private static IList <NavBE> FilterDisallowedNavRecords(IList <NavBE> navPages)
{
Dictionary <ulong, NavBE> pagesToCheck = new Dictionary <ulong, NavBE>();
List <NavBE> allowedPages = new List <NavBE>(navPages.Count);
Permissions userPermissions = PermissionsBL.GetUserPermissions(DekiContext.Current.User);
foreach (NavBE np in navPages)
{
ulong effectivePageRights = PermissionsBL.CalculateEffectivePageRights(new PermissionStruct((ulong)userPermissions, np.RestrictionFlags ?? ulong.MaxValue, 0));
if (!PermissionsBL.IsActionAllowed(effectivePageRights, false, Permissions.BROWSE))
{
pagesToCheck.Add(np.Id, np);
}
else
{
allowedPages.Add(np);
}
}
if (pagesToCheck.Count > 0)
{
IEnumerable <ulong> filteredOutPages;
var allowedIds = PermissionsBL.FilterDisallowed(DekiContext.Current.User, pagesToCheck.Keys.ToArray(), false, out filteredOutPages, Permissions.BROWSE);
foreach (var allowedId in allowedIds)
{
allowedPages.Add(pagesToCheck[allowedId]);
}
return(allowedPages);
}
// No changes made..
return(navPages);
}
public static XDoc BuildXmlSiteMap(PageBE rootPage, string language)
{
Dictionary <ulong, PageBE> pagesById = null;
rootPage = PageBL.PopulateDescendants(rootPage, null, out pagesById, ConfigBL.GetInstanceSettingsValueAs <int>(ConfigBL.MAX_SITEMAP_SIZE_KEY, ConfigBL.MAX_SITEMAP_SIZE));
PageBE[] allowedPages = PermissionsBL.FilterDisallowed(DekiContext.Current.User, new List <PageBE>(pagesById.Values).ToArray(), false, new Permissions[] { Permissions.BROWSE });
Dictionary <ulong, PageBE> allowedPagesById = allowedPages.AsHash(e => e.ID);
Dictionary <ulong, PageBE> addedPagesById = null;
if (!string.IsNullOrEmpty(language))
{
List <ulong> pagesToRemove = new List <ulong>();
foreach (KeyValuePair <ulong, PageBE> page in allowedPagesById)
{
if (!string.IsNullOrEmpty(page.Value.Language) && !StringUtil.EqualsInvariantIgnoreCase(page.Value.Language, language))
{
pagesToRemove.Add(page.Key);
}
}
foreach (ulong pageId in pagesToRemove)
{
allowedPagesById.Remove(pageId);
}
}
PageBL.AddParentsOfAllowedChildren(rootPage, allowedPagesById, addedPagesById);
return(BuildXmlSiteMap(rootPage, new XDoc("pages"), allowedPagesById));
}
private RoleBE GetRoleFromUrl(bool mustExist)
{
RoleBE r;
string roleid = DreamContext.Current.GetParam("roleid");
// Double decoding of name is done to work around a mod_proxy issue that strips out slashes
roleid = XUri.Decode(roleid);
if (roleid.StartsWith("="))
{
string name = roleid.Substring(1);
r = PermissionsBL.GetRoleByName(name);
if (r == null && mustExist)
{
throw new SiteRoleNameNotFoundException(name);
}
}
else
{
uint roleIdInt;
if (!uint.TryParse(roleid, out roleIdInt))
{
throw new SiteRoleIdInvalidArgumentException();
}
r = PermissionsBL.GetRoleById(roleIdInt);
if (r == null && mustExist)
{
throw new SiteRoleIdNotFoundException(roleIdInt);
}
}
return(r);
}
public Yield GetGroupUsers(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.READ);
GroupBE group = GetGroupFromUrl();
DreamMessage responseMsg = null;
uint totalCount;
uint queryCount;
var usersInGroup = UserBL.GetUsersByQuery(context, group.Id, out totalCount, out queryCount);
XDoc ret = new XDoc("users");
ret.Attr("count", usersInGroup.Count());
ret.Attr("querycount", queryCount);
ret.Attr("totalcount", totalCount);
ret.Attr("href", DekiContext.Current.ApiUri.At("groups", group.Id.ToString(), "users"));
foreach (UserBE member in usersInGroup)
{
ret.Add(UserBL.GetUserXml(member, null, Utils.ShowPrivateUserInfo(member)));
}
responseMsg = DreamMessage.Ok(ret);
response.Return(responseMsg);
yield break;
}
public Yield ProxyToService(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.IsUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
//Private feature requires api-key
var identifier = context.GetParam("id");
ServiceRepository.IServiceInfo serviceInfo = null;
if (identifier.StartsWith("="))
{
serviceInfo = DekiContext.Current.Instance.RunningServices[XUri.Decode(identifier.Substring(1))];
}
else
{
uint serviceId;
if (uint.TryParse(identifier, out serviceId))
{
serviceInfo = DekiContext.Current.Instance.RunningServices[serviceId];
}
else
{
throw new DreamBadRequestException(string.Format("Invalid id '{0}'", identifier));
}
}
if (serviceInfo == null)
{
throw new ServiceNotFoundException(identifier);
}
var proxyUri = serviceInfo.ServiceUri.At(context.GetSuffixes(UriPathFormat.Original).Skip(1).ToArray());
yield return(context.Relay(Plug.New(proxyUri), request, response));
}
public Yield GetServiceById(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
bool privateDetails = PermissionsBL.IsUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
//Private feature requires api-key
var identifier = context.GetParam("id");
uint serviceId = 0;
if (identifier.StartsWith("="))
{
var serviceInfo = DekiContext.Current.Instance.RunningServices[XUri.Decode(identifier.Substring(1))];
if (serviceInfo != null)
{
serviceId = serviceInfo.ServiceId;
}
}
else
{
if (!uint.TryParse(identifier, out serviceId))
{
throw new DreamBadRequestException(string.Format("Invalid id '{0}'", identifier));
}
}
ServiceBE service = ServiceBL.GetServiceById(serviceId);
if (service == null)
{
throw new ServiceNotFoundException(identifier);
}
response.Return(DreamMessage.Ok(ServiceBL.GetServiceXmlVerbose(DekiContext.Current.Instance, service, null, privateDetails)));
yield break;
}
public Yield PostArchiveFilesRestore(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
// parameter parsing
PageBE destPage = null;
string to = context.GetParam("to", string.Empty);
if (to != string.Empty)
{
destPage = PageBL_GetPageFromPathSegment(false, to);
}
PageBE parentPage;
ResourceBE removedFile = GetAttachment(context, request, Permissions.NONE, true, true, out parentPage);
if (!removedFile.ResourceIsDeleted)
{
throw new AttachmentArchiveFileNotDeletedNotFoundException();
}
//Optionally move the restored file to the given page
if (null == destPage)
{
destPage = parentPage;
}
AttachmentBL.Instance.RestoreAttachment(removedFile, destPage, DateTime.UtcNow, 0);
response.Return(DreamMessage.Ok());
yield break;
}
public Yield PostFileMove(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PageBE sourcePage = null;
PageBE destPage = null;
ResourceBE fileToMove = GetAttachmentFromUrl(context, true, out sourcePage, false, false);
// parameter parsing
string name = context.GetParam("name", null);
string to = context.GetParam("to", null);
if (string.IsNullOrEmpty(name) && string.IsNullOrEmpty(to))
{
throw new AttachmentMoveInvalidArgumentException();
}
if (name == null)
{
name = fileToMove.Name;
}
destPage = to != null?PageBL_GetPageFromPathSegment(true, to) : sourcePage;
//Check if we're actually doing anything
if (sourcePage.ID == destPage.ID && fileToMove.Name.EqualsInvariant(name))
{
throw new AttachmentNotChangedInvalidOperationException(fileToMove.Name, destPage.Title.AsUserFriendlyName());
}
//Ensure write access to source and destination pages.
IList <PageBE> pList = PermissionsBL.FilterDisallowed(DekiContext.Current.User, new PageBE[] { sourcePage, destPage }, true, Permissions.UPDATE);
// perform the move
ResourceBE ret = AttachmentBL.Instance.MoveAttachment(fileToMove, sourcePage, destPage, name, true);
response.Return(DreamMessage.Ok(AttachmentBL.Instance.GetFileXml(ret, true, null, false)));
yield break;
}
private static IList <CommentBE> ApplyPermissionFilter(IList <CommentBE> comments)
{
var ret = new List <CommentBE>();
//Collect page ids
var pageids = comments.Select(e => e.PageId);
//Determine pages to filter out due to perms
IEnumerable <ulong> filteredOutPages;
PermissionsBL.FilterDisallowed(DekiContext.Current.User, pageids, false, out filteredOutPages, Permissions.READ);
//Hash filtered out pageids
var filteredOutPagesHash = new Dictionary <ulong, object>();
foreach (ulong f in filteredOutPages)
{
filteredOutPagesHash[f] = null;
}
//Remove filtered out comments
foreach (CommentBE c in comments)
{
if (!filteredOutPagesHash.ContainsKey(c.PageId))
{
ret.Add(c);
}
}
return(ret);
}
public Yield PostUserAuth(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
uint serviceId = context.GetParam <uint>("authprovider", 0);
bool altPassword;
//This will internally fail with a 501 response if credentials are invalid.
//Anonymous accounts (no credentials/authtoken) are not allowed -> 401
UserBE u = SetContextAndAuthenticate(request, serviceId, context.Verb == Verb.POST, false, true, out altPassword);
PermissionsBL.CheckUserAllowed(u, Permissions.LOGIN);
string token = AuthBL.CreateAuthTokenForUser(u);
try {
PageBL.CreateUserHomePage(DekiContext.Current.User);
} catch { }
XUri redirectUri = XUri.TryParse(context.GetParam("redirect", null));
DreamMessage ret = BuildSetAuthTokenResponse(token, redirectUri);
DekiContext.Current.Instance.EventSink.UserLogin(DekiContext.Current.Now, DekiContext.Current.User);
//TODO Max: Set a response header or status to indicate that an alt password was used.
response.Return(ret);
yield break;
}
public Yield GetUsers(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
// TODO (steveb): add 'emailfilter' and use it to obsolete 'usernameemailfilter'; 'usernamefilter', 'fullnamefilter', and 'emailfilter'
// should be OR'ed together when they are present.
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.READ);
uint totalCount;
uint queryCount;
var users = UserBL.GetUsersByQuery(context, null, out totalCount, out queryCount);
XDoc result = new XDoc("users");
result.Attr("count", users.Count());
result.Attr("querycount", queryCount);
result.Attr("totalcount", totalCount);
result.Attr("href", DekiContext.Current.ApiUri.At("users"));
bool verbose = context.GetParam <bool>("verbose", true);
foreach (UserBE u in users)
{
if (verbose)
{
result.Add(UserBL.GetUserXmlVerbose(u, null, Utils.ShowPrivateUserInfo(u), true, true));
}
else
{
result.Add(UserBL.GetUserXml(u, null, Utils.ShowPrivateUserInfo(u)));
}
}
response.Return(DreamMessage.Ok(result));
yield break;
}
private static XDoc AppendBanXml(XDoc doc, BanBE ban)
{
UserBE createdBy = UserBL.GetUserById(ban.ByUserId);
doc.Attr("id", ban.Id);
doc.Attr("href", DekiContext.Current.ApiUri.At("site", "bans", ban.Id.ToString()));
if (createdBy != null)
{
doc.Add(UserBL.GetUserXml(createdBy, "createdby", Utils.ShowPrivateUserInfo(createdBy)));
}
doc.Elem("date.modified", ban.LastEdit);
doc.Elem("description", ban.Reason);
doc.Elem("date.expires", ban.Expires);
doc.Add(PermissionsBL.GetPermissionXml(ban.RevokeMask, "revoked"));
doc.Start("ban.addresses");
if (ban.BanAddresses != null)
{
foreach (string address in ban.BanAddresses)
{
doc.Elem("address", address);
}
}
doc.End();
doc.Start("ban.users");
if (ban.BanUserIds != null)
{
var banUsers = DbUtils.CurrentSession.Users_GetByIds(ban.BanUserIds);
foreach (UserBE u in banUsers)
{
doc.Add(UserBL.GetUserXml(u, null, Utils.ShowPrivateUserInfo(createdBy)));
}
}
doc.End();
return(doc);
}
private static BanBE ReadBanXml(XDoc doc)
{
BanBE b = new BanBE();
b.BanAddresses = new List <string>();
b.BanUserIds = new List <uint>();
try {
b.Reason = doc["description"].AsText;
b.RevokeMask = PermissionsBL.MaskFromPermissionList(PermissionsBL.PermissionListFromString(doc["permissions.revoked/operations"].AsText ?? string.Empty));
b.LastEdit = DateTime.UtcNow;
b.Expires = doc["date.expires"].AsDate;
b.ByUserId = DekiContext.Current.User.ID;
foreach (XDoc val in doc["ban.addresses/address"])
{
if (!val.IsEmpty)
{
b.BanAddresses.Add(val.AsText);
}
}
foreach (XDoc val in doc["ban.users/user"])
{
uint?id = val["@id"].AsUInt;
if (id != null)
{
b.BanUserIds.Add(id ?? 0);
}
}
} catch (ResourcedMindTouchException) {
throw;
} catch (Exception x) {
throw new MindTouchInvalidOperationException(x.Message, x);
}
return(b);
}
public Yield GetFiles(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.READ);
uint skip = context.GetParam <uint>("skip", 0);
uint numfiles = 100;
string numfilesStr = context.GetParam("numfiles", numfiles.ToString());
if (StringUtil.EqualsInvariantIgnoreCase(numfilesStr, "ALL"))
{
numfiles = uint.MaxValue;
}
else
{
if (!uint.TryParse(numfilesStr, out numfiles))
{
throw new AttachmentCannotParseNumFilesInvalidArgumentException();
}
}
IList <ResourceBE> files = AttachmentBL.Instance.RetrieveAttachments(skip, numfiles);
XDoc ret = AttachmentBL.Instance.GetFileXml(files, false, null, null, null);
response.Return(DreamMessage.Ok(ret));
yield break;
}
private IList <PageBE> GetTaggedPages(TagBE tag)
{
IList <ulong> pageIds = _session.Tags_GetPageIds(tag.Id);
IList <PageBE> pages = PageBL.GetPagesByIdsPreserveOrder(pageIds);
return(PermissionsBL.FilterDisallowed(_user, pages, false, Permissions.BROWSE));
}
public static XDoc GetGroupXmlVerbose(GroupBE group, string relation)
{
XDoc groupXml = GetGroupXml(group, relation);
ServiceBE authService = ServiceBL.GetServiceById(group.ServiceId);
if (authService != null)
{
groupXml.Add(ServiceBL.GetServiceXml(authService, "authentication"));
}
groupXml.Start("users");
if (group.UserIdsList != null)
{
groupXml.Attr("count", group.UserIdsList.Length);
}
groupXml.Attr("href", DekiContext.Current.ApiUri.At("groups", group.Id.ToString(), "users"));
groupXml.End();
//Permissions for the group
RoleBE role = PermissionsBL.GetRoleById(group.RoleId);
groupXml.Add(PermissionsBL.GetRoleXml(role, "group"));
return(groupXml);
}
public Yield GetArchivePageSubpages(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
XDoc responseXml = PageArchiveBL.GetArchivedSubPagesXml(context.GetParam <uint>("pageid"));
response.Return(DreamMessage.Ok(responseXml));
yield break;
}
public Yield GetSiteRole(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
RoleBE role = GetRoleFromUrl();
XDoc ret = PermissionsBL.GetRoleXml(role, null);
response.Return(DreamMessage.Ok(ret));
yield break;
}
public Yield GetArchivePageContents(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
DreamMessage ret = PageArchiveBL.BuildDeletedPageContents(context.GetParam <uint>("pageid"));
response.Return(ret);
yield break;
}
public Yield GetBan(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
BanBE ban = GetBanFromRequest(context, context.GetParam <uint>("banid"));
response.Return(DreamMessage.Ok(BanningBL.GetBanXml(ban)));
yield break;
}
public Yield GetSiteStatus(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.UPDATE);
var status = new XDoc("status")
.Elem("state", DekiContext.Current.Instance.Status);
response.Return(DreamMessage.Ok(status));
yield break;
}
public Yield PostBans(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
BanBE ban = BanningBL.SaveBan(request.ToDocument());
DekiContext.Current.Instance.EventSink.BanCreated(DekiContext.Current.Now, ban);
response.Return(DreamMessage.Ok(BanningBL.GetBanXml(ban)));
yield break;
}
public Yield GetSiteOperations(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
XDoc ret = new XDoc("operations");
ret.Attr("href", DekiContext.Current.ApiUri.At("site", "operations"));
ret.Value(string.Join(",", PermissionsBL.PermissionsToArray(ulong.MaxValue)));
response.Return(DreamMessage.Ok(ret));
yield break;
}
public Yield GetGroup(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.READ);
GroupBE group = GetGroupFromUrl();
DreamMessage responseMsg = DreamMessage.Ok(GroupBL.GetGroupXmlVerbose(group, null));
response.Return(responseMsg);
yield break;
}
public Yield PostGroupUsers(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
GroupBE group = GetGroupFromUrl();
group = GroupBL.AddGroupMembers(group, request.ToDocument());
response.Return(DreamMessage.Ok(GroupBL.GetGroupXmlVerbose(group, null)));
yield break;
}
private static void ParseGroupXml(XDoc groupDoc, out uint?id, out string name, out ServiceBE authService, out RoleBE role, out UserBE[] userList)
{
name = groupDoc["groupname"].AsText ?? groupDoc["name"].AsText;
string authserviceidstr = groupDoc["service.authentication/@id"].AsText;
string rolestr = groupDoc["permissions.group/role"].AsText;
authService = null;
role = null;
id = null;
if (!groupDoc["@id"].IsEmpty)
{
uint id_temp;
if (!uint.TryParse(groupDoc["@id"].Contents, out id_temp))
{
throw new GroupIdAttributeInvalidArgumentException();
}
id = id_temp;
}
if (!string.IsNullOrEmpty(authserviceidstr))
{
uint serviceid;
if (!uint.TryParse(authserviceidstr, out serviceid))
{
throw new ServiceAuthIdAttrInvalidArgumentException();
}
authService = ServiceBL.GetServiceById(serviceid);
if (authService == null)
{
throw new ServiceDoesNotExistInvalidArgumentException(serviceid);
}
}
if (!string.IsNullOrEmpty(rolestr))
{
role = PermissionsBL.GetRoleByName(rolestr);
if (role == null)
{
throw new RoleDoesNotExistInvalidArgumentException(rolestr);
}
}
else
{
role = PermissionsBL.RetrieveDefaultRoleForNewAccounts();
}
if (!groupDoc["users"].IsEmpty)
{
userList = ReadUserListXml(groupDoc["users"]);
}
else
{
userList = new UserBE[] { }
};
}
public Yield DeleteGroup(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
GroupBE group = GetGroupFromUrl();
DbUtils.CurrentSession.Groups_Delete(group.Id);
response.Return(DreamMessage.Ok());
yield break;
}
public Yield GetArchiveFiles(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
IList <ResourceBE> removedFiles = AttachmentBL.Instance.GetDeletedAttachments(null, null);
XDoc responseXml = AttachmentBL.Instance.GetFileXml(removedFiles, true, "archive", null, null);
response.Return(DreamMessage.Ok(responseXml));
yield break;
}
public Yield GetArchive(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
XDoc ret = new XDoc("archive");
ret.Start("pages.archive").Attr("href", DekiContext.Current.ApiUri.At("archive", "pages")).End();
ret.Start("files.archive").Attr("href", DekiContext.Current.ApiUri.At("archive", "files")).End();
response.Return(DreamMessage.Ok(ret));
yield break;
}
public Yield DeleteGroupUser(DreamContext context, DreamMessage request, Result <DreamMessage> response)
{
PermissionsBL.CheckUserAllowed(DekiContext.Current.User, Permissions.ADMIN);
GroupBE group = GetGroupFromUrl();
UserBE user = GetUserFromUrlMustExist();
group = GroupBL.RemoveGroupMember(group, user);
response.Return(DreamMessage.Ok(GroupBL.GetGroupXmlVerbose(group, null)));
yield break;
}
