open-source-mirrors
/
Ombi
mirror of https://github.com/Ombi-app/Ombi
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed #656 and more work on #218

Browse Source
pull/780/head
Jamie.Rees 9 years ago
parent e39512905a
commit e46c43610f
11 changed files with 157 additions and 98 deletions
Show Stats Download Patch File Download Diff File

5
PlexRequests.Helpers/Permissions/Permissions.cs
Unescape View File

@ -46,6 +46,9 @@ namespace PlexRequests.Helpers.Permissions
RequestMusic = 8,
[Display(Name = "Report Issue")]
ReportIssue = 16
ReportIssue = 16,
[Display(Name = "Read Only User")]
ReadOnlyUser = 32,
}
}

4
PlexRequests.Helpers/PlexRequests.Helpers.csproj
Unescape View File

@ -39,6 +39,10 @@
<HintPath>..\packages\Newtonsoft.Json.9.0.1\lib\net45\Newtonsoft.Json.dll</HintPath>
<Private>True</Private>
</Reference>
<Reference Include="Ninject, Version=3.2.0.0, Culture=neutral, PublicKeyToken=c7192dc5380945e7, processorArchitecture=MSIL">
<HintPath>..\packages\Ninject.3.2.0.0\lib\net45-full\Ninject.dll</HintPath>
<Private>True</Private>
</Reference>
<Reference Include="NLog, Version=4.0.0.0, Culture=neutral, PublicKeyToken=5120e14c03d0593c, processorArchitecture=MSIL">
<HintPath>..\packages\NLog.4.3.6\lib\net45\NLog.dll</HintPath>
<Private>True</Private>

1
PlexRequests.Helpers/packages.config
Unescape View File

@ -2,6 +2,7 @@
<packages>
<package id="Nancy" version="1.4.3" targetFramework="net45" />
<package id="Newtonsoft.Json" version="9.0.1" targetFramework="net45" />
<package id="Ninject" version="3.2.0.0" targetFramework="net45" />
<package id="NLog" version="4.3.6" targetFramework="net45" />
<package id="Owin" version="1.0" targetFramework="net45" />
</packages>

6
PlexRequests.Store/Repository/UserRepository.cs
Unescape View File

@ -49,21 +49,21 @@ namespace PlexRequests.Store.Repository
public UsersModel GetUser(string userGuid)
{
var sql = @"SELECT * FROM UsersModel
var sql = @"SELECT * FROM Users
WHERE Userguid = @UserGuid";
return Db.QueryFirstOrDefault<UsersModel>(sql, new {UserGuid = userGuid});
}
public UsersModel GetUserByUsername(string username)
{
var sql = @"SELECT * FROM UsersModel
var sql = @"SELECT * FROM Users
WHERE UserName = @UserName";
return Db.QueryFirstOrDefault<UsersModel>(sql, new {UserName = username});
}
public async Task<UsersModel> GetUserAsync(string userguid)
{
var sql = @"SELECT * FROM UsersModel
var sql = @"SELECT * FROM Users
WHERE UserGuid = @UserGuid";
return await Db.QueryFirstOrDefaultAsync<UsersModel>(sql, new {UserGuid = userguid});
}

25
PlexRequests.UI/Helpers/HtmlSecurityHelper.cs
Unescape View File

@ -27,23 +27,36 @@
using Nancy.Security;
using Nancy.ViewEngines.Razor;
using Ninject;
using PlexRequests.Helpers.Permissions;
using PlexRequests.Store.Repository;
namespace PlexRequests.UI.Helpers
{
public static class HtmlSecurityHelper
{
public static bool HasAnyPermission(this HtmlHelpers helper, params string[] claims)
private static SecurityExtensions Security
{
if (!helper.CurrentUser.IsAuthenticated())
get
{
return false;
var userRepo = ServiceLocator.Instance.Resolve<IUserRepository>();
return _security ?? (_security = new SecurityExtensions(userRepo, null));
}
return helper.CurrentUser.HasAnyClaim(claims);
}
public static bool DoesNotHaveAnyPermission(this HtmlHelpers helper, params string[] claims)
private static SecurityExtensions _security;
public static bool HasAnyPermission(this HtmlHelpers helper, int permission)
{
return helper.CurrentUser.IsAuthenticated()
&& Security.HasPermissions(helper.CurrentUser, (Permissions) permission);
}
public static bool DoesNotHavePermission(this HtmlHelpers helper, int permission)
{
return SecurityExtensions.DoesNotHaveClaims(claims, helper.CurrentUser);
return Security.DoesNotHavePermissions(permission, helper.CurrentUser);
}
}
}

116
PlexRequests.UI/Helpers/SecurityExtensions.cs
Unescape View File

@ -31,14 +31,25 @@ using System.Linq;
using Nancy;
using Nancy.Extensions;
using Nancy.Security;
using Ninject;
using PlexRequests.Helpers.Permissions;
using PlexRequests.Store.Repository;
using PlexRequests.UI.Models;
namespace PlexRequests.UI.Helpers
{
public static class SecurityExtensions
public class SecurityExtensions
{
public SecurityExtensions(IUserRepository userRepository, NancyModule context)
{
UserRepository = userRepository;
Module = context;
}
private IUserRepository UserRepository { get; }
private NancyModule Module { get; }
public static bool IsLoggedIn(this NancyContext context)
public bool IsLoggedIn(NancyContext context)
{
var userName = context.Request.Session[SessionKeys.UsernameKey];
var realUser = false;
@ -52,7 +63,7 @@ namespace PlexRequests.UI.Helpers
return realUser || plexUser;
}
public static bool IsPlexUser(this NancyContext context)
public bool IsPlexUser(NancyContext context)
{
var userName = context.Request.Session[SessionKeys.UsernameKey];
var plexUser = userName != null;
@ -62,7 +73,7 @@ namespace PlexRequests.UI.Helpers
return plexUser && !isAuth;
}
public static bool IsNormalUser(this NancyContext context)
public bool IsNormalUser(NancyContext context)
{
var userName = context.Request.Session[SessionKeys.UsernameKey];
var plexUser = userName != null;
@ -72,63 +83,72 @@ namespace PlexRequests.UI.Helpers
return isAuth && !plexUser;
}
/// <summary>
/// This module requires authentication and NO certain claims to be present.
/// Creates a hook to be used in a pipeline before a route handler to ensure
/// that the request was made by an authenticated user does not have the claims.
/// </summary>
/// <param name="module">Module to enable</param>
/// <param name="requiredClaims">Claim(s) required</param>
public static void DoesNotHaveClaim(this INancyModule module, params string[] bannedClaims)
{
module.AddBeforeHookOrExecute(SecurityHooks.RequiresAuthentication(), "Requires Authentication");
module.AddBeforeHookOrExecute(DoesNotHaveClaims(bannedClaims), "Has Banned Claims");
}
public static bool DoesNotHaveClaimCheck(this INancyModule module, params string[] bannedClaims)
{
if (!module.Context?.CurrentUser?.IsAuthenticated() ?? false)
{
return false;
}
if (DoesNotHaveClaims(bannedClaims, module.Context))
/// <param name="perm">Claims the authenticated user needs to have</param>
/// <returns>Hook that returns an Unauthorized response if the user is not
/// authenticated or does have the claims, null otherwise</returns>
private Func<NancyContext, Response> DoesNotHavePermissions(int perm)
{
return ForbiddenIfNot(ctx =>
{
return false;
}
return true;
var dbUser = UserRepository.GetUserByUsername(ctx.CurrentUser.UserName);
if (dbUser == null) return false;
var permissions = (Permissions)dbUser.Permissions;
var result = permissions.HasFlag((Permissions)perm);
return !result;
});
}
public static bool DoesNotHaveClaimCheck(this NancyContext context, params string[] bannedClaims)
public bool DoesNotHavePermissions(int perm, IUserIdentity currentUser)
{
if (!context?.CurrentUser?.IsAuthenticated() ?? false)
{
return false;
}
if (DoesNotHaveClaims(bannedClaims, context))
{
return false;
}
return true;
return DoesNotHavePermissions((Permissions) perm, currentUser);
}
/// <summary>
/// Creates a hook to be used in a pipeline before a route handler to ensure
/// that the request was made by an authenticated user does not have the claims.
/// </summary>
/// <param name="claims">Claims the authenticated user needs to have</param>
/// <returns>Hook that returns an Unauthorized response if the user is not
/// authenticated or does have the claims, null otherwise</returns>
private static Func<NancyContext, Response> DoesNotHaveClaims(IEnumerable<string> claims)
public bool DoesNotHavePermissions(Permissions perm, IUserIdentity currentUser)
{
return ForbiddenIfNot(ctx => !ctx.CurrentUser.HasAnyClaim(claims));
var dbUser = UserRepository.GetUserByUsername(currentUser.UserName);
if (dbUser == null) return false;
var permissions = (Permissions)dbUser.Permissions;
var result = permissions.HasFlag((Permissions)perm);
return !result;
}
public static bool DoesNotHaveClaims(IEnumerable<string> claims, NancyContext ctx)
public bool HasPermissions(IUserIdentity user, Permissions perm)
{
return !ctx.CurrentUser.HasAnyClaim(claims);
if (user == null) return false;
var dbUser = UserRepository.GetUserByUsername(user.UserName);
if (dbUser == null) return false;
var permissions = (Permissions)dbUser.Permissions;
var result = permissions.HasFlag(perm);
return result;
}
public static bool DoesNotHaveClaims(IEnumerable<string> claims, IUserIdentity identity)
public void HasPermissionsResponse(Permissions perm)
{
return !identity?.HasAnyClaim(claims) ?? true;
Module.AddBeforeHookOrExecute(
ForbiddenIfNot(ctx =>
{
if (ctx.CurrentUser == null) return false;
var dbUser = UserRepository.GetUserByUsername(ctx.CurrentUser.UserName);
if (dbUser == null) return false;
var permissions = (Permissions)dbUser.Permissions;
var result = permissions.HasFlag(perm);
return result;
}), "Requires Claims");
}
@ -140,7 +160,7 @@ namespace PlexRequests.UI.Helpers
/// </summary>
/// <param name="test">Test that must return true for the request to continue</param>
/// <returns>Hook that returns an Forbidden response if the test fails, null otherwise</returns>
private static Func<NancyContext, Response> ForbiddenIfNot(Func<NancyContext, bool> test)
public Func<NancyContext, Response> ForbiddenIfNot(Func<NancyContext, bool> test)
{
return HttpStatusCodeIfNot(HttpStatusCode.Forbidden, test);
}
@ -152,7 +172,7 @@ namespace PlexRequests.UI.Helpers
/// <param name="statusCode">HttpStatusCode to use for the response</param>
/// <param name="test">Test that must return true for the request to continue</param>
/// <returns>Hook that returns a response with a specific HttpStatusCode if the test fails, null otherwise</returns>
private static Func<NancyContext, Response> HttpStatusCodeIfNot(HttpStatusCode statusCode, Func<NancyContext, bool> test)
public Func<NancyContext, Response> HttpStatusCodeIfNot(HttpStatusCode statusCode, Func<NancyContext, bool> test)
{
return ctx =>
{

6
PlexRequests.UI/Modules/AdminModule.cs
Unescape View File

@ -56,6 +56,7 @@ using PlexRequests.Core.SettingModels;
using PlexRequests.Helpers;
using PlexRequests.Helpers.Analytics;
using PlexRequests.Helpers.Exceptions;
using PlexRequests.Helpers.Permissions;
using PlexRequests.Services.Interfaces;
using PlexRequests.Services.Jobs;
using PlexRequests.Services.Notification;
@ -153,7 +154,7 @@ namespace PlexRequests.UI.Modules
NotifySettings = notifyService;
RecentlyAdded = recentlyAdded;
this.RequiresClaims(UserClaims.Admin);
Security.HasPermissionsResponse(Permissions.Administrator);
Get["/"] = _ => Admin();
@ -849,7 +850,8 @@ namespace PlexRequests.UI.Modules
private Response CreateApiKey()
{
this.RequiresClaims(UserClaims.Admin);
Security.HasPermissionsResponse(Permissions.Administrator);
Analytics.TrackEventAsync(Category.Admin, Action.Create, "Created API Key", Username, CookieHelper.GetAnalyticClientId(Cookies));
var apiKey = Guid.NewGuid().ToString("N");
var settings = PrService.GetSettings();

25
PlexRequests.UI/Modules/BaseModule.cs
Unescape View File

@ -30,6 +30,7 @@ using System.Linq;
using System.Threading;
using Nancy;
using Nancy.Security;
using Ninject;
using PlexRequests.Core;
using PlexRequests.Core.SettingModels;
@ -121,10 +122,6 @@ namespace PlexRequests.UI.Modules
protected IDictionary<string, string> Cookies => Request?.Cookies;
// This is not ideal, but it's cleaner than having to pass it down through each module.
[Inject]
protected IUserRepository UserRepository { get; set; }
protected bool IsAdmin
{
get
@ -134,7 +131,9 @@ namespace PlexRequests.UI.Modules
return false;
}
var user = UserRepository.GetUserByUsername(Context?.CurrentUser?.UserName);
var userRepo = ServiceLocator.Instance.Resolve<IUserRepository>();
var user = userRepo.GetUserByUsername(Context?.CurrentUser?.UserName);
if (user == null) return false;
@ -144,6 +143,22 @@ namespace PlexRequests.UI.Modules
}
}
protected IUserIdentity User => Context?.CurrentUser;
protected SecurityExtensions Security
{
get
{
var userRepo = ServiceLocator.Instance.Resolve<IUserRepository>();
return _security ?? (_security = new SecurityExtensions(userRepo, this));
}
}
private SecurityExtensions _security;
protected bool LoggedIn => Context?.CurrentUser != null;
protected string Culture { get; set; }

5
PlexRequests.UI/Modules/SearchModule.cs
Unescape View File

@ -55,6 +55,7 @@ using PlexRequests.Api.Models.Sonarr;
using PlexRequests.Api.Models.Tv;
using PlexRequests.Core.Models;
using PlexRequests.Helpers.Analytics;
using PlexRequests.Helpers.Permissions;
using PlexRequests.Store.Models;
using PlexRequests.Store.Repository;
@ -444,7 +445,7 @@ namespace PlexRequests.UI.Modules
private async Task<Response> RequestMovie(int movieId)
{
if (this.DoesNotHaveClaimCheck(UserClaims.ReadOnlyUser))
if (Security.DoesNotHavePermissions(Permissions.ReadOnlyUser, User))
{
return
Response.AsJson(new JsonResponseModel()
@ -553,7 +554,7 @@ namespace PlexRequests.UI.Modules
/// <returns></returns>
private async Task<Response> RequestTvShow(int showId, string seasons)
{
if (this.DoesNotHaveClaimCheck(UserClaims.ReadOnlyUser))
if (Security.DoesNotHavePermissions(Permissions.ReadOnlyUser, User))
{
return
Response.AsJson(new JsonResponseModel()

3
PlexRequests.UI/Startup.cs
Unescape View File

@ -33,7 +33,6 @@ using NLog;
using Owin;
using PlexRequests.Core.Migration;
using PlexRequests.Services.Jobs;
using PlexRequests.UI.Helpers;
using PlexRequests.UI.Jobs;
using PlexRequests.UI.NinjectModules;
@ -57,7 +56,7 @@ namespace PlexRequests.UI
Debug.WriteLine("Modules found finished.");
var kernel = new StandardKernel(modules);
var kernel = new StandardKernel(new NinjectSettings { InjectNonPublic = true }, modules);
Debug.WriteLine("Created Kernel and Injected Modules");
Debug.WriteLine("Added Contravariant Binder");

59
PlexRequests.UI/Views/Admin/Settings.cshtml
Unescape View File

@ -57,7 +57,8 @@
<div class="form-group">
<label for="ApiKey" class="control-label">Api Key</label>
<div class="input-group">
<input type="text" disabled="disabled" class="form-control form-control-custom" id="apiKey" name="ApiKey" value="@Model.ApiKey">
<input type="text" hidden="hidden" name="ApiKey" value="@Model.ApiKey"/>
<input type="text" disabled="disabled" class="form-control form-control-custom" id="ApiKey" name="ApiKey" value="@Model.ApiKey">
<div class="input-group-addon">
<div id="refreshKey" class="fa fa-refresh" title="Reset API Key"></div>
@ -65,16 +66,16 @@
</div>
</div>
<div class="form-group">
<label for="select" class="control-label">Theme</label>
<div id="themes">
<select class="form-control form-control-custom" id="select">
<option @plexTheme class="form-control form-control-custom" value="@Themes.PlexTheme">Plex</option>
<option @originalTheme class="form-control form-control-custom" value="@Themes.OriginalTheme">Original Blue</option>
</select>
<div class="form-group">
<label for="select" class="control-label">Theme</label>
<div id="themes">
<select class="form-control form-control-custom" id="select">
<option @plexTheme class="form-control form-control-custom" value="@Themes.PlexTheme">Plex</option>
<option @originalTheme class="form-control form-control-custom" value="@Themes.OriginalTheme">Original Blue</option>
</select>
</div>
</div>
</div>
<div class="form-group">
<div class="form-group">
<div class="checkbox">
@if (Model.SearchForMovies)
@ -192,7 +193,7 @@
}
</div>
</div>
<div class="form-group">
<div class="checkbox">
@ -278,12 +279,12 @@
<input type="text" class="form-control-custom form-control " id="CustomDonationMessage" name="CustomDonationMessage" placeholder="Donation button message" value="@Model.CustomDonationMessage">
</div>
</div>
<p class="form-group">A comma separated list of users whose requests do not require approval (These users also do not have a request limit).</p>
<p class="form-group">A comma separated list of users whose requests do not require approval (These users also do not have a request limit).</p>
<div class="form-group">
<label for="NoApprovalUsers" class="control-label">Approval White listed Users</label>
<div>
@ -293,23 +294,23 @@
<p class="form-group">If the request limits are set to 0 then no request limit is applied.</p>
<div class="form-group">
<label for="MovieWeeklyRequestLimit" class="control-label">Movie Weekly Request Limit</label>
<div>
<label>
<input type="number" id="MovieWeeklyRequestLimit" name="MovieWeeklyRequestLimit" class="form-control form-control-custom " value="@Model.MovieWeeklyRequestLimit">
</label>
<div class="form-group">
<label for="MovieWeeklyRequestLimit" class="control-label">Movie Weekly Request Limit</label>
<div>
<label>
<input type="number" id="MovieWeeklyRequestLimit" name="MovieWeeklyRequestLimit" class="form-control form-control-custom " value="@Model.MovieWeeklyRequestLimit">
</label>
</div>
</div>
</div>
<div class="form-group">
<label for="TvWeeklyRequestLimit" class="control-label">TV Show Weekly Request Limit</label>
<div>
<label>
<input type="number" id="TvWeeklyRequestLimit" name="TvWeeklyRequestLimit" class="form-control form-control-custom " value="@Model.TvWeeklyRequestLimit">
</label>
<div class="form-group">
<label for="TvWeeklyRequestLimit" class="control-label">TV Show Weekly Request Limit</label>
<div>
<label>
<input type="number" id="TvWeeklyRequestLimit" name="TvWeeklyRequestLimit" class="form-control form-control-custom " value="@Model.TvWeeklyRequestLimit">
</label>
</div>
</div>
</div>
<div class="form-group">
<label for="AlbumWeeklyRequestLimit" class="control-label">Album Weekly Request Limit</label>
@ -320,7 +321,7 @@
</div>
</div>
<div>
<div>
</div>
<div class="form-group">
<div>
@ -373,7 +374,7 @@
success: function(response) {
if (response) {
generateNotify("Success!", "success");
$('#apiKey').val(response);
$('#ApiKey').val(response);
}
},
error: function(e) {

Write Preview
Loading…
Cancel
Save