public static void SetHyperLink(string adminSectionPageId, string querystring, HyperLink hyperlink) { AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId); string url = (adminSectionPage == null) ? "#" : string.Format("{0}{1}", adminSectionPage.Url, querystring); hyperlink.NavigateUrl = url; }
/// <summary> /// Searches the AdminSectionPage and all its subpages for a page /// matching the specified url. Returns page if found. Otherwise, null. /// </summary> private static AdminSectionPage Search(AdminSectionPage page, string url) { if (StringUtils.IgnoreCaseCompare(page.Url, url)) { return(page); } return(page.Pages.Select(subPage => Search(subPage, url)).FirstOrDefault(p => p != null)); }
public static void SetHyperLink(User user, string adminSectionPageId, string querystring, HyperLink hyperlink) { AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId); if (adminSectionPage == null) { hyperlink.Visible = false; } else { hyperlink.Visible = SecurityManager.UserHasAccess(user, adminSectionPage); hyperlink.NavigateUrl = string.Format("{0}{1}", adminSectionPage.Url, querystring); } }
/// <summary> /// Checks if the user is in a role that has access to the requested page /// </summary> public static bool UserHasAccess(User user, AdminSectionPage adminSectionPage) { if (user.IsNull) { return(false); } if (adminSectionPage == null) { return(user.UserRole == UserRole.SuperAdministrator); } if (adminSectionPage.RestrictToEngineers && !user.IsEngineer) { return(false); } return(adminSectionPage.UserRoleList.Contains(user.UserRole)); }
public AdminSectionPage(XmlNode node) : base(node) { if (node.Attributes == null) { throw new SystemException("Node does not have any attributes"); } // Get the page URL, using the ID if no URL is specified XmlNode urlNode = node.Attributes.GetNamedItem("Url"); Url = (urlNode == null) ? string.Format("~/Admin/{0}.aspx", Id.Replace('.', '/')) : urlNode.Value; // Get the minimum role and/or allowed roles to access this page XmlNode minimumRoleNode = node.Attributes.GetNamedItem("MinimumRole"); XmlNode allowedRolesNode = node.Attributes.GetNamedItem(("AllowedRoles")); // If no minimum role or allowed roles are specified, then search through // the parents until we find this information. if (minimumRoleNode == null && allowedRolesNode == null) { // Get the parent node. This will be another <Page> node or a <Section> node XmlNode parentNode = node.ParentNode; while (parentNode != null && parentNode.Attributes != null) { // Get the nodes minimumRoleNode = parentNode.Attributes.GetNamedItem("MinimumRole"); allowedRolesNode = parentNode.Attributes.GetNamedItem(("AllowedRoles")); // Drop out if we found valid nodes. Otherwise, keep searching upwards if (minimumRoleNode != null || allowedRolesNode != null) { break; } // Set parent to this parent and keep searching parentNode = parentNode.ParentNode; } } if (minimumRoleNode == null) { UserRoleList.Add(UserRole.SuperAdministrator); } else { foreach (UserRole userRole in Enum.GetValues(typeof(UserRole))) { int userRoleId = (int)userRole; int minimumRoleId = (int)EnumUtils.GetEnumFromValue <UserRole>(minimumRoleNode.Value); if (userRoleId >= minimumRoleId) { UserRoleList.Add(userRole); } } } if (allowedRolesNode != null) { string[] allowedRoles = allowedRolesNode.Value.Split(','); foreach (string role in allowedRoles) { UserRole userRole = EnumUtils.GetEnumFromValue <UserRole>(role); if (userRole != 0 && !UserRoleList.Contains(userRole)) { UserRoleList.Add(userRole); } } } XmlNodeList pages = node.SelectNodes("Page"); if (pages != null) { foreach (XmlNode pageNode in pages) { AdminSectionPage page = new AdminSectionPage(pageNode); Pages.Add(page); } } // Add all user roles from children pages to this too // (Otherwise, this node won't show up in navigation // and the children won't be accessible). UserRoleList.AddRange(GetUserRoleList()); }
/// <summary> /// Checks if the user has access to the requested path. /// This method is the 'big kahuna', and does various security checks. It's main /// purpose is to ensure that the admin area pages are correctly restricted, and it /// ensures that upload users and brand admins cannot access entities to /// which their role does not have permission (ie. those outside their brand). /// </summary> /// <param name="user">The user requesting access</param> /// <param name="path">The path to which access is being requested</param> /// <returns>[True] if user can access path. Otherwise [False].</returns> public static bool UserHasAccess(User user, Uri path) { // Turn the path into a relative one (eg. /AppVirtualDir/Admin/Default.aspx -> ~/Admin/Default.aspx) string relativePath = VirtualPathUtility.ToAppRelative(path.AbsolutePath).ToLower(); // Always allow NeatUpload stuff through if (relativePath.StartsWith("~/neatupload/")) { return(true); } // Login and registration pages open to all. Admin homepage open to // any user belonging to any role greater than normal. switch (relativePath) { case "~/login.aspx": case "~/register.aspx": case "~/changepassword.aspx": case "~/reactivate.aspx": case "~/viewcontactsheet.aspx": case "~/popups/termsconditions.aspx": case "~/popups/privacypolicy.aspx": return(true); case "~/admin/default.aspx": return(user.UserRoleId > Convert.ToInt32(UserRole.Normal)); } // Allow access to non-existent pages so we can redirect to 404 if (!File.Exists(HttpContext.Current.Server.MapPath(relativePath))) { return(true); } // Everything from here on needs a user if (user.IsNull) { return(false); } // Ensure that the asset popup can only be viewed by authorised users if (relativePath.StartsWith("~/popups/assetinfo.aspx")) { int assetId = GetQuerystringValue(path.Query, "assetId", -1); if (assetId != -1) { Asset asset = Asset.Get(assetId); if (asset.IsNull || !EntitySecurityManager.CanViewAssetInfo(user, asset)) { return(false); } HttpContext.Current.Items.Add("Asset", asset); } } if (relativePath.StartsWith("~/admin/")) { // Get the admin section page by the URL AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageByUrl(relativePath); // Ensure that we found it in the admin page list if (adminSectionPage == null) { throw new SystemException(string.Format("Unknown admin page: '{0}'. Please check AdminNavigation.Config", relativePath)); } // Ensure that the page being accessed is available to the user role. // No point continuing if their role is too weak if (!adminSectionPage.UserRoleList.Contains(user.UserRole)) { return(false); } // Do role specific processing, as some roles can access pages, but // only when editing certain entities - ie. a Brand Admin can // access the user pages, but only when managing users from their own // brand. Here, we check the querystring for values, get the // matching entity, and then ensure that it's from the same BU as // the requesting user. if (user.UserRole == UserRole.SuperAdministrator) { return(true); } if (user.UserRole == UserRole.Normal) { throw new SecurityException("Access to admin area denied"); } if (GeneralUtils.ValueIsInList(user.UserRole, UserRole.BrandAdministrator, UserRole.UploadUser)) { // Assume page is okay, as querystring might be blank bool ok = true; // Check for user ID, and if it exists, ensure the user // can be accessed by the requesting user int userId = GetQuerystringValue(path.Query, "userId", -1); if (userId != -1) { User u = User.Get(userId); if (user.IsNull || !EntitySecurityManager.CanManageUser(user, u)) { ok = false; } else { HttpContext.Current.Items.Add("User", u); } } // Check for asset Id, and if it exists, ensure the // asset can be accessed by the requesting user if (ok) { int assetId = GetQuerystringValue(path.Query, "assetId", -1); if (assetId != -1) { Asset asset = Asset.Get(assetId); if (asset.IsNull || !EntitySecurityManager.CanManageAsset(user, asset)) { ok = false; } else { HttpContext.Current.Items.Add("Asset", asset); } } } // Check for AssetWorkflowId, and if it exists, ensure the // AssetWorkflow can be accessed by the requesting user if (ok) { int assetWorkflowId = GetQuerystringValue(path.Query, "assetWorkflowId", -1); if (assetWorkflowId != -1) { AssetWorkflow assetWorkflow = AssetWorkflow.Get(assetWorkflowId); if (assetWorkflow.IsNull || !EntitySecurityManager.CanParticipateInAssetWorkflow(user, assetWorkflow)) { ok = false; } else { HttpContext.Current.Items.Add("AssetWorkflow", assetWorkflow); } } } return(ok); } throw new SecurityException("Unable to check permissions for user role: " + user.UserRole); } return(true); }