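/// <summary>
/// Binds the per-row controls of the letters grid: the letter's document list and
/// the label showing its reply address.
/// </summary>
/// <param name="sender">The grid raising the event.</param>
/// <param name="e">Event data holding the grid item that was created.</param>
protected void GridLetters_ItemCreated(object sender, GridItemEventArgs e)
{
    // Only data rows carry a PaperLetter; header, footer and pager items are skipped
    if (!(e.Item is GridDataItem))
    {
        return;
    }

    PaperLetter letter = (PaperLetter)e.Item.DataItem;
    if (letter == null)
    {
        return;
    }

    // Both controls are looked up by id in the item template; either lookup may come
    // back null, so both are guarded alike instead of assuming the label is present
    Controls_v4_DocumentList docList = (Controls_v4_DocumentList)e.Item.FindControl("DocumentList");
    if (docList != null)
    {
        docList.Documents = Documents.ForObject(letter);
    }

    Label labelAddress = (Label)e.Item.FindControl("LabelAddress");
    if (labelAddress != null && letter.ReplyAddressLines != null)
    {
        // The reply address is free text typed by whoever registered the letter, and
        // Label.Text is rendered as raw markup, so it is HTML-encoded before display
        labelAddress.Text = Server.HtmlEncode(String.Join("; ", letter.ReplyAddressLines));
    }
}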
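/// <summary>
/// Streams the requested document to the client after checking that the current
/// user is allowed to see it. The document identity is read from the
/// <c>DocumentId</c> query string parameter.
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Unused event data.</param>
/// <exception cref="ArgumentException">DocumentId is missing or not an integer.</exception>
/// <exception cref="UnauthorizedAccessException">The current user may not see the document.</exception>
protected void Page_Load(object sender, EventArgs e)
{
    // The identity comes from the query string and is untrusted: validate before lookup
    int documentId;
    if (!int.TryParse(Request.QueryString["DocumentId"], out documentId))
    {
        throw new ArgumentException("DocumentId must be an integer document identity");
    }

    Document document = Document.FromIdentity(documentId);

    if (!IsDocumentAccessAllowed(document))
    {
        throw new UnauthorizedAccessException("Access is not allowed");
    }

    string serverPath = @"C:\Data\Uploads\PirateWeb"; // TODO: Read from web.config

    // The extension check is case-insensitive so "FILE.PDF" gets the right type; anything
    // unknown is sent as an opaque octet stream instead of an empty content type, so the
    // browser never gets to guess (e.g. HTML) from uploaded bytes
    string serverFileName = document.ServerFileName;
    string contentType = MediaTypeNames.Application.Octet;
    if (serverFileName.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
    {
        contentType = MediaTypeNames.Application.Pdf;
    }
    else if (serverFileName.EndsWith(".png", StringComparison.OrdinalIgnoreCase))
    {
        contentType = "image/png"; // why isn't this in MediaTypeNames?
    }
    else if (serverFileName.EndsWith(".jpg", StringComparison.OrdinalIgnoreCase))
    {
        contentType = MediaTypeNames.Image.Jpeg;
    }

    // The client file name belongs in a Content-Disposition header, not in Content-Type.
    // Double quotes would break the quoted-string syntax and CR/LF would split the header,
    // so both are removed. "inline" keeps the document rendering in the browser as before.
    string downloadName = document.ClientFileName
        .Replace("\"", "'")
        .Replace("\r", string.Empty)
        .Replace("\n", string.Empty);

    Response.ContentType = contentType;
    // Stop browsers from sniffing a different type out of user-uploaded content
    Response.AppendHeader("X-Content-Type-Options", "nosniff");
    Response.AppendHeader("Content-Disposition", "inline; filename=\"" + downloadName + "\"");
    // ServerFileName is assigned by the server on upload (a GUID-style name), not by the client
    Response.TransmitFile(Path.Combine(serverPath, serverFileName));
}

/// <summary>
/// Decides whether the current user may see <paramref name="document"/>, based on
/// its type and the user's permissions for the owning organization.
/// </summary>
/// <param name="document">The document being requested.</param>
/// <returns><c>true</c> when access is allowed; otherwise <c>false</c>.</returns>
private bool IsDocumentAccessAllowed(Document document)
{
    switch (document.DocumentType)
    {
        case DocumentType.FinancialTransaction:
            // TODO: Get the orgId from the foreign object. Until then the permission is
            // checked against the hard-coded PPSE organization, not the document's own.
            return _authority.HasPermission(Permission.CanSeeEconomyDetails, Organization.PPSEid, -1, Authorization.Flag.ExactOrganization);

        case DocumentType.ExpenseClaim:
        case DocumentType.InboundInvoice:
            {
                // The owning organization is resolved through the budget the document charges
                int orgId;
                int budgetId;
                if (document.DocumentType == DocumentType.ExpenseClaim)
                {
                    ExpenseClaim claim = (ExpenseClaim)document.ForeignObject;
                    orgId = claim.Budget.OrganizationId;
                    budgetId = claim.BudgetId;
                }
                else
                {
                    InboundInvoice invoice = (InboundInvoice)document.ForeignObject;
                    orgId = invoice.Budget.OrganizationId;
                    budgetId = invoice.BudgetId;
                }

                if (_authority.HasPermission(Permission.CanSeeEconomyDetails, orgId, -1, Authorization.Flag.ExactOrganization))
                {
                    return true;
                }

                // Otherwise only the owner of the budget may see the document
                return FinancialAccount.FromIdentity(budgetId).OwnerPersonId == _currentUser.Identity;
            }

        case DocumentType.PaperLetter:
            {
                PaperLetter letter = (PaperLetter)document.ForeignObject;

                if (letter.Recipient.Identity == _currentUser.Identity)
                {
                    return true; // A letter to the viewer
                }

                // Otherwise, are there overriding permissions, if not addressed to him/her?
                if (!letter.Personal)
                {
                    // Unpersonal paper letter, like a rally permit. Note that bank statements should
                    // be considered personal as they contain donors' information in the transaction info.
                    return _authority.HasPermission(Permission.CanSeeInsensitivePaperLetters, letter.OrganizationId, -1, Authorization.Flag.Default);
                }

                if (letter.ToPersonId == 0)
                {
                    // Addressed to the organization, not to a specific person, but still personal.
                    // Typical examples include political inquiries from private citizens written on
                    // paper.
                    return _authority.HasPermission(Permission.CanSeeSensitivePaperLetters, letter.OrganizationId, -1, Authorization.Flag.Default);
                }

                // Addressed to a specific individual that is not the viewer, and it's personal.
                // INVOCATION OF THIS CODE IS A BREACH OF THE POSTAL SECRET and should ONLY EVER
                // be done for technical, not operational, reasons and preferably NEVER.
                return _authority.HasPermission(Permission.CanBreachPostalSecretPaperLetters, letter.OrganizationId, -1, Authorization.Flag.Default);
            }

        case DocumentType.PersonPhoto:
            // These are public
            return true;

        default:
            return false;
    }
}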
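/// <summary>
/// Streams the requested document to the client as a download after checking that
/// the current user is allowed to see it. <c>DocId</c> (document identity) and
/// <c>DocName</c> (download name without extension) are read from the query string.
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Unused event data.</param>
/// <exception cref="ArgumentException">DocId is missing or not an integer.</exception>
/// <exception cref="UnauthorizedAccessException">The current user may not see the document.</exception>
/// <exception cref="FileNotFoundException">The stored file is missing and no debugger is attached.</exception>
protected void Page_Load(object sender, EventArgs e)
{
    // Query string values are untrusted: validate the identity before looking anything up
    int documentId;
    if (!int.TryParse(Request.QueryString["DocId"], out documentId))
    {
        throw new ArgumentException("DocId must be an integer document identity");
    }

    Document document = Document.FromIdentity(documentId);

    if (!IsDocumentAccessAllowed(document))
    {
        throw new UnauthorizedAccessException("Access is not allowed");
    }

    // The download name is echoed into a response header. A missing name falls back to
    // the client file name (the extension is re-added below); double quotes would break
    // the quoted-string syntax and CR/LF would split the header, so both are removed.
    string documentDownloadName = Request.QueryString["DocName"];
    if (documentDownloadName == null)
    {
        documentDownloadName = Path.GetFileNameWithoutExtension(document.ClientFileName);
    }
    documentDownloadName = documentDownloadName
        .Replace("\"", "'")
        .Replace("\r", string.Empty)
        .Replace("\n", string.Empty);

    string serverFileName = document.ServerFileName;
    string clientFileNameLower = document.ClientFileName.ToLowerInvariant().Trim();
    string serverFileNameLower = serverFileName.ToLowerInvariant().Trim();

    // Unknown types are sent as an opaque octet stream rather than with an empty content
    // type, so the browser never gets to guess (e.g. HTML) from user-uploaded bytes
    string contentType = MediaTypeNames.Application.Octet;

    // The "Filename.Contains" here instead of "Filename.EndsWith" is because page counts are added to file names
    if (serverFileNameLower.EndsWith(".png", StringComparison.Ordinal) && clientFileNameLower.Contains(".pdf"))
    {
        // Converted PDF, so cut filename to raw GUID length
        const string pageSuffix = "-0001.png";
        serverFileName = serverFileName.Substring(0, serverFileName.Length - pageSuffix.Length);
        documentDownloadName += ".pdf";
        contentType = MediaTypeNames.Application.Pdf;
    }
    else if (clientFileNameLower.EndsWith(".png", StringComparison.Ordinal))
    {
        contentType = "image/png"; // why isn't this in MediaTypeNames?
        documentDownloadName += ".png";
    }
    else if (clientFileNameLower.EndsWith(".jpg", StringComparison.Ordinal) || clientFileNameLower.EndsWith(".jpeg", StringComparison.Ordinal))
    {
        contentType = MediaTypeNames.Image.Jpeg;
        documentDownloadName += ".jpg";
    }
    else
    {
        // Unknown type: keep the original client extension, if there is one
        int lastDot = clientFileNameLower.LastIndexOf('.');
        if (lastDot > 0)
        {
            documentDownloadName += clientFileNameLower.Substring(lastDot);
        }
    }

    if (documentDownloadName.EndsWith(" 2_1", StringComparison.Ordinal) || documentDownloadName.EndsWith(" 2/1", StringComparison.Ordinal))
    {
        // Mystery bug
        documentDownloadName = documentDownloadName.Substring(0, documentDownloadName.Length - 4);
    }

    string storedPath = Document.StorageRoot + serverFileName;
    if (!File.Exists(storedPath))
    {
        // for some legacy installations, all older files are placed here
        storedPath = Document.StorageRoot + "legacy/" + serverFileName;
    }

    // TODO: If still doesn't exist, perhaps return a friendly error image instead?
    if (!File.Exists(storedPath))
    {
        if (!Debugger.IsAttached) // if running live; ignore FNF errors when debugging
        {
            throw new FileNotFoundException(storedPath);
        }

        Response.StatusCode = 404;
        Response.End();
        return;
    }

    Response.ContentType = contentType;
    // Stop browsers from sniffing a different type out of user-uploaded content
    Response.AppendHeader("X-Content-Type-Options", "nosniff");
    Response.AppendHeader("Content-Disposition", "attachment; filename=\"" + documentDownloadName + "\"");
    Response.TransmitFile(storedPath);
}

/// <summary>
/// Decides whether the current user may read <paramref name="document"/>: uploaders
/// always may; financial documents are readable when the owning organization keeps
/// open ledgers, when the user owns the budget or has Financials write access to the
/// owning organization; paper letters only by their addressee; photos, logos and
/// artwork are public.
/// </summary>
/// <param name="document">The document being requested.</param>
/// <returns><c>true</c> when access is allowed; otherwise <c>false</c>.</returns>
private bool IsDocumentAccessAllowed(Document document)
{
    // can always view documents you yourself uploaded
    if (document.UploadedByPersonId == this.CurrentAuthority.Person.Identity)
    {
        return true;
    }

    switch (document.DocumentType)
    {
        case DocumentType.FinancialTransaction:
            // Open ledgers make the financial records public.
            // TODO: Get the orgId from the foreign object so the check is made against the
            // document's organization rather than CurrentOrganization.
            return CurrentOrganization.HasOpenLedgers;

        case DocumentType.ExpenseClaim:
        case DocumentType.InboundInvoice:
        case DocumentType.OutboundInvoice:
            {
                // The owning organization is resolved through the budget the document charges
                int orgId;
                int budgetId;
                if (document.DocumentType == DocumentType.ExpenseClaim)
                {
                    ExpenseClaim claim = (ExpenseClaim)document.ForeignObject;
                    orgId = claim.Budget.OrganizationId;
                    budgetId = claim.BudgetId;
                }
                else if (document.DocumentType == DocumentType.InboundInvoice)
                {
                    InboundInvoice invoice = (InboundInvoice)document.ForeignObject;
                    orgId = invoice.Budget.OrganizationId;
                    budgetId = invoice.BudgetId;
                }
                else
                {
                    OutboundInvoice invoice = (OutboundInvoice)document.ForeignObject;
                    orgId = invoice.OrganizationId;
                    budgetId = invoice.BudgetId;
                }

                // Open ledgers and the Financials access right are both properties of
                // CurrentOrganization, so they only count when that is the organization owning
                // the budget (closes the former "Security leak - check CurrentOrganization
                // against Document's org" TODO).
                bool belongsToCurrentOrganization = orgId == CurrentOrganization.Identity;

                if (belongsToCurrentOrganization && CurrentOrganization.HasOpenLedgers)
                {
                    return true;
                }

                FinancialAccount budget = FinancialAccount.FromIdentity(budgetId);
                if (budget.OwnerPersonId == CurrentUser.Identity || budget.OwnerPersonId == 0)
                {
                    return true;
                }

                return belongsToCurrentOrganization
                    && CurrentAuthority.HasAccess(new Access(CurrentOrganization, AccessAspect.Financials, AccessType.Write));
            }

        case DocumentType.PaperLetter:
            {
                // Only the addressee may read a paper letter. The former overriding permissions
                // (insensitive / sensitive / postal-secret breach) remain disabled, and open
                // ledgers do not apply: letters fall under the postal secret, not the ledgers.
                PaperLetter letter = (PaperLetter)document.ForeignObject;
                return letter.Recipient.Identity == CurrentUser.Identity; // A letter to the viewer
            }

        case DocumentType.PersonPhoto:
        case DocumentType.Logo:
        case DocumentType.Artwork:
            // These are public
            return true;

        default:
            return false;
    }
}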
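/// <summary>
/// Streams the requested document to the client after checking that the current
/// user is allowed to see it. The document identity is read from the <c>DocId</c>
/// query string parameter; files are looked up under <c>StorageRoot</c>, with a
/// <c>legacy/</c> fallback for older installations.
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Unused event data.</param>
/// <exception cref="ArgumentException">DocId is missing or not an integer.</exception>
/// <exception cref="UnauthorizedAccessException">The current user may not see the document.</exception>
/// <exception cref="FileNotFoundException">The stored file is missing in both locations.</exception>
protected void Page_Load(object sender, EventArgs e)
{
    // The identity comes from the query string and is untrusted: validate before lookup
    int documentId;
    if (!int.TryParse(Request.QueryString["DocId"], out documentId))
    {
        throw new ArgumentException("DocId must be an integer document identity");
    }

    Document document = Document.FromIdentity(documentId);

    if (!IsDocumentAccessAllowed(document))
    {
        throw new UnauthorizedAccessException("Access is not allowed");
    }

    // Unknown types are sent as an opaque octet stream rather than with an empty content
    // type, so the browser never gets to guess (e.g. HTML) from user-uploaded bytes
    string contentType = MediaTypeNames.Application.Octet;
    string fileNameLower = document.ClientFileName.ToLowerInvariant();
    if (fileNameLower.EndsWith(".pdf", StringComparison.Ordinal))
    {
        contentType = MediaTypeNames.Application.Pdf;
    }
    else if (fileNameLower.EndsWith(".png", StringComparison.Ordinal))
    {
        contentType = "image/png"; // why isn't this in MediaTypeNames?
    }
    else if (fileNameLower.EndsWith(".jpg", StringComparison.Ordinal))
    {
        contentType = MediaTypeNames.Image.Jpeg;
    }

    string storedPath = StorageRoot + document.ServerFileName;
    if (!File.Exists(storedPath))
    {
        // for some legacy installations, all older files are placed here
        storedPath = StorageRoot + "legacy/" + document.ServerFileName;
    }

    // TODO: If still doesn't exist, perhaps return a friendly error image instead?
    if (!File.Exists(storedPath))
    {
        throw new FileNotFoundException(storedPath);
    }

    // The client file name belongs in a Content-Disposition header, not in Content-Type.
    // Double quotes would break the quoted-string syntax and CR/LF would split the header,
    // so both are removed. "inline" keeps the document rendering in the browser as before.
    string downloadName = document.ClientFileName
        .Replace("\"", "'")
        .Replace("\r", string.Empty)
        .Replace("\n", string.Empty);

    Response.ContentType = contentType;
    // Stop browsers from sniffing a different type out of user-uploaded content
    Response.AppendHeader("X-Content-Type-Options", "nosniff");
    Response.AppendHeader("Content-Disposition", "inline; filename=\"" + downloadName + "\"");
    Response.TransmitFile(storedPath);
}

/// <summary>
/// Decides whether the current user may read <paramref name="document"/>: financial
/// documents when the user owns the budget, the budget has no owner, or the user has
/// Financials write access to the owning organization; paper letters only by their
/// addressee; person photos are public.
/// </summary>
/// <param name="document">The document being requested.</param>
/// <returns><c>true</c> when access is allowed; otherwise <c>false</c>.</returns>
private bool IsDocumentAccessAllowed(Document document)
{
    switch (document.DocumentType)
    {
        case DocumentType.FinancialTransaction:
            // TODO: Get the orgId from the foreign object and check CanSeeEconomyDetails
            // against it; until then nobody is granted access through this branch.
            return false;

        case DocumentType.ExpenseClaim:
        case DocumentType.InboundInvoice:
            {
                // The owning organization is resolved through the budget the document charges
                int orgId;
                int budgetId;
                if (document.DocumentType == DocumentType.ExpenseClaim)
                {
                    ExpenseClaim claim = (ExpenseClaim)document.ForeignObject;
                    orgId = claim.Budget.OrganizationId;
                    budgetId = claim.BudgetId;
                }
                else
                {
                    InboundInvoice invoice = (InboundInvoice)document.ForeignObject;
                    orgId = invoice.Budget.OrganizationId;
                    budgetId = invoice.BudgetId;
                }

                FinancialAccount budget = FinancialAccount.FromIdentity(budgetId);
                if (budget.OwnerPersonId == this.CurrentUser.Identity || budget.OwnerPersonId == 0)
                {
                    return true;
                }

                // The Financials access right is evaluated for CurrentOrganization, so it only
                // counts when that is the organization owning the budget (closes the former
                // "Security leak - check CurrentOrganization against Document's org" TODO).
                return orgId == CurrentOrganization.Identity
                    && this.CurrentUser.HasAccess(new Access(CurrentOrganization, AccessAspect.Financials, AccessType.Write));
            }

        case DocumentType.PaperLetter:
            {
                // Only the addressee may read a paper letter; the former overriding permissions
                // (insensitive / sensitive / postal-secret breach) remain disabled.
                PaperLetter letter = (PaperLetter)document.ForeignObject;
                return letter.Recipient.Identity == this.CurrentUser.Identity; // A letter to the viewer
            }

        case DocumentType.PersonPhoto:
            // These are public
            return true;

        default:
            return false;
    }
}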
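/// <summary>
/// Stores a received paper letter: processes any pending upload, reads the form,
/// creates the PaperLetter, attaches the uploaded documents to it, raises the
/// notification event and resets the form.
/// </summary>
/// <param name="sender">The button raising the event.</param>
/// <param name="e">Unused event data.</param>
protected void ButtonStoreLetter_Click(object sender, EventArgs e)
{
    // First, if there's an upload that the user hasn't processed, process it first.
    if (this.Upload.UploadedFiles.Count > 0)
    {
        ProcessUpload();
    }

    // If args were invalid, abort
    if (!Page.IsValid)
    {
        return;
    }

    // Read the form data
    string from = this.TextFrom.Text;
    // One reply address line per text box line; CR is dropped so CRLF input splits cleanly
    string[] replyAddressLines = this.TextAddress.Text.Trim().Replace("\r", string.Empty).Split('\n');
    int temporaryId = Int32.Parse(this.TemporaryDocumentIdentity.Text);
    int organizationId = Int32.Parse(this.DropOrganizations.SelectedValue);
    // NOTE(review): assumes the date picker has a selection once Page.IsValid holds — confirm a validator covers it
    DateTime receivedDate = (DateTime)this.DatePicker.SelectedDate;

    int toPersonId = this.ComboRecipient.HasSelection ? this.ComboRecipient.SelectedPerson.Identity : 0;

    // The role is only meaningful when the letter is addressed to a specific person
    RoleType roleType = RoleType.Unknown;
    if (toPersonId > 0)
    {
        roleType = (RoleType)Int32.Parse(this.DropRoles.SelectedValue);
    }

    bool personal = !string.Equals(this.DropPersonal.SelectedValue, "NotPersonal", StringComparison.Ordinal);

    // Create the paper letter record
    PaperLetter newLetter = PaperLetter.Create(_currentUser.Identity, organizationId, from, replyAddressLines, receivedDate, toPersonId, roleType, personal);

    // Move documents to the new letter
    Documents.ForObject(new TemporaryIdentity(temporaryId)).SetForeignObjectForAll(newLetter);

    // Create the event for PirateBot-Mono to send off mails
    Activizr.Logic.Support.PWEvents.CreateEvent(EventSource.PirateWeb, EventType.PaperLetterReceived, _currentUser.Identity, organizationId, 1, toPersonId, newLetter.Identity, string.Empty);

    // The identity is an integer, so embedding it in the script literal cannot break out of it
    Page.ClientScript.RegisterStartupScript(typeof(Page), "OkMessage", @"alert ('Letter #" + newLetter.Identity.ToString() + " was successfully stored.');", true);

    // Clear the text fields
    this.TextFrom.Text = string.Empty;
    this.TextAddress.Text = string.Empty;
    this.ComboRecipient.Text = string.Empty;
    this.DatePicker.SelectedDate = DateTime.Today;
    this.TemporaryDocumentIdentity.Text = "0";
    this.DropPersonal.SelectedIndex = 0;
    this.DocumentList.Documents = new Documents();
}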