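/// <summary>
/// Overrides the API base class validation: authorizes against the website user held by the
/// enclosing class (<c>username</c>) rather than the HTTP Basic credentials of the request.
/// Unlike the base implementation, every transaction type, including Create, is checked against
/// the caller's permission level on <paramref name="co"/>.
/// </summary>
/// <param name="type">The transaction type to validate.</param>
/// <param name="co">The content object to validate the operation on.</param>
/// <returns>True if the user may perform this operation on the content object; false otherwise
/// (including when <paramref name="co"/> is null or the transaction type is unknown).</returns>
public override bool DoValidate(Security.TransactionType type, vwarDAL.ContentObject co)
{
    // Nothing to check against: deny instead of dereferencing null below.
    if (co == null)
    {
        return false;
    }

    vwarDAL.ModelPermissionLevel required;
    if (!TryGetRequiredWebsiteLevel(type, out required))
    {
        // Unknown transaction type: fail closed.
        return false;
    }

    // `using` disposes the manager even when GetPermissionLevel throws
    // (the original only disposed on the non-throwing path).
    using (vwarDAL.PermissionsManager prm = new vwarDAL.PermissionsManager())
    {
        vwarDAL.ModelPermissionLevel permission = prm.GetPermissionLevel(username, co.PID);
        return permission >= required;
    }
}

/// <summary>
/// Maps a transaction type to the minimum permission level the website user must hold on the object.
/// </summary>
/// <param name="type">The transaction type being attempted.</param>
/// <param name="required">The minimum level; unspecified when the method returns false.</param>
/// <returns>False when the transaction type has no mapping, in which case the caller denies.</returns>
private static bool TryGetRequiredWebsiteLevel(Security.TransactionType type, out vwarDAL.ModelPermissionLevel required)
{
    switch (type)
    {
        case Security.TransactionType.Query:
            required = vwarDAL.ModelPermissionLevel.Searchable;
            return true;
        case Security.TransactionType.Access:
            required = vwarDAL.ModelPermissionLevel.Fetchable;
            return true;
        case Security.TransactionType.Modify:
            required = vwarDAL.ModelPermissionLevel.Editable;
            return true;
        case Security.TransactionType.Delete:
        case Security.TransactionType.Create:
            // NOTE(review): Create is checked against the existing object's PID here,
            // which differs from the base-class rule (any non-anonymous user) — confirm intended.
            required = vwarDAL.ModelPermissionLevel.Admin;
            return true;
        default:
            required = default(vwarDAL.ModelPermissionLevel);
            return false;
    }
}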
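//Do the business logic related to checking a url against the auth string, and checking if the user is allowed
//to do the operation on the content object.
//  url  - the request url the auth hash was computed over
//  auth - the raw auth string (parsed by GetUsernameFromHeader / GetHashFromHeader)
//  type - the transaction type being attempted
//  co   - the content object the operation targets (only consulted for Modify/Delete)
//Returns true when the operation is permitted; unknown transaction types are denied.
public static bool ValidateUserTransaction(string url, string auth, TransactionType type, vwarDAL.ContentObject co)
{
    //For now, anyone can query, and there is no auth control for Access transactions
    if (type == TransactionType.Query || type == TransactionType.Access)
    {
        return true;
    }

    //Parse the auth string once instead of on every comparison
    string username = GetUsernameFromHeader(auth);
    string hash = GetHashFromHeader(auth);

    if (type == TransactionType.Create)
    {
        //The user exists in the provider and gave the correct url+password hash
        //Here we assume that any user can create content
        return ValidateURL(url, username, hash);
    }

    if (type == TransactionType.Modify || type == TransactionType.Delete)
    {
        //The user exists in the provider and gave the correct url+password hash,
        //and must be the owner of the content object (or the API service user)
        return ValidateURL(url, username, hash) && IsOwnerOrApiUser(username, co);
    }

    //Unknown transaction type: fail closed
    return false;
}

//Name of the service account that may modify/delete any content object
private const string ApiUserName = "API_USER";

//True when `username` is the API user, or the email registered for it in the provider
//matches the object's submitter email. An empty/missing email never matches, so a user
//with no email cannot claim an object whose submitter email is also missing
//(the original compared with ==, which treated null == null as a match).
private static bool IsOwnerOrApiUser(string username, vwarDAL.ContentObject co)
{
    if (username == ApiUserName)
    {
        return true;
    }
    if (co == null)
    {
        return false;
    }

    var user = Security.GetProvider().GetUser(username, false);
    if (user == null)
    {
        //Unknown user: deny rather than throw a NullReferenceException
        return false;
    }

    string email = user.Email;
    return !string.IsNullOrEmpty(email)
        && string.Equals(email, co.SubmitterEmail, StringComparison.Ordinal);
}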
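/// <summary>
/// Emails the support address that a model has been uploaded. This is a best-effort notification:
/// it is skipped when EMAIL_UploadedEnabled is not true, and a missing body/subject template or a
/// missing HTTP identity is treated as empty text rather than failing the caller.
/// </summary>
/// <param name="co">The uploaded content object; its PID and Title fill the {pid} and {title} placeholders.</param>
public static void SendModelUploaded(vwarDAL.ContentObject co)
{
    // Convert.ToBoolean(null) is false, so an absent setting disables the mail.
    if (!System.Convert.ToBoolean(ConfigurationManager.AppSettings["EMAIL_UploadedEnabled"]))
    {
        return;
    }

    // The uploader comes from the ambient request identity; leave it blank when there is
    // no current request (HttpContext.Current is null outside a web request).
    string uploader = string.Empty;
    HttpContext context = HttpContext.Current;
    if (context != null && context.User != null && context.User.Identity != null)
    {
        uploader = context.User.Identity.Name ?? string.Empty;
    }

    string body = ExpandUploadedTemplate(ConfigurationManager.AppSettings["EMAIL_UploadedBody"], co, uploader);
    string subject = ExpandUploadedTemplate(ConfigurationManager.AppSettings["EMAIL_UploadedSubject"], co, uploader);
    string supportEmail = ConfigurationManager.AppSettings["SupportEmail"];

    Website.Mail.SendSingleMessage(body, supportEmail, subject, supportEmail,
        ConfigurationManager.AppSettings["SiteName"], "", "", false, "");
}

/// <summary>
/// Replaces the {pid}, {username} and {title} placeholders in an email template.
/// A null or empty template yields an empty string.
/// </summary>
/// <param name="template">The template text from configuration.</param>
/// <param name="co">Source of the {pid} and {title} values.</param>
/// <param name="uploader">Value for {username}.</param>
/// <returns>The expanded text.</returns>
private static string ExpandUploadedTemplate(string template, vwarDAL.ContentObject co, string uploader)
{
    if (string.IsNullOrEmpty(template))
    {
        return string.Empty;
    }

    // NOTE(review): values are substituted verbatim; if SendSingleMessage ever sends the body
    // as HTML, co.Title (user-supplied) would need encoding first — confirm the mail format.
    return template
        .Replace("{pid}", co.PID)
        .Replace("{username}", uploader)
        .Replace("{title}", co.Title);
}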
// Copies the metadata fields from the API input object onto the DAL content object.
// Two assignments parse their input (Distribution_Determination_Date, Distribution_Grade);
// if either throws, the fields assigned before it have already been written to `co`.
//   md - the incoming metadata, copied as given (no validation here)
//   co - the content object to populate in place
private static void CopyContentObjectData(Metadata md, vwarDAL.ContentObject co)
{
    //Copy the data from the input object
    co.Title = md.Title;
    co.Keywords = md.Keywords;
    co.Format = md.Format;
    //co.CreativeCommonsLicenseURL = md.License;
    //Need to add logic to change values of texture references
    co.DeveloperName = md.DeveloperName;
    co.Description = md.Description;
    co.ArtistName = md.ArtistName;
    co.AssetType = md.AssetType;
    co.NumPolygons = System.Convert.ToInt32(md.NumPolygons);
    co.NumTextures = System.Convert.ToInt32(md.NumTextures);
    co.SponsorName = md.SponsorName;
    co.CreativeCommonsLicenseURL = md.License;
    co.Distribution_Contolling_Office = md.Distribution_Contolling_Office;
    // Parsed with the current thread culture; throws on a null, empty or unparsable string.
    co.Distribution_Determination_Date = DateTime.Parse(md.Distribution_Determination_Date);
    // Case-sensitive enum parse; throws on a name that is not a DistributionGrade member.
    co.Distribution_Grade = (vwarDAL.DistributionGrade)Enum.Parse(typeof(vwarDAL.DistributionGrade), md.Distribution_Grade);
    co.Distribution_Reason = md.Distribution_Reason;
    // NOTE(review): this assigns the property to itself (a no-op), so the regulation value
    // from `md` is never copied — presumably the `md` field was intended; confirm and fix.
    co.Distribution_Regulation = co.Distribution_Regulation;
    co.UnitScale = md.UnitScale;
    co.UpAxis = md.UpAxis;
    co.RequireResubmit = md.RequiresResubmit;
    co.MoreInformationURL = md.MoreInformationURL;
}
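/// <summary>
/// Validates a transaction using HTTP Basic authorization: reads the Authorization header, checks the
/// credentials against the MysqlMembershipProvider, then checks the user's permission level on the
/// content object. Anonymous access is allowed when the header names the anonymous user, or when the
/// header is absent and AssumeAnonymousUserWhenMissingAuthHeader is true. Every deny path sets a
/// 401 status on the outgoing response. A malformed Authorization header is denied with 401 rather
/// than surfacing as an exception.
/// </summary>
/// <param name="type">The transaction type to validate.</param>
/// <param name="co">The content object to validate the operation on (not consulted for Create).</param>
/// <returns>True if the user may perform this operation on the content object.</returns>
public virtual bool DoValidate(Security.TransactionType type, vwarDAL.ContentObject co)
{
    WebOperationContext ctx = WebOperationContext.Current;

    //Advertise the authorization scheme on every response
    ctx.OutgoingResponse.Headers[System.Net.HttpResponseHeader.WwwAuthenticate] = "BASIC realm=\"3DR API\"";

    //Start by assuming anonymous
    string username = vwarDAL.DefaultUsers.Anonymous[0];
    string password = "";

    //if there is an auth header, check it
    string authHeader = ctx.IncomingRequest.Headers[System.Net.HttpRequestHeader.Authorization];
    if (authHeader != null)
    {
        //A header that is present but not well-formed Basic is a 401, not a 500
        //(Substring/FromBase64String/Split all threw on bad input before)
        if (!TryParseBasicCredentials(authHeader, out username, out password))
        {
            return Deny(ctx);
        }

        //Dont bother checking password for anonymous
        if (username != vwarDAL.DefaultUsers.Anonymous[0])
        {
            //Get the membership provider; a missing/misconfigured provider fails closed
            Simple.Providers.MySQL.MysqlMembershipProvider provider =
                System.Web.Security.Membership.Providers["MysqlMembershipProvider"] as Simple.Providers.MySQL.MysqlMembershipProvider;
            if (provider == null || !provider.ValidateUser(username, password))
            {
                //if they did not validate, then return false and send 401
                return Deny(ctx);
            }
        }
    }
    else if (!Convert.ToBoolean(ConfigurationManager.AppSettings["AssumeAnonymousUserWhenMissingAuthHeader"]))
    {
        //This forces callers to explicitly send the AnonymousUser name rather than omit the header;
        //set the app setting to true to assume anonymous when the header is missing
        return Deny(ctx);
    }

    //Create is not tied to an existing object: any authenticated (non-anonymous) user may create
    if (type == Security.TransactionType.Create)
    {
        if (username == vwarDAL.DefaultUsers.Anonymous[0])
        {
            return Deny(ctx);
        }
        return true;
    }

    vwarDAL.ModelPermissionLevel required;
    if (co == null || !TryGetRequiredApiLevel(type, out required))
    {
        //No object to check, or an unknown transaction type: fail closed
        return Deny(ctx);
    }

    //Do the actual check of permissions; `using` disposes even if GetPermissionLevel throws
    using (vwarDAL.PermissionsManager prm = new vwarDAL.PermissionsManager())
    {
        vwarDAL.ModelPermissionLevel permission = prm.GetPermissionLevel(username, co.PID);
        if (permission >= required)
        {
            return true;
        }
    }

    //Set the status if they are not authorized
    return Deny(ctx);
}

/// <summary>Sets 401 Unauthorized on the outgoing response and returns false, so deny paths read as one statement.</summary>
/// <param name="ctx">The current web operation context.</param>
/// <returns>Always false.</returns>
private static bool Deny(WebOperationContext ctx)
{
    ctx.OutgoingResponse.StatusCode = System.Net.HttpStatusCode.Unauthorized;
    return false;
}

/// <summary>
/// Parses an HTTP Basic Authorization header value ("Basic base64(username:password)").
/// </summary>
/// <param name="header">The raw Authorization header value.</param>
/// <param name="username">The decoded user name; the anonymous user name when parsing fails.</param>
/// <param name="password">The decoded password (may itself contain ':'); "" when parsing fails.</param>
/// <returns>False when the scheme is not Basic, the payload is not valid base64, or it has no ':' separator.</returns>
private static bool TryParseBasicCredentials(string header, out string username, out string password)
{
    username = vwarDAL.DefaultUsers.Anonymous[0];
    password = "";

    //The original stripped 6 characters without looking at the scheme; require "Basic " explicitly
    //(scheme names are case-insensitive)
    const string scheme = "BASIC ";
    if (header == null || !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
    {
        return false;
    }

    string decoded;
    try
    {
        //Decode from base64. ASCII decoding is kept from the original, so non-ASCII
        //credentials are not supported by this endpoint.
        decoded = System.Text.Encoding.ASCII.GetString(System.Convert.FromBase64String(header.Substring(scheme.Length)));
    }
    catch (FormatException)
    {
        return false;
    }

    //Split on the first ':' only so passwords containing ':' are kept intact
    //(the original Split()[1] truncated them and threw when ':' was absent)
    int separator = decoded.IndexOf(':');
    if (separator < 0)
    {
        return false;
    }
    username = decoded.Substring(0, separator);
    password = decoded.Substring(separator + 1);
    return true;
}

/// <summary>
/// Maps a non-Create transaction type to the minimum permission level required on the object.
/// Create is handled before this is called, so it is deliberately absent here (the original
/// carried an unreachable Create branch inside the non-Create block).
/// </summary>
/// <param name="type">The transaction type being attempted.</param>
/// <param name="required">The minimum level; unspecified when the method returns false.</param>
/// <returns>False when the type has no mapping, in which case the caller denies.</returns>
private static bool TryGetRequiredApiLevel(Security.TransactionType type, out vwarDAL.ModelPermissionLevel required)
{
    switch (type)
    {
        case Security.TransactionType.Query:
            required = vwarDAL.ModelPermissionLevel.Searchable;
            return true;
        case Security.TransactionType.Access:
            required = vwarDAL.ModelPermissionLevel.Fetchable;
            return true;
        case Security.TransactionType.Modify:
            required = vwarDAL.ModelPermissionLevel.Editable;
            return true;
        case Security.TransactionType.Delete:
            required = vwarDAL.ModelPermissionLevel.Admin;
            return true;
        default:
            required = default(vwarDAL.ModelPermissionLevel);
            return false;
    }
}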
// Populates the DAL content object in place from the API metadata (the subset of fields
// this endpoint accepts). The commented-out license line and the texture-reference note
// are open items carried over as-is.
//   md - incoming metadata
//   co - content object to fill
private static void CopyContentObjectData(Metadata md, vwarDAL.ContentObject co)
{
    // Descriptive text and attribution.
    co.Description = md.Description;
    co.Title = md.Title;
    co.Keywords = md.Keywords;
    co.ArtistName = md.ArtistName;
    co.DeveloperName = md.DeveloperName;

    // Asset classification.
    co.AssetType = md.AssetType;
    co.Format = md.Format;
    //co.CreativeCommonsLicenseURL = md.License;
    //Need to add logic to change values of texture references

    // Counts go through Convert.ToInt32 (the declared type of md.NumPolygons/NumTextures is not visible here).
    co.NumPolygons = System.Convert.ToInt32(md.NumPolygons);
    co.NumTextures = System.Convert.ToInt32(md.NumTextures);

    // Remaining fields.
    co.MoreInformationURL = md.MoreInformationURL;
    co.UpAxis = md.UpAxis;
    co.UnitScale = md.UnitScale;
    co.SponsorName = md.SponsorName;
}