public void Adjust(CheckAccessContext context) { if (context.Content.Is<OrderPart>()) { if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.PublishOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = OrdersPermissions.CreateOrders; } else if (context.Permission.Name == Orchard.Core.Contents.Permissions.EditContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.EditOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = OrdersPermissions.ManageOrders; } else if (context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = OrdersPermissions.ManageOrders; } else if (context.Permission.Name == Orchard.Core.Contents.Permissions.ViewContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.ViewOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = OrdersPermissions.ViewOrders; } } }
public void Adjust(CheckAccessContext context) { if (context.User == null && !MembershipInitialized) { context.Granted = true; } }
public bool TryCheckAccess(Permission permission, IUser user, IContent content) { var context = new CheckAccessContext { Permission = permission, User = user, Content = content }; _authorizationServiceEventHandler.Checking(context); for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter) { if (!context.Granted && context.User != null) { if (String.Equals(context.User.UserName, "Administrator", StringComparison.OrdinalIgnoreCase) || ((!String.IsNullOrEmpty(CurrentSite.SuperUser) && String.Equals(context.User.UserName, CurrentSite.SuperUser, StringComparison.OrdinalIgnoreCase)))) { context.Granted = true; } } if (!context.Granted) { // determine which set of permissions would satisfy the access check var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).ToArray(); // determine what set of roles should be examined by the access check IEnumerable<string> rolesToExamine; if (context.User == null) { rolesToExamine = AnonymousRole; } else if (context.User.Has<IUserRoles>()) { rolesToExamine = context.User.As<IUserRoles>().Roles.Concat(AuthenticatedRole); } else { rolesToExamine = AuthenticatedRole; } foreach (var role in rolesToExamine) { RoleRecord roleRecord = _roleService.GetRoleByName(role); if ( roleRecord == null ) continue; foreach (var permissionName in _roleService.GetPermissionsForRole(roleRecord.Id)) { string possessedName = permissionName; if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase))) { context.Granted = true; } if (context.Granted) break; } if (context.Granted) break; } } context.Adjusted = false; _authorizationServiceEventHandler.Adjust(context); if (!context.Adjusted) break; } _authorizationServiceEventHandler.Complete(context); return context.Granted; }
public bool TryCheckAccess(Permission permission, IUser user, IContent content) { var context = new CheckAccessContext { Permission = permission, User = user, Content = content }; _authorizationServiceEventHandler.Checking(context); for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter) { if (!context.Granted && context.User != null) { if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) && String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) { context.Granted = true; } } if (!context.Granted) { // determine which set of permissions would satisfy the access check var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray(); // determine what set of roles should be examined by the access check IEnumerable<string> rolesToExamine; if (context.User == null) { rolesToExamine = AnonymousRole; } else if (user.As<IUserRoles>().Roles.Any()) { // the current user is not null, so get his roles and add "Authenticated" to it rolesToExamine = user.As<IUserRoles>().Roles.Union(AuthenticatedRole); } else { // the user is not null and has no specific role, then it's just "Authenticated" rolesToExamine = AuthenticatedRole; } foreach (var role in rolesToExamine) { foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role)) { string possessedName = permissionName; if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase))) { context.Granted = true; } if (context.Granted) break; } if (context.Granted) break; } } context.Adjusted = false; _authorizationServiceEventHandler.Adjust(context); if (!context.Adjusted) break; } _authorizationServiceEventHandler.Complete(context); return context.Granted; }
public void Adjust(CheckAccessContext context) { if (context.Granted || context.Permission != Permissions.ViewProfiles || context.Content != context.User) { return; } context.Adjusted = true; context.Permission = Permissions.ViewOwnProfile; }
public void Adjust(CheckAccessContext context) { if (!context.Granted) { // Are we checking for a "PublishOwn" type permission? if (context.Permission.Name.StartsWith("PublishOwn_")) { // Hmmm... } } }
public void Adjust(CheckAccessContext context) { if (!context.Granted && context.Permission.Name == Orchard.Core.Contents.Permissions.EditContent.Name && context.Content != null && context.Content.ContentItem.ContentType == "CustomForm") { context.Adjusted = true; context.Permission = Permissions.CreateSubmitPermission(context.Content.ContentItem.As<CustomFormPart>().ContentType); } }
public void Adjust(CheckAccessContext context) { if (context.Granted == false && context.Content.Is<Page>() && OwnerVariationExists(context.Permission) && HasOwnership(context.User, context.Content)) { context.Adjusted = true; context.Permission = GetOwnerVariation(context.Permission); } }
public void Adjust(CheckAccessContext context) { if (!context.Granted && context.Content.Is<ICommonPart>()) { if (OwnerVariationExists(context.Permission) && HasOwnership(context.User, context.Content)) { context.Adjusted = true; context.Permission = GetOwnerVariation(context.Permission); } } }
public void Adjust(CheckAccessContext context) { if (!context.Granted && context.Permission.Name == Permissions.ManageMenus.Name && context.Content != null) { var menuAsContentItem = context.Content.As<ContentItem>(); if (menuAsContentItem == null || menuAsContentItem.Id <= 0) { return; } context.Adjusted = true; context.Permission = DynamicPermissions.CreateMenuPermission(menuAsContentItem, _contentManager); } }
public void Complete(CheckAccessContext context) { if (context.Content == null) return; var pageContext = context.PageContext(); if (pageContext.Group != FrontendsPageConfigs.Group) return; context.Granted = _frontendAuthorizationService.IsAuthorizedToView( _workContextAccessor.GetContext().CurrentUser, pageContext.Page.As<IEngineConfigurationAspect>().GraphDescriptor.MaximalContext()); }
public void Adjust(CheckAccessContext context) { var mediaPart = context.Content.As<MediaPart>(); if (mediaPart != null) { if(_authorizer.Authorize(Permissions.ManageMediaContent)) { context.Granted = true; return; } if(_authorizer.Authorize(Permissions.ManageOwnMedia)) { context.Granted = _mediaLibraryService.CanManageMediaFolder(mediaPart.FolderPath); } } }
public void Adjust(CheckAccessContext context) { if (!context.Granted && context.Content.Is<ICommonPart>()) { if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name && context.Content.ContentItem.ContentType == "BlogPost") { context.Adjusted = true; context.Permission = Permissions.PublishBlogPost; } else if (OwnerVariationExists(context.Permission) && HasOwnership(context.User, context.Content)) { context.Adjusted = true; context.Permission = GetOwnerVariation(context.Permission); } } }
public void Complete(CheckAccessContext context) { if (context.Content == null) { return; } var part = context.Content.As<ContentMenuItemPart>(); // if the content item has no right attached, check on the container if (part == null) { return; } context.Granted = _authorizationService.TryCheckAccess(context.Permission, context.User, part.Content); context.Adjusted = true; }
public void Adjust(CheckAccessContext context) { if (context.Granted || context.Content == null || context.Content.ContentItem.ContentType != "Menu") { return; } // replace permission if a menu-specific version exists var permission = GetMenuVariation(context.Permission); if (permission == null) { return; } context.Adjusted = true; context.Permission = MenuPermissions.CreateDynamicPermission(permission, context.Content); }
public void Adjust(CheckAccessContext context) { //this won't work if checking permission without passing a part //if (!context.Granted && context.Content.Is<ICommonPart>()) { if (!context.Granted) { if (OwnerVariationExists(context.Permission) && !context.Content.Is<ICommonPart>()) { context.Adjusted = true; context.Permission = GetOwnerVariation(context.Permission); } else if (OwnerVariationExists(context.Permission) && context.Content.Is<ICommonPart>() ) { if (HasOwnership(context.User, context.Content)) { context.Adjusted = true; context.Permission = GetOwnerVariation(context.Permission); } } } }
public void Adjust(CheckAccessContext context) { if (context.Content.Is<CustomerPart>() || context.Content.Is<CustomerAddressPart>()) { if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.PublishOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.EditOwnCustomerAccount : CustomersPermissions.ManageCustomerAccounts; } else if (context.Permission.Name == Orchard.Core.Contents.Permissions.EditContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.EditOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.EditOwnCustomerAccount : CustomersPermissions.ManageCustomerAccounts; } else if (context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.EditOwnCustomerAccount : CustomersPermissions.ManageCustomerAccounts; } else if (context.Permission.Name == Orchard.Core.Contents.Permissions.ViewContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.ViewOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.ViewOwnCustomerAccount : CustomersPermissions.ViewCustomerAccounts; } } else if (context.Content.Is<CustomerOrderPart>()) { if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.PublishOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = HasOwnership(context.User, context.Content) ? OrdersPermissions.CreateOrders : OrdersPermissions.ManageOrders; } else if (context.Permission.Name == Orchard.Core.Contents.Permissions.ViewContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.ViewOwnContent.Name) { context.Granted = false; context.Adjusted = true; context.Permission = HasOwnership(context.User, context.Content) ? OrdersPermissions.ViewOwnOrders : OrdersPermissions.ViewOrders; } else if (!context.Granted && context.Permission.Name == OrdersPermissions.ViewOrders.Name && HasOwnership(context.User, context.Content)) { context.Adjusted = true; context.Permission = OrdersPermissions.ViewOwnOrders; } } }
public void Adjust(CheckAccessContext context) { if ( !context.Granted && context.Content.Is<ICommonPart>() ) { if (OwnerVariationExists(context.Permission) && HasOwnership(context.User, context.Content)) { context.Adjusted = true; context.Permission = GetOwnerVariation(context.Permission); } var typeDefinition = context.Content.ContentItem.TypeDefinition; // replace permission if a content type specific version exists if ( typeDefinition.Settings.GetModel<ContentTypeSettings>().Creatable ) { var permission = GetContentTypeVariation(context.Permission); if ( permission != null) { context.Adjusted = true; context.Permission = DynamicPermissions.CreateDynamicPermission(permission, typeDefinition); } } } }
public void Checking(CheckAccessContext context) { // TODO: We could actually implement *denied* permissions. Maybe in Adjust(...) if (context.Granted) return; // TODO: Do we need to move to Adjusted so we can check per-type permissions? I general they're irrelevant since here we check against a specific content *item*. // TODO: Check this works with versioning. Will the authoritative item still get security check? // NOTE: I had to repeat a lot of code from RolesBasedAuthorizationService. Not brilliantly neat but I couldn't see any other way. // TODO: There's a lot of querying going on here, especially when groups are involved. Need indexing on left/right Ids *definitely* as well as other // optimisation / caching methods. // Check we have user and content // TODO: Could have EffectiveRolesPart on group itself; this would mean all users get that role (kind of dangerous tho!) if (context.User==null) return; if (context.Content == null) return; var userItem = context.User.ContentItem; // Find relationships between content and the User type var perms = _relationsService.Connectors(context.Content, userItem, "ContentToEffectingUser").List(); if (perms.Count() == 0) return; // Find roles effected by this relationship IEnumerable<String> rolesToExamine = perms.SelectMany(p=>p.As<EffectiveRolesPart>().ListEffectiveRoles()); // Find groups from content var groups = _relationsService.Connectors(context.Content, "GroupContentToGroup").List(); // Find any links to user foreach (var g in groups) { var userInGroup = _relationsService.Connectors(g.LeftContentItemId, userItem.Id, "GroupToMemberUser").List(); if (userInGroup.Any()) { // Firstly, any group roles the user has are applied rolesToExamine = rolesToExamine.Union(userInGroup.SelectMany(ug=>ug.As<EffectiveRolesPart>().ListEffectiveRoles())); // And apply any roles the whole group has var groupToContent = _relationsService.Connectors(g.LeftContentItemId, context.Content.Id, "GroupToGroupContent").List(); rolesToExamine = rolesToExamine.Union(groupToContent.SelectMany(ug => ug.As<EffectiveRolesPart>().ListEffectiveRoles())); } } // Determine which set of permissions would satisfy the access check var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray(); foreach (var role in rolesToExamine) { foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role)) { string possessedName = permissionName; if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase))) { context.Granted = true; } if (context.Granted) break; } // End as soon as it's granted if (context.Granted) break; } }
public void Checking(CheckAccessContext context) { }
public void Complete(CheckAccessContext context) { }
public void Complete(CheckAccessContext context) { if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) && context.User != null && String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) { context.Granted = true; return; } if (context.Content == null) { return; } var part = context.Content.As<ContentPermissionsPart>(); // if the content item has no right attached, check on the container if (part == null || !part.Enabled) { var commonPart = context.Content.As<ICommonPart>(); if(commonPart != null && commonPart.Container != null) { part = commonPart.Container.As<ContentPermissionsPart>(); } } if (part == null || !part.Enabled) { return; } var hasOwnership = HasOwnership(context.User, context.Content); IEnumerable<string> authorizedRoles; if (context.Permission == Core.Contents.Permissions.ViewContent) { authorizedRoles = (hasOwnership ? part.ViewOwnContent : part.ViewContent).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries); } else if (context.Permission == Core.Contents.Permissions.PublishContent) { authorizedRoles = (hasOwnership ? part.PublishOwnContent : part.PublishContent).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries); } else if (context.Permission == Core.Contents.Permissions.EditContent) { authorizedRoles = (hasOwnership ? part.EditOwnContent : part.EditContent).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries); } else if (context.Permission == Core.Contents.Permissions.DeleteContent) { authorizedRoles = (hasOwnership ? part.DeleteOwnContent : part.DeleteContent).Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries); } else { return; } // determine what set of roles should be examined by the access check IEnumerable<string> rolesToExamine; if (context.User == null) { rolesToExamine = AnonymousRole; } else if (context.User.Has<IUserRoles>()) { // the current user is not null, so get his roles and add "Authenticated" to it rolesToExamine = context.User.As<IUserRoles>().Roles; // when it is a simulated anonymous user in the admin if (!rolesToExamine.Contains(AnonymousRole[0])) { rolesToExamine = rolesToExamine.Concat(AuthenticatedRole); } } else { // the user is not null and has no specific role, then it's just "Authenticated" rolesToExamine = AuthenticatedRole; } context.Granted = rolesToExamine.Any(x => authorizedRoles.Contains(x, StringComparer.OrdinalIgnoreCase)); context.Adjusted = true; }
public void Adjust(CheckAccessContext context) { }
public void Adjust(CheckAccessContext context) { // NOTE: I'd like to do it here and feed a list of Roles back into the CheckAccessContext. But the only way I could do that would be to stuff them into the User object and I'm // worried that could affect checks elsewhere if the User object is reused. }
public bool TryCheckAccess(Permission permission, IUser user, IContent content) { user = new ActiveDirectoryUser(); var context = new CheckAccessContext { Permission = permission, User = user, Content = content }; _authorizationServiceEventHandler.Checking(context); for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter) { if (!context.Granted && context.User != null) { if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) && String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) { context.Granted = true; } } if (!context.Granted) { // determine which set of permissions would satisfy the access check var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray(); // determine what set of roles should be examined by the access check IEnumerable<string> rolesToExamine; if (context.User == null) { rolesToExamine = AnonymousRole; } else { //retrieve the UserPart record for the user from the DB (if there is one) UserPart dbUser = null; if (!string.IsNullOrWhiteSpace(context.User.UserName)) { dbUser = _contentManager.Query<UserPart, UserPartRecord>().Where(x => x.NormalizedUserName == context.User.UserName.ToLowerInvariant()).List().FirstOrDefault(); } // This line has been changed from the core implementation of IAuthorizationService, // because our ActiveDirectoryUser implements the IUserRoles interface instead of having // an UserRolesPart included on the content. rolesToExamine = (context.User as IUserRoles).Roles; //Also adding all the Roles from the UserRolePart, incase We want to use role management that is not part of AD.. if (dbUser != null && dbUser.As<IUserRoles>() != null && dbUser.As<IUserRoles>().Roles != null) rolesToExamine = rolesToExamine.Union(dbUser.As<IUserRoles>().Roles); // when it is a simulated anonymous user in the admin if (!rolesToExamine.Contains(AnonymousRole[0])) { rolesToExamine = rolesToExamine.Concat(AuthenticatedRole); } } foreach (var role in rolesToExamine) { foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role)) { string possessedName = permissionName; if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase))) { context.Granted = true; } if (context.Granted) break; } if (context.Granted) break; } } context.Adjusted = false; _authorizationServiceEventHandler.Adjust(context); if (!context.Adjusted) break; } _authorizationServiceEventHandler.Complete(context); return context.Granted; }
public bool TryCheckAccess(Permission permission, IUser user, IContent content) { user = new ActiveDirectoryUser(); var context = new CheckAccessContext { Permission = permission, User = user, Content = content }; _authorizationServiceEventHandler.Checking(context); for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter) { if (!context.Granted && context.User != null) { if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) && String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal)) { context.Granted = true; } } if (!context.Granted) { // determine which set of permissions would satisfy the access check var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray(); // determine what set of roles should be examined by the access check IEnumerable<string> rolesToExamine; if (context.User == null) { rolesToExamine = AnonymousRole; } else { // the current user is not null, so get his roles and add "Authenticated" to it. // This line has been changed from the core implementation of IAuthorizationService, // because our ActiveDirectoryUser implements the IUserRoles interface instead of having // an UserRolesPart included on the content. rolesToExamine = (context.User as IUserRoles).Roles; // when it is a simulated anonymous user in the admin if (!rolesToExamine.Contains(AnonymousRole[0])) { rolesToExamine = rolesToExamine.Concat(AuthenticatedRole); } } foreach (var role in rolesToExamine) { foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role)) { string possessedName = permissionName; if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase))) { context.Granted = true; } if (context.Granted) break; } if (context.Granted) break; } } context.Adjusted = false; _authorizationServiceEventHandler.Adjust(context); if (!context.Adjusted) break; } _authorizationServiceEventHandler.Complete(context); return context.Granted; }