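    /// <summary>
    /// Binds a grid data row to the paper letter it displays: hands the letter's documents to
    /// the row's DocumentList control and renders the reply address lines into LabelAddress.
    /// </summary>
    /// <param name="sender">The grid raising the event (unused).</param>
    /// <param name="e">Row event arguments; rows that are not GridDataItem rows are ignored.</param>
    protected void GridLetters_ItemCreated(object sender, GridItemEventArgs e)
    {
        if (!(e.Item is GridDataItem))
        {
            return; // only data rows carry a PaperLetter
        }

        // "as" rather than a hard cast: a row bound to something else simply gets no binding
        // instead of an InvalidCastException taking the whole grid down.
        PaperLetter letter = e.Item.DataItem as PaperLetter;

        if (letter == null)
        {
            return;
        }

        Controls_v4_DocumentList docList = e.Item.FindControl("DocumentList") as Controls_v4_DocumentList;

        if (docList != null)
        {
            docList.Documents = Documents.ForObject(letter);
        }

        // Guard the label the same way as the document list; a template without a LabelAddress
        // control must not raise a NullReferenceException here.
        Label labelAddress = e.Item.FindControl("LabelAddress") as Label;

        if (labelAddress != null)
        {
            labelAddress.Text = String.Join("; ", letter.ReplyAddressLines);
        }
    }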
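    /// <summary>
    /// Streams the document named by the DocumentId query-string parameter to the client after
    /// checking that the current user may see it. The rule depends on the document type: economy
    /// permission (or budget ownership) for financial documents, recipient or organization-level
    /// permissions for paper letters, and no restriction for person photos.
    /// </summary>
    /// <param name="sender">The page raising the event (unused).</param>
    /// <param name="e">Event arguments (unused).</param>
    /// <exception cref="ArgumentException">DocumentId is missing or not an integer.</exception>
    /// <exception cref="UnauthorizedAccessException">The current user may not see the document,
    /// or the stored file name resolves to a path outside the upload root.</exception>
    protected void Page_Load(object sender, EventArgs e)
    {
        string documentIdString = Request.QueryString["DocumentId"];
        int    documentId;

        // The id comes from the URL and is untrusted: reject garbage explicitly instead of letting
        // Int32.Parse surface a FormatException as a server error.
        if (!Int32.TryParse(documentIdString, out documentId))
        {
            throw new ArgumentException("DocumentId must be an integer", "DocumentId");
        }

        Document document = Document.FromIdentity(documentId);

        // Orgid is needed to safely verify permission. For financial transactions it is not yet
        // taken from the foreign object (see the TODO below), so the PPSE organization stands in.
        int orgId = Organization.PPSEid;

        bool hasPermission = false;

        switch (document.DocumentType)
        {
        case DocumentType.FinancialTransaction:
            //TODO: Get the orgId from foreign object
            hasPermission = _authority.HasPermission(Permission.CanSeeEconomyDetails, orgId, -1, Authorization.Flag.ExactOrganization);
            break;

        case DocumentType.ExpenseClaim:
        case DocumentType.InboundInvoice:
        {
            int budgetId = 0;

            // Both types carry a budget; the organization to check against is the budget's.
            if (document.DocumentType == DocumentType.ExpenseClaim)
            {
                ExpenseClaim claim = (ExpenseClaim)document.ForeignObject;
                orgId    = claim.Budget.OrganizationId;
                budgetId = claim.BudgetId;
            }
            else
            {
                InboundInvoice invoice = (InboundInvoice)document.ForeignObject;
                orgId    = invoice.Budget.OrganizationId;
                budgetId = invoice.BudgetId;
            }

            // Economy-details permission in that exact organization suffices; otherwise the owner
            // of the budget may see the document. The budget is only looked up when needed.
            if (_authority.HasPermission(Permission.CanSeeEconomyDetails, orgId, -1, Authorization.Flag.ExactOrganization))
            {
                hasPermission = true;
            }
            else if (FinancialAccount.FromIdentity(budgetId).OwnerPersonId == _currentUser.Identity)
            {
                hasPermission = true;
            }
            break;
        }

        case DocumentType.PaperLetter:
        {
            PaperLetter letter = (PaperLetter)document.ForeignObject;

            if (letter.Recipient.Identity == _currentUser.Identity)
            {
                hasPermission = true;     // A letter to the viewer
            }
            else if (!letter.Personal)
            {
                // Unpersonal paper letter, like a rally permit. Note that bank statements should
                // be considered personal as they contain donors' information in the transaction info.
                hasPermission = _authority.HasPermission(Permission.CanSeeInsensitivePaperLetters, letter.OrganizationId, -1, Authorization.Flag.Default);
            }
            else if (letter.ToPersonId == 0)
            {
                // Addressed to the organization, not to a specific person, but still personal.
                // Typical examples include political inquiries from private citizens written on
                // paper.
                hasPermission = _authority.HasPermission(Permission.CanSeeSensitivePaperLetters, letter.OrganizationId, -1, Authorization.Flag.Default);
            }
            else
            {
                // Addressed to a specific individual that is not the viewer, and it's personal.
                // INVOCATION OF THIS CODE IS A BREACH OF THE POSTAL SECRET and should ONLY EVER
                // be done for technical, not operational, reasons and preferably NEVER.
                hasPermission = _authority.HasPermission(Permission.CanBreachPostalSecretPaperLetters, letter.OrganizationId, -1, Authorization.Flag.Default);
            }
            break;
        }

        case DocumentType.PersonPhoto:
            // These are public
            hasPermission = true;
            break;
        }

        if (!hasPermission)
        {
            // Derives from Exception, so any existing catch-all handler still sees it.
            throw new UnauthorizedAccessException("Access is not allowed");
        }

        string serverPath = @"C:\Data\Uploads\PirateWeb"; // TODO: Read from web.config

        // Build the path with Path.Combine and make sure it stays inside the upload root: the stored
        // name is not expected to carry directory parts, and one that escapes the root is refused.
        string fullPath = Path.GetFullPath(Path.Combine(serverPath, document.ServerFileName));

        if (!fullPath.StartsWith(serverPath + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
        {
            throw new UnauthorizedAccessException("Access is not allowed");
        }

        // Extension matching is case-insensitive; anything unrecognized is served as a generic
        // binary stream rather than with an empty content type.
        string contentType = MediaTypeNames.Application.Octet;

        if (document.ServerFileName.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
        {
            contentType = MediaTypeNames.Application.Pdf;
        }
        else if (document.ServerFileName.EndsWith(".png", StringComparison.OrdinalIgnoreCase))
        {
            contentType = "image/png"; // why isn't this in MediaTypeNames?
        }
        else if (document.ServerFileName.EndsWith(".jpg", StringComparison.OrdinalIgnoreCase))
        {
            contentType = MediaTypeNames.Image.Jpeg;
        }

        // The file name belongs in Content-Disposition, not appended to Content-Type. It is echoed
        // into a response header, so quotes and line breaks are stripped to keep the header
        // well-formed. "inline" keeps the previous behaviour of showing PDFs and images in the browser.
        string downloadName = (document.ClientFileName ?? string.Empty).Replace("\"", "'").Replace("\r", "").Replace("\n", "");

        Response.ContentType = contentType;
        Response.AppendHeader("Content-Disposition", "inline; filename=\"" + downloadName + "\"");
        Response.TransmitFile(fullPath);
    }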
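        /// <summary>
        /// Streams the document identified by the DocId query-string parameter to the client as a
        /// download whose name is taken from the DocName parameter plus the original extension.
        /// Access is granted to the uploader, to everyone while the current organization has open
        /// ledgers, and otherwise per document type (switch below). Converted PDFs are stored as
        /// page images, so the stored name is cut back to the original file before transmitting.
        /// </summary>
        /// <param name="sender">The page raising the event (unused).</param>
        /// <param name="e">Event arguments (unused).</param>
        /// <exception cref="ArgumentException">DocId is missing or not an integer.</exception>
        /// <exception cref="UnauthorizedAccessException">The current user may not see the document.</exception>
        /// <exception cref="FileNotFoundException">The stored file is missing and no debugger is attached.</exception>
        protected void Page_Load(object sender, EventArgs e)
        {
            string documentIdString = Request.QueryString["DocId"];
            int    documentId;

            // Untrusted URL input: reject non-numeric ids explicitly rather than letting Int32.Parse
            // turn them into an unhandled FormatException.
            if (!Int32.TryParse(documentIdString, out documentId))
            {
                throw new ArgumentException("DocId must be an integer", "DocId");
            }

            // DocName is untrusted and is echoed into the Content-Disposition header below. A missing
            // parameter must not crash on Replace, and line breaks must not reach the header, where
            // they would let a crafted value inject further headers.
            string documentDownloadName = Request.QueryString["DocName"] ?? string.Empty;
            documentDownloadName = documentDownloadName.Replace("\"", "'").Replace("\r", "").Replace("\n", "");

            Document document = Document.FromIdentity(documentId);

            //Orgid is needed to safely verify permission
            int orgId = 0; // initialize to invalid

            bool   hasPermission  = false;
            string serverFileName = document.ServerFileName;

            if (document.UploadedByPersonId == this.CurrentAuthority.Person.Identity)
            {
                hasPermission = true; // can always view documents you yourself uploaded
            }

            // NOTE(review): open ledgers grant access to every document regardless of its type or
            // of which organization it belongs to -- confirm that this is the intended policy.
            if (CurrentOrganization.HasOpenLedgers)
            {
                hasPermission = true;
            }

            if (!hasPermission)
            {
                switch (document.DocumentType)
                {
                case DocumentType.FinancialTransaction:
                    // No type-specific rule at present: the former CanSeeEconomyDetails check is
                    // disabled until the organization can be resolved from the foreign object.
                    //TODO: Get the orgId from foreign object
                    break;

                case DocumentType.ExpenseClaim:
                case DocumentType.InboundInvoice:
                case DocumentType.OutboundInvoice:
                {
                    int budgetId = 0;

                    if (document.DocumentType == DocumentType.ExpenseClaim)
                    {
                        ExpenseClaim claim = (ExpenseClaim)document.ForeignObject;
                        orgId    = claim.Budget.OrganizationId;
                        budgetId = claim.BudgetId;
                    }
                    else if (document.DocumentType == DocumentType.InboundInvoice)
                    {
                        InboundInvoice invoice = (InboundInvoice)document.ForeignObject;
                        orgId    = invoice.Budget.OrganizationId;
                        budgetId = invoice.BudgetId;
                    }
                    else
                    {
                        OutboundInvoice invoice = (OutboundInvoice)document.ForeignObject;
                        orgId    = invoice.OrganizationId;
                        budgetId = invoice.BudgetId;
                    }

                    // The budget's owner, or anyone if the budget has no owner, may see the document...
                    FinancialAccount budget = FinancialAccount.FromIdentity(budgetId);

                    if (budget.OwnerPersonId == CurrentUser.Identity || budget.OwnerPersonId == 0)
                    {
                        hasPermission = true;
                        break;
                    }

                    // ...as may anyone with write access to the current organization's financials.
                    // TODO: Security leak - check CurrentOrganization against Document's org
                    // (orgId above holds the document's organization but is not compared yet.)
                    if (CurrentAuthority.HasAccess(new Access(CurrentOrganization, AccessAspect.Financials, AccessType.Write)))
                    {
                        hasPermission = true;
                    }
                    break;
                }

                case DocumentType.PaperLetter:
                {
                    PaperLetter letter = (PaperLetter)document.ForeignObject;

                    if (letter.Recipient.Identity == CurrentUser.Identity)
                    {
                        hasPermission = true;     // A letter to the viewer
                    }

                    // The former organization-level overrides (insensitive / sensitive / postal-secret
                    // permissions for letters not addressed to the viewer) are disabled; within this
                    // switch only the recipient is granted access.
                    break;
                }

                case DocumentType.PersonPhoto:
                case DocumentType.Logo:
                case DocumentType.Artwork:
                    // These are public
                    hasPermission = true;
                    break;
                }
            }

            if (!hasPermission)
            {
                // Derives from Exception, so any existing catch-all handler still sees it.
                throw new UnauthorizedAccessException("Access is not allowed");
            }

            // Unrecognized extensions are served as a generic binary download instead of with an
            // empty content type.
            string contentType = MediaTypeNames.Application.Octet;

            string clientFileNameLower = document.ClientFileName.ToLowerInvariant().Trim();
            string serverFileNameLower = document.ServerFileName.ToLowerInvariant().Trim();

            // The "Filename.Contains" here instead of "Filename.EndsWith" is because page counts are added to file names
            if (serverFileNameLower.EndsWith(".png", StringComparison.Ordinal) && clientFileNameLower.Contains(".pdf"))
            {
                // Converted PDF, stored under the name of its first page image: cut the page suffix
                // off to get back to the raw stored name. The Substring is guarded so a stored name
                // shorter than the suffix cannot throw ArgumentOutOfRangeException.
                const string pageSuffix = "-0001.png";

                if (serverFileName.Length >= pageSuffix.Length)
                {
                    serverFileName = serverFileName.Substring(0, serverFileName.Length - pageSuffix.Length);
                }

                documentDownloadName += ".pdf";
                contentType           = MediaTypeNames.Application.Pdf;
            }
            else if (clientFileNameLower.EndsWith(".png", StringComparison.Ordinal))
            {
                contentType           = "image/png"; // why isn't this in MediaTypeNames?
                documentDownloadName += ".png";
            }
            else if (clientFileNameLower.EndsWith(".jpg", StringComparison.Ordinal) || clientFileNameLower.EndsWith(".jpeg", StringComparison.Ordinal))
            {
                contentType           = MediaTypeNames.Image.Jpeg;
                documentDownloadName += ".jpg";
            }
            else
            {
                int lastDot = clientFileNameLower.LastIndexOf('.');

                if (lastDot > 0)
                {
                    documentDownloadName += clientFileNameLower.Substring(lastDot); // Adds original client extension
                }
            }

            if (documentDownloadName.EndsWith(" 2_1", StringComparison.Ordinal) || documentDownloadName.EndsWith(" 2/1", StringComparison.Ordinal))
            {
                // Mystery bug: a stray " 2_1" / " 2/1" suffix shows up on some names; strip it.
                documentDownloadName = documentDownloadName.Substring(0, documentDownloadName.Length - 4);
            }

            string legacyMarker = string.Empty;

            if (!File.Exists(Document.StorageRoot + serverFileName))
            {
                legacyMarker = "legacy/"; // for some legacy installations, all older files are placed here
            }

            string fullPath = Document.StorageRoot + legacyMarker + serverFileName;

            // TODO: If still doesn't exist, perhaps return a friendly error image instead?
            if (!File.Exists(fullPath))
            {
                if (Debugger.IsAttached)
                {
                    // When debugging, ignore file-not-found and just answer 404.
                    Response.StatusCode = 404;
                    Response.End();
                    return;
                }

                throw new FileNotFoundException(fullPath);
            }

            Response.ContentType = contentType;
            Response.AppendHeader("Content-Disposition", "attachment; filename=\"" + documentDownloadName + "\"");
            Response.TransmitFile(fullPath);
        }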
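        /// <summary>
        /// Streams the document identified by the DocId query-string parameter to the client after
        /// checking the current user's permission, which depends on the document type: budget
        /// ownership or financial write access for claims and invoices, recipient only for paper
        /// letters, and no restriction for person photos. Older installations keep files under a
        /// "legacy/" subfolder, which is tried when the file is not found at the storage root.
        /// </summary>
        /// <param name="sender">The page raising the event (unused).</param>
        /// <param name="e">Event arguments (unused).</param>
        /// <exception cref="ArgumentException">DocId is missing or not an integer.</exception>
        /// <exception cref="UnauthorizedAccessException">The current user may not see the document.</exception>
        /// <exception cref="FileNotFoundException">The stored file exists neither at the root nor under "legacy/".</exception>
        protected void Page_Load(object sender, EventArgs e)
        {
            string documentIdString = Request.QueryString["DocId"];
            int    documentId;

            // Untrusted URL input: reject non-numeric ids explicitly rather than letting Int32.Parse
            // turn them into an unhandled FormatException.
            if (!Int32.TryParse(documentIdString, out documentId))
            {
                throw new ArgumentException("DocId must be an integer", "DocId");
            }

            Document document = Document.FromIdentity(documentId);

            //Orgid is needed to safely verify permission (collected below for the organization check
            // the TODO in the claim/invoice case asks for; not compared yet)
            int orgId = 0; // initialize to invalid

            bool hasPermission = false;

            switch (document.DocumentType)
            {
            case DocumentType.FinancialTransaction:
                // No type-specific rule at present: the former CanSeeEconomyDetails check is
                // disabled until the organization can be resolved from the foreign object.
                //TODO: Get the orgId from foreign object
                break;

            case DocumentType.ExpenseClaim:
            case DocumentType.InboundInvoice:
            {
                int budgetId = 0;

                if (document.DocumentType == DocumentType.ExpenseClaim)
                {
                    ExpenseClaim claim = (ExpenseClaim)document.ForeignObject;
                    orgId    = claim.Budget.OrganizationId;
                    budgetId = claim.BudgetId;
                }
                else
                {
                    InboundInvoice invoice = (InboundInvoice)document.ForeignObject;
                    orgId    = invoice.Budget.OrganizationId;
                    budgetId = invoice.BudgetId;
                }

                // The budget's owner, or anyone if the budget has no owner, may see the document...
                FinancialAccount budget = FinancialAccount.FromIdentity(budgetId);

                if (budget.OwnerPersonId == this.CurrentUser.Identity || budget.OwnerPersonId == 0)
                {
                    hasPermission = true;
                    break;
                }

                // ...as may anyone with write access to the current organization's financials.
                // TODO: Security leak - check CurrentOrganization against Document's org
                if (this.CurrentUser.HasAccess(new Access(CurrentOrganization, AccessAspect.Financials, AccessType.Write)))
                {
                    hasPermission = true;
                }
                break;
            }

            case DocumentType.PaperLetter:
            {
                PaperLetter letter = (PaperLetter)document.ForeignObject;

                if (letter.Recipient.Identity == this.CurrentUser.Identity)
                {
                    hasPermission = true;         // A letter to the viewer
                }

                // The former organization-level overrides (insensitive / sensitive / postal-secret
                // permissions for letters not addressed to the viewer) are disabled; only the
                // recipient is granted access.
                break;
            }

            case DocumentType.PersonPhoto:
                // These are public
                hasPermission = true;
                break;
            }

            if (!hasPermission)
            {
                // Derives from Exception, so any existing catch-all handler still sees it.
                throw new UnauthorizedAccessException("Access is not allowed");
            }

            // Unrecognized extensions are served as a generic binary stream rather than with an
            // empty content type.
            string contentType = MediaTypeNames.Application.Octet;

            string fileNameLower = document.ClientFileName.ToLowerInvariant();

            if (fileNameLower.EndsWith(".pdf", StringComparison.Ordinal))
            {
                contentType = MediaTypeNames.Application.Pdf;
            }
            else if (fileNameLower.EndsWith(".png", StringComparison.Ordinal))
            {
                contentType = "image/png"; // why isn't this in MediaTypeNames?
            }
            else if (fileNameLower.EndsWith(".jpg", StringComparison.Ordinal))
            {
                contentType = MediaTypeNames.Image.Jpeg;
            }

            string legacyMarker = string.Empty;

            if (!File.Exists(StorageRoot + document.ServerFileName))
            {
                legacyMarker = "legacy/"; // for some legacy installations, all older files are placed here
            }

            string fullPath = StorageRoot + legacyMarker + document.ServerFileName;

            // TODO: If still doesn't exist, perhaps return a friendly error image instead?
            if (!File.Exists(fullPath))
            {
                throw new FileNotFoundException(fullPath);
            }

            // The file name belongs in Content-Disposition, not appended to Content-Type. It is echoed
            // into a response header, so quotes and line breaks are stripped to keep the header
            // well-formed. "inline" keeps the previous behaviour of showing PDFs and images in the browser.
            string downloadName = document.ClientFileName.Replace("\"", "'").Replace("\r", "").Replace("\n", "");

            Response.ContentType = contentType;
            Response.AppendHeader("Content-Disposition", "inline; filename=\"" + downloadName + "\"");
            Response.TransmitFile(fullPath);
        }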
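    /// <summary>
    /// Stores a new paper letter from the form: finishes any pending upload, validates the page,
    /// creates the PaperLetter record, re-parents the temporarily uploaded documents onto it,
    /// raises the PaperLetterReceived event for the mail bot and then resets the form fields.
    /// </summary>
    /// <param name="sender">The button raising the event (unused).</param>
    /// <param name="e">Event arguments (unused).</param>
    protected void ButtonStoreLetter_Click(object sender, EventArgs e)
    {
        // First, if there's an upload that the user hasn't processed, process it first.
        if (this.Upload.UploadedFiles.Count > 0)
        {
            ProcessUpload();
        }

        // If args were invalid, abort
        if (!Page.IsValid)
        {
            return;
        }

        // Read the form data

        string from = this.TextFrom.Text;

        // One address line per text-box line; CR is dropped so Windows line endings split cleanly.
        string[] replyAddressLines = this.TextAddress.Text.Trim().Replace("\r", "").Split('\n');

        int temporaryId    = Int32.Parse(this.TemporaryDocumentIdentity.Text);
        int organizationId = Int32.Parse(this.DropOrganizations.SelectedValue);

        // The nullable-to-DateTime cast throws if nothing is selected; page validation is expected
        // to have ensured a date by this point.
        DateTime receivedDate = (DateTime)this.DatePicker.SelectedDate;

        // 0 means "addressed to the organization, not to a person"; a role is only meaningful
        // when there is a person.
        int toPersonId = this.ComboRecipient.HasSelection ? this.ComboRecipient.SelectedPerson.Identity : 0;

        RoleType roleType = RoleType.Unknown;

        if (toPersonId > 0)
        {
            roleType = (RoleType)Int32.Parse(this.DropRoles.SelectedValue);
        }

        bool personal = this.DropPersonal.SelectedValue != "NotPersonal";

        // Create the paper letter record
        PaperLetter newLetter = PaperLetter.Create(_currentUser.Identity, organizationId, from, replyAddressLines,
                                                   receivedDate, toPersonId, roleType, personal);

        // Move documents to the new letter
        Documents.ForObject(new TemporaryIdentity(temporaryId)).SetForeignObjectForAll(newLetter);

        // Create the event for PirateBot-Mono to send off mails
        Activizr.Logic.Support.PWEvents.CreateEvent(EventSource.PirateWeb, EventType.PaperLetterReceived,
                                                    _currentUser.Identity, organizationId, 1, toPersonId,
                                                    newLetter.Identity, string.Empty);

        // Only the numeric identity is interpolated into the script, so no escaping is needed.
        Page.ClientScript.RegisterStartupScript(typeof(Page), "OkMessage", @"alert ('Letter #" + newLetter.Identity.ToString() + " was successfully stored.');", true);

        // Clear the text fields
        this.TextFrom.Text                  = string.Empty;
        this.TextAddress.Text               = string.Empty;
        this.ComboRecipient.Text            = string.Empty;
        this.DatePicker.SelectedDate        = DateTime.Today;
        this.TemporaryDocumentIdentity.Text = "0";
        this.DropPersonal.SelectedIndex     = 0;
        this.DocumentList.Documents         = new Documents();
    }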