public static void SetHyperLink(string adminSectionPageId, string querystring, HyperLink hyperlink) { AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId); string url = (adminSectionPage == null) ? "#" : string.Format("{0}{1}", adminSectionPage.Url, querystring); hyperlink.NavigateUrl = url; }
public static void SetHyperLink(User user, string adminSectionPageId, string querystring, HyperLink hyperlink) { AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageById(adminSectionPageId); if (adminSectionPage == null) { hyperlink.Visible = false; } else { hyperlink.Visible = SecurityManager.UserHasAccess(user, adminSectionPage); hyperlink.NavigateUrl = string.Format("{0}{1}", adminSectionPage.Url, querystring); } }
/// <summary> /// Checks if the user has access to the requested path. /// This method is the 'big kahuna', and does various security checks. It's main /// purpose is to ensure that the admin area pages are correctly restricted, and it /// ensures that upload users and brand admins cannot access entities to /// which their role does not have permission (ie. those outside their brand). /// </summary> /// <param name="user">The user requesting access</param> /// <param name="path">The path to which access is being requested</param> /// <returns>[True] if user can access path. Otherwise [False].</returns> public static bool UserHasAccess(User user, Uri path) { // Turn the path into a relative one (eg. /AppVirtualDir/Admin/Default.aspx -> ~/Admin/Default.aspx) string relativePath = VirtualPathUtility.ToAppRelative(path.AbsolutePath).ToLower(); // Always allow NeatUpload stuff through if (relativePath.StartsWith("~/neatupload/")) { return(true); } // Login and registration pages open to all. Admin homepage open to // any user belonging to any role greater than normal. switch (relativePath) { case "~/login.aspx": case "~/register.aspx": case "~/changepassword.aspx": case "~/reactivate.aspx": case "~/viewcontactsheet.aspx": case "~/popups/termsconditions.aspx": case "~/popups/privacypolicy.aspx": return(true); case "~/admin/default.aspx": return(user.UserRoleId > Convert.ToInt32(UserRole.Normal)); } // Allow access to non-existent pages so we can redirect to 404 if (!File.Exists(HttpContext.Current.Server.MapPath(relativePath))) { return(true); } // Everything from here on needs a user if (user.IsNull) { return(false); } // Ensure that the asset popup can only be viewed by authorised users if (relativePath.StartsWith("~/popups/assetinfo.aspx")) { int assetId = GetQuerystringValue(path.Query, "assetId", -1); if (assetId != -1) { Asset asset = Asset.Get(assetId); if (asset.IsNull || !EntitySecurityManager.CanViewAssetInfo(user, asset)) { return(false); } HttpContext.Current.Items.Add("Asset", asset); } } if (relativePath.StartsWith("~/admin/")) { // Get the admin section page by the URL AdminSectionPage adminSectionPage = AdminNavigationManager.GetAdminSectionPageByUrl(relativePath); // Ensure that we found it in the admin page list if (adminSectionPage == null) { throw new SystemException(string.Format("Unknown admin page: '{0}'. Please check AdminNavigation.Config", relativePath)); } // Ensure that the page being accessed is available to the user role. // No point continuing if their role is too weak if (!adminSectionPage.UserRoleList.Contains(user.UserRole)) { return(false); } // Do role specific processing, as some roles can access pages, but // only when editing certain entities - ie. a Brand Admin can // access the user pages, but only when managing users from their own // brand. Here, we check the querystring for values, get the // matching entity, and then ensure that it's from the same BU as // the requesting user. if (user.UserRole == UserRole.SuperAdministrator) { return(true); } if (user.UserRole == UserRole.Normal) { throw new SecurityException("Access to admin area denied"); } if (GeneralUtils.ValueIsInList(user.UserRole, UserRole.BrandAdministrator, UserRole.UploadUser)) { // Assume page is okay, as querystring might be blank bool ok = true; // Check for user ID, and if it exists, ensure the user // can be accessed by the requesting user int userId = GetQuerystringValue(path.Query, "userId", -1); if (userId != -1) { User u = User.Get(userId); if (user.IsNull || !EntitySecurityManager.CanManageUser(user, u)) { ok = false; } else { HttpContext.Current.Items.Add("User", u); } } // Check for asset Id, and if it exists, ensure the // asset can be accessed by the requesting user if (ok) { int assetId = GetQuerystringValue(path.Query, "assetId", -1); if (assetId != -1) { Asset asset = Asset.Get(assetId); if (asset.IsNull || !EntitySecurityManager.CanManageAsset(user, asset)) { ok = false; } else { HttpContext.Current.Items.Add("Asset", asset); } } } // Check for AssetWorkflowId, and if it exists, ensure the // AssetWorkflow can be accessed by the requesting user if (ok) { int assetWorkflowId = GetQuerystringValue(path.Query, "assetWorkflowId", -1); if (assetWorkflowId != -1) { AssetWorkflow assetWorkflow = AssetWorkflow.Get(assetWorkflowId); if (assetWorkflow.IsNull || !EntitySecurityManager.CanParticipateInAssetWorkflow(user, assetWorkflow)) { ok = false; } else { HttpContext.Current.Items.Add("AssetWorkflow", assetWorkflow); } } } return(ok); } throw new SecurityException("Unable to check permissions for user role: " + user.UserRole); } return(true); }