From 80672a555f88c0eece9649be5584a32f6002966d Mon Sep 17 00:00:00 2001
From: robvde
Date: Wed, 11 Jul 2012 20:28:33 +0400
Subject: [PATCH] This change allows you to specify which role is allowed to login to the panel Add the element ExcludedRolesToLogin tp the SiteSettings.config and specify comma separate which roles are not allowed to login to the panel. e.g.: Administrator,Reseller By doing this you can eliminate the attack surface by publishing the portal twice. One for the organization administrators and an internal one for the adminsitrators and reseller admins
---
 .../Common/BusinessErrorCodes.cs | 1 +
 .../WebsitePanel_SharedResources.ascx.resx | 7 +++++
 .../Code/PortalUtils.cs | 31 ++++++++++++++++---
 .../WebsitePanel.WebPortal.csproj | 8 +++--
 4 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Base/Common/BusinessErrorCodes.cs b/WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Base/Common/BusinessErrorCodes.cs
index 703eae8a..59af6fe0 100644
--- a/WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Base/Common/BusinessErrorCodes.cs
+++ b/WebsitePanel/Sources/WebsitePanel.EnterpriseServer.Base/Common/BusinessErrorCodes.cs
@@ -63,6 +63,7 @@ namespace WebsitePanel.EnterpriseServer
         public const int ERROR_USER_WRONG_PASSWORD = -110;
         public const int ERROR_INVALID_USER_NAME = -111;
         public const int ERROR_USER_ACCOUNT_NOT_ENOUGH_PERMISSIONS = -112;
+        public const int ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED = -113;
         #endregion
 
         #region Packages
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/App_GlobalResources/WebsitePanel_SharedResources.ascx.resx b/WebsitePanel/Sources/WebsitePanel.WebPortal/App_GlobalResources/WebsitePanel_SharedResources.ascx.resx
index d0195f36..63eeffa6 100644
--- a/WebsitePanel/Sources/WebsitePanel.WebPortal/App_GlobalResources/WebsitePanel_SharedResources.ascx.resx
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/App_GlobalResources/WebsitePanel_SharedResources.ascx.resx
@@ -5134,4 +5134,11 @@ Error creating organization plan. See audit log for more details. + + User has not enough permissions to do this task. + + + Wrong user name or password have been specified or account is locked. + + \ No newline at end of file
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs b/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
index 2b5eb4b0..7993bf01 100644
--- a/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
@@ -331,11 +331,15 @@ namespace WebsitePanel.Portal
                 UserInfo user = authService.GetUserByUsernamePassword(username, password, ipAddress);
                 if (user != null)
                 {
-                    // issue authentication ticket
-                    FormsAuthenticationTicket ticket = CreateAuthTicket(user.Username, user.Password, user.Role, rememberLogin);
-                    SetAuthTicket(ticket, rememberLogin);
+                    if (IsRoleAllowedToLogin(user.Role))
+                    {
+                        // issue authentication ticket
+                        FormsAuthenticationTicket ticket = CreateAuthTicket(user.Username, user.Password, user.Role, rememberLogin);
+                        SetAuthTicket(ticket, rememberLogin);
 
-                    CompleteUserLogin(username, rememberLogin, preferredLocale, theme);
+                        CompleteUserLogin(username, rememberLogin, preferredLocale, theme);
+                    }
+                    else return BusinessErrorCodes.ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED;
                 }
 
                 return 0;
@@ -347,6 +351,25 @@ namespace WebsitePanel.Portal
             }
         }
 
+        private static bool IsRoleAllowedToLogin(UserRole role)
+        {
+
+            string tmp = GetExcludedRolesToLogin();
+
+            if (tmp == null) tmp = string.Empty;
+
+            string roleKey = ((UserRole)role).ToString();
+
+            return !tmp.Contains(roleKey);
+        }
+
+
+        public static string GetExcludedRolesToLogin()
+        {
+            return PortalConfiguration.SiteSettings["ExcludedRolesToLogin"];
+        }
+
+
         private static int GetAuthenticationFormsTimeout()
         {
             //default
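Review bot: The `else return BusinessErrorCodes.ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED;` branch in the first PortalUtils.cs hunk is the only enforcement point of the new policy, and it returns silently: a login that was accepted by `GetUserByUsernamePassword` and then refused on role leaves no trace in this method beyond the return code, which makes an excluded role probing the public portal hard to spot in the logs. Consider recording the refusal next to the other failure handling of the enclosing method (which begins and ends outside the hunk), and bracing the branch to match the Allman style of the surrounding lines, `else` / `{` / `return BusinessErrorCodes.ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED;` / `}`. Note also that the forms ticket issued on the success path carries `user.Role`; since the check runs only at login, tickets issued before `ExcludedRolesToLogin` was configured are presumably still honoured until they expire, unless ticket validation elsewhere re-checks the role.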
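Review bot: `return !tmp.Contains(roleKey);` in IsRoleAllowedToLogin (second PortalUtils.cs hunk) is a substring test on the raw setting rather than a membership test on the comma-separated list, so a configured entry that contains another role's name as a substring also locks that other role out, and because the comparison is ordinal and case-sensitive a differently cased entry in SiteSettings.config excludes nothing. Splitting on the comma and comparing trimmed tokens by equality makes the policy match what the commit message describes (`Administrator,Reseller`); the cast in `((UserRole)role).ToString()` is also redundant since `role` is already a `UserRole`. GetExcludedRolesToLogin is public but undocumented; a `<summary>` saying it returns the raw `ExcludedRolesToLogin` value from SiteSettings (the null check above suggests a missing key yields null, which is not visible here) would help callers.
```csharp
private static bool IsRoleAllowedToLogin(UserRole role)
{
    string excluded = GetExcludedRolesToLogin() ?? string.Empty;
    string roleKey = role.ToString();

    // Membership test on the comma-separated list, not a substring match.
    foreach (string entry in excluded.Split(','))
    {
        if (string.Equals(entry.Trim(), roleKey, StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }
    }

    return true;
}
```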
diff --git a/WebsitePanel/Sources/WebsitePanel.WebPortal/WebsitePanel.WebPortal.csproj b/WebsitePanel/Sources/WebsitePanel.WebPortal/WebsitePanel.WebPortal.csproj
index 2f0e726b..b23fee08 100644
--- a/WebsitePanel/Sources/WebsitePanel.WebPortal/WebsitePanel.WebPortal.csproj
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/WebsitePanel.WebPortal.csproj
@@ -221,8 +221,12 @@ - - + + Designer + + + Designer +