This change allows you to specify which role is allowed to login to the panel

Add the element ExcludedRolesToLogin tp the SiteSettings.config and specify comma separate which roles are not allowed to login to the panel. e.g.: <ExcludedRolesToLogin>Administrator,Reseller</ExcludedRolesToLogin> By doing this you can eliminate the attack surface by publishing the portal twice. One for the organization administrators and an internal one for the adminsitrators and reseller admins
2012-07-11 20:28:33 +04:00 · 2012-07-11 20:28:33 +04:00 · 80672a555f
commit 80672a555f
parent 37af5eceac
4 changed files with 41 additions and 6 deletions
--- a/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
+++ b/WebsitePanel/Sources/WebsitePanel.WebPortal/Code/PortalUtils.cs
@ -331,11 +331,15 @@ namespace WebsitePanel.Portal
                    UserInfo user = authService.GetUserByUsernamePassword(username, password, ipAddress);
                    if (user != null)
                    {
-                        // issue authentication ticket
-                        FormsAuthenticationTicket ticket = CreateAuthTicket(user.Username, user.Password, user.Role, rememberLogin);
-                        SetAuthTicket(ticket, rememberLogin);
+                        if (IsRoleAllowedToLogin(user.Role))
+                        {
+                            // issue authentication ticket
+                            FormsAuthenticationTicket ticket = CreateAuthTicket(user.Username, user.Password, user.Role, rememberLogin);
+                            SetAuthTicket(ticket, rememberLogin);

-                        CompleteUserLogin(username, rememberLogin, preferredLocale, theme);
+                            CompleteUserLogin(username, rememberLogin, preferredLocale, theme);
+                        }
+                        else return BusinessErrorCodes.ERROR_USER_ACCOUNT_ROLE_NOT_ALLOWED;
                    }

                    return 0;
@ -347,6 +351,25 @@ namespace WebsitePanel.Portal
            }
        }

+        private static bool IsRoleAllowedToLogin(UserRole role)
+        {
+
+            string tmp = GetExcludedRolesToLogin();
+
+            if (tmp == null) tmp = string.Empty;
+
+            string roleKey = ((UserRole)role).ToString();
+
+            return !tmp.Contains(roleKey);
+        }
+
+
+        public static string GetExcludedRolesToLogin()
+        {
+            return PortalConfiguration.SiteSettings["ExcludedRolesToLogin"];
+        }
+
+
        private static int GetAuthenticationFormsTimeout()
        {
            //default