I have this small app that loads plugin type components that other users can freely upload to the server. But I don't want the users to be able to access other users files. I need to set the access of each plugin component to a restricted access.
I tried to set the access inside the plugin classes base class but even then the loaded plugin classes seem to have full file access.
I can't set the permission with a attribute because the path changes depending on who loads the page.
Here is a code snippest:
public abstract class PluginBase<T>
{
public PluginBase
{
PermissionSet ps = new PermissionSet(System.Security.Permissions.PermissionState.None);
ps.AddPermission(new System.Security.Permissions.FileIOPermission(System.Security.Permissions.FileIOPermissionAccess.PathDiscovery | System.Security.Permissions.FileIOPermissionAccess.Read, HttpContext.Current.Server.MapPath("/app_data/www_somesite_com")));
ps.PermitOnly();
}
}
public class SomePlugin : PluginBase<SomePlugin>
{
public SomePlugin
{
File.WriteAllText("c:\test.txt", "This should not be possible, but it is.. why?");
}
}
Many thanks in advance!
The solution is actually quite simple, as you can implement your own attribute (which allows you to resolve the allowed path programmatically instead of having to use a constant for the decorator attribute).
using System.Security;
using System.Security.Permissions;
public sealed class CustomFileIOPermission : CodeAccessSecurityAttribute
{
public CustomFileIOPermission(SecurityAction action)
: base(action)
{
}
public override IPermission CreatePermission()
{
// You can use your `HttpContext` or similar at this point to resolve the path
string allowedPath = #"D:\test";
return new FileIOPermission(FileIOPermissionAccess.Write, allowedPath);
}
}
The class above will enable use of [CustomFileIOPermission(SecurityAction.PermitOnly)] and will effectively protect files elsewhere.
Related
Can anybody help me with explaining this error message please:
system.componentmodel.composition.changerejectedexception
The composition remains unchanged. The changes were rejected because of the following error(s): The composition produced a single composition error.
The root cause is provided below. Review the CompositionException.Errors property for more detailed information.
1) No exports were found that match the constraint:
ContractName Itok.BusinessLogic.Interfaces.IFolderService
RequiredTypeIdentity Itok.BusinessLogic.Interfaces.IFolderService
Resulting in: Cannot set import 'Itok.Web.Photos.Presenters.DefaultPresenter._folderService (ContractName="Itok.BusinessLogic.Interfaces.IFolderService")' on part 'Itok.Web.Photos.Presenters.DefaultPresenter'.
Element: Itok.Web.Photos.Presenters.DefaultPresenter._folderService (ContractName="Itok.BusinessLogic.Interfaces.IFolderService") --> Itok.Web.Photos.Presenters.DefaultPresenter
Here is the IFolderService.cs:
using System;
using System.Collections.Generic;
using Itok.Entities;
namespace Itok.BusinessLogic.Interfaces
{
public interface IFolderService
{
List<Folder> GetFriendsFolders(Int32 AccountID);
void DeleteFolder(Folder folder);
List<Folder> GetFoldersByAccountID(Int32 AccountID);
Folder GetFolderByID(Int64 FolderID);
Int64 SaveFolder(Folder folder);
}
}
And this is the exporting class definition, FolderService.cs:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using Itok.BusinessLogic.Interfaces;
using System.ComponentModel.Composition;
using Itok.DataAccess.Interfaces;
using Itok.Common;
using Itok.DataAccess;
using Itok.Interfaces;
using Itok.Entities;
namespace Itok.BusinessLogic
{
[Export(typeof(IFolderService))]
[Export(typeof(ICache))]
public class FolderService : IFolderService
{
[Import]
private IFriendRepository _friendRepository;
[Import]
private IFolderRepository _folderRepository;
[Import]
private ICache _cacheService;
public FolderService()
{
MEFManager.Compose(this);
}
public List<Folder> GetFriendsFolders(Int32 AccountID)
{
List<Friend> friends = _friendRepository.GetFriendsByAccountID(AccountID);
List<Folder> folders = _folderRepository.GetFriendsFolders(friends);
folders.OrderBy(f => f.CreateDate).Reverse();
return folders;
}
public void DeleteFolder(Folder folder)
{
if (_cacheService.Exists(folder.AccountID.ToString()))
{
_cacheService.Delete(folder.AccountID.ToString());
}
_folderRepository.DeleteFolder(folder);
}
public List<Folder> GetFoldersByAccountID(int AccountID)
{
List<Folder> cachedFolders = _cacheService.Get(AccountID.ToString()) as List<Folder>;
if (cachedFolders != null)
{
return cachedFolders;
}
else
{
cachedFolders = _folderRepository.GetFoldersByAccountID(AccountID);
_cacheService.Set(AccountID.ToString(), cachedFolders);
return cachedFolders;
}
}
public Folder GetFolderByID(Int64 FolderID)
{
return _folderRepository.GetFolderByID(FolderID);
}
public Int64 SaveFolder(Folder folder)
{
return _folderRepository.SaveFolder(folder);
}
}
}
I thank you prior to any help for saving my time.
The error message means that MEF is looking for a class that is exported with the interface IFolderService but there isn't one in the container.
To investigate this, firstly check that there is a class that exports that interface and if there is, then look into whether that class being picked up by the container or not and thirdly, if neither of those resolve the issue, look into whether the class that is exported with the interface IFolderService has some other imports that can't be satisfied.
Finally, I found the Solution for the problem. It has got has nothing to do directly with IFolderService that MEF was pointing to. The App has dependencies on a component (FolderService) in the business logic, which in turn is dependent upon an interface ICache, and an implementation wrapper, Cache.cs. ICache, specified by a contract name Itok.Interfaces.ICache, had been exported FOUR times (on just one Import). This was left unnoticed while I was trying to scale the solution. MEF couldn't tell which Export to use. The real problem is that MEF was pointing to a class two levels upper the chain!
Thanks TomDoesCode for looking at the problem, and I hope this will help others who'll get a similar problem.
A long term solution for this problem would be if you have many Exports that will satisfy an Import, you'll probably have two options:
I) Change the [Import] with [ImportMany]. Then during runtime, decide which import to use for the contract. Ask yourself if just picking up the first available, or using one at a time in random.
II) Use [ImportMany] in conjunction with Metadata in order to decide which Import to use.
I'm adding a custom control dynamically in master page code-behind:
try
{
// Add custom sidenav menu control dynamically
SideNavMenu sidenav = new SideNavMenu();
tempPath = Request.RawUrl.ToLower();
path = tempPath.Contains(#"/sitename") ? tempPath.Substring(7) : tempPath;
sidenav.MenuPath = path;
menuPlaceHolder.Controls.Add(sidenav);
}
catch
{
// Handle this - custom error form and email
// Master page needs access to base page LogError method
}
This is the base page with ErrorLog() method, which actually generates an email:
public partial class BasePage : System.Web.UI.Page
{
public void LogError(Exception error)
{
...
smtpClient.Send(message);
}
}
How can I call ErrorLog from master page code-behind? Or is there a better place to put the "common" ErrorLog method? Can someone suggest correct syntax or a better approach?
Place the LogError function in a class in your App_Code folder and probably make it a static function. If it's reusable through multiple projects, then place it in a seperate class library. Your BasePage class has no business implementing the details of logging errors and sending emails. Remember Separation of Concerns (SoC).
In fact, a library already exists to do this for you, called Elmah.
I highly recommend NLog for your purposes. It allows for configurable logging, including via SMTP. Your code would look like:
using Nlog;
public partial class BasePage : System.Web.UI.Page
{
private static Logger bpLogger = LogManager.GetCurrentClassLogger();
public void LogError(Exception error)
{
bpLogger.LogException(
LogLevel.Error,
"ruh roh",
error
);
...
//smtpClient.Send(message);
}
}
Because NLog is pretty efficient, you can instantiate a private static Logger object per page you are logging on. Additionally, the logger will automatically record which class it came from, and various configuration options allow you to change where it logs, how it logs and when it logs without changing any other code.
Here is a link to the configuration for sending errors via SMTP, for example:
https://github.com/nlog/NLog/wiki/Mail-target
It's a mature project that has been around for a very long time and can grow with your project as your logging needs grow.
I created a website and would like to have a class to centralize all the code that I use frequently in the entire project, for instance, a method to connect to the database. Question: after I create this class, on the App_Code folder, how can I use it in the aspx.cs pages? I mean, should a reference it? Should I inform add a namespace?
Thanks!
Create the class file as public and you will be able to access the class file at any part of your project.
namespace applicationName
{
public class DataManager
{
public static DataTable GetData(StringBuilder sql)
{
}
}
}
you can access the DataManager from your code.
DataManager.GetData(SQL);
Yes, put your class in a namespace and consider making the class static if possible, that way it can be used in code throughout your project without instantiating the class. This is common for utility classes that pass in objects and do work with them, but do not need the actual utility method to be part of a class instance.
For example:
namespace My.Utilities
{
public class static ConnectionStringHelper
{
public static string GetConnectionString()
{
// Logic here to actually get connection string
return yourConnectionString;
}
}
}
Now, code in your project just needs to reference the My.Utilities namespace and then can use the GetConnectionString() method, like this:
using My.Utilities;
string connString = ConnectionStringHelper.GetConnectionString();
You can do it a number of ways. Technically you can drop the namespace completely and your code becomes a free for all (accessible from anywhere naturally). I prefer to use namespaces personally, but I have seem people just avoid them.
If your class Foo is in Some.Namespace, you can reference it as such:
Way one:
Some.Namespace.Foo foo = new Some.Namespace.Foo()
Way two: Use the "Use" command
If your class is inside of Some.Namespace and you don't want all the junk preceding your class name, you can add:
using Some.Namespace;
to the top of your file.
I may be miss understanding what you are saying. If you are talking about setup, you can make a centralized class that manages everything. This class can be a singliton. For instance:
class MyClass
{
public static MyClas Singliton;
static MyClass()
{
Singliton = new MyClass();
}
public void someFunction()
{
}
}
This will create and manage a single reference to your class so that everything is managed out of there (hence being called a "singleton"). As a result, you can access it by:
MyClass.Singliton.someFunction();
There are ways to protect your singliton instance from being overwritten, but this is the basic idea. If you want to manage stuff out of a single location without recreating classes, singletons are the way!
http://msdn.microsoft.com/en-us/library/ff650316.aspx
If the class is wrapped in a namespace, then yes, you'll need a using statement that matches your namespace. For instance, if your class is wrapped in a namespace like so:
namespace My.Namespace
{
public class Foo
{
//Methods, properties, etc.
}
}
then anywhere you want to use that class you'll need to add
using My.Namespace;
to the top of the files where you want to utilize the class(es) you've defined. Then you can use your class as you would expect:
Foo foo = new Foo(); //for a new instance
Foo.Bar(); //for a static method
This is, of course, assuming that the class is in the same assembly and you don't want to mess with adding it to the GAC.
Alternatively, if for some reason you don't to use a using statement you can use the fully qualified name of the class:
My.Namespace.Foo foo = new My.Namespace.Foo(); //for a new instance
My.Namespace.Foo.Bar(); //for a static method
This is most useful if you have namespaces that conflict, for instance if you had
namespace My.Namespace
{
public class Foo
{
//Methods, properties, etc.
}
}
somewhere, and
namespace MyOther.Namespace
{
public class Foo
{
//Methods, properties, etc.
}
}
somewhere else, but needed to use them both in the same scope.
I am using VS2008 and have a solution file which contains 1 Website and 1 Class Library Project.
The Class Library is a Custom Control which derives from Label. The Website contains a reference to the control - it builds successfully and the compiled .dll gets added to the Website's /bin folder. I can then use it in any of the website's .aspx pages without error.
What I cannot do, however, is reference any of the Website's data access methods that are in static classes in /App_Code from within the custom control.
I don't want to repeat the website data access logic all over again within the custom control when I know it will already exist in the website - I just want to be able to call a method from a class in /App_Code . If I try and reference anything in /App_Code from within the Class Library, it fails to build and says it can't find the Namespace or that it doesn't exist in the current context.
How can I achieve this so that the Custom Control builds as a standalone control, but can make use of classes in the website it gets used in? Delegates, possibly? Was hoping it might be more straightforward than that.
EDIT: I should add that the reason the control is in a separate Class Library is so that I can include JavaScript as an embedded resource within the Control. So when it's used in a .aspx page, it adds a WebResource.axd? style link to the page instead of a load of plaintext JavaScript in the <head> section.
EDIT 2:
In the website App_Code folder, I have a static class that handles data access (snippet):
[DataObject]
public static class DBAccess
{
[DataObjectMethod(DataObjectMethodType.Select)]
public static DataTable GetSomeData(Int32 SomeParam, DateTime OtherParam)
{
SqlConnection cn = SqlLibrary.GetConnection(DBConnectionString);
DataTable _dt;
SqlLibrary.SProcFill(out _dt, cn, "usp_SomeData_Select", SomeParam, OtherParam);
return _dt;
}
}
In the Class Library's custom control (which I want to build independently of the website's existence, yet be capable of calling its methods when used as a control in an .aspx page):
namespace MyCustomControls
{
public class StatusControl : Label
{
private Int32 _someProperty = -1;
private DateTime _otherProperty = DateTime.Now;
public StatusControl()
{
//some constructor logic
}
public void FetchData()
{
//what I'd **like** to do here is:
DBAccess.GetSomeData(_someProperty, _otherProperty);
//...but DBAccess isn't "visible" to this control at build time
}
}
}
I have the following code:
Unity Container:
Settings settings = CreateSettings();
container.RegisterInstance(settings)
.RegisterType<MyHttpHandler>(new InjectionProperty[]
{
// How do I tell Unity to inject my settings created above?
new InjectionProperty("Settings", new ResolvedParameter(????))
});
MyHttpHandler:
public class MyHttpHandler: IHttpHandler
{
public MyHttpHandler()
{
IoC.Inject(this);
}
public Settings Settings
{
get;
set;
}
}
How do I tell Unity to inject the settings? This works just fine with interfaces but not sure how to proceed here.
Any help is appreciated.
It just goes off the type. You've registered an instance for the Settings class, so you just need to tell it to inject that type:
container.RegisterInstance(settings)
.RegisterType<MyHttpHandler>(
new InjectionProperty("Settings", new ResolvedParameter<Settings>());
(Note that you don't need the extra array, RegisterType takes a variable parameter list.)
Since this is a common requirement, there are shorthands you can use. First off, if you're resolving a dependency and you just need the default (non-named) registration, you don't need to use ResovledParameter, you can just pass the type object:
container.RegisterType(settings)
.RegisterType<MyHttpHandler>(
new InjectionProperty("Settings", typeof(Settings));
But, we can also go simpler than that. If you're using the default for a property based on the type, you don't need to pass the value at all - the container will simply use the type of the property. So you can just say:
container.RegisterType(settings)
.RegisterType<MyHttpHandler>(
new InjectionProperty("Settings"));
and the container will figure it out.