Various fixes including hardening repository (3.2.0.3)

Author: rxtur

BlogEngine/BlogEngine.Core/Data/BlogRepository.cs

@@ -22,17 +22,17 @@ public class BlogRepository : IBlogRepository
         /// <param name="filter">Filter expression</param>
         /// <param name="order">Order expression</param>
         /// <returns>List of blogs</returns>
-        public IEnumerable<BlogEngine.Core.Data.Models.Blog> Find(int take = 10, int skip = 0, string filter = "", string order = "")
+        public IEnumerable<Models.Blog> Find(int take = 10, int skip = 0, string filter = "", string order = "")
         {
             // sub-blogs not allowed to see other blogs
             if (!(Blog.CurrentInstance.IsPrimary && Security.IsAdministrator))
-                throw new System.UnauthorizedAccessException();
+                throw new UnauthorizedAccessException();
 
             if (take == 0) take = Blog.Blogs.Count;
             if (string.IsNullOrEmpty(filter)) filter = "1==1";
             if (string.IsNullOrEmpty(order)) order = "Name";
 
-            var items = new List<BlogEngine.Core.Data.Models.Blog>();
+            var items = new List<Models.Blog>();
             var query = Blog.Blogs.AsQueryable().Where(filter);
 
             foreach (var item in query.OrderBy(order).Skip(skip).Take(take))
@@ -46,11 +46,11 @@ public class BlogRepository : IBlogRepository
         /// </summary>
         /// <param name="id">Id</param>
         /// <returns>Blog</returns>
-        public BlogEngine.Core.Data.Models.Blog FindById(Guid id)
+        public Models.Blog FindById(Guid id)
         {
             // sub-blogs not allowed to see other blogs
             if (!(Blog.CurrentInstance.IsPrimary && Security.IsAdministrator))
-                throw new System.UnauthorizedAccessException();
+                throw new UnauthorizedAccessException();
 
             var blog = Blog.Blogs.Where(b => b.Id == id).FirstOrDefault();
             return ToJson(blog);
@@ -61,12 +61,12 @@ public BlogEngine.Core.Data.Models.Blog FindById(Guid id)
         /// </summary>
         /// <param name="item">Blog item</param>
         /// <returns>Saved blog with new ID</returns>
-        public BlogEngine.Core.Data.Models.Blog Add(BlogItem item)
+        public Models.Blog Add(BlogItem item)
         {
             // has to be on primary blog and be an admin
             // or blog allows create new on self registration
             if (!(Blog.CurrentInstance.IsPrimary && (Security.IsAdministrator || BlogSettings.Instance.CreateBlogOnSelfRegistration)))
-                throw new System.UnauthorizedAccessException();
+                throw new UnauthorizedAccessException();
 
             string message;
             if (!BlogGenerator.ValidateProperties(item.Name, item.UserName, item.Email, out message))
@@ -85,11 +85,11 @@ public BlogEngine.Core.Data.Models.Blog Add(BlogItem item)
         /// </summary>
         /// <param name="blog">Blog to update</param>
         /// <returns>True on success</returns>
-        public bool Update(BlogEngine.Core.Data.Models.Blog blog)
+        public bool Update(Models.Blog blog)
         {
             // sub-blogs not allowed to see other blogs
             if (!(Blog.CurrentInstance.IsPrimary && Security.IsAdministrator))
-                throw new System.UnauthorizedAccessException();
+                throw new UnauthorizedAccessException();
             try
             {
                 var coreBlog = Blog.Blogs.Where(b => b.Id == blog.Id).FirstOrDefault();
@@ -110,7 +110,7 @@ public bool Remove(Guid id)
         {
             // sub-blogs not allowed to see other blogs
             if (!(Blog.CurrentInstance.IsPrimary && Security.IsAdministrator))
-                throw new System.UnauthorizedAccessException();
+                throw new UnauthorizedAccessException();
             try
             {
                 var blog = Blog.Blogs.Where(b => b.Id == id).FirstOrDefault();

BlogEngine/BlogEngine.Core/Data/CategoryRepository.cs

@@ -22,12 +22,12 @@ public class CategoryRepository : ICategoryRepository
         /// <returns>List of items</returns>
         public IEnumerable<CategoryItem> Find(int take = 10, int skip = 0, string filter = "", string order = "")
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.ViewPublicPosts))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.ViewPublicPosts))
+                throw new UnauthorizedAccessException();
 
             // get post categories with counts
             var items = new List<CategoryItem>();
-            foreach (var p in BlogEngine.Core.Post.ApplicablePosts)
+            foreach (var p in Post.ApplicablePosts)
             {
                 foreach (var c in p.Categories)
                 {
@@ -66,20 +66,20 @@ public IEnumerable<CategoryItem> Find(int take = 10, int skip = 0, string filter
         /// </summary>
         /// <param name="id">Item id</param>
         /// <returns>Object</returns>
-        public Data.Models.CategoryItem FindById(Guid id)
+        public CategoryItem FindById(Guid id)
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.ViewPublicPosts))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.ViewPublicPosts))
+                throw new UnauthorizedAccessException();
 
             // get post categories
-            var items = new List<Data.Models.CategoryItem>();
-            foreach (var p in BlogEngine.Core.Post.ApplicablePosts)
+            var items = new List<CategoryItem>();
+            foreach (var p in Post.ApplicablePosts)
             {
                 foreach (var c in p.Categories)
                 {
                     var tmp = items.FirstOrDefault(cat => cat.Id == c.Id);
                     if (tmp == null)
-                        items.Add(new Data.Models.CategoryItem { Id = c.Id, Parent = OptionById(c.Parent), Title = c.Title, Description = c.Description, Count = 1 });
+                        items.Add(new CategoryItem { Id = c.Id, Parent = OptionById(c.Parent), Title = c.Title, Description = c.Description, Count = 1 });
                     else
                         tmp.Count++;
                 }
@@ -89,7 +89,7 @@ public Data.Models.CategoryItem FindById(Guid id)
             {
                 var x = items.Where(i => i.Id == c.Id).FirstOrDefault();
                 if (x == null)
-                    items.Add(new Data.Models.CategoryItem { Id = c.Id, Parent = OptionById(c.Parent), Title = c.Title, Description = c.Description, Count = 0 });
+                    items.Add(new CategoryItem { Id = c.Id, Parent = OptionById(c.Parent), Title = c.Title, Description = c.Description, Count = 0 });
             }
             return items.Where(c => c.Id == id).FirstOrDefault();
         }
@@ -98,10 +98,10 @@ public Data.Models.CategoryItem FindById(Guid id)
         /// </summary>
         /// <param name="item">Post</param>
         /// <returns>Saved item with new ID</returns>
-        public Data.Models.CategoryItem Add(CategoryItem item)
+        public CategoryItem Add(CategoryItem item)
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.CreateNewPosts))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.CreateNewPosts))
+                throw new UnauthorizedAccessException();
 
             var cat = (from c in Category.Categories.ToList() where c.Title == item.Title select c).FirstOrDefault();
             if (cat != null)
@@ -126,8 +126,8 @@ public Data.Models.CategoryItem Add(CategoryItem item)
         /// <returns>True on success</returns>
         public bool Update(CategoryItem item)
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.EditOwnPosts))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.EditOwnPosts))
+                throw new UnauthorizedAccessException();
 
             var cat = (from c in Category.Categories.ToList() where c.Title == item.Title && c.Id != item.Id select c).FirstOrDefault();
             if (cat != null)
@@ -149,8 +149,8 @@ public bool Update(CategoryItem item)
         /// <returns>True on success</returns>
         public bool Remove(Guid id)
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.DeleteOwnPosts))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.DeleteOwnPosts))
+                throw new UnauthorizedAccessException();
             try
             {
                 var core = (from c in Category.Categories.ToList() where c.Id == id select c).FirstOrDefault();

BlogEngine/BlogEngine.Core/Data/CommentFilterRepository.cs

@@ -31,8 +31,8 @@ public class CommentFilterRepository : ICommentFilterRepository
         /// <returns>List of comment filters</returns>
         public IEnumerable<CommentFilterItem> Find(int take = 10, int skip = 0, string filter = "", string order = "")
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
 
             var filterList = new List<CommentFilterItem>();
             try
@@ -89,8 +89,8 @@ public CommentFilterItem FindById(Guid id)
         /// <returns>New item</returns>
         public CommentFilterItem Add(CommentFilterItem item)
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
 
             try
             {
@@ -107,7 +107,7 @@ public CommentFilterItem Add(CommentFilterItem item)
                         Filters.Parameters[4].Values[i] == item.Filter;
                     if (exists)
                     {
-                        throw new System.ApplicationException("Item already exists");
+                        throw new ApplicationException("Item already exists");
                     }
                 }
 
@@ -153,6 +153,9 @@ public bool Update(CommentFilterItem item)
         /// <returns>True on success</returns>
         public bool RemoveAll()
         {
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
+
             try
             {
                 for (int i = 0; i < Filters.Parameters.Count; i++)
@@ -181,6 +184,9 @@ public bool RemoveAll()
         /// <returns>True on success</returns>
         public bool Remove(Guid id)
         {
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
+
             int idx = 0;
             foreach (ExtensionParameter par in Filters.Parameters)
             {

BlogEngine/BlogEngine.Core/Data/CustomFilterRepository.cs

@@ -23,8 +23,8 @@ public class CustomFilterRepository : ICustomFilterRepository
         /// <returns>List of filters</returns>
         public IEnumerable<CustomFilter> GetCustomFilters()
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
 
             var filterList = new List<CustomFilter>();
             try
@@ -63,8 +63,8 @@ public IEnumerable<CustomFilter> GetCustomFilters()
         /// <returns>Json response</returns>
         public JsonResponse ResetCounters(string filterName)
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
             try
             {
                 if (!string.IsNullOrEmpty(filterName))

BlogEngine/BlogEngine.Core/Data/DashboardRepository.cs

@@ -14,6 +14,9 @@ public class DashboardRepository : IDashboardRepository
         /// <returns>Dashboard view model</returns>
         public DashboardVM Get()
         {
+            if (!Security.IsAuthorizedTo(Rights.ViewDashboard))
+                throw new System.UnauthorizedAccessException();
+
             return new DashboardVM();
         }
     }

BlogEngine/BlogEngine.Core/Data/FileManagerRepository.cs

@@ -16,6 +16,9 @@ public class FileManagerRepository : IFileManagerRepository
 
         public IEnumerable<FileInstance> Find(int take = 10, int skip = 0, string path = "", string order = "")
         {
+            if (!Security.IsAuthorizedTo(Rights.EditOwnPosts))
+                throw new UnauthorizedAccessException();
+
             var list = new List<FileInstance>();
             var rwr = Utils.RelativeWebRoot;
             var responsePath = "root";

BlogEngine/BlogEngine.Core/Data/LookupsRepository.cs

@@ -24,8 +24,8 @@ public class LookupsRepository : ILookupsRepository
         /// <returns>List of cultures</returns>
         public Lookups GetLookups()
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
 
             LoadCultures();
 
@@ -178,6 +178,9 @@ void LoadEditorOptions()
         /// <param name="options">Options</param>
         public void SaveEditorOptions(EditorOptions options)
         {
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+                throw new UnauthorizedAccessException();
+
             var bs = BlogSettings.Instance;
             if (options.OptionType == "Post")
             {

BlogEngine/BlogEngine.Core/Data/SettingsRepository.cs

@@ -15,6 +15,9 @@ public class SettingsRepository : ISettingsRepository
         /// <returns>Settings object</returns>
         public SettingsVM Get()
         {
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminSettingsPages))
+                throw new System.UnauthorizedAccessException();
+
             var vm = new SettingsVM();
 
             vm.Settings = GetSettings();
@@ -29,7 +32,7 @@ public SettingsVM Get()
         /// <returns>True on success</returns>
         public bool Update(Settings ns)
         {
-            if (!Security.IsAuthorizedTo(BlogEngine.Core.Rights.AccessAdminSettingsPages))
+            if (!Security.IsAuthorizedTo(Rights.AccessAdminSettingsPages))
                 throw new System.UnauthorizedAccessException();
 
             var bs = BlogSettings.Instance;

BlogEngine/BlogEngine.Core/Data/TrashRepository.cs

@@ -23,7 +23,7 @@ public class TrashRepository : ITrashRepository
         /// <returns></returns>
         public TrashVM GetTrash(TrashType trashType, int take = 10, int skip = 0, string filter = "1 == 1", string order = "DateCreated descending")
         {
-            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+            if (!Security.IsAuthorizedTo(Rights.ViewDashboard))
                 throw new UnauthorizedAccessException();
 
             var trash = new TrashVM();
@@ -135,8 +135,8 @@ public TrashVM GetTrash(TrashType trashType, int take = 10, int skip = 0, string
         /// <param name="id">Id</param>
         public bool Restore(string trashType, Guid id)
         {
-            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.ViewDashboard))
+                throw new UnauthorizedAccessException();
 
             switch (trashType)
             {
@@ -172,8 +172,8 @@ public bool Restore(string trashType, Guid id)
         /// <param name="id">Id</param>
         public bool Purge(string trashType, Guid id)
         {
-            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.ViewDashboard))
+                throw new UnauthorizedAccessException();
 
             switch (trashType)
             {
@@ -207,8 +207,8 @@ public bool Purge(string trashType, Guid id)
         /// </summary>
         public bool PurgeAll()
         {
-            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
-                throw new System.UnauthorizedAccessException();
+            if (!Security.IsAuthorizedTo(Rights.ViewDashboard))
+                throw new UnauthorizedAccessException();
 
             // remove deleted comments
             foreach (var p in Post.Posts.ToArray())
@@ -248,7 +248,7 @@ public bool PurgeAll()
         /// <returns></returns>
         public JsonResponse PurgeLogfile()
         {
-            if (!Security.IsAuthorizedTo(Rights.AccessAdminPages))
+            if (!Security.IsAuthorizedTo(Rights.ViewDashboard))
                 throw new UnauthorizedAccessException();
 
             string fileLocation = System.Web.Hosting.HostingEnvironment.MapPath(System.IO.Path.Combine(BlogConfig.StorageLocation, "logger.txt"));