public IHttpActionResult DeleteWall(string wallId, GenericWallRequest request) { wallId = Helpers.TextSanitizer.Hypersanitize(wallId, true); if (!ModelState.IsValid) { return(BadRequest(ModelState)); } var model = DatabaseContext.Shared.WallModels.Find(wallId); if (model == null) { return(NotFound()); } if (!IsOwner(model, request)) { return(Unauthorized()); } //Delete posts first to avoid reference errors DatabaseContext.Shared.WallPosts.RemoveRange(model.Posts); //And delete the files (both references and actual files) foreach (var file in model.Files) { TryDeleteFile(file); //Remove actual files } DatabaseContext.Shared.Files.RemoveRange(model.Files); //Remove db info //And remove the wall from the user, if any var user = GetUser(); if (user != null) { user.Remove(model); _authRepo.SaveUserUpdate(); } DatabaseContext.Shared.WallModels.Remove(model); try { DatabaseContext.Shared.SaveChanges(); } catch (DbUpdateException) { if (WallModelExists(wallId)) { return(InternalServerError()); } else { throw; } } DatabaseContext.Release(); return(Ok()); }
private bool CanModerate(WallModel model, GenericWallRequest request) { //No view permission if (!IsAuthorizedToView(model, GetPassword(request))) { return(false); } //Everyone has admin if (model.UnauthorizedUserPermissionLevel == WallModel.WallAccessPermissionLevels.ViewEditModerate) { return(true); } //Owner if (IsOwner(model, request)) { return(true); } //Not authorized to do anything / aren't on authorized list if (!User.Identity.IsAuthenticated) { return(false); } //Get them if possible var mx = model.AuthorizedUsers.FirstOrDefault( (m) => m.User.UserName == User.Identity.Name && m.PermissionLevel == WallModel.WallAccessPermissionLevels.ViewEditModerate); //and verify return(mx != null); }
private string GetPublicKey(GenericWallRequest model) { var user = User.Identity.IsAuthenticated ? _authRepo.FindUserByNameSync(User.Identity.Name) : null; if (user != null) { return(_authRepo.FindUserByNameSync(User.Identity.Name).TokenKeyPublic); } else { return(model.KeyPublic); } }
public IHttpActionResult CheckPassword(string wallId, GenericWallRequest request) { wallId = Helpers.TextSanitizer.Hypersanitize(wallId, true); if (!ModelState.IsValid) { return(BadRequest()); } WallModel wallModel = DatabaseContext.Shared.WallModels.Find(wallId); if (wallModel == null) { return(NotFound()); } DatabaseContext.Release(); return(Ok(new { authenticated = request.Password == wallModel.Password })); }
private bool CanCreatePost(WallModel model, GenericWallRequest request) { //No view permission if (!IsAuthorizedToView(model, GetPassword(request))) { return(false); } if (CanModerate(model, request)) { return(true); } if (IsEditPermission(model.UnauthorizedUserPermissionLevel)) //If anyone can edit { return(true); } return(UserHasCreatePermissions(model)); }
public IHttpActionResult UploadFile(string wallId, GenericWallRequest _request) { HttpRequestMessage request = this.Request; if (!request.Content.IsMimeMultipartContent()) { return(BadRequest()); } if (!WallExists(wallId)) { return(NotFound()); } var wall = DatabaseContext.Shared.WallModels.Find(wallId); if (!CanCreatePost(wall, _request)) { return(Unauthorized()); } wallId = Helpers.TextSanitizer.Hypersanitize(wallId).ToLower(); if (wallId.Length <= 0) { return(InternalServerError()); } if (wallId.Length >= 40) //Don't allow length >=40 for wall id { wallId = wallId.Substring(0, 40); } //Get the directory to store string root = System.Web.HttpContext.Current.Server.MapPath("~/App_Data/uploads/" + wallId); System.IO.Directory.CreateDirectory(root); //And loop through and get all of the files var httpRequest = HttpContext.Current.Request; if (httpRequest.Files.Count > 0) { var locations = new List <FileLocation>(); foreach (string file in httpRequest.Files) { var postedFile = httpRequest.Files[file]; //get the filename to upload to var extension = System.IO.Path.GetExtension(postedFile.FileName); var fileName = GetFileName(36) + "." + extension; var savePath = System.IO.Path.Combine(root, fileName); //In case we generate identical names, loop until they're different while (System.IO.File.Exists(savePath)) { fileName = GetFileName(36) + "." + extension; savePath = System.IO.Path.Combine(root, fileName); } //And save postedFile.SaveAs(savePath); locations.Add(new FileLocation() { Filename = fileName, AbsolutePath = String.Format("/api/walls/retrieve/{0}/{1}", wallId, fileName) }); } //And add to the wall db foreach (var fl in locations) { var fum = DatabaseContext.Shared.Files.Create(); fum.Filename = fl.Filename; fum.Wall = wall; fum.WallId = wall.WallUrl; wall.Files.Add(fum); } DatabaseContext.Shared.SaveChanges(); //And return the info return(Ok(locations)); } else { return(BadRequest("No files to upload.")); } DatabaseContext.Release(); }
public IHttpActionResult GetUploadedFile(string wallId, string filename, GenericWallRequest request) { var sanitized = Helpers.TextSanitizer.Hypersanitize(wallId).ToLower(); if (sanitized.Length <= 0) { return(InternalServerError()); } if (!WallExists(wallId)) { return(NotFound()); } var wall = DatabaseContext.Shared.WallModels.Find(wallId); if (!CanCreatePost(wall, request)) { return(Unauthorized()); } wallId = Helpers.TextSanitizer.Hypersanitize(wallId).ToLower(); if (wallId.Length <= 0) { return(InternalServerError()); } if (sanitized.Length >= 40) //Don't allow length >=40 for wall id { sanitized = sanitized.Substring(0, 40); } //Get the directory to store string root = System.Web.HttpContext.Current.Server.MapPath("~/App_Data/uploads/" + sanitized); System.IO.Directory.CreateDirectory(root); //Sanitize the filename filename = Helpers.TextSanitizer.Hypersanitize(filename, false, true); if (!System.IO.File.Exists(System.IO.Path.Combine(root, filename))) { return(NotFound()); } try { var stream = new System.IO.FileStream(System.IO.Path.Combine(root, filename), System.IO.FileMode.Open, System.IO.FileAccess.Read); var content = new StreamContent(stream); var mimeType = MimeTypeMap.MimeTypeMap.GetMimeType(System.IO.Path.GetExtension(filename)); HttpResponseMessage result = new HttpResponseMessage(HttpStatusCode.OK); result.Content = content; result.Content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue(mimeType); return(Ok(result)); } catch { return(NotFound()); } }
private bool IsOwner(WallModel model, GenericWallRequest request) { return(model.OwnerPrivate == GetPrivateKey(request)); }
private string GetPassword(GenericWallRequest model) { return(model.Password); }