter.Initialize(odataRequest); var requestError = odataRequest.RequestError; if (requestError != null) { var innerOdataError = requestError as ODataException; var message = "An error occured during request parsing. " + requestError.Message + " See inner exception for details."; var code = innerOdataError?.ODataExceptionCode ?? ODataExceptionCode.RequestError; throw new ODataException(message, code, requestError); } odataRequest.Format = odataWriter.FormatName; var requestedContent = LoadContentByVersionRequest(odataRequest.RepositoryPath, httpContext); var exists = requestedContent != null; if (!exists && !odataRequest.IsServiceDocumentRequest && !odataRequest.IsMetadataRequest && !AllowedMethodNamesWithoutContent.Contains(httpMethod)) { ContentNotFound(httpContext); return; } JObject model; switch (httpMethod) { case "GET": if (odataRequest.IsServiceDocumentRequest) { await odataWriter.WriteServiceDocumentAsync(httpContext, odataRequest) .ConfigureAwait(false); } else if (odataRequest.IsMetadataRequest) { await odataWriter.WriteMetadataAsync(httpContext, odataRequest) .ConfigureAwait(false); } else { if (!Node.Exists(odataRequest.RepositoryPath)) { ContentNotFound(httpContext); } else if (odataRequest.IsCollection) { await odataWriter.WriteChildrenCollectionAsync(odataRequest.RepositoryPath, httpContext, odataRequest) .ConfigureAwait(false); } else if (odataRequest.IsMemberRequest) { await odataWriter.WriteContentPropertyAsync( odataRequest.RepositoryPath, odataRequest.PropertyName, odataRequest.IsRawValueRequest, httpContext, odataRequest) .ConfigureAwait(false); } else { await odataWriter.WriteSingleContentAsync(requestedContent, httpContext) .ConfigureAwait(false); } } break; case "PUT": // update if (odataRequest.IsMemberRequest) { throw new ODataException("Cannot access a member with HTTP PUT.", ODataExceptionCode.IllegalInvoke); } else { model = await ReadToJsonAsync(httpContext).ConfigureAwait(false); content = LoadContentOrVirtualChild(odataRequest); if (content == null) { ContentNotFound(httpContext); return; } ResetContent(content); UpdateContent(content, model, odataRequest); await odataWriter.WriteSingleContentAsync(content, httpContext) .ConfigureAwait(false); } break; case "MERGE": case "PATCH": // update if (odataRequest.IsMemberRequest) { throw new ODataException( String.Concat("Cannot access a member with HTTP ", httpMethod, "."), ODataExceptionCode.IllegalInvoke); } else { model = await ReadToJsonAsync(httpContext).ConfigureAwait(false); content = LoadContentOrVirtualChild(odataRequest); if (content == null) { ContentNotFound(httpContext); return; } UpdateContent(content, model, odataRequest); await odataWriter.WriteSingleContentAsync(content, httpContext) .ConfigureAwait(false); } break; case "POST": // invoke an action, create content if (odataRequest.IsMemberRequest) { // MEMBER REQUEST await odataWriter.WritePostOperationResultAsync(httpContext, odataRequest) .ConfigureAwait(false); } else { // CREATION if (!Node.Exists(odataRequest.RepositoryPath)) { // parent does not exist ContentNotFound(httpContext); return; } model = await ReadToJsonAsync(httpContext).ConfigureAwait(false); var newContent = CreateNewContent(model, odataRequest); await odataWriter.WriteSingleContentAsync(newContent, httpContext) .ConfigureAwait(false); } break; case "DELETE": if (odataRequest.IsMemberRequest) { throw new ODataException( String.Concat("Cannot access a member with HTTP ", httpMethod, "."), ODataExceptionCode.IllegalInvoke); } else { content = LoadContentOrVirtualChild(odataRequest); if (content != null) { var x = httpContext.Request.Query["permanent"].ToString(); if (x.Equals("true", StringComparison.OrdinalIgnoreCase)) { content.DeletePhysical(); } else { content.Delete(); } } } break; } } catch (ContentNotFoundException e) { var oe = new ODataException(ODataExceptionCode.ResourceNotFound, e); await odataWriter.WriteErrorResponseAsync(httpContext, oe) .ConfigureAwait(false); } catch (ODataException e) { if (e.HttpStatusCode == 500) { SnLog.WriteException(e); } await odataWriter.WriteErrorResponseAsync(httpContext, e) .ConfigureAwait(false); } catch (AccessDeniedException e) { var oe = new ODataException(ODataExceptionCode.Forbidden, e); await odataWriter.WriteErrorResponseAsync(httpContext, oe) .ConfigureAwait(false); } catch (UnauthorizedAccessException e) { var oe = new ODataException(ODataExceptionCode.Unauthorized, e); await odataWriter.WriteErrorResponseAsync(httpContext, oe) .ConfigureAwait(false); } catch (SenseNetSecurityException e) { // In case of a visitor we should not expose the information that this content actually exists. We return // a simple 404 instead to provide exactly the same response as the regular 404, where the content // really does not exist. But do this only if the visitor really does not have permission for the // requested content (because security exception could be thrown by an action or something else too). if (odataRequest != null && User.Current.Id == Identifiers.VisitorUserId) { var head = NodeHead.Get(odataRequest.RepositoryPath); if (head != null && !SecurityHandler.HasPermission(head, PermissionType.Open)) { ContentNotFound(httpContext); return; } } var oe = new ODataException(ODataExceptionCode.NotSpecified, e); SnLog.WriteException(oe); await odataWriter.WriteErrorResponseAsync(httpContext, oe) .ConfigureAwait(false); } catch (InvalidContentActionException ex) { var oe = new ODataException(ODataExceptionCode.NotSpecified, ex); if (ex.Reason != InvalidContentActionReason.NotSpecified) { oe.ErrorCode = Enum.GetName(typeof(InvalidContentActionReason), ex.Reason); } // it is unnecessary to log this exception as this is not a real error await odataWriter.WriteErrorResponseAsync(httpContext, oe) .ConfigureAwait(false); } catch (ContentRepository.Storage.Data.NodeAlreadyExistsException nae) { var oe = new ODataException(ODataExceptionCode.ContentAlreadyExists, nae); await odataWriter.WriteErrorResponseAsync(httpContext, oe) .ConfigureAwait(false); } catch (Exception ex) { var oe = new ODataException(ODataExceptionCode.NotSpecified, ex); SnLog.WriteException(oe); await odataWriter.WriteErrorResponseAsync(httpContext, oe) .ConfigureAwait(false); } }
public void ContentProtector_DeleteUser() { Test(() => { CreateUserAndGroupStructure(); // add permissions for the users to let them perform the Delete operation var user1 = Node.Load <User>("/Root/IMS/Public/TestOrg/user1"); var user2 = Node.Load <User>("/Root/IMS/Public/TestOrg/user2"); var testOrg = Node.Load <OrganizationalUnit>("/Root/IMS/Public/TestOrg"); SecurityHandler.CreateAclEditor() .Allow(testOrg.Id, user1.Id, false, PermissionType.Save, PermissionType.Delete) .Allow(testOrg.Id, user2.Id, false, PermissionType.Save, PermissionType.Delete) .Apply(); var originalUser = AccessProvider.Current.GetOriginalUser(); try { AccessProvider.Current.SetCurrentUser(user1); // delete user2 without a problem user2.ForceDelete(); } finally { AccessProvider.Current.SetCurrentUser(originalUser); } var thrown = false; try { AccessProvider.Current.SetCurrentUser(user1); // try to delete themselves user1.ForceDelete(); } catch (ApplicationException ex) { if (ex.Message.Contains("Users cannot delete")) { thrown = true; } } finally { AccessProvider.Current.SetCurrentUser(originalUser); } Assert.IsTrue(thrown, "Exception was not thrown."); thrown = false; try { AccessProvider.Current.SetCurrentUser(user1); // try to delete parent testOrg.ForceDelete(); } catch (ApplicationException ex) { if (ex.Message.Contains("Users cannot delete")) { thrown = true; } } finally { AccessProvider.Current.SetCurrentUser(originalUser); } Assert.IsTrue(thrown, "Exception was not thrown."); }); }
public void Should_throw_when_the_user_is_anonymous() { // Arrange SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsFalse); policy.GetRolesFrom(StaticHelper.GetRolesExcludingOwner); policy.For<BlogController>(x => x.DeletePost(0)).RequireRole(UserRole.Owner); }); var securityHandler = new SecurityHandler(); // Act var exception = Assert.Throws<PolicyViolationException>(() => securityHandler.HandleSecurityFor(NameHelper.Controller<BlogController>(), "DeletePost", SecurityContext.Current)); // Assert Assert.That(exception.PolicyType, Is.EqualTo(typeof(RequireRolePolicy))); Assert.That(exception.Message, Is.StringContaining("Anonymous access denied")); }
public List <int> GetGroups() { return(SecurityHandler.GetGroups(this)); }
public void Should_throw_ConfigurationErrorsException_when_IgnoreMissingConfigurations_is_false() { // Arrange ExceptionFactory.RequestDescriptionProvider = () => TestDataFactory.CreateRequestDescription(); SecurityConfigurator.Configure(policy => { policy.GetAuthenticationStatusFrom(StaticHelper.IsAuthenticatedReturnsTrue); policy.For<BlogController>(x => x.Index()).DenyAnonymousAccess(); }); var securityHandler = new SecurityHandler(); // Act & Assert Assert.Throws<ConfigurationErrorsException>(() => securityHandler.HandleSecurityFor("NonConfiguredController", "Action", SecurityContext.Current)); }
protected override void CreateChildControls() { if (this.ContextNode == null) { return; } if (ShowExecutionTime) { Timer.Start(); } System.Web.UI.Control control = null; try { var viewHead = NodeHead.Get(ControlPath); if (viewHead != null && SecurityHandler.HasPermission(viewHead, PermissionType.RunApplication)) { control = Page.LoadControl(ControlPath); this.Controls.Add(control); } } catch (Exception ex) { SnLog.WriteException(ex); this.Controls.Add(new System.Web.UI.LiteralControl(ex.Message)); return; } if (control == null) { return; } _workspaceIsWallContainer = control.FindControlRecursive("WorkspaceIsWallContainer") as PlaceHolder; var portletContextNodeLink = control.FindControlRecursive("PortletContextNodeLink") as System.Web.UI.WebControls.HyperLink; var configureWorkspaceWall = control.FindControlRecursive("ConfigureWorkspaceWall") as Button; if (_workspaceIsWallContainer != null && configureWorkspaceWall != null) { _workspaceIsWallContainer.Visible = false; var ws = this.ContextNode as Workspace; if (ws != null && !ws.IsWallContainer && ws.Security.HasPermission(PermissionType.Save)) { _workspaceIsWallContainer.Visible = true; if (portletContextNodeLink != null) { portletContextNodeLink.Text = System.Web.HttpUtility.HtmlEncode(Content.Create(ws).DisplayName); portletContextNodeLink.NavigateUrl = ws.Path; } configureWorkspaceWall.Click += ConfigureWorkspaceWall_Click; } } var postsPlaceholder = control.FindControlRecursive("Posts"); List <PostInfo> posts; var postInfos = GatherPosts(); posts = postInfos == null ? new List <PostInfo>() : postInfos.Take(PageSize).ToList(); postsPlaceholder.Controls.Add(new Literal { Text = WallHelper.GetWallPostsMarkup(this.ContextNode.Path, posts) }); if (ShowExecutionTime) { Timer.Stop(); } base.CreateChildControls(); this.ChildControlsCreated = true; }
public bool IsInContainer(ISecurityContainer container) { return(SecurityHandler.IsInGroup(this.Id, container.Id)); }
// Voting View private void AddVotingView() { var votingNode = ContextNode as Voting; if (votingNode == null) { Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "ContextNodeError") }); return; } if (votingNode.IsVotingAvailable) { if (votingNode.VotingPageContentView != null) { var contentView = ContentView.Create(_currentContent, Page, ViewMode.Browse, votingNode.VotingPageContentView.Path); if (contentView == null) { Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "ContentViewCreateError") }); return; } //add ContentView to the Controls collection Controls.Add(contentView); var qph = contentView.FindControlRecursive("QuestionPlaceHolder") as PlaceHolder; if (qph == null) { Controls.Clear(); Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "PlaceHolderError") }); return; } var args = new object[0]; // Checks if Foldering is enabled and sets the parent depending on it var parent = FolderingEnabled ? GetFolder(ContextNode) : ContextNode; var votingItem = Content.CreateNew("VotingItem", parent, null, args); // If there is no question in the Voting (question is avalaible on the Voting Items under the Voting) var isQuestionExist = votingItem.Fields.Any(a => a.Value.Name.StartsWith("#")); if (!isQuestionExist) { Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "NoQuestion") }); return; } var votingItemNewContentView = ContentView.Create(votingItem, Page, ViewMode.InlineNew); if (votingItemNewContentView == null) { Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "ContentViewCreateError") }); return; } votingItemNewContentView.ID = "VotingItenContentView"; votingItemNewContentView.UserAction += VotingItemNewContentViewUserAction; qph.Controls.Add(votingItemNewContentView); if (!SecurityHandler.HasPermission(votingItemNewContentView.ContentHandler, PermissionType.AddNew)) { var btn = votingItemNewContentView.FindControlRecursive("ActButton1") as Button; if (btn != null) { btn.Visible = false; } } if (MoreFilingIsEnabled && IsResultAvalaibleBefore && VotingPortletMode == PortletMode.VoteAndGotoResult) { var lb = contentView.FindControl("VotingAndResult") as LinkButton; if (lb == null) { Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "CannotFindLink") }); return; } lb.Text = SenseNetResourceManager.Current.GetString("Voting", "GoToResultLink"); lb.Click += LbClick; lb.Visible = true; } return; } // No content view is set Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "NoContentView") }); } else { // When the user can only Vote once Controls.Add(new Literal { Text = SenseNetResourceManager.Current.GetString("Voting", "OnlyOneVoteError") }); } }
public void Should_throw_ArgumentNulllException_when_security_context_is_null() { // Arrange var securityHandler = new SecurityHandler(); const ISecurityContext securityContext = null; // Assert Assert.Throws<ArgumentNullException>(() => securityHandler.HandleSecurityFor("A", "A", securityContext)); }
public bool IsInGroup(int securityGroupId) { return(SecurityHandler.IsInGroup(this.Id, securityGroupId)); }