/// <summary>
/// Verifies that the session identified by <paramref name="sessionToken"/> holds
/// <paramref name="permission"/>, either on the named project or, when no project is
/// named, on the server itself. Returns normally when access is allowed and throws
/// when it is not.
/// </summary>
/// <param name="sessionToken">The session to check.</param>
/// <param name="projectName">The project the permission is for; null or empty selects the server-level check.</param>
/// <param name="permission">The permission being checked.</param>
/// <param name="eventType">The event type for audit logging; when it has no value, no audit event is written.</param>
/// <exception cref="SecurityException">The project was found but has no security configured.</exception>
/// <exception cref="NoSuchProjectException">No integrator or project was found for <paramref name="projectName"/>.</exception>
/// <exception cref="PermissionDeniedException">The resolved user does not hold the permission.</exception>
/// <exception cref="SessionInvalidException">A session is required, no user could be resolved, and the default right is not Allow.</exception>
private void CheckSecurity(string sessionToken, string projectName, SecurityPermission permission, SecurityEvent? eventType)
{
    // Session-override bypass (marked as a hack by the original author): a token equal to
    // SecurityOverride.SessionIdentifier skips every check below, including all audit logging.
    // NOTE(review): this is an ordinary string comparison and the bypass leaves no trace;
    // confirm the override identifier can never be presented by a remote caller.
    if (sessionToken == SecurityOverride.SessionIdentifier)
    {
        return;
    }

    bool serverLevel = string.IsNullOrEmpty(projectName);
    IProjectAuthorisation projectSecurity = null;
    bool sessionNeeded = securityManager.RequiresSession;
    string account = securityManager.GetUserName(sessionToken);
    string label = securityManager.GetDisplayName(sessionToken, null) ?? account;

    if (!serverLevel)
    {
        IProjectIntegrator integrator = GetIntegrator(projectName);

        if ((integrator == null) || (integrator.Project == null))
        {
            // Couldn't find the requested project
            // NOTE(review): projectName is presumably caller-supplied and is written to the log as-is.
            string notFound = string.Format(CultureInfo.CurrentCulture, "project not found {0}", projectName);
            Log.Error(notFound);
            if (eventType.HasValue)
            {
                securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, notFound);
            }

            throw new NoSuchProjectException(projectName);
        }

        if (integrator.Project.Security == null)
        {
            // The project exists but carries no security settings - treated as an application error
            string noSecurity = string.Format(CultureInfo.CurrentCulture, "Security not found for project {0}", projectName);
            Log.Error(noSecurity);
            if (eventType.HasValue)
            {
                securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, noSecurity);
            }

            throw new SecurityException(noSecurity);
        }

        // Project found and secured: its own settings decide whether a session is needed.
        projectSecurity = integrator.Project.Security;
        sessionNeeded = projectSecurity.RequiresSession(securityManager);

        // A caller without a resolved user name is evaluated as the project's guest account,
        // so that any rights given to the guest can still be checked.
        if (string.IsNullOrEmpty(account))
        {
            account = projectSecurity.GuestAccountName;
        }
    }

    if (sessionNeeded && (account == null))
    {
        // A session is required but no user was resolved: only the default right can allow this.
        if (securityManager.GetDefaultRight(permission) == SecurityRight.Allow)
        {
            // NOTE(review): this grant is written to the debug log only; no audit event is recorded.
            Log.Debug(string.Format(CultureInfo.CurrentCulture, "{3} [{0}] has been granted {1} permission on '{2}'", account, permission, projectName, label));
            return;
        }

        // Tell the user that the session is unknown
        // NOTE(review): the submitted token is written verbatim to the log and the audit event;
        // treat both as sensitive, or confirm a rejected token has no value elsewhere.
        string invalidSession = string.Format(CultureInfo.CurrentCulture, "Session with token '{0}' is not valid", sessionToken);
        Log.Warning(invalidSession);
        if (eventType.HasValue)
        {
            securityManager.LogEvent(projectName, null, eventType.Value, SecurityRight.Deny, invalidSession);
        }

        throw new SessionInvalidException();
    }

    // NOTE(review): only null counts as "no user" above; at server level an empty, non-null
    // name reaches the permission check - confirm GetUserName returns null for unknown sessions.
    if (serverLevel)
    {
        // Checking server-level security
        if (securityManager.CheckServerPermission(account, permission))
        {
            string granted = string.Format(CultureInfo.CurrentCulture, "{2} [{0}] has been granted {1} permission at the server", account, permission, label);
            Log.Debug(granted);
            if (eventType.HasValue)
            {
                securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Allow, granted);
            }

            return;
        }

        string denied = string.Format(CultureInfo.CurrentCulture, "{2} [{0}] has been denied {1} permission at the server", account, permission, label);
        Log.Warning(denied);
        if (eventType.HasValue)
        {
            securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, denied);
        }

        throw new PermissionDeniedException(permission.ToString());
    }

    // Checking project-level security; the server's default right is handed to the project check.
    bool allowedOnProject = projectSecurity.CheckPermission(securityManager, account, permission, securityManager.GetDefaultRight(permission));
    if (allowedOnProject)
    {
        Log.Debug(string.Format(CultureInfo.CurrentCulture, "{3} [{0}] has been granted {1} permission on '{2}'", account, permission, projectName, label));
        if (eventType.HasValue)
        {
            // The project-level grant is audited without a message text.
            securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Allow, null);
        }

        return;
    }

    string deniedOnProject = string.Format(CultureInfo.CurrentCulture, "{3} [{0}] has been denied {1} permission on '{2}'", account, permission, projectName, label);
    Log.Warning(deniedOnProject);
    if (eventType.HasValue)
    {
        securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, deniedOnProject);
    }

    throw new PermissionDeniedException(permission.ToString());
}
/// <summary>
/// Verifies that the session identified by <paramref name="sessionToken"/> holds
/// <paramref name="permission"/>, either on the named project or, when no project is
/// named, on the server itself.
/// </summary>
/// <param name="sessionToken">The session to check.</param>
/// <param name="projectName">The project the permission is for; null or empty selects the server-level check.</param>
/// <param name="permission">The permission being checked.</param>
/// <param name="eventType">The event type for audit logging; when it has no value, no audit event is written.</param>
/// <returns>
/// The display name resolved for the session (falling back to the user name) when the
/// permission is allowed, or an empty string when access is allowed only by the default
/// right because no user could be resolved.
/// </returns>
/// <exception cref="SecurityException">The project was found but has no security configured.</exception>
/// <exception cref="NoSuchProjectException">No integrator or project was found for <paramref name="projectName"/>.</exception>
/// <exception cref="PermissionDeniedException">The resolved user does not hold the permission.</exception>
/// <exception cref="SessionInvalidException">A session is required, no user could be resolved, and the default right is not Allow.</exception>
private string CheckSecurity(string sessionToken, string projectName, SecurityPermission permission, SecurityEvent? eventType)
{
    bool serverLevel = string.IsNullOrEmpty(projectName);
    IProjectAuthorisation projectSecurity = null;
    bool sessionNeeded = securityManager.RequiresSession;
    string account = securityManager.GetUserName(sessionToken);
    string label = securityManager.GetDisplayName(sessionToken, null) ?? account;

    if (!serverLevel)
    {
        IProjectIntegrator integrator = GetIntegrator(projectName);

        if ((integrator == null) || (integrator.Project == null))
        {
            // Couldn't find the requested project
            // NOTE(review): projectName is presumably caller-supplied and is written to the log as-is.
            string notFound = string.Format("project not found {0}", projectName);
            Log.Error(notFound);
            if (eventType.HasValue)
            {
                securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, notFound);
            }

            throw new NoSuchProjectException(projectName);
        }

        if (integrator.Project.Security == null)
        {
            // The project exists but carries no security settings - treated as an application error
            string noSecurity = string.Format("Security not found for project {0}", projectName);
            Log.Error(noSecurity);
            if (eventType.HasValue)
            {
                securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, noSecurity);
            }

            throw new SecurityException(noSecurity);
        }

        // Project found and secured: its own settings decide whether a session is needed.
        projectSecurity = integrator.Project.Security;
        sessionNeeded = projectSecurity.RequiresSession(securityManager);
    }

    if (sessionNeeded && (account == null))
    {
        // A session is required but no user was resolved: only the default right can allow this.
        if (securityManager.GetDefaultRight(permission) == SecurityRight.Allow)
        {
            // NOTE(review): this grant is written to the debug log only; no audit event is recorded.
            Log.Debug(string.Format("{3} [{0}] has been granted {1} permission on '{2}'", account, permission, projectName, label));
            return string.Empty;
        }

        // Tell the user that the session is unknown
        // NOTE(review): the submitted token is written verbatim to the log and the audit event;
        // treat both as sensitive, or confirm a rejected token has no value elsewhere.
        string invalidSession = string.Format("Session with token '{0}' is not valid", sessionToken);
        Log.Warning(invalidSession);
        if (eventType.HasValue)
        {
            securityManager.LogEvent(projectName, null, eventType.Value, SecurityRight.Deny, invalidSession);
        }

        throw new SessionInvalidException();
    }

    // NOTE(review): only null counts as "no user" above; an empty, non-null name reaches the
    // permission checks below - confirm GetUserName returns null for unknown sessions.
    if (serverLevel)
    {
        // Checking server-level security
        if (securityManager.CheckServerPermission(account, permission))
        {
            string granted = string.Format("{2} [{0}] has been granted {1} permission at the server", account, permission, label);
            Log.Debug(granted);
            if (eventType.HasValue)
            {
                securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Allow, granted);
            }

            return label;
        }

        string denied = string.Format("{2} [{0}] has been denied {1} permission at the server", account, permission, label);
        Log.Warning(denied);
        if (eventType.HasValue)
        {
            securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, denied);
        }

        throw new PermissionDeniedException(permission.ToString());
    }

    // Checking project-level security; the server's default right is handed to the project check.
    bool allowedOnProject = projectSecurity.CheckPermission(securityManager, account, permission, securityManager.GetDefaultRight(permission));
    if (allowedOnProject)
    {
        Log.Debug(string.Format("{3} [{0}] has been granted {1} permission on '{2}'", account, permission, projectName, label));
        if (eventType.HasValue)
        {
            // The project-level grant is audited without a message text.
            securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Allow, null);
        }

        return label;
    }

    string deniedOnProject = string.Format("{3} [{0}] has been denied {1} permission on '{2}'", account, permission, projectName, label);
    Log.Warning(deniedOnProject);
    if (eventType.HasValue)
    {
        securityManager.LogEvent(projectName, account, eventType.Value, SecurityRight.Deny, deniedOnProject);
    }

    throw new PermissionDeniedException(permission.ToString());
}