/// <summary>
/// Checks whether the extension of <paramref name="fileName"/> is acceptable for this site.
/// Two gates are applied in order: the site's own allowed-extension list, then the shared
/// check for known risky extensions. A file type has to pass both to be accepted.
/// </summary>
/// <param name="fileName">File name (including its extension) to check.</param>
/// <param name="preparedException">
/// A ready-to-throw not-allowed-file-type exception stating which gate rejected the file,
/// or null when the extension is accepted.
/// </param>
/// <returns>True when the extension passes both gates, false otherwise.</returns>
internal bool ExtensionIsOk(string fileName, out HttpExceptionAbstraction preparedException)
{
    // Gate 1: the site allow-list. Anything not on it is rejected before the risk check runs.
    var allowedBySite = SiteAllowsExtension(fileName);
    if (!allowedBySite)
    {
        preparedException = HttpException.NotAllowedFileType(fileName, "Not in whitelisted CMS file types.");
        return false;
    }

    // Gate 2: known risky extensions are rejected even if the site allow-list would accept them.
    var isRisky = AdamSecurityCheckHelpers.IsKnownRiskyExtension(fileName);
    if (isRisky)
    {
        preparedException = HttpException.NotAllowedFileType(fileName, "This is a known risky file type.");
        return false;
    }

    preparedException = null;
    return true;
}
/// <summary>
/// Initializes the object and performs all the initial security checks.
/// The sequence is deliberate: context and permissions are set up, the item/field identifiers
/// are recorded (unless working on the portal root), the security helper is built from this
/// object, and only then are the root-access gate, the feature gate and the per-field
/// file-type gate applied.
/// </summary>
/// <param name="context">App context; its AppState provides the app id and is handed to the permission checks.</param>
/// <param name="contentType">Content-type name of the item being worked on; may be empty.</param>
/// <param name="fieldName">Field of that content type; may be empty.</param>
/// <param name="entityGuid">Guid of the item; only recorded when not using the portal root.</param>
/// <param name="usePortalRoot">True to work on the site root instead of an item/field folder.</param>
/// <param name="parentLog">Log this object's log is linked to.</param>
/// <returns>This instance, for chaining.</returns>
/// <remarks>
/// Throws (via the helpers called below) when a restricted user accesses the portal root,
/// when a restricted user lacks the features in FeaturesForRestrictedUsers, or when the
/// field's file-type rules reject the access. Note that when either <paramref name="contentType"/>
/// or <paramref name="fieldName"/> is empty the method returns before the per-field file-type
/// check, so that check is not applied in that case.
/// </remarks>
public virtual AdamState Init(IContextOfApp context, string contentType, string fieldName, Guid entityGuid, bool usePortalRoot, ILog parentLog)
{
    Log.LinkTo(parentLog);
    var currentAppId = context.AppState.AppId;
    var wrapLog = Log.Call<AdamState>($"app: {context.AppState.Show()}, field:{fieldName}, guid:{entityGuid}");

    Context = context;
    Permissions = ServiceProvider.Build<MultiPermissionsTypes>()
        .Init(context, context.AppState, contentType, Log);

    // Item/field identifiers are only recorded when really accessing that item;
    // on the portal root they stay unset so no item-level state is attached to root access.
    UseSiteRoot = usePortalRoot;
    if (!usePortalRoot)
    {
        ItemField = fieldName;
        ItemGuid = entityGuid;
    }

    // The security helper is initialized with this object, so it is built after the state above
    // is in place (presumably it reads that state - verify in AdamSecurityChecksBase).
    Security = ServiceProvider.Build<AdamSecurityChecksBase>().Init(this, usePortalRoot, Log);

    // Gate 1: restricted users may not work on the portal root at all.
    AdamSecurityCheckHelpers.ThrowIfAccessingRootButNotAllowed(usePortalRoot, Security.UserIsRestricted);

    // Gate 2: restricted users additionally need the relevant features enabled.
    Log.Add("check if feature enabled");
    var restrictedUserLacksFeatures = Security.UserIsRestricted
                                      && !Eav.Configuration.Features.Enabled(FeaturesForRestrictedUsers);
    if (restrictedUserLacksFeatures)
    {
        throw HttpException.PermissionDenied(
            $"low-permission users may not access this - {Eav.Configuration.Features.MsgMissingSome(FeaturesForRestrictedUsers)}");
    }

    // Without a content type and field there is no field definition to look up;
    // this early return also skips the per-field file-type gate below.
    var hasFieldInfo = !string.IsNullOrEmpty(contentType) && !string.IsNullOrEmpty(fieldName);
    if (!hasFieldInfo)
    {
        return wrapLog(null, this);
    }

    Attribute = Definition(currentAppId, contentType, fieldName);

    // Gate 3: the field's file-type rules must allow this access.
    if (!Security.FileTypeIsOkForThisField(out var fileTypeError))
    {
        throw fileTypeError;
    }

    return wrapLog(null, this);
}
/// <summary>
/// Decides whether the current user may act on <paramref name="path"/>: a user who is not
/// restricted always may; a restricted user only when the destination lies inside the item
/// folder identified by the current <see cref="AdamState"/> (its ItemGuid / ItemField).
/// </summary>
/// <param name="path">Destination path to check.</param>
/// <param name="preparedException">
/// Whatever the in-item check prepares when it runs (a ready-to-throw exception on failure);
/// null when the check is skipped for an unrestricted user.
/// </param>
/// <returns>True when access is permitted, false when a restricted user targets a path outside the item folder.</returns>
internal bool SuperUserOrAccessingItemFolder(string path, out HttpExceptionAbstraction preparedException)
{
    preparedException = null;

    // Unrestricted users bypass the folder check entirely; the in-item check is not run for them.
    if (!UserIsRestricted)
    {
        return true;
    }

    // Restricted users are confined to the folder of the item/field they are working on.
    return AdamSecurityCheckHelpers.DestinationIsInItem(AdamState.ItemGuid, AdamState.ItemField, path, out preparedException);
}