/// <summary>
/// Resolves the named query on <paramref name="app"/>, enforces read access for the
/// current user, and returns the serialized result of the requested streams.
/// </summary>
/// <param name="app">App whose <c>GetQuery</c> is used to look the query up.</param>
/// <param name="name">Query name; it is interpolated into the log entry and into both error details.</param>
/// <param name="stream">Comma-separated stream names, split on ',' before being handed to the serializer; a null value is passed on as null.</param>
/// <param name="includeGuid">Copied to the serializer's <c>IncludeGuid</c> setting.</param>
/// <param name="module">Module context given to the permission controller; when null the module-admin shortcut never applies.</param>
/// <param name="log">Receives the trace entry and is passed to the permission controller.</param>
/// <returns>The value produced by <c>Serializer.Prepare</c> for the query and the requested streams.</returns>
/// <remarks>
/// Throws the exception built by <c>HttpErr</c>: 404 when the query does not exist, 401 when the
/// caller has neither an explicit read grant nor module-admin rights.
/// The existence check runs before the permission check, so a caller without read access can
/// still tell a missing query (404) from one that exists but is not readable (401).
/// NOTE(review): <paramref name="name"/> reaches the log and the error detail verbatim - confirm
/// that both sinks encode it if the value can come from a request.
/// </remarks>
private static Dictionary<string, IEnumerable<Dictionary<string, object>>> BuildQueryAndRun(
    App app, string name, string stream, bool includeGuid, ModuleInfo module, Log log)
{
    log.Add($"build and run query name:{name}, with module:{module?.ModuleID}");

    var query = app.GetQuery(name);
    if (query == null)
    {
        throw HttpErr(HttpStatusCode.NotFound, "query not found", $"query '{name}' not found");
    }

    // Both answers are computed up front, in this order, before any decision is taken.
    var permissions = new DnnPermissionController(query.QueryDefinition, log, module);
    var mayRead = permissions.UserMay(PermissionGrant.Read);
    var mayAdminModule = module != null
        && DotNetNuke.Security.Permissions.ModulePermissionController.CanAdminModule(module);

    // Deny unless at least one of the two grants applies.
    if (!mayRead && !mayAdminModule)
    {
        throw HttpErr(
            HttpStatusCode.Unauthorized,
            "Request not allowed",
            $"Request not allowed. User does not have read permissions for query '{name}'");
    }

    var resultSerializer = new Serializer { IncludeGuid = includeGuid };
    var streamNames = stream?.Split(',');
    return resultSerializer.Prepare(query, streamNames);
}
/// <summary>
/// Verifies that the current user may read the view described by <c>Template.Entity</c>
/// and throws when access is denied.
/// </summary>
/// <param name="portalSettings">Supplies the current user and the portal's administrator role name.</param>
/// <remarks>
/// Access is refused only when all three conditions hold: the user is not in the portal's
/// administrator role, the template has at least one configured permission, and
/// <c>UserMay(PermissionGrant.Read)</c> returns false. A template with an empty permission
/// list is therefore readable by every user; permissions on views only restrict access.
/// The denial is raised as a <c>RenderingException</c> wrapping an
/// <see cref="UnauthorizedAccessException"/>.
/// Historical note (2015-05-19, 2dm): this check was added here, with the remark that it
/// probably belongs elsewhere so that it does not throw when nothing is being rendered.
/// </remarks>
private void CheckTemplatePermissions(PortalSettings portalSettings)
{
    // The controller is always constructed first, exactly as before, even for administrators.
    var templatePermissions = new DnnPermissionController(Template.Entity, Log, ModuleInfo);

    // Portal administrators bypass the view-level check entirely.
    if (portalSettings.UserInfo.IsInRole(portalSettings.AdministratorRoleName))
    {
        return;
    }

    // No configured permissions means the view is unrestricted.
    if (!templatePermissions.PermissionList.Any())
    {
        return;
    }

    if (templatePermissions.UserMay(PermissionGrant.Read))
    {
        return;
    }

    var denied = new UnauthorizedAccessException(
        "This view is not accessible for the current user. To give access, change permissions in the view settings. See http://2sxc.org/help?tag=view-permissions");
    throw new RenderingException(denied);
}