From 9e4dfda800995d2d4b3904f5f0a212b6e66023f3 Mon Sep 17 00:00:00 2001 From: Andrey Savihin Date: Tue, 12 Dec 2023 14:30:36 +0300 Subject: [PATCH 1/3] ASC.Web.Api: PluginsDto: the array of allowed actions is divided into separate fields --- web/ASC.Web.Api/Api/Settings/SettingsController.cs | 10 +++++++++- web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs | 9 ++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/web/ASC.Web.Api/Api/Settings/SettingsController.cs b/web/ASC.Web.Api/Api/Settings/SettingsController.cs index f2b2b4f5d0a..8dbda25d75c 100644 --- a/web/ASC.Web.Api/Api/Settings/SettingsController.cs +++ b/web/ASC.Web.Api/Api/Settings/SettingsController.cs @@ -228,7 +228,15 @@ public async Task GetSettingsAsync(bool? withpassword) settings.Plugins.Enabled = pluginsEnabled; } - settings.Plugins.Allow = _configuration.GetSection("plugins:allow").Get>() ?? new List(); + if (bool.TryParse(_configuration["plugins:allowUpload"], out var pluginsAllowUpload)) + { + settings.Plugins.AllowUpload = pluginsAllowUpload; + } + + if (bool.TryParse(_configuration["plugins:allowDelete"], out var pluginsAllowDelete)) + { + settings.Plugins.AllowDelete = pluginsAllowDelete; + } var formGallerySettings = _configurationExtension.GetSetting("files:oform"); settings.FormGallery = _mapper.Map(formGallerySettings); diff --git a/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs b/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs index 7d41287f853..e488385dfb0 100644 --- a/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs +++ b/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs 
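Review bot: The added `bool.TryParse(_configuration["plugins:allowUpload"], ...)` and `["plugins:allowDelete"]` blocks in GetSettingsAsync read the raw configuration keys, while the enforcement in WebPluginManager.DemandWebPlugins reads `_webPluginConfigSettings`, so the value reported to clients and the value actually enforced can drift apart if the two are bound differently (how WebPluginConfigSettings is populated is not visible in this diff). A missing or unparseable value such as `yes` is also skipped silently, leaving the flag at `false` with nothing in the log to explain why the UI hides the action. If the settings object can be injected into the controller, I would fill the DTO from it, e.g. `settings.Plugins.AllowUpload = webPluginConfigSettings.AllowUpload;`, and otherwise log a warning when TryParse fails on a non-empty value. GetSettingsAsync starts and ends outside this hunk.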
@@ -34,8 +34,11 @@ public class PluginsDto /// System.Boolean, System public bool Enabled { get; set; } - /// The allowed actions with the plugins ("upload", "delete", etc.) - /// System.Collections.Generic.IEnumerable{System.String}, System.Collections.Generic - public IEnumerable Allow { get; set; } + /// Specifies if the plugins can be uploaded or not + /// System.Boolean, System + public bool AllowUpload { get; set; } + /// Specifies if the plugins can be deleted or not + /// System.Boolean, System + public bool AllowDelete { get; set; } } \ No newline at end of file From 3266f2f80a7f30ea62d2aee3518b693238deefb1 Mon Sep 17 00:00:00 2001 From: Andrey Savihin Date: Tue, 12 Dec 2023 14:31:22 +0300 Subject: [PATCH 2/3] ASC.Web.Core: WebPluginSettings: the array of allowed actions is divided into separate fields --- web/ASC.Web.Core/WebPluginManager.cs | 8 ++++---- web/ASC.Web.Core/WebPluginSettings.cs | 9 ++------- 2 files changed, 6 insertions(+), 11 deletions(-) diff --git a/web/ASC.Web.Core/WebPluginManager.cs b/web/ASC.Web.Core/WebPluginManager.cs index 6ab1fa1d0a8..a97cab002e3 100644 --- a/web/ASC.Web.Core/WebPluginManager.cs +++ b/web/ASC.Web.Core/WebPluginManager.cs @@ -124,14 +124,14 @@ public WebPluginManager( _log = log; } - private void DemandWebPlugins(string action = null) + private void DemandWebPlugins(bool upload = false, bool delete = false) { if (!_webPluginConfigSettings.Enabled) { throw new SecurityException("Plugins disabled"); } - if (!string.IsNullOrWhiteSpace(action) && _webPluginConfigSettings.Allow.Any() && !_webPluginConfigSettings.Allow.Contains(action)) + if ((upload && !_webPluginConfigSettings.AllowUpload) || (delete && !_webPluginConfigSettings.AllowDelete)) { throw new SecurityException("Forbidden action"); } 
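Review bot: `DemandWebPlugins` switches from allow-by-default to deny-by-default without saying so anywhere: the removed condition rejected an action only when the `Allow` list was non-empty, whereas `(upload && !_webPluginConfigSettings.AllowUpload) || (delete && !_webPluginConfigSettings.AllowDelete)` rejects upload and delete whenever the new flags are left at their `false` default. Failing closed is the safer default for plugin upload, but installations that never configured `plugins:allow` will presumably lose both actions after upgrading, and an existing `plugins:allow` list is no longer consulted unless something outside this diff maps it. I would record the contract on the method with `// Upload and delete are denied unless explicitly enabled in configuration (default: false).`, put the same remark on the new `AllowUpload`/`AllowDelete` properties in WebPluginSettings.cs, and mention the configuration migration in the release notes. The method body continues past the end of this hunk.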
@@ -160,7 +160,7 @@ private static async Task GetPluginUrlTemplateAsync(IDataStore storage) public async Task AddWebPluginFromFileAsync(int tenantId, IFormFile file, bool system) { - DemandWebPlugins("upload"); + DemandWebPlugins(upload: true); if (system && !_coreBaseSettings.Standalone) { @@ -461,7 +461,7 @@ private async Task UpdateWebPluginAsync(int tenantId, WebPlugin webPl public async Task DeleteWebPluginAsync(int tenantId, string name) { - DemandWebPlugins("delete"); + DemandWebPlugins(delete: true); var webPlugin = await GetWebPluginByNameAsync(tenantId, name); diff --git a/web/ASC.Web.Core/WebPluginSettings.cs b/web/ASC.Web.Core/WebPluginSettings.cs index 81d7cb21e5b..698293d56db 100644 --- a/web/ASC.Web.Core/WebPluginSettings.cs +++ b/web/ASC.Web.Core/WebPluginSettings.cs @@ -36,10 +36,11 @@ public WebPluginConfigSettings(ConfigurationExtension configuration) private long _maxSize; private string _extension; - private string[] _allow; private string[] _assetExtensions; public bool Enabled { get; set; } + public bool AllowUpload { get; set; } + public bool AllowDelete { get; set; } public long MaxSize { @@ -53,12 +54,6 @@ public string Extension set => _extension = value; } - public string[] Allow - { - get => _allow ?? Array.Empty(); - set => _allow = value; - } - public string[] AssetExtensions { get => _assetExtensions ?? Array.Empty(); From 313417ee60543a3a36fcc90aa6df9fed90f8b308 Mon Sep 17 00:00:00 2001 From: Andrey Savihin Date: Tue, 12 Dec 2023 14:43:44 +0300 Subject: [PATCH 3/3] WebPlugins: abbreviation of property names --- web/ASC.Web.Api/Api/Settings/SettingsController.cs | 8 ++++---- web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs | 4 ++-- web/ASC.Web.Core/WebPluginManager.cs | 2 +- web/ASC.Web.Core/WebPluginSettings.cs | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/web/ASC.Web.Api/Api/Settings/SettingsController.cs b/web/ASC.Web.Api/Api/Settings/SettingsController.cs index 8dbda25d75c..7e4efd35cc7 100644 
--- a/web/ASC.Web.Api/Api/Settings/SettingsController.cs +++ b/web/ASC.Web.Api/Api/Settings/SettingsController.cs @@ -228,14 +228,14 @@ public async Task GetSettingsAsync(bool? withpassword) settings.Plugins.Enabled = pluginsEnabled; } - if (bool.TryParse(_configuration["plugins:allowUpload"], out var pluginsAllowUpload)) + if (bool.TryParse(_configuration["plugins:upload"], out var pluginsUpload)) { - settings.Plugins.AllowUpload = pluginsAllowUpload; + settings.Plugins.Upload = pluginsUpload; } - if (bool.TryParse(_configuration["plugins:allowDelete"], out var pluginsAllowDelete)) + if (bool.TryParse(_configuration["plugins:delete"], out var pluginsDelete)) { - settings.Plugins.AllowDelete = pluginsAllowDelete; + settings.Plugins.Delete = pluginsDelete; } var formGallerySettings = _configurationExtension.GetSetting("files:oform"); diff --git a/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs b/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs index e488385dfb0..f8d66f26461 100644 --- a/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs +++ b/web/ASC.Web.Api/ApiModels/ResponseDto/PluginsDto.cs @@ -36,9 +36,9 @@ public class PluginsDto /// Specifies if the plugins can be uploaded or not /// System.Boolean, System - public bool AllowUpload { get; set; } + public bool Upload { get; set; } /// Specifies if the plugins can be deleted or not /// System.Boolean, System - public bool AllowDelete { get; set; } + public bool Delete { get; set; } } \ No newline at end of file diff --git a/web/ASC.Web.Core/WebPluginManager.cs b/web/ASC.Web.Core/WebPluginManager.cs index a97cab002e3..6451e4c44ce 100644 --- a/web/ASC.Web.Core/WebPluginManager.cs +++ b/web/ASC.Web.Core/WebPluginManager.cs 
@@ -131,7 +131,7 @@ private void DemandWebPlugins(bool upload = false, bool delete = false) throw new SecurityException("Plugins disabled"); } - if ((upload && !_webPluginConfigSettings.AllowUpload) || (delete && !_webPluginConfigSettings.AllowDelete)) + if ((upload && !_webPluginConfigSettings.Upload) || (delete && !_webPluginConfigSettings.Delete)) { throw new SecurityException("Forbidden action"); } diff --git a/web/ASC.Web.Core/WebPluginSettings.cs b/web/ASC.Web.Core/WebPluginSettings.cs index 698293d56db..b163db830a5 100644 --- a/web/ASC.Web.Core/WebPluginSettings.cs +++ b/web/ASC.Web.Core/WebPluginSettings.cs @@ -39,8 +39,8 @@ public WebPluginConfigSettings(ConfigurationExtension configuration) private string[] _assetExtensions; public bool Enabled { get; set; } - public bool AllowUpload { get; set; } - public bool AllowDelete { get; set; } + public bool Upload { get; set; } + public bool Delete { get; set; } public long MaxSize {