/// <summary>
/// Decides whether a file name's extension is acceptable for upload/handling.
/// The decision is purely name-based: the whitelist check
/// (<see cref="SecurityChecks.IsAllowedDnnExtension"/>) runs first, and only a
/// whitelisted name is additionally screened against the known-risky list
/// (<see cref="SecurityChecks.IsKnownRiskyExtension"/>). Nothing here inspects file contents.
/// </summary>
/// <param name="fileName">The file name to check; only its extension matters to the checks called here.</param>
/// <param name="preparedException">
/// On rejection, a ready-to-throw "not allowed file type" response built by <c>Http.NotAllowedFileType</c>
/// carrying the reason; <c>null</c> when the name is accepted.
/// </param>
/// <returns><c>true</c> if the extension passes both checks, otherwise <c>false</c>.</returns>
public bool ExtensionIsOk(string fileName, out HttpResponseException preparedException)
{
    // Resolve the first failing check to its reason text; the risky-list check
    // is only reached for names that passed the whitelist, same as before.
    string denialReason = null;
    if (!SecurityChecks.IsAllowedDnnExtension(fileName))
    {
        denialReason = "Not in whitelisted CMS file types.";
    }
    else if (SecurityChecks.IsKnownRiskyExtension(fileName))
    {
        denialReason = "This is a known risky file type.";
    }

    if (denialReason != null)
    {
        preparedException = Http.NotAllowedFileType(fileName, denialReason);
        return false;
    }

    preparedException = null;
    return true;
}
/// <summary>
/// Initializes the object and performs all the initial security checks.
/// The checks run in a fixed order and each failing one throws before any
/// later state is prepared: root-access check, feature check for restricted
/// users, then (only when a content type and field are given) the per-field
/// file-type check.
/// </summary>
/// <param name="sxcInstance">Instance context, passed through to the base constructor.</param>
/// <param name="appId">App id, passed to the base constructor and to <c>Definition</c>.</param>
/// <param name="contentType">Content type of the item; if empty, the per-field file-type check is skipped.</param>
/// <param name="field">Field being accessed; if empty, the per-field file-type check is skipped.</param>
/// <param name="guid">Guid of the item being accessed.</param>
/// <param name="usePortalRoot">True when accessing the portal root instead of an item's folder.</param>
/// <param name="log">Logger, passed through to the base constructor.</param>
/// <exception cref="HttpResponseException">
/// Thrown when a restricted user lacks the required features, or when the field's
/// file-type check fails; <c>SecurityChecks.ThrowIfAccessingRootButNotAllowed</c>
/// is also expected to throw for disallowed root access (declared elsewhere — confirm).
/// </exception>
public AdamSecureState(SxcInstance sxcInstance, int appId, string contentType, string field, Guid guid, bool usePortalRoot, Log log)
    : base(sxcInstance, appId, contentType, log)
{
    // only do checks on field/guid if it's actually accessing that, if it's on the portal root, don't.
    if (!usePortalRoot)
    {
        Field = field;
        Guid = guid;
    }

    // NOTE(review): PermissionCheckers presumably comes from the base class; First()
    // throws InvalidOperationException if it is empty — assumes the base always provides at least one.
    var firstChecker = PermissionCheckers.First().Value;
    var userMayAdminSomeFiles = firstChecker.UserMay(GrantSets.WritePublished);

    // Site-wide admin rights are only recognised when the grant came from the
    // environment (global or instance), not from item-level permissions.
    UserMayAdminSiteFiles = firstChecker.GrantedBecause == ConditionType.EnvironmentGlobal
                            || firstChecker.GrantedBecause == ConditionType.EnvironmentInstance;

    // Which right is required depends on the target: root access needs site-wide
    // admin rights, item access only needs write rights on some files.
    UserIsRestricted = !(usePortalRoot ? UserMayAdminSiteFiles : userMayAdminSomeFiles);
    Log.Add($"AdamSecureState - field:{field}, guid:{guid}, adminSome:{userMayAdminSomeFiles}, restricted:{UserIsRestricted}");

    SecurityChecks.ThrowIfAccessingRootButNotAllowed(usePortalRoot, UserIsRestricted);

    // Restricted users are only served when every feature in FeaturesForRestrictedUsers is enabled.
    Log.Add("check if feature enabled");
    if (UserIsRestricted && !Feats.Enabled(FeaturesForRestrictedUsers))
    {
        throw Http.PermissionDenied(
            $"low-permission users may not access this - {Feats.MsgMissingSome(FeaturesForRestrictedUsers)}");
    }

    // Core preparation happens only after the access checks above have passed.
    PrepCore(App, guid, field, usePortalRoot);

    // Without a content type and field there is no attribute definition to check
    // against, so no per-field file-type restriction is applied here.
    if (string.IsNullOrEmpty(contentType) || string.IsNullOrEmpty(field))
    {
        return;
    }

    Attribute = Definition(appId, contentType, field);
    if (!FileTypeIsOkForThisField(out var exp))
    {
        throw exp;
    }
}
/// <summary>
/// Checks whether the current user may touch <paramref name="path"/>: unrestricted
/// users always may; restricted users only when the destination lies inside the
/// item's own folder as judged by <c>SecurityChecks.DestinationIsInItem</c>
/// using the <c>Guid</c> and <c>Field</c> captured for this instance.
/// </summary>
/// <param name="path">Destination path to validate.</param>
/// <param name="preparedException">
/// <c>null</c> for unrestricted users; for restricted users whatever
/// <c>DestinationIsInItem</c> assigns (presumably a ready-to-throw response when it returns false — declared elsewhere).
/// </param>
/// <returns><c>true</c> if the user is not restricted or the destination is inside the item folder.</returns>
public bool SuperUserOrAccessingItemFolder(string path, out HttpResponseException preparedException)
{
    preparedException = null;

    // Unrestricted users short-circuit: the destination check is never consulted for them.
    if (!UserIsRestricted)
    {
        return true;
    }

    return SecurityChecks.DestinationIsInItem(Guid, Field, path, out preparedException);
}