Security stuff

donker · donker · commit 7b1c18dcff28 · 2021-07-04T14:20:43.000+02:00
diff --git a/Server/LanguagePackManager/Common/ContextSecurity.cs b/Server/LanguagePackManager/Common/ContextSecurity.cs
@@ -13,6 +13,7 @@ public class ContextSecurity
         public bool CanView { get; set; }
         public bool CanEdit { get; set; }
         public bool IsAdmin { get; set; }
+        public bool IsTranslator { get; set; }
         private UserInfo user { get; set; }
         public int UserId
         {
@@ -41,19 +42,20 @@ public ContextSecurity(ModuleInfo objModule, UserInfo user)
             this.user = user;
             if (user.IsSuperUser)
             {
-                CanView = CanEdit = IsAdmin = true;
+                CanView = CanEdit = IsAdmin = IsTranslator = true;
             }
             else
             {
                 IsAdmin = PortalSecurity.IsInRole(PortalSettings.Current.AdministratorRoleName);
                 if (IsAdmin)
                 {
-                    CanView = CanEdit = true;
+                    CanView = CanEdit = IsTranslator = true;
                 }
                 else
                 {
                     CanView = ModulePermissionController.CanViewModule(objModule);
                     CanEdit = ModulePermissionController.HasModulePermission(objModule.ModulePermissions, "EDIT");
+                    IsTranslator = ModulePermissionController.HasModulePermission(objModule.ModulePermissions, "TRANSLATOR");
                 }
             }
         }
diff --git a/Server/LanguagePackManager/Common/LpmAuthorizeAttribute.cs b/Server/LanguagePackManager/Common/LpmAuthorizeAttribute.cs
@@ -0,0 +1,66 @@
+﻿using DotNetNuke.Common;
+using DotNetNuke.Entities.Users;
+using DotNetNuke.Instrumentation;
+using DotNetNuke.Web.Api;
+
+namespace Connect.LanguagePackManager.Presentation.Common
+{
+    public enum SecurityAccessLevel
+    {
+        Anonymous = 0,
+        Authenticated = 1,
+        View = 2,
+        Edit = 3,
+        Admin = 4,
+        Host = 5,
+        Translator = 6
+    }
+
+    public class LpmAuthorizeAttribute : AuthorizeAttributeBase, IOverrideDefaultAuthLevel
+    {
+        private static readonly ILog Logger = LoggerSource.Instance.GetLogger(typeof(LpmAuthorizeAttribute));
+        public SecurityAccessLevel SecurityLevel { get; set; }
+        public UserInfo User { get; set; }
+        public bool AllowApiKeyAccess { get; set; } = false;
+
+        public LpmAuthorizeAttribute()
+        {
+            SecurityLevel = SecurityAccessLevel.Admin;
+        }
+
+        public LpmAuthorizeAttribute(SecurityAccessLevel accessLevel)
+        {
+            SecurityLevel = accessLevel;
+        }
+
+        public override bool IsAuthorized(AuthFilterContext context)
+        {
+            Logger.Trace("IsAuthorized");
+            if (SecurityLevel == SecurityAccessLevel.Anonymous)
+            {
+                Logger.Trace("Anonymous");
+                return true;
+            }
+            User = HttpContextSource.Current.Request.IsAuthenticated ? UserController.Instance.GetCurrentUserInfo() : new UserInfo();
+            Logger.Trace("UserId " + User.UserID.ToString());
+            ContextSecurity security = new ContextSecurity(context.ActionContext.Request.FindModuleInfo(), User);
+            Logger.Trace(security.ToString());
+            switch (SecurityLevel)
+            {
+                case SecurityAccessLevel.Authenticated:
+                    return User.UserID != -1;
+                case SecurityAccessLevel.Host:
+                    return User.IsSuperUser;
+                case SecurityAccessLevel.Admin:
+                    return security.IsAdmin;
+                case SecurityAccessLevel.Edit:
+                    return security.CanEdit;
+                case SecurityAccessLevel.View:
+                    return security.CanView;
+                case SecurityAccessLevel.Translator:
+                    return security.IsTranslator;
+            }
+            return false;
+        }
+    }
+}
diff --git a/Server/LanguagePackManager/Controllers/HomeController.cs b/Server/LanguagePackManager/Controllers/HomeController.cs
@@ -6,6 +6,7 @@ namespace Connect.LanguagePackManager.Presentation.Controllers
     public class HomeController : LanguagePackManagerMvcController
     {
         [HttpGet]
+        [LpmAuthorize(SecurityLevel = SecurityAccessLevel.View)]
         public ActionResult Index()
         {
             return View();
diff --git a/Server/LanguagePackManager/Controllers/LinksController.cs b/Server/LanguagePackManager/Controllers/LinksController.cs
@@ -9,21 +9,24 @@ namespace Connect.LanguagePackManager.Presentation.Controllers
     public class LinksController : LanguagePackManagerMvcController
     {
         [HttpGet]
+        [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Edit)]
         public ActionResult Index()
         {
             return View();
         }
 
         [HttpGet]
+        [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Edit)]
         public ActionResult Edit(int linkId)
         {
             var link = PackageLinkRepository.Instance.GetPackageLink(ModuleContext.ModuleId, linkId);
-            if (link == null) link = new Core.Models.PackageLinks.PackageLink();
+            if (link == null) link = new PackageLink();
             return View(link);
         }
 
         [HttpPost]
         [ValidateAntiForgeryToken]
+        [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Edit)]
         public ActionResult Edit(int linkId, PackageLink link)
         {
             link.Name = link.Name.Trim();
diff --git a/Server/LanguagePackManager/Controllers/PacksController.cs b/Server/LanguagePackManager/Controllers/PacksController.cs
@@ -13,19 +13,15 @@ namespace Connect.LanguagePackManager.Presentation.Controllers
     public class PacksController : LanguagePackManagerMvcController
     {
         [HttpGet]
-        public ActionResult Index(string locale)
-        {
-            return View();
-        }
-
-        [HttpGet]
+        [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Translator)]
         public ActionResult Upload()
         {
             return View();
         }
 
         [HttpPost]
         [ValidateAntiForgeryToken]
+        [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Translator)]
         public ActionResult Upload(object data)
         {
             var generic = this.Request.Form["GenericLanguage"].OnOffToBool();
diff --git a/Server/LanguagePackManager/Controllers/SettingsController.cs b/Server/LanguagePackManager/Controllers/SettingsController.cs
@@ -1,12 +1,11 @@
-using DotNetNuke.Security;
 using DotNetNuke.Web.Mvc.Framework.ActionFilters;
 using Connect.LanguagePackManager.Presentation.Common;
 using System.Web.Mvc;
 using Connect.LanguagePackManager.Core.Common;
 
 namespace Connect.LanguagePackManager.Presentation.Controllers
 {
-    [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
+    [LpmAuthorize(SecurityLevel = SecurityAccessLevel.View)]
     [DnnHandleError]
     public class SettingsController : LanguagePackManagerMvcController
     {
diff --git a/Server/LanguagePackManager/Views/Home/Index.cshtml b/Server/LanguagePackManager/Views/Home/Index.cshtml
@@ -1,12 +1,45 @@
 @inherits LanguagePackManagerWebPage
-@using Connect.LanguagePackManager.Presentation.Common
+@using Connect.LanguagePackManager.Core.Common;
+@using Connect.LanguagePackManager.Core.Repositories;
+@using Connect.LanguagePackManager.Presentation.Common;
+@using System.Linq;
 @{
+  LanguagePackManagerModuleContext.AddModuleScript();
+  var knownGenericLocales = LocaleRepository.Instance.GetLocales().Where(l => l.Code.Length == 2).Select(l => l.Code).ToList();
+  var locales = System.Globalization.CultureInfo.GetCultures(System.Globalization.CultureTypes.SpecificCultures)
+      .Where(l => knownGenericLocales.Contains(l.TwoLetterISOLanguageName))
+      .Select(l => new { Key = l.Name, Value = l.ParseRegion() });
+  var genlocales = System.Globalization.CultureInfo.GetCultures(System.Globalization.CultureTypes.NeutralCultures)
+    .Where(l => knownGenericLocales.Contains(l.TwoLetterISOLanguageName))
+    .Select(l => new { Key = l.Name, Value = l.EnglishName });
+  var packageList = PackageVersionRepository.Instance.GetPackageVersions(Dnn.ModuleContext.ModuleId)
+      .Where(p => p.ContainedInPackageVersionId == null)
+      .Select(p => new { Key = p.PackageId, Value = p.FriendlyName })
+      .Distinct()
+      .OrderBy(p => p.Value);
 }
 
-<h1>LanguagePack Manager</h1>
+<h1>@Dnn.LocalizeString("LanguagePacks")</h1>
+
+<div class="connectlpm packs"
+     data-locale="@System.Threading.Thread.CurrentThread.CurrentCulture.TwoLetterISOLanguageName"
+     data-moduleid="@Dnn.ActiveModule.ModuleID"
+     data-tabid="@Dnn.ActiveModule.TabID"
+     data-portalid="@Dnn.PortalSettings.PortalId"
+     data-resources="@SerializedResources()"
+     data-security="@(Newtonsoft.Json.JsonConvert.SerializeObject(LanguagePackManagerModuleContext.Security))"
+     data-genlocales="@(Newtonsoft.Json.JsonConvert.SerializeObject(genlocales))"
+     data-locales="@(Newtonsoft.Json.JsonConvert.SerializeObject(locales))"
+     data-packages="@(Newtonsoft.Json.JsonConvert.SerializeObject(packageList))">
+</div>
 
 <div>
-  <a href="@Url.Action("Index", "Links")" class="dnnSecondaryAction">@Dnn.LocalizeString("Links")</a>
-  <a href="@Url.Action("Upload", "Packs")" class="dnnSecondaryAction">@Dnn.LocalizeString("Upload")</a>
-  <a href="@Url.Action("Index", "Packs")" class="dnnSecondaryAction">@Dnn.LocalizeString("Packs")</a>
+  @if (LanguagePackManagerModuleContext.Security.CanEdit)
+  {
+    <a href="@Url.Action("Index", "Links")" class="dnnSecondaryAction">@Dnn.LocalizeString("Links")</a>
+  }
+  @if (LanguagePackManagerModuleContext.Security.IsTranslator)
+  {
+    <a href="@Url.Action("Upload", "Packs")" class="dnnSecondaryAction">@Dnn.LocalizeString("Upload")</a>
+  }
 </div>
diff --git a/Server/LanguagePackManager/Views/Packs/Index.cshtml b/Server/LanguagePackManager/Views/Packs/Index.cshtml

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ public class ContextSecurity`
`13`	`13`	`public bool CanView { get; set; }`
`14`	`14`	`public bool CanEdit { get; set; }`
`15`	`15`	`public bool IsAdmin { get; set; }`
	`16`	`+ public bool IsTranslator { get; set; }`
`16`	`17`	`private UserInfo user { get; set; }`
`17`	`18`	`public int UserId`
`18`	`19`	`{`
`@@ -41,19 +42,20 @@ public ContextSecurity(ModuleInfo objModule, UserInfo user)`
`41`	`42`	`this.user = user;`
`42`	`43`	`if (user.IsSuperUser)`
`43`	`44`	`{`
`44`		`- CanView = CanEdit = IsAdmin = true;`
	`45`	`+ CanView = CanEdit = IsAdmin = IsTranslator = true;`
`45`	`46`	`}`
`46`	`47`	`else`
`47`	`48`	`{`
`48`	`49`	`IsAdmin = PortalSecurity.IsInRole(PortalSettings.Current.AdministratorRoleName);`
`49`	`50`	`if (IsAdmin)`
`50`	`51`	`{`
`51`		`- CanView = CanEdit = true;`
	`52`	`+ CanView = CanEdit = IsTranslator = true;`
`52`	`53`	`}`
`53`	`54`	`else`
`54`	`55`	`{`
`55`	`56`	`CanView = ModulePermissionController.CanViewModule(objModule);`
`56`	`57`	`CanEdit = ModulePermissionController.HasModulePermission(objModule.ModulePermissions, "EDIT");`
	`58`	`+ IsTranslator = ModulePermissionController.HasModulePermission(objModule.ModulePermissions, "TRANSLATOR");`
`57`	`59`	`}`
`58`	`60`	`}`
`59`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ namespace Connect.LanguagePackManager.Presentation.Controllers`
`6`	`6`	`public class HomeController : LanguagePackManagerMvcController`
`7`	`7`	`{`
`8`	`8`	`[HttpGet]`
	`9`	`+ [LpmAuthorize(SecurityLevel = SecurityAccessLevel.View)]`
`9`	`10`	`public ActionResult Index()`
`10`	`11`	`{`
`11`	`12`	`return View();`
Original file line number	Diff line number	Diff line change
`@@ -9,21 +9,24 @@ namespace Connect.LanguagePackManager.Presentation.Controllers`
`9`	`9`	`public class LinksController : LanguagePackManagerMvcController`
`10`	`10`	`{`
`11`	`11`	`[HttpGet]`
	`12`	`+ [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Edit)]`
`12`	`13`	`public ActionResult Index()`
`13`	`14`	`{`
`14`	`15`	`return View();`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`[HttpGet]`
	`19`	`+ [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Edit)]`
`18`	`20`	`public ActionResult Edit(int linkId)`
`19`	`21`	`{`
`20`	`22`	`var link = PackageLinkRepository.Instance.GetPackageLink(ModuleContext.ModuleId, linkId);`
`21`		`- if (link == null) link = new Core.Models.PackageLinks.PackageLink();`
	`23`	`+ if (link == null) link = new PackageLink();`
`22`	`24`	`return View(link);`
`23`	`25`	`}`
`24`	`26`
`25`	`27`	`[HttpPost]`
`26`	`28`	`[ValidateAntiForgeryToken]`
	`29`	`+ [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Edit)]`
`27`	`30`	`public ActionResult Edit(int linkId, PackageLink link)`
`28`	`31`	`{`
`29`	`32`	`link.Name = link.Name.Trim();`
Original file line number	Diff line number	Diff line change
`@@ -13,19 +13,15 @@ namespace Connect.LanguagePackManager.Presentation.Controllers`
`13`	`13`	`public class PacksController : LanguagePackManagerMvcController`
`14`	`14`	`{`
`15`	`15`	`[HttpGet]`
`16`		`- public ActionResult Index(string locale)`
`17`		`- {`
`18`		`- return View();`
`19`		`- }`
`20`		`-`
`21`		`- [HttpGet]`
	`16`	`+ [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Translator)]`
`22`	`17`	`public ActionResult Upload()`
`23`	`18`	`{`
`24`	`19`	`return View();`
`25`	`20`	`}`
`26`	`21`
`27`	`22`	`[HttpPost]`
`28`	`23`	`[ValidateAntiForgeryToken]`
	`24`	`+ [LpmAuthorize(SecurityLevel = SecurityAccessLevel.Translator)]`
`29`	`25`	`public ActionResult Upload(object data)`
`30`	`26`	`{`
`31`	`27`	`var generic = this.Request.Form["GenericLanguage"].OnOffToBool();`
Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,11 @@`
`1`		`-using DotNetNuke.Security;`
`2`	`1`	`using DotNetNuke.Web.Mvc.Framework.ActionFilters;`
`3`	`2`	`using Connect.LanguagePackManager.Presentation.Common;`
`4`	`3`	`using System.Web.Mvc;`
`5`	`4`	`using Connect.LanguagePackManager.Core.Common;`
`6`	`5`
`7`	`6`	`namespace Connect.LanguagePackManager.Presentation.Controllers`
`8`	`7`	`{`
`9`		`- [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]`
	`8`	`+ [LpmAuthorize(SecurityLevel = SecurityAccessLevel.View)]`
`10`	`9`	`[DnnHandleError]`
`11`	`10`	`public class SettingsController : LanguagePackManagerMvcController`
`12`	`11`	`{`