From 2595f537fdd792fe7124086a6510584a02e0394a Mon Sep 17 00:00:00 2001
From: pavelbannov
Date: Fri, 2 Aug 2024 21:15:28 +0300
Subject: [PATCH] fix bug 69535

---
 .../Security/EmailValidationKeyModelHelper.cs | 2 +-
 .../Security/InvitationValidator.cs | 41 ++++++++++++-------
 .../Core/VirtualRooms/InvitationService.cs | 10 ++---
 .../Api/AuthenticationController.cs | 2 +-
 web/ASC.Web.Api/Api/PortalController.cs | 2 +-
 5 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/common/ASC.Api.Core/Security/EmailValidationKeyModelHelper.cs b/common/ASC.Api.Core/Security/EmailValidationKeyModelHelper.cs
index f6c8bf8c350..cd6c0693ab3 100644
--- a/common/ASC.Api.Core/Security/EmailValidationKeyModelHelper.cs
+++ b/common/ASC.Api.Core/Security/EmailValidationKeyModelHelper.cs
@@ -126,7 +126,7 @@ public async Task ValidateAsync(EmailValidationKeyModel inDto)
 break;
 case ConfirmType.LinkInvite:
- checkKeyResult = (await invitationValidator.ValidateAsync(key, email, emplType ?? default)).Status;
+ checkKeyResult = (await invitationValidator.ValidateAsync(key, email, emplType ?? default, uiD)).Status;
 break;
 case ConfirmType.PortalOwnerChange:
diff --git a/common/ASC.Api.Core/Security/InvitationValidator.cs b/common/ASC.Api.Core/Security/InvitationValidator.cs
index 7e50b1de1fd..124ca42226f 100644
--- a/common/ASC.Api.Core/Security/InvitationValidator.cs
+++ b/common/ASC.Api.Core/Security/InvitationValidator.cs
@@ -38,16 +38,19 @@ public class InvitationValidator(
 {
 public TimeSpan IndividualLinkExpirationInterval => emailValidationKeyProvider.ValidEmailKeyInterval;
- public string MakeIndividualLinkKey(Guid linkId)
+ public string MakeIndividualLinkKey(Guid linkId, Guid createBy)
 {
- return signature.Create(linkId);
+ return signature.Create(linkId + "." + createBy);
 }
- public async Task ValidateAsync(string key, string email, EmployeeType employeeType)
+ public async Task ValidateAsync(string key, string email, EmployeeType employeeType, Guid? userId = default)
 {
- var result = new LinkValidationResult { Status = EmailValidationKeyProvider.ValidationResult.Invalid };
+ var result = new LinkValidationResult
+ {
+ Status = EmailValidationKeyProvider.ValidationResult.Invalid
+ };
- var (commonWithRoomLinkResult, linkId) = ValidateCommonWithRoomLink(key);
+ var (commonWithRoomLinkResult, linkId) = ValidateCommonWithRoomLink(key, userId);
 if (commonWithRoomLinkResult != EmailValidationKeyProvider.ValidationResult.Invalid)
 {
@@ -58,9 +61,12 @@ public async Task ValidateAsync(string key, string email,
 return result;
 }
- var commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(ConfirmType.LinkInvite.ToStringFast() + (int)employeeType,
- key, emailValidationKeyProvider.ValidEmailKeyInterval);
-
+ var commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(ConfirmType.LinkInvite.ToStringFast() + (int)employeeType, key, emailValidationKeyProvider.ValidEmailKeyInterval);
+ if (commonLinkResult == EmailValidationKeyProvider.ValidationResult.Invalid && userId.HasValue)
+ {
+ commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(ConfirmType.LinkInvite.ToStringFast() + (int)employeeType + userId.Value, key, emailValidationKeyProvider.ValidEmailKeyInterval);
+ }
+
 if (commonLinkResult != EmailValidationKeyProvider.ValidationResult.Invalid)
 {
 result.Status = commonLinkResult;
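Review bot: `MakeIndividualLinkKey` now signs the string `linkId + "." + createBy`, but nothing in the hunk records that format, and the only place that has to reverse it, `ValidateCommonWithRoomLink`, re-derives it by splitting on '.'; a one-line comment keeps the two sides in step: `// Payload is "<linkId>.<createdBy>"; ValidateCommonWithRoomLink parses it back and checks createdBy against the uid presented with the link.` The parameter is spelled `createBy` here while the caller in InvitationService passes `createdBy` — `createdBy` on both sides reads better. On `ValidateAsync`, `Guid? userId = default` is conventionally written `= null` for a nullable. ValidateAsync's body continues outside this hunk.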
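Review bot: The user-independent key (`ConfirmType.LinkInvite.ToStringFast() + (int)employeeType`) is still tried first, so every invite link issued before this change keeps validating for the full `ValidEmailKeyInterval` regardless of `userId`; the per-user form is an additional accepted key, not a replacement. If bug 69535 concerns a link that should stop working because of something that happened to its issuer, that legacy branch leaves the old behaviour reachable until those links age out — consider accepting the unbound form only when `userId` is null, or removing it after a cutover, and in any case say why both are tried: `// Links issued before per-user keys were signed without the issuer; keep accepting them until they expire.` The bound postfix also relies on `+ userId.Value` producing the same text as `ID.ToString()` in PortalController (both appear to use the default Guid format), which deserves a comment since either side can drift silently. ValidateAsync's body starts and ends outside this hunk.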
@@ -70,8 +76,7 @@ public async Task ValidateAsync(string key, string email,
 return result;
 }
- commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.EmpInvite.ToStringFast() + (int)employeeType,
- key, emailValidationKeyProvider.ValidEmailKeyInterval);
+ commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.EmpInvite.ToStringFast() + (int)employeeType, key, emailValidationKeyProvider.ValidEmailKeyInterval);
 if (commonLinkResult != EmailValidationKeyProvider.ValidationResult.Invalid)
 {
@@ -99,8 +104,7 @@ public async Task ValidateAsync(string key, string email,
 private async Task<(EmailValidationKeyProvider.ValidationResult, UserInfo)> ValidateIndividualLinkAsync(string email, string key, EmployeeType employeeType)
 {
- var result = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.LinkInvite.ToStringFast() + employeeType.ToStringFast(),
- key, IndividualLinkExpirationInterval);
+ var result = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.LinkInvite.ToStringFast() + employeeType.ToStringFast(), key, IndividualLinkExpirationInterval);
 if (result != EmailValidationKeyProvider.ValidationResult.Ok)
 {
@@ -131,10 +135,19 @@ public async Task ValidateAsync(string key, string email,
 return (result, user);
 }
- private (EmailValidationKeyProvider.ValidationResult, Guid) ValidateCommonWithRoomLink(string key)
+ private (EmailValidationKeyProvider.ValidationResult, Guid) ValidateCommonWithRoomLink(string key,Guid? userId = null)
 {
 var linkId = signature.Read(key);
-
+ if (linkId == default && userId.HasValue)
+ {
+ var combined = signature.Read(key);
+ var split = combined.Split('.');
+ if (split.Length == 2 && Guid.TryParse(split[0], out linkId) && Guid.TryParse(split[1], out var uId) && !Equals(uId, userId.Value))
+ {
+ linkId = default;
+ }
+ }
+
 return linkId == default ? (EmailValidationKeyProvider.ValidationResult.Invalid, default) : (EmailValidationKeyProvider.ValidationResult.Ok, linkId);
 }
diff --git a/products/ASC.Files/Core/Core/VirtualRooms/InvitationService.cs b/products/ASC.Files/Core/Core/VirtualRooms/InvitationService.cs
index 619e99d43c4..bf6eb97ee13 100644
--- a/products/ASC.Files/Core/Core/VirtualRooms/InvitationService.cs
+++ b/products/ASC.Files/Core/Core/VirtualRooms/InvitationService.cs
@@ -47,7 +47,7 @@ public class InvitationService(
 {
 public string GetInvitationLink(Guid linkId, Guid createdBy)
 {
- var key = invitationValidator.MakeIndividualLinkKey(linkId);
+ var key = invitationValidator.MakeIndividualLinkKey(linkId, createdBy);
 return commonLinkUtility.GetConfirmationUrl(key, ConfirmType.LinkInvite, createdBy);
 }
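Review bot: The acceptance test in the new `if` is written as a rejection, and that inverts the safe default: `linkId` is reset to `default` only when both halves parse *and* the creator differs, so a signed payload of the form `<guid>.<not-a-guid>` makes `Guid.TryParse(split[1], ...)` fail, the condition short-circuits to false, and `linkId` keeps the value `Guid.TryParse(split[0], out linkId)` already stored — the method then returns Ok without any creator check. The payload is signed, so this needs a validly signed but malformed key, but a security check should still only succeed on the positive path: parse into locals and assign `linkId` when both parts parse and the creator equals `userId`. `combined.Split('.')` also dereferences the second `signature.Read` result with no null check; if that overload returns null for a key that does not verify (the two reads look like different generic instantiations — type arguments appear stripped in this diff), the method throws instead of returning Invalid. `Equals(uId, userId.Value)` boxes both Guids where `==` is the idiom. The rewrite below keeps the signature and the legacy single-Guid path unchanged.
```csharp
private (EmailValidationKeyProvider.ValidationResult, Guid) ValidateCommonWithRoomLink(string key, Guid? userId = null)
{
    // Legacy keys sign the bare linkId; newer ones sign "<linkId>.<createdBy>" (see MakeIndividualLinkKey).
    var linkId = signature.Read(key);
    if (linkId == default && userId.HasValue)
    {
        var combined = signature.Read(key);
        var split = combined?.Split('.');

        // Only the positive path assigns linkId: both halves must parse and the embedded
        // creator must equal the uid presented with the link; anything else stays Invalid.
        if (split is { Length: 2 }
            && Guid.TryParse(split[0], out var parsedLinkId)
            && Guid.TryParse(split[1], out var createdBy)
            && createdBy == userId.Value)
        {
            linkId = parsedLinkId;
        }
    }

    // … unchanged: return Invalid/Ok tuple …
}
```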
@@ -58,14 +58,14 @@ public async Task GetInvitationLinkAsync(string email, FileShare share,
 return link;
 }
- public async Task ConfirmAsync(string key, string email, EmployeeType employeeType, string roomId = null)
+ public async Task ConfirmAsync(string key, string email, EmployeeType employeeType, string roomId = null, Guid? userId = default)
 {
 if (!await iPSecurity.VerifyAsync())
 {
 throw new SecurityException();
 }
- var data = await GetLinkDataAsync(key, email, employeeType);
+ var data = await GetLinkDataAsync(key, email, employeeType, userId);
 var validation = new Validation { Result = data.Result };
 if (data.Result is EmailValidationKeyProvider.ValidationResult.Invalid or EmailValidationKeyProvider.ValidationResult.Expired)
@@ -207,9 +207,9 @@ public async Task GetInvitationDataAsync(string key, string
 return data;
 }
- private async Task GetLinkDataAsync(string key, string email, EmployeeType employeeType = EmployeeType.All)
+ private async Task GetLinkDataAsync(string key, string email, EmployeeType employeeType = EmployeeType.All, Guid? userId = default)
 {
- var result = await invitationValidator.ValidateAsync(key, email, employeeType);
+ var result = await invitationValidator.ValidateAsync(key, email, employeeType, userId);
 var data = new InvitationLinkData
 {
 Result = result.Status,
diff --git a/web/ASC.Web.Api/Api/AuthenticationController.cs b/web/ASC.Web.Api/Api/AuthenticationController.cs
index 0f86533628b..348be7f6eab 100644
--- a/web/ASC.Web.Api/Api/AuthenticationController.cs
+++ b/web/ASC.Web.Api/Api/AuthenticationController.cs
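Review bot: `ConfirmAsync` is public and gains a `Guid? userId = default` parameter whose meaning is stated nowhere in the hunk; from the call chain it appears to be the `uid` carried in the confirmation URL (the account that issued the link), not the account performing the confirmation, and a caller who passes the wrong one will simply get Invalid back. Suggest an XML doc on the parameter, roughly `/// <param name="userId">Issuer id carried as uid in the invitation link; presumably matched against the id embedded in the signed key, null for links without one.</param>`, and `= null` rather than `= default` for a nullable. The method's body continues outside this hunk.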
@@ -350,7 +350,7 @@ public async Task CheckConfirm(EmailValidationKeyModel inDto)
 return new ConfirmDto { Result = await emailValidationKeyModelHelper.ValidateAsync(inDto)};
 }
- var result = await invitationService.ConfirmAsync(inDto.Key, inDto.Email, inDto.EmplType ?? default, inDto.RoomId);
+ var result = await invitationService.ConfirmAsync(inDto.Key, inDto.Email, inDto.EmplType ?? default, inDto.RoomId, inDto.UiD);
 return mapper.Map(result);
 }
diff --git a/web/ASC.Web.Api/Api/PortalController.cs b/web/ASC.Web.Api/Api/PortalController.cs
index 8c99f76371a..4277f76c324 100644
--- a/web/ASC.Web.Api/Api/PortalController.cs
+++ b/web/ASC.Web.Api/Api/PortalController.cs
@@ -129,7 +129,7 @@ public async Task GeInviteLinkAsync(EmployeeType employeeType)
 return string.Empty;
 }
- var link = await commonLinkUtility.GetConfirmationEmailUrlAsync(string.Empty, ConfirmType.LinkInvite, (int)employeeType, authContext.CurrentAccount.ID)
+ var link = await commonLinkUtility.GetConfirmationEmailUrlAsync(string.Empty, ConfirmType.LinkInvite, (int)employeeType + authContext.CurrentAccount.ID.ToString(), authContext.CurrentAccount.ID)
 + $"&emplType={employeeType:d}";
 return await urlShortener.GetShortenLinkAsync(link);
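Review bot: `inDto.UiD` is taken straight from the request body, so the value the validator binds the key to is chosen by whoever submits the form; that is acceptable only because the per-user key must itself verify under that id, which makes a wrong uid fail rather than escalate, but nothing here says so. A comment at the call keeps the next reader from treating it as trusted: `// UiD is client-supplied; it only selects which per-user key the validator checks, the key itself must verify under it.` CheckConfirm starts outside this hunk.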
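Review bot: The per-user postfix is assembled by hand here as `(int)employeeType + authContext.CurrentAccount.ID.ToString()` and rebuilt independently in `InvitationValidator.ValidateAsync` as `(int)employeeType + userId.Value`; the two agree today only because `Guid.ToString()` and string concatenation with a `Guid` both emit the default format. A single helper used by both sides, e.g. `InvitationValidator.MakeCommonLinkPostfix(EmployeeType employeeType, Guid issuer)`, would make the coupling explicit and keep a later format change on one side from silently invalidating every live link. A comment is also warranted on what the id buys: including it means each inviting account now produces a distinct link, and the `uid` carried in the URL is what tells the validator which key to check. GeInviteLinkAsync starts outside this hunk.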