Merge pull request #1099 from ONLYOFFICE/bugfix/room-admin-permissions
Bugfix/room admin permissions
This commit is contained in:
commit
7d0cc5a396
@ -40,6 +40,7 @@ public sealed class Role : IRole
|
|||||||
public string AuthenticationType => "ASC";
|
public string AuthenticationType => "ASC";
|
||||||
public bool IsAuthenticated => false;
|
public bool IsAuthenticated => false;
|
||||||
|
|
||||||
|
public string Key => ID.ToString();
|
||||||
|
|
||||||
public Role(Guid id, string name)
|
public Role(Guid id, string name)
|
||||||
{
|
{
|
||||||
|
@ -26,4 +26,4 @@
|
|||||||
|
|
||||||
namespace ASC.Common.Security.Authorizing;
|
namespace ASC.Common.Security.Authorizing;
|
||||||
|
|
||||||
public interface IRole : ISubject { }
|
public interface IRole : ISubject, IRuleData { }
|
||||||
|
32
common/ASC.Common/Security/RuleData.cs
Normal file
32
common/ASC.Common/Security/RuleData.cs
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
// (c) Copyright Ascensio System SIA 2010-2022
|
||||||
|
//
|
||||||
|
// This program is a free software product.
|
||||||
|
// You can redistribute it and/or modify it under the terms
|
||||||
|
// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
|
||||||
|
// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
|
||||||
|
// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
|
||||||
|
// any third-party rights.
|
||||||
|
//
|
||||||
|
// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
|
||||||
|
// of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For details, see
|
||||||
|
// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
|
||||||
|
//
|
||||||
|
// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
|
||||||
|
//
|
||||||
|
// The interactive user interfaces in modified source and object code versions of the Program must
|
||||||
|
// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
|
||||||
|
//
|
||||||
|
// Pursuant to Section 7(b) of the License you must retain the original Product logo when
|
||||||
|
// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
|
||||||
|
// trademark law for use of our trademarks.
|
||||||
|
//
|
||||||
|
// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
|
||||||
|
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
|
||||||
|
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
|
||||||
|
|
||||||
|
namespace ASC.Common.Security;
|
||||||
|
|
||||||
|
public interface IRuleData
|
||||||
|
{
|
||||||
|
public string Key { get; }
|
||||||
|
}
|
@ -74,6 +74,12 @@ public class UserServiceCache
|
|||||||
{
|
{
|
||||||
var key = GetUserCacheKey(userInfo.Tenant);
|
var key = GetUserCacheKey(userInfo.Tenant);
|
||||||
Cache.Remove(key);
|
Cache.Remove(key);
|
||||||
|
|
||||||
|
if (Guid.TryParse(userInfo.Id, out var userId))
|
||||||
|
{
|
||||||
|
var userKey = GetUserCacheKey(userInfo.Tenant, userId);
|
||||||
|
Cache.Remove(userKey);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
private void InvalidateCache(GroupCacheItem groupCacheItem)
|
private void InvalidateCache(GroupCacheItem groupCacheItem)
|
||||||
|
@ -64,6 +64,7 @@ public class UserManager
|
|||||||
private readonly TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> _countRoomAdminChecker;
|
private readonly TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> _countRoomAdminChecker;
|
||||||
private readonly TenantQuotaFeatureCheckerCount<CountUserFeature> _activeUsersFeatureChecker;
|
private readonly TenantQuotaFeatureCheckerCount<CountUserFeature> _activeUsersFeatureChecker;
|
||||||
private readonly Constants _constants;
|
private readonly Constants _constants;
|
||||||
|
private readonly UserFormatter _userFormatter;
|
||||||
|
|
||||||
private Tenant _tenant;
|
private Tenant _tenant;
|
||||||
private Tenant Tenant => _tenant ??= _tenantManager.GetCurrentTenant();
|
private Tenant Tenant => _tenant ??= _tenantManager.GetCurrentTenant();
|
||||||
@ -86,7 +87,8 @@ public class UserManager
|
|||||||
ILogger<UserManager> log,
|
ILogger<UserManager> log,
|
||||||
ICache cache,
|
ICache cache,
|
||||||
TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> countRoomAdrminChecker,
|
TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> countRoomAdrminChecker,
|
||||||
TenantQuotaFeatureCheckerCount<CountUserFeature> activeUsersFeatureChecker
|
TenantQuotaFeatureCheckerCount<CountUserFeature> activeUsersFeatureChecker,
|
||||||
|
UserFormatter userFormatter
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
_userService = service;
|
_userService = service;
|
||||||
@ -103,6 +105,7 @@ public class UserManager
|
|||||||
_countRoomAdminChecker = countRoomAdrminChecker;
|
_countRoomAdminChecker = countRoomAdrminChecker;
|
||||||
_activeUsersFeatureChecker = activeUsersFeatureChecker;
|
_activeUsersFeatureChecker = activeUsersFeatureChecker;
|
||||||
_constants = _userManagerConstants.Constants;
|
_constants = _userManagerConstants.Constants;
|
||||||
|
_userFormatter = userFormatter;
|
||||||
}
|
}
|
||||||
|
|
||||||
public UserManager(
|
public UserManager(
|
||||||
@ -119,8 +122,9 @@ public class UserManager
|
|||||||
ICache cache,
|
ICache cache,
|
||||||
TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> tenantQuotaFeatureChecker,
|
TenantQuotaFeatureCheckerCount<CountRoomAdminFeature> tenantQuotaFeatureChecker,
|
||||||
TenantQuotaFeatureCheckerCount<CountUserFeature> activeUsersFeatureChecker,
|
TenantQuotaFeatureCheckerCount<CountUserFeature> activeUsersFeatureChecker,
|
||||||
IHttpContextAccessor httpContextAccessor)
|
IHttpContextAccessor httpContextAccessor,
|
||||||
: this(service, tenantManager, permissionContext, userManagerConstants, coreBaseSettings, coreSettings, instanceCrypto, radicaleClient, cardDavAddressbook, log, cache, tenantQuotaFeatureChecker, activeUsersFeatureChecker)
|
UserFormatter userFormatter)
|
||||||
|
: this(service, tenantManager, permissionContext, userManagerConstants, coreBaseSettings, coreSettings, instanceCrypto, radicaleClient, cardDavAddressbook, log, cache, tenantQuotaFeatureChecker, activeUsersFeatureChecker, userFormatter)
|
||||||
{
|
{
|
||||||
_accessor = httpContextAccessor;
|
_accessor = httpContextAccessor;
|
||||||
}
|
}
|
||||||
@ -353,7 +357,8 @@ public class UserManager
|
|||||||
return SystemUsers[u.Id];
|
return SystemUsers[u.Id];
|
||||||
}
|
}
|
||||||
|
|
||||||
_permissionContext.DemandPermissions(Constants.Action_AddRemoveUser);
|
_permissionContext.DemandPermissions(new UserSecurityProvider(u.Id, isVisitor ? EmployeeType.User : EmployeeType.RoomAdmin),
|
||||||
|
Constants.Action_AddRemoveUser);
|
||||||
|
|
||||||
if (!_coreBaseSettings.Personal)
|
if (!_coreBaseSettings.Personal)
|
||||||
{
|
{
|
||||||
@ -631,12 +636,15 @@ public class UserManager
|
|||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
_permissionContext.DemandPermissions(Constants.Action_EditGroups);
|
|
||||||
|
var user = GetUsers(userId);
|
||||||
|
|
||||||
|
_permissionContext.DemandPermissions(new UserGroupObject(new UserAccount(user, _tenantManager.GetCurrentTenant().Id, _userFormatter), groupId),
|
||||||
|
Constants.Action_EditGroups);
|
||||||
|
|
||||||
_userService.SaveUserGroupRef(Tenant.Id, new UserGroupRef(userId, groupId, UserGroupRefType.Contains));
|
_userService.SaveUserGroupRef(Tenant.Id, new UserGroupRef(userId, groupId, UserGroupRefType.Contains));
|
||||||
|
|
||||||
ResetGroupCache(userId);
|
ResetGroupCache(userId);
|
||||||
var user = GetUsers(userId);
|
|
||||||
if (groupId == Constants.GroupUser.ID)
|
if (groupId == Constants.GroupUser.ID)
|
||||||
{
|
{
|
||||||
var tenant = _tenantManager.GetCurrentTenant();
|
var tenant = _tenantManager.GetCurrentTenant();
|
||||||
@ -658,7 +666,10 @@ public class UserManager
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
_permissionContext.DemandPermissions(Constants.Action_EditGroups);
|
var user = GetUsers(userId);
|
||||||
|
|
||||||
|
_permissionContext.DemandPermissions(new UserGroupObject(new UserAccount(user, _tenantManager.GetCurrentTenant().Id, _userFormatter), groupId),
|
||||||
|
Constants.Action_EditGroups);
|
||||||
|
|
||||||
_userService.RemoveUserGroupRef(Tenant.Id, userId, groupId, UserGroupRefType.Contains);
|
_userService.RemoveUserGroupRef(Tenant.Id, userId, groupId, UserGroupRefType.Contains);
|
||||||
|
|
||||||
|
@ -71,4 +71,5 @@ public class GroupInfo : IRole, IRecipientsGroup
|
|||||||
string IRecipient.Name => Name;
|
string IRecipient.Name => Name;
|
||||||
public string AuthenticationType => "ASC";
|
public string AuthenticationType => "ASC";
|
||||||
public bool IsAuthenticated => false;
|
public bool IsAuthenticated => false;
|
||||||
|
public string Key => ID.ToString();
|
||||||
}
|
}
|
||||||
|
@ -57,7 +57,8 @@ public class AzManager
|
|||||||
|
|
||||||
internal AzManagerAcl GetAzManagerAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
|
internal AzManagerAcl GetAzManagerAcl(ISubject subject, IAction action, ISecurityObjectId objectId, ISecurityObjectProvider securityObjProvider)
|
||||||
{
|
{
|
||||||
if (action.AdministratorAlwaysAllow && (Constants.DocSpaceAdmin.ID == subject.ID || _roleProvider.IsSubjectInRole(subject, Constants.DocSpaceAdmin)))
|
if (action.AdministratorAlwaysAllow && (Constants.DocSpaceAdmin.ID == subject.ID || _roleProvider.IsSubjectInRole(subject, Constants.DocSpaceAdmin)
|
||||||
|
|| (objectId is SecurityObject obj && obj.IsMatchDefaultRules(subject, action, _roleProvider))))
|
||||||
{
|
{
|
||||||
return AzManagerAcl.Allow;
|
return AzManagerAcl.Allow;
|
||||||
}
|
}
|
||||||
|
57
common/ASC.Core.Common/Security/Rule.cs
Normal file
57
common/ASC.Core.Common/Security/Rule.cs
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
// (c) Copyright Ascensio System SIA 2010-2022
|
||||||
|
//
|
||||||
|
// This program is a free software product.
|
||||||
|
// You can redistribute it and/or modify it under the terms
|
||||||
|
// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
|
||||||
|
// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
|
||||||
|
// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
|
||||||
|
// any third-party rights.
|
||||||
|
//
|
||||||
|
// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
|
||||||
|
// of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For details, see
|
||||||
|
// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
|
||||||
|
//
|
||||||
|
// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
|
||||||
|
//
|
||||||
|
// The interactive user interfaces in modified source and object code versions of the Program must
|
||||||
|
// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
|
||||||
|
//
|
||||||
|
// Pursuant to Section 7(b) of the License you must retain the original Product logo when
|
||||||
|
// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
|
||||||
|
// trademark law for use of our trademarks.
|
||||||
|
//
|
||||||
|
// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
|
||||||
|
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
|
||||||
|
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
|
||||||
|
|
||||||
|
namespace ASC.Core.Common.Security;
|
||||||
|
|
||||||
|
public class Rule
|
||||||
|
{
|
||||||
|
public Guid ActionId { get; }
|
||||||
|
public IRuleData Data { get; }
|
||||||
|
private readonly string _key;
|
||||||
|
|
||||||
|
public Rule(Guid actionId, IRuleData data)
|
||||||
|
{
|
||||||
|
ActionId = actionId;
|
||||||
|
Data = data;
|
||||||
|
_key = actionId.ToString() + data?.Key;
|
||||||
|
}
|
||||||
|
|
||||||
|
public Rule(Guid actionId)
|
||||||
|
{
|
||||||
|
ActionId = actionId;
|
||||||
|
_key = actionId.ToString();
|
||||||
|
}
|
||||||
|
|
||||||
|
public override int GetHashCode()
|
||||||
|
{
|
||||||
|
return _key.GetHashCode();
|
||||||
|
}
|
||||||
|
|
||||||
|
public override bool Equals(object obj)
|
||||||
|
{
|
||||||
|
return obj is Rule action && action._key == _key;
|
||||||
|
}
|
||||||
|
}
|
56
common/ASC.Core.Common/Security/Security.cs
Normal file
56
common/ASC.Core.Common/Security/Security.cs
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
// (c) Copyright Ascensio System SIA 2010-2022
|
||||||
|
//
|
||||||
|
// This program is a free software product.
|
||||||
|
// You can redistribute it and/or modify it under the terms
|
||||||
|
// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
|
||||||
|
// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
|
||||||
|
// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
|
||||||
|
// any third-party rights.
|
||||||
|
//
|
||||||
|
// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
|
||||||
|
// of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For details, see
|
||||||
|
// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
|
||||||
|
//
|
||||||
|
// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
|
||||||
|
//
|
||||||
|
// The interactive user interfaces in modified source and object code versions of the Program must
|
||||||
|
// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
|
||||||
|
//
|
||||||
|
// Pursuant to Section 7(b) of the License you must retain the original Product logo when
|
||||||
|
// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
|
||||||
|
// trademark law for use of our trademarks.
|
||||||
|
//
|
||||||
|
// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
|
||||||
|
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
|
||||||
|
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
|
||||||
|
|
||||||
|
using UserConstants = ASC.Core.Users.Constants;
|
||||||
|
using Constants = ASC.Common.Security.Authorizing.Constants;
|
||||||
|
|
||||||
|
namespace ASC.Core.Common.Security;
|
||||||
|
|
||||||
|
public static class Security
|
||||||
|
{
|
||||||
|
public static readonly Dictionary<Guid, Dictionary<Guid, HashSet<Rule>>> Rules = new Dictionary<Guid, Dictionary<Guid, HashSet<Rule>>>
|
||||||
|
{
|
||||||
|
{
|
||||||
|
Constants.RoomAdmin.ID, new Dictionary<Guid, HashSet<Rule>>()
|
||||||
|
{
|
||||||
|
{
|
||||||
|
Constants.User.ID, new HashSet<Rule>()
|
||||||
|
{
|
||||||
|
new Rule(UserConstants.Action_EditGroups.ID, Constants.User),
|
||||||
|
new Rule(UserConstants.Action_AddRemoveUser.ID),
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
Constants.RoomAdmin.ID, new HashSet<Rule>()
|
||||||
|
{
|
||||||
|
new Rule(UserConstants.Action_EditGroups.ID, Constants.User),
|
||||||
|
new Rule(UserConstants.Action_AddRemoveUser.ID),
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
}
|
75
common/ASC.Core.Common/Security/SecurityObject.cs
Normal file
75
common/ASC.Core.Common/Security/SecurityObject.cs
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
// (c) Copyright Ascensio System SIA 2010-2022
|
||||||
|
//
|
||||||
|
// This program is a free software product.
|
||||||
|
// You can redistribute it and/or modify it under the terms
|
||||||
|
// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
|
||||||
|
// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
|
||||||
|
// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
|
||||||
|
// any third-party rights.
|
||||||
|
//
|
||||||
|
// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
|
||||||
|
// of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For details, see
|
||||||
|
// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
|
||||||
|
//
|
||||||
|
// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
|
||||||
|
//
|
||||||
|
// The interactive user interfaces in modified source and object code versions of the Program must
|
||||||
|
// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
|
||||||
|
//
|
||||||
|
// Pursuant to Section 7(b) of the License you must retain the original Product logo when
|
||||||
|
// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
|
||||||
|
// trademark law for use of our trademarks.
|
||||||
|
//
|
||||||
|
// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
|
||||||
|
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
|
||||||
|
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
|
||||||
|
|
||||||
|
namespace ASC.Core.Common.Security;
|
||||||
|
|
||||||
|
public abstract class SecurityObject : ISecurityObject
|
||||||
|
{
|
||||||
|
public object SecurityId { get; protected set; }
|
||||||
|
public Type ObjectType { get; protected set; }
|
||||||
|
public string FullId { get; protected set; }
|
||||||
|
public bool InheritSupported { get; protected set; }
|
||||||
|
public bool ObjectRolesSupported { get; protected set; }
|
||||||
|
|
||||||
|
public virtual IEnumerable<IRole> GetObjectRoles(ISubject account, ISecurityObjectId objectId, SecurityCallContext callContext)
|
||||||
|
{
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public virtual ISecurityObjectId InheritFrom(ISecurityObjectId objectId)
|
||||||
|
{
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool IsMatchDefaultRules(ISubject subject, IAction action, IRoleProvider roleProvider)
|
||||||
|
{
|
||||||
|
var subjectRoles = roleProvider.GetRoles(subject);
|
||||||
|
var targetRoles = GetTargetRoles(roleProvider);
|
||||||
|
|
||||||
|
foreach (var subjectRole in subjectRoles)
|
||||||
|
{
|
||||||
|
if (Security.Rules.TryGetValue(subjectRole.ID, out var value))
|
||||||
|
{
|
||||||
|
foreach (var targetRole in targetRoles)
|
||||||
|
{
|
||||||
|
if (value.TryGetValue(targetRole.ID, out var value1))
|
||||||
|
{
|
||||||
|
var act = new Rule(action.ID, GetRuleData());
|
||||||
|
if (value1.Contains(act))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected abstract IEnumerable<IRole> GetTargetRoles(IRoleProvider roleProvider);
|
||||||
|
protected abstract IRuleData GetRuleData();
|
||||||
|
}
|
52
common/ASC.Core.Common/Security/UserGroupObject.cs
Normal file
52
common/ASC.Core.Common/Security/UserGroupObject.cs
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
// (c) Copyright Ascensio System SIA 2010-2022
|
||||||
|
//
|
||||||
|
// This program is a free software product.
|
||||||
|
// You can redistribute it and/or modify it under the terms
|
||||||
|
// of the GNU Affero General Public License (AGPL) version 3 as published by the Free Software
|
||||||
|
// Foundation. In accordance with Section 7(a) of the GNU AGPL its Section 15 shall be amended
|
||||||
|
// to the effect that Ascensio System SIA expressly excludes the warranty of non-infringement of
|
||||||
|
// any third-party rights.
|
||||||
|
//
|
||||||
|
// This program is distributed WITHOUT ANY WARRANTY, without even the implied warranty
|
||||||
|
// of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For details, see
|
||||||
|
// the GNU AGPL at: http://www.gnu.org/licenses/agpl-3.0.html
|
||||||
|
//
|
||||||
|
// You can contact Ascensio System SIA at Lubanas st. 125a-25, Riga, Latvia, EU, LV-1021.
|
||||||
|
//
|
||||||
|
// The interactive user interfaces in modified source and object code versions of the Program must
|
||||||
|
// display Appropriate Legal Notices, as required under Section 5 of the GNU AGPL version 3.
|
||||||
|
//
|
||||||
|
// Pursuant to Section 7(b) of the License you must retain the original Product logo when
|
||||||
|
// distributing the program. Pursuant to Section 7(e) we decline to grant you any rights under
|
||||||
|
// trademark law for use of our trademarks.
|
||||||
|
//
|
||||||
|
// All the Product's GUI elements, including illustrations and icon sets, as well as technical writing
|
||||||
|
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
|
||||||
|
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
|
||||||
|
|
||||||
|
namespace ASC.Core.Common.Security;
|
||||||
|
|
||||||
|
public class UserGroupObject : SecurityObject
|
||||||
|
{
|
||||||
|
private ISubject User { get; set; }
|
||||||
|
private Guid GroupId { get; set; }
|
||||||
|
|
||||||
|
public UserGroupObject(ISubject user, Guid groupId)
|
||||||
|
{
|
||||||
|
SecurityId = user.ID;
|
||||||
|
User = user;
|
||||||
|
GroupId = groupId;
|
||||||
|
ObjectType = typeof(UserGroupObject);
|
||||||
|
FullId = $"{ObjectType.FullName}|{User.ID}|{GroupId}";
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override IEnumerable<IRole> GetTargetRoles(IRoleProvider roleProvider)
|
||||||
|
{
|
||||||
|
return roleProvider.GetRoles(User);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override IRuleData GetRuleData()
|
||||||
|
{
|
||||||
|
return new Role(GroupId, "ruleData");
|
||||||
|
}
|
||||||
|
}
|
@ -24,37 +24,51 @@
|
|||||||
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
|
// content are licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0
|
||||||
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
|
// International. See the License terms at http://creativecommons.org/licenses/by-sa/4.0/legalcode
|
||||||
|
|
||||||
|
using AuthConstants = ASC.Common.Security.Authorizing.Constants;
|
||||||
|
|
||||||
namespace ASC.Core.Users;
|
namespace ASC.Core.Users;
|
||||||
|
|
||||||
public class UserSecurityProvider : ISecurityObject
|
public class UserSecurityProvider : SecurityObject
|
||||||
{
|
{
|
||||||
public Type ObjectType { get; private set; }
|
private readonly EmployeeType _employeeType;
|
||||||
public object SecurityId { get; private set; }
|
|
||||||
public string FullId => AzObjectIdHelper.GetFullObjectId(this);
|
|
||||||
|
|
||||||
public UserSecurityProvider(Guid userId)
|
public UserSecurityProvider(Guid userId)
|
||||||
{
|
{
|
||||||
SecurityId = userId;
|
SecurityId = userId;
|
||||||
ObjectType = typeof(UserInfo);
|
ObjectType = typeof(UserInfo);
|
||||||
|
FullId = AzObjectIdHelper.GetFullObjectId(this);
|
||||||
|
ObjectRolesSupported = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool ObjectRolesSupported => true;
|
public UserSecurityProvider(Guid userId, EmployeeType employeeType) : this(userId)
|
||||||
|
{
|
||||||
|
_employeeType = employeeType;
|
||||||
|
}
|
||||||
|
|
||||||
public IEnumerable<IRole> GetObjectRoles(ISubject account, ISecurityObjectId objectId, SecurityCallContext callContext)
|
public override IEnumerable<IRole> GetObjectRoles(ISubject account, ISecurityObjectId objectId, SecurityCallContext callContext)
|
||||||
{
|
{
|
||||||
var roles = new List<IRole>();
|
var roles = new List<IRole>();
|
||||||
if (account.ID.Equals(objectId.SecurityId))
|
if (account.ID.Equals(objectId.SecurityId))
|
||||||
{
|
{
|
||||||
roles.Add(ASC.Common.Security.Authorizing.Constants.Self);
|
roles.Add(AuthConstants.Self);
|
||||||
}
|
}
|
||||||
|
|
||||||
return roles;
|
return roles;
|
||||||
}
|
}
|
||||||
|
|
||||||
public bool InheritSupported => false;
|
protected override IEnumerable<IRole> GetTargetRoles(IRoleProvider roleProvider)
|
||||||
|
|
||||||
public ISecurityObjectId InheritFrom(ISecurityObjectId objectId)
|
|
||||||
{
|
{
|
||||||
throw new NotImplementedException();
|
return _employeeType switch
|
||||||
|
{
|
||||||
|
EmployeeType.DocSpaceAdmin => new[] { AuthConstants.DocSpaceAdmin },
|
||||||
|
EmployeeType.RoomAdmin => new[] { AuthConstants.RoomAdmin },
|
||||||
|
EmployeeType.User => new[] { AuthConstants.User },
|
||||||
|
_ => throw new NotImplementedException(),
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
protected override IRuleData GetRuleData()
|
||||||
|
{
|
||||||
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -96,6 +96,11 @@ public static class UserExtensions
|
|||||||
return !string.IsNullOrEmpty(ui.SsoNameId);
|
return !string.IsNullOrEmpty(ui.SsoNameId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static EmployeeType GetUserType(this UserManager userManager, Guid id)
|
||||||
|
{
|
||||||
|
return userManager.IsDocSpaceAdmin(id) ? EmployeeType.DocSpaceAdmin : userManager.IsUser(id) ? EmployeeType.User : EmployeeType.RoomAdmin;
|
||||||
|
}
|
||||||
|
|
||||||
private const string _extMobPhone = "extmobphone";
|
private const string _extMobPhone = "extmobphone";
|
||||||
private const string _mobPhone = "mobphone";
|
private const string _mobPhone = "mobphone";
|
||||||
private const string _extMail = "extmail";
|
private const string _extMail = "extmail";
|
||||||
|
@ -72,9 +72,12 @@ public abstract class PeopleControllerBase : ApiControllerBase
|
|||||||
return user;
|
return user;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void UpdateContacts(IEnumerable<Contact> contacts, UserInfo user)
|
protected void UpdateContacts(IEnumerable<Contact> contacts, UserInfo user, bool checkPermissions = true)
|
||||||
{
|
{
|
||||||
_permissionContext.DemandPermissions(new UserSecurityProvider(user.Id), Constants.Action_EditUser);
|
if (checkPermissions)
|
||||||
|
{
|
||||||
|
_permissionContext.DemandPermissions(new UserSecurityProvider(user.Id), Constants.Action_EditUser);
|
||||||
|
}
|
||||||
|
|
||||||
if (contacts == null)
|
if (contacts == null)
|
||||||
{
|
{
|
||||||
|
@ -206,15 +206,14 @@ public class UserController : PeopleControllerBase
|
|||||||
{
|
{
|
||||||
_apiContext.AuthByClaim();
|
_apiContext.AuthByClaim();
|
||||||
|
|
||||||
_permissionContext.DemandPermissions(Constants.Action_AddRemoveUser);
|
|
||||||
|
|
||||||
var options = inDto.FromInviteLink ? await _roomLinkService.GetOptionsAsync(inDto.Key, inDto.Email, inDto.Type) : null;
|
var options = inDto.FromInviteLink ? await _roomLinkService.GetOptionsAsync(inDto.Key, inDto.Email, inDto.Type) : null;
|
||||||
|
|
||||||
if (options != null && !options.IsCorrect)
|
if (options != null && !options.IsCorrect)
|
||||||
{
|
{
|
||||||
throw new SecurityException(FilesCommonResource.ErrorMessage_InvintationLink);
|
throw new SecurityException(FilesCommonResource.ErrorMessage_InvintationLink);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
_permissionContext.DemandPermissions(new UserSecurityProvider(Guid.Empty, inDto.Type) ,Constants.Action_AddRemoveUser);
|
||||||
|
|
||||||
inDto.Type = options != null ? options.EmployeeType : inDto.Type;
|
inDto.Type = options != null ? options.EmployeeType : inDto.Type;
|
||||||
|
|
||||||
var user = new UserInfo();
|
var user = new UserInfo();
|
||||||
@ -264,9 +263,9 @@ public class UserController : PeopleControllerBase
|
|||||||
user.BirthDate = inDto.Birthday != null && inDto.Birthday != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Birthday) : null;
|
user.BirthDate = inDto.Birthday != null && inDto.Birthday != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Birthday) : null;
|
||||||
user.WorkFromDate = inDto.Worksfrom != null && inDto.Worksfrom != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Worksfrom) : DateTime.UtcNow.Date;
|
user.WorkFromDate = inDto.Worksfrom != null && inDto.Worksfrom != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Worksfrom) : DateTime.UtcNow.Date;
|
||||||
|
|
||||||
UpdateContacts(inDto.Contacts, user);
|
UpdateContacts(inDto.Contacts, user, !inDto.FromInviteLink);
|
||||||
_cache.Insert("REWRITE_URL" + _tenantManager.GetCurrentTenant().Id, HttpContext.Request.GetUrlRewriter().ToString(), TimeSpan.FromMinutes(5));
|
_cache.Insert("REWRITE_URL" + _tenantManager.GetCurrentTenant().Id, HttpContext.Request.GetUrlRewriter().ToString(), TimeSpan.FromMinutes(5));
|
||||||
user = await _userManagerWrapper.AddUser(user, inDto.PasswordHash, inDto.FromInviteLink, true, inDto.Type == EmployeeType.User, inDto.FromInviteLink, true, true, byEmail, inDto.Type == EmployeeType.DocSpaceAdmin);
|
user = await _userManagerWrapper.AddUser(user, inDto.PasswordHash, inDto.FromInviteLink, true, inDto.Type == EmployeeType.User, inDto.FromInviteLink && options.IsCorrect, true, true, byEmail, inDto.Type == EmployeeType.DocSpaceAdmin);
|
||||||
|
|
||||||
await UpdateDepartments(inDto.Department, user);
|
await UpdateDepartments(inDto.Department, user);
|
||||||
|
|
||||||
@ -302,6 +301,11 @@ public class UserController : PeopleControllerBase
|
|||||||
{
|
{
|
||||||
foreach (var invite in inDto.Invitations)
|
foreach (var invite in inDto.Invitations)
|
||||||
{
|
{
|
||||||
|
if (!_permissionContext.CheckPermissions(new UserSecurityProvider(Guid.Empty, invite.Type), Constants.Action_AddRemoveUser))
|
||||||
|
{
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
var user = await _userManagerWrapper.AddInvitedUserAsync(invite.Email, invite.Type);
|
var user = await _userManagerWrapper.AddInvitedUserAsync(invite.Email, invite.Type);
|
||||||
var link = _roomLinkService.GetInvitationLink(user.Email, invite.Type, _authContext.CurrentAccount.ID);
|
var link = _roomLinkService.GetInvitationLink(user.Email, invite.Type, _authContext.CurrentAccount.ID);
|
||||||
|
|
||||||
|
@ -143,9 +143,9 @@ public class PortalController : ControllerBase
|
|||||||
[HttpGet("users/invite/{employeeType}")]
|
[HttpGet("users/invite/{employeeType}")]
|
||||||
public object GeInviteLink(EmployeeType employeeType)
|
public object GeInviteLink(EmployeeType employeeType)
|
||||||
{
|
{
|
||||||
if (!_webItemSecurity.IsProductAdministrator(WebItemManager.PeopleProductID, _authContext.CurrentAccount.ID))
|
if (!_permissionContext.CheckPermissions(new UserSecurityProvider(Guid.Empty, employeeType), ASC.Core.Users.Constants.Action_AddRemoveUser))
|
||||||
{
|
{
|
||||||
throw new SecurityException("Method not available");
|
return string.Empty;
|
||||||
}
|
}
|
||||||
|
|
||||||
return _commonLinkUtility.GetConfirmationEmailUrl(string.Empty, ConfirmType.LinkInvite, (int)employeeType, _authContext.CurrentAccount.ID)
|
return _commonLinkUtility.GetConfirmationEmailUrl(string.Empty, ConfirmType.LinkInvite, (int)employeeType, _authContext.CurrentAccount.ID)
|
||||||
|
@ -117,12 +117,7 @@ public sealed class UserManagerWrapper
|
|||||||
|
|
||||||
if (_userManager.GetUserByEmail(mail.Address).Id != Constants.LostUser.Id)
|
if (_userManager.GetUserByEmail(mail.Address).Id != Constants.LostUser.Id)
|
||||||
{
|
{
|
||||||
throw new InvalidOperationException($"User with email {mail.Address} already exists or is invited");
|
throw new Exception(_customNamingPeople.Substitute<Resource>("ErrorEmailAlreadyExists"));
|
||||||
}
|
|
||||||
|
|
||||||
if (type is EmployeeType.RoomAdmin or EmployeeType.DocSpaceAdmin)
|
|
||||||
{
|
|
||||||
await _countManagerChecker.CheckAppend();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var user = new UserInfo
|
var user = new UserInfo
|
||||||
@ -135,7 +130,9 @@ public sealed class UserManagerWrapper
|
|||||||
Status = EmployeeStatus.Active,
|
Status = EmployeeStatus.Active,
|
||||||
};
|
};
|
||||||
|
|
||||||
var newUser = await _userManager.SaveUserInfo(user);
|
user.UserName = MakeUniqueName(user);
|
||||||
|
|
||||||
|
var newUser = await _userManager.SaveUserInfo(user, type == EmployeeType.User);
|
||||||
|
|
||||||
var groupId = type switch
|
var groupId = type switch
|
||||||
{
|
{
|
||||||
@ -226,11 +223,11 @@ public sealed class UserManagerWrapper
|
|||||||
|
|
||||||
if (isUser)
|
if (isUser)
|
||||||
{
|
{
|
||||||
await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupUser.ID);
|
await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupUser.ID, true);
|
||||||
}
|
}
|
||||||
else if (isAdmin)
|
else if (isAdmin)
|
||||||
{
|
{
|
||||||
await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupAdmin.ID);
|
await _userManager.AddUserIntoGroup(newUserInfo.Id, Constants.GroupAdmin.ID, true);
|
||||||
}
|
}
|
||||||
|
|
||||||
return newUserInfo;
|
return newUserInfo;
|
||||||
|
Loading…
Reference in New Issue
Block a user