yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4069fc8d1fe77d908d9b04edfceda841b70274c3
Umbraco-CMS/src/Umbraco.Web/Security/WebSecurity.cs

388 lines
16 KiB
C#
Raw Normal View History

Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
using System;
using System.Collections.Generic;
Working on the password changer control to present the correct inputs based on the membership provider given.... nearly there.
2013-10-17 22:40:38 +11:00
using System.ComponentModel.DataAnnotations;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
using System.Linq;
using System.Web;
using System.Web.Security;
using Umbraco.Core;
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
using Umbraco.Core.Cache;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
using Umbraco.Core.Logging;
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
using Umbraco.Core.Security;
Working on the password changer control to present the correct inputs based on the membership provider given.... nearly there.
2013-10-17 22:40:38 +11:00
using Umbraco.Web.Models;
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
using umbraco;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
using umbraco.BusinessLogic;
using umbraco.DataLayer;
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
using umbraco.businesslogic.Exceptions;
Added method to WebSecurity to validate members, updated routes for umbraco api controllers
2013-02-27 00:19:48 +06:00
using umbraco.cms.businesslogic.member;
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
using GlobalSettings = Umbraco.Core.Configuration.GlobalSettings;
using UmbracoSettings = Umbraco.Core.Configuration.UmbracoSettings;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
namespace Umbraco.Web.Security
{
/// <summary>
publicizes MembershipHelper and exposes it on the various base classes: SurfaceController, UmbracoApiController and UmbracoUserControl as the property "Members", will add more helper methods.
2014-01-28 16:58:55 +11:00
/// A utility class used for dealing with USER security in Umbraco
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
/// </summary>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
public class WebSecurity
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
Added method to WebSecurity to validate members, updated routes for umbraco api controllers
2013-02-27 00:19:48 +06:00
/// <summary>
/// Returns true or false if the currently logged in member is authorized based on the parameters provided
/// </summary>
/// <param name="allowAll"></param>
/// <param name="allowTypes"></param>
/// <param name="allowGroups"></param>
/// <param name="allowMembers"></param>
/// <returns></returns>
publicizes MembershipHelper and exposes it on the various base classes: SurfaceController, UmbracoApiController and UmbracoUserControl as the property "Members", will add more helper methods.
2014-01-28 16:58:55 +11:00
[Obsolete("Use MembershipHelper.IsMemberAuthorized instead")]
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
public bool IsMemberAuthorized(
Added method to WebSecurity to validate members, updated routes for umbraco api controllers
2013-02-27 00:19:48 +06:00
bool allowAll = false,
IEnumerable<string> allowTypes = null,
IEnumerable<string> allowGroups = null,
IEnumerable<int> allowMembers = null)
{
publicizes MembershipHelper and exposes it on the various base classes: SurfaceController, UmbracoApiController and UmbracoUserControl as the property "Members", will add more helper methods.
2014-01-28 16:58:55 +11:00
if (HttpContext.Current == null || ApplicationContext.Current == null)
Added method to WebSecurity to validate members, updated routes for umbraco api controllers
2013-02-27 00:19:48 +06:00
{
publicizes MembershipHelper and exposes it on the various base classes: SurfaceController, UmbracoApiController and UmbracoUserControl as the property "Members", will add more helper methods.
2014-01-28 16:58:55 +11:00
return false;
Added method to WebSecurity to validate members, updated routes for umbraco api controllers
2013-02-27 00:19:48 +06:00
}
publicizes MembershipHelper and exposes it on the various base classes: SurfaceController, UmbracoApiController and UmbracoUserControl as the property "Members", will add more helper methods.
2014-01-28 16:58:55 +11:00
var helper = new MembershipHelper(ApplicationContext.Current, new HttpContextWrapper(HttpContext.Current));
return helper.IsMemberAuthorized(allowAll, allowTypes, allowGroups, allowMembers);
Added method to WebSecurity to validate members, updated routes for umbraco api controllers
2013-02-27 00:19:48 +06:00
}
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
/// <summary>
/// Gets the SQL helper.
/// </summary>
/// <value>The SQL helper.</value>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
private ISqlHelper SqlHelper
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
get { return Application.SqlHelper; }
}
private const long TicksPrMinute = 600000000;
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
private static readonly int UmbracoTimeOutInMinutes = GlobalSettings.TimeOutInMinutes;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
private User _currentUser;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
/// <summary>
/// Gets the current user.
/// </summary>
/// <value>The current user.</value>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
/// <remarks>
/// This is internal because we don't want to expose the legacy User object on this class, instead we'll wait until IUser
/// is public. If people want to reference the current user, they can reference it from the UmbracoContext.
/// </remarks>
internal User CurrentUser
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
get
{
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
//only load it once per instance!
return _currentUser ?? (_currentUser = User.GetCurrent());
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
}
/// <summary>
/// Logs a user in.
/// </summary>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
/// <param name="userId">The user Id</param>
public void PerformLogin(int userId)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
var retVal = Guid.NewGuid();
SqlHelper.ExecuteNonQuery(
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
"insert into umbracoUserLogins (contextID, userID, timeout) values (@contextId,'" + userId + "','" +
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
(DateTime.Now.Ticks + (TicksPrMinute * UmbracoTimeOutInMinutes)) +
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
"') ",
SqlHelper.CreateParameter("@contextId", retVal));
UmbracoUserContextId = retVal.ToString();
Fixes an issue with WebSecurity logout
2013-07-31 11:10:33 +10:00
LogHelper.Info<WebSecurity>("User Id: {0} logged in", () => userId);
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
/// <summary>
/// Clears the current login for the currently logged in user
/// </summary>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
public void ClearCurrentLogin()
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
// Added try-catch in case login doesn't exist in the database
// Either due to old cookie or running multiple sessions on localhost with different port number
try
{
SqlHelper.ExecuteNonQuery(
"DELETE FROM umbracoUserLogins WHERE contextId = @contextId",
SqlHelper.CreateParameter("@contextId", UmbracoUserContextId));
}
catch (Exception ex)
{
Fixes an issue with WebSecurity logout
2013-07-31 11:10:33 +10:00
LogHelper.Error<WebSecurity>(string.Format("Login with contextId {0} didn't exist in the database", UmbracoUserContextId), ex);
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
Fixes an issue with WebSecurity logout
2013-07-31 11:10:33 +10:00
//this clears the cookie
UmbracoUserContextId = "";
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
public void RenewLoginTimeout()
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
// only call update if more than 1/10 of the timeout has passed
SqlHelper.ExecuteNonQuery(
"UPDATE umbracoUserLogins SET timeout = @timeout WHERE contextId = @contextId",
SqlHelper.CreateParameter("@timeout", DateTime.Now.Ticks + (TicksPrMinute * UmbracoTimeOutInMinutes)),
SqlHelper.CreateParameter("@contextId", UmbracoUserContextId));
}
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
/// <summary>
/// Validates credentials for a back office user
/// </summary>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns></returns>
internal bool ValidateBackOfficeCredentials(string username, string password)
{
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
var membershipProvider = Membership.Providers[UmbracoSettings.DefaultBackofficeProvider];
return membershipProvider != null && membershipProvider.ValidateUser(username, password);
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
}
Moved ChangePassword method to MembershipHelper and makes it public, adds an overload.
2014-02-10 14:29:29 +11:00
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
/// <summary>
/// Validates the user node tree permissions.
/// </summary>
/// <param name="umbracoUser"></param>
/// <param name="path">The path.</param>
/// <param name="action">The action.</param>
/// <returns></returns>
internal bool ValidateUserNodeTreePermissions(User umbracoUser, string path, string action)
{
var permissions = umbracoUser.GetPermissions(path);
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
if (permissions.IndexOf(action, StringComparison.Ordinal) > -1 && (path.Contains("-20") || ("," + path + ",").Contains("," + umbracoUser.StartNodeId + ",")))
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
return true;
var user = umbracoUser;
LogHelper.Info<WebSecurity>("User {0} has insufficient permissions in UmbracoEnsuredPage: '{1}', '{2}', '{3}'", () => user.Name, () => path, () => permissions, () => action);
return false;
}
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
/// <summary>
/// Validates the current user to see if they have access to the specified app
/// </summary>
/// <param name="app"></param>
/// <returns></returns>
internal bool ValidateUserApp(string app)
{
//if it is empty, don't validate
if (app.IsNullOrWhiteSpace())
{
return true;
}
fixes issue with legacy user.Password property and fixes comparison of sections
2014-02-13 17:19:28 +11:00
return CurrentUser.Applications.Any(uApp => uApp.alias.InvariantEquals(app));
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
}
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
internal void UpdateLogin(long timeout)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
// only call update if more than 1/10 of the timeout has passed
if (timeout - (((TicksPrMinute * UmbracoTimeOutInMinutes) * 0.8)) < DateTime.Now.Ticks)
SqlHelper.ExecuteNonQuery(
"UPDATE umbracoUserLogins SET timeout = @timeout WHERE contextId = @contextId",
SqlHelper.CreateParameter("@timeout", DateTime.Now.Ticks + (TicksPrMinute * UmbracoTimeOutInMinutes)),
SqlHelper.CreateParameter("@contextId", UmbracoUserContextId));
}
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
internal long GetTimeout(string umbracoUserContextId)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
return ApplicationContext.Current.ApplicationCache.GetCacheItem(
CacheKeys.UserContextTimeoutCacheKey + umbracoUserContextId,
new TimeSpan(0, UmbracoTimeOutInMinutes / 10, 0),
() => GetTimeout(true));
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
internal long GetTimeout(bool byPassCache)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
if (UmbracoSettings.KeepUserLoggedIn)
RenewLoginTimeout();
if (byPassCache)
{
return SqlHelper.ExecuteScalar<long>("select timeout from umbracoUserLogins where contextId=@contextId",
SqlHelper.CreateParameter("@contextId", new Guid(UmbracoUserContextId))
);
}
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
return GetTimeout(UmbracoUserContextId);
}
/// <summary>
/// Gets the user id.
/// </summary>
/// <param name="umbracoUserContextId">The umbraco user context ID.</param>
/// <returns></returns>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
public int GetUserId(string umbracoUserContextId)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
//need to parse to guid
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
Guid guid;
if (Guid.TryParse(umbracoUserContextId, out guid) == false)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
return -1;
}
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
var id = ApplicationContext.Current.ApplicationCache.GetCacheItem(
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
CacheKeys.UserContextCacheKey + umbracoUserContextId,
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
new TimeSpan(0, UmbracoTimeOutInMinutes / 10, 0),
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
() => SqlHelper.ExecuteScalar<int?>(
"select userID from umbracoUserLogins where contextID = @contextId",
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
SqlHelper.CreateParameter("@contextId", guid)));
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
if (id == null)
return -1;
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
return id.Value;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
/// <summary>
/// Validates the user context ID.
/// </summary>
/// <param name="currentUmbracoUserContextId">The umbraco user context ID.</param>
/// <returns></returns>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
public bool ValidateUserContextId(string currentUmbracoUserContextId)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
if ((currentUmbracoUserContextId != ""))
{
int uid = GetUserId(currentUmbracoUserContextId);
long timeout = GetTimeout(currentUmbracoUserContextId);
if (timeout > DateTime.Now.Ticks)
{
return true;
}
Fixes: #U4-2042 - ensures users cannot continue to user the back office after they've been disabled and ensures that the user context cache is cleared when users are saved which will work in LB environments. Changes more HttpRuntime.Cache dependencies to ApplicationContext.Current.ApplicationCache.
2013-04-04 02:11:31 +06:00
var user = User.GetUser(uid);
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
LogHelper.Info(typeof(WebSecurity), "User {0} (Id:{1}) logged out", () => user.Name, () => user.Id);
}
return false;
}
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
/// <summary>
/// Validates the current user
/// </summary>
/// <param name="httpContext"></param>
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
/// <param name="throwExceptions">set to true if you want exceptions to be thrown if failed</param>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
/// <returns></returns>
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
internal ValidateRequestAttempt ValidateCurrentUser(HttpContextBase httpContext, bool throwExceptions = false)
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
{
if (UmbracoUserContextId != "")
{
var uid = GetUserId(UmbracoUserContextId);
var timeout = GetTimeout(UmbracoUserContextId);
if (timeout > DateTime.Now.Ticks)
{
var user = User.GetUser(uid);
// Check for console access
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
if (user.Disabled || (user.NoConsole && GlobalSettings.RequestIsInUmbracoApplication(httpContext) && GlobalSettings.RequestIsLiveEditRedirector(httpContext) == false))
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
{
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
if (throwExceptions) throw new ArgumentException("You have no priviledges to the umbraco console. Please contact your administrator");
return ValidateRequestAttempt.FailedNoPrivileges;
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
}
UpdateLogin(timeout);
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
return ValidateRequestAttempt.Success;
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
}
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
if (throwExceptions) throw new ArgumentException("User has timed out!!");
return ValidateRequestAttempt.FailedTimedOut;
}
if (throwExceptions) throw new InvalidOperationException("The user has no umbraco contextid - try logging in");
return ValidateRequestAttempt.FailedNoContextId;
}
/// <summary>
/// Authorizes the full request, checks for SSL and validates the current user
/// </summary>
/// <param name="httpContext"></param>
/// <param name="throwExceptions">set to true if you want exceptions to be thrown if failed</param>
/// <returns></returns>
internal ValidateRequestAttempt AuthorizeRequest(HttpContextBase httpContext, bool throwExceptions = false)
{
// check for secure connection
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
if (GlobalSettings.UseSSL && httpContext.Request.IsSecureConnection == false)
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
{
Fix MemberAuthorizeAttribute for UmbracoApiControllers
2013-04-15 12:18:40 -02:00
if (throwExceptions) throw new UserAuthorizationException("This installation requires a secure connection (via SSL). Please update the URL to include https://");
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
return ValidateRequestAttempt.FailedNoSsl;
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
}
Updates authorized web services/http handlers to use WebSecurity and implements the new base class properties available in 6.1. Updates WebSecurity with a few more helpful methods.
2013-04-09 22:11:12 +06:00
return ValidateCurrentUser(httpContext, throwExceptions);
}
/// <summary>
/// Checks if the specified user as access to the app
/// </summary>
/// <param name="app"></param>
/// <param name="user"></param>
/// <returns></returns>
internal bool UserHasAppAccess(string app, User user)
{
return user.Applications.Any(uApp => uApp.alias == app);
}
/// <summary>
/// Checks if the specified user by username as access to the app
/// </summary>
/// <param name="app"></param>
/// <param name="username"></param>
/// <returns></returns>
internal bool UserHasAppAccess(string app, string username)
{
var uid = User.getUserId(username);
if (uid < 0) return false;
var usr = User.GetUser(uid);
if (usr == null) return false;
return UserHasAppAccess(app, usr);
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
}
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
/// <summary>
/// Gets or sets the umbraco user context ID.
/// </summary>
/// <value>The umbraco user context ID.</value>
Refactors the WebSecurity class to not be static and be part of the UmbracoContext. Makes a few methods internal on it so that it's not relying on the legacy User class. Cleans up the new BasePage and EnsuredUmbracoPage
2013-04-04 23:30:17 +06:00
public string UmbracoUserContextId
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
{
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
get
{
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
var authTicket = HttpContext.Current.GetUmbracoAuthTicket();
if (authTicket == null)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
return "";
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
var identity = authTicket.CreateUmbracoIdentity();
if (identity == null)
{
HttpContext.Current.UmbracoLogout();
return "";
}
return identity.UserContextId;
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
set
{
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
if (value.IsNullOrWhiteSpace())
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
HttpContext.Current.UmbracoLogout();
}
else
{
var uid = GetUserId(value);
if (uid == -1)
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
{
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
HttpContext.Current.UmbracoLogout();
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
else
{
Fixes: U4-2577 Can't save umbraco user - without re-filling in the password Fixes: U4-541 Wrong dictionary key when using in backend template names This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
2013-08-02 15:16:04 +10:00
var user = User.GetUser(uid);
HttpContext.Current.CreateUmbracoAuthTicket(
new UserData
{
Id = uid,
AllowedApplications = user.Applications.Select(x => x.alias).ToArray(),
Culture = ui.Culture(user),
RealName = user.Name,
Roles = new string[] { user.UserType.Alias },
StartContentNode = user.StartNodeId,
StartMediaNode = user.StartMediaId,
UserContextId = value,
Username = user.LoginName
});
Working on #U4-1358 - moving Base page classes to their correct location/assembly. Migrated all installation webforms files and associated helper files to their correct locations/namespaces/assemblies and obsoleted all of the old ones and ensure the old webforms files don't exist where the obsoleted ones were. Fixes a security issue with the installer ajax service (used to be p.aspx, now is InstallerRestService.aspx)
2013-02-03 05:06:11 +06:00
}
}
}
}
}
}
Reference in New Issue Copy Permalink