예제 #1
0
		/// <summary>
		/// Returns a tuple with an action result and the thread with the id specified if valid.
		/// if security check failed the action result will be set to the action to redirect to, otherwise it will return null.
		/// </summary>
		/// <param name="threadId">the threadid to check security for</param>
		/// <returns></returns>
		private async Task<(ActionResult redirectResult, ThreadEntity thread)> PerformSecurityCheckAsync(int threadId)
		{
			var thread = await ThreadGuiHelper.GetThreadAsync(threadId);
			if(thread == null)
			{
				// not found, return to start page
				return (RedirectToAction("Index", "Home"), null);
			}

			// Check credentials
			bool userHasAccess = this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.AccessForum);
			if(!userHasAccess)
			{
				// doesn't have access to this forum. redirect
				return (RedirectToAction("Index", "Home"), null);
			}

			// check if the user can view this thread. If not, don't continue.
			if(thread.StartedByUserID != this.HttpContext.Session.GetUserID() &&
			   !this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.ViewNormalThreadsStartedByOthers) &&
			   !thread.IsSticky)
			{
				// can't view this thread, it isn't visible to the user
				return (RedirectToAction("Index", "Home"), null);
			}

			if(!this.HttpContext.Session.HasSystemActionRight(ActionRights.QueueContentManagement))
			{
				return (RedirectToAction("Index", "Home"), null);
			}

			// All ok
			return (null, thread);
		}
예제 #2
0
        public async Task <ActionResult> Delete(int id = 0)
        {
            if (this.HttpContext.Session.IsAnonymousUser())
            {
                return(RedirectToAction("Index", "Home"));
            }

            var message = await MessageGuiHelper.GetMessageAsync(id);

            if (message == null)
            {
                return(RedirectToAction("Index", "Home"));
            }

            var thread = await ThreadGuiHelper.GetThreadAsync(message.ThreadID);

            if (thread == null)
            {
                return(RedirectToAction("Index", "Home"));
            }

            // Only delete if the message isn't the first in the thread (as that's not allowed), and whether the user is allowed to delete messages in that forum at all.
            var messageIsFirstInThread = await ThreadGuiHelper.CheckIfMessageIsFirstInThreadAsync(thread.ThreadID, id);

            if (!messageIsFirstInThread && this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.EditDeleteOtherUsersMessages))
            {
                await MessageManager.DeleteMessageAsync(id, thread.ThreadID);
            }

            return(RedirectToAction("Index", "Thread", new { threadId = thread.ThreadID, pageNo = 1 }));
        }
예제 #3
0
        /// <summary>
        /// Performs the basic security check for the logged in user if that user has any access rights to this thread at all. It doesn't check specific thread actions.
        /// </summary>
        /// <param name="threadId">the thread id</param>
        /// <param name="allowAnonymous">if set to true, anonymous users are allowed, otherwise they're denied access</param>
        /// <returns>A tuple with a redirectaction and the thread of the threadId specified.
        /// The redirectaction is set to an action result to redirect to if the current user shouldn't be here, otherwise null</returns>
        private async Task <(ActionResult redirectResult, ThreadEntity thread)> PerformSecurityCheckAsync(int threadId, bool allowAnonymous)
        {
            var thread = await ThreadGuiHelper.GetThreadAsync(threadId);

            if (thread == null || !allowAnonymous && this.HttpContext.Session.IsAnonymousUser() ||
                !this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.AccessForum))
            {
                return(RedirectToAction("Index", "Home"), null);
            }

            // check if the user can view this thread. If not, don't continue.
            if ((thread.StartedByUserID != this.HttpContext.Session.GetUserID()) &&
                !this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.ViewNormalThreadsStartedByOthers) &&
                !thread.IsSticky)
            {
                return(RedirectToAction("Index", "Home"), null);
            }

            // All OK
            return(null, thread);
        }
예제 #4
0
        private async Task <(bool userMayAddMessages, ThreadEntity thread)> PerformAddMessageSecurityChecksAsync(int threadId)
        {
            if (this.HttpContext.Session.IsAnonymousUser())
            {
                return(false, null);
            }

            var thread = await ThreadGuiHelper.GetThreadAsync(threadId);

            if (thread == null)
            {
                return(false, null);
            }

            if (!this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.AccessForum))
            {
                return(false, null);
            }

            var userMayAddMessages = false;

            if (!thread.IsClosed)
            {
                userMayAddMessages = this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID,
                                                                                         thread.IsSticky
                                                                                                                                                                                         ? ActionRights.AddAndEditMessageInSticky
                                                                                                                                                                                         : ActionRights.AddAndEditMessage);
            }

            // check if the user can view the thread the message is in. If not, don't continue.
            if (thread.StartedByUserID != this.HttpContext.Session.GetUserID() &&
                !this.HttpContext.Session.CanPerformForumActionRight(thread.ForumID, ActionRights.ViewNormalThreadsStartedByOthers))
            {
                // can't edit this message, it's in a thread which isn't visible to the user
                userMayAddMessages = false;
            }

            return(userMayAddMessages, thread);
        }