PA 01.02.00

Added security check on roles import. It prevents from importing to system users with Admin and SuperUsers rights without necessary permissions. Tested with recent version of DNN 9.4.4
fordnn · Jan 18, 2020 · a634a45 · a634a45
1 parent b9bf03a
commit a634a45
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 6 deletions.
diff --git a/App_LocalResources/MainControl.ascx.resx b/App_LocalResources/MainControl.ascx.resx
@@ -282,4 +282,10 @@
   <data name="ExportInProgress.Text" xml:space="preserve">
     <value>Export in progress...</value>
   </data>
+  <data name="Line.Text" xml:space="preserve">
+    <value>Line {0}:</value>
+  </data>
+  <data name="UserDeniedToImportRole.Text" xml:space="preserve">
+    <value>User "{0}" is denied to import "{1}"&lt;br/&gt;</value>
+  </data>
 </root>
diff --git a/Install/_UsersExportImport.dnn b/Install/_UsersExportImport.dnn
@@ -1,16 +1,16 @@
 <dotnetnuke type="Package" version="5.0">
   <packages>
-    <package name="forDNN.UsersExportImport" type="Module" version="1.1.7">
+    <package name="forDNN.UsersExportImport" type="Module" version="1.2.0">
       <friendlyName>forDNN.UsersExportImport</friendlyName>
       <description>This module allows to export/import users, user profiles properties and roles to DNN (former DotNetNuke) from CSV/XML files. This is simple and fast way to create your users accounts in one click.</description>
       <owner>
         <name>Sergiy Velychko</name>
         <organization>forDNN Team</organization>
         <url>&lt;a href="http://forDNN.com" target="_blank"&gt;http://forDNN.com&lt;/a&gt;</url>
-        <email>&lt;a href="mailto:support@forDNN.com" target="_blank"&gt;support@forDNN.com&lt;/a&gt;</email>
+        <email>support@forDNN.com</email>
       </owner>
       <license>
-        Copyright (c) 2014, forDNN Team&lt;br/&gt;
+        Copyright (c) 2020, forDNN Team&lt;br/&gt;
         All rights reserved.&lt;br/&gt;
         &lt;br/&gt;
         Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:&lt;br/&gt;
@@ -25,6 +25,10 @@
       </license>
       <releaseNotes>
         <![CDATA[
+<b>Version 1.2.0:</b><br />
+Added security check on roles import. It prevents from importing to system users with Admin and SuperUsers rights without necessary permissions.<br />
+Tested with recent version of DNN 9.4.4<br />
+
 <b>Version 1.1.7:</b><br />
 Fixed issue with special chars "Zero width space" and "Zero width no-break space" in the names of the columns.<br />
 Improved import process when missed some required columns: DisplayName, IsSuperUser, Username, AffiliateId.<br />

diff --git a/Install/forDNN.UsersExportImport_v.01.02.00.zip b/Install/forDNN.UsersExportImport_v.01.02.00.zip
diff --git a/MainControl.ascx.cs b/MainControl.ascx.cs
@@ -239,6 +239,12 @@ private object GetDataRowValue(DataTable dt, DataRow dr, string FieldName, objec
 			return dr[FieldName];
 		}
 
+		private bool ObjectToBool(object Src)
+		{
+			string temp = string.Format("{0}", Src).ToLowerInvariant();
+			return (temp == "1") || (temp == "true");
+		}
+
 		private void DoImport()
 		{
 			if (objFile.PostedFile.FileName == "")
@@ -299,7 +305,18 @@ private void DoImport()
 					objUser.DisplayName = string.Format("{0}", GetDataRowValue(dt, dr, "DisplayName", string.Format("{0} {1}", dr["FirstName"], dr["LastName"]) ));
 					objUser.PortalID = this.PortalId;
 
-					objUser.IsSuperUser = (string.Format("{0}", GetDataRowValue(dt, dr, "IsSuperUser", "0")) == "1");
+					objUser.IsSuperUser = ObjectToBool(GetDataRowValue(dt, dr, "IsSuperUser", "0"));
+
+					//only SuperUsers allowed to import users with SuperUsers rights
+					if ((!this.UserInfo.IsSuperUser) && objUser.IsSuperUser)
+					{
+						FailedUsers.AppendFormat(
+							string.Format(Localization.GetString("Line", this.LocalResourceFile), UsersCount) +
+							Localization.GetString("UserDeniedToImportRole", this.LocalResourceFile),
+							this.UserInfo.Username,
+							"SuperUser");
+						continue;
+					}
 
 					//use email as username, when username is not provided
 					objUser.Username = string.Format("{0}", GetDataRowValue(dt, dr, "Username", objUser.Email));
@@ -371,7 +388,7 @@ private void DoImport()
 						UserController.UpdateUser(this.PortalId, objUser);
 
 						//Update Roles
-						string RolesStatus = UpdateRoles(objUser, dr);
+						string RolesStatus = UpdateRoles(this.UserInfo, this.PortalSettings.AdministratorRoleName, objUser, dr);
 						if (RolesStatus.Trim() != "")
 						{
 							FailedUsers.AppendFormat(Localization.GetString("UpdateRolesError", this.LocalResourceFile),
@@ -425,7 +442,7 @@ private void DoImport()
 				FailedUsers.ToString());
 		}
 
-		private string UpdateRoles(UserInfo objUser, DataRow dr)
+		private string UpdateRoles(UserInfo objCurrentUser, string AdministratorRoleName, UserInfo objUser, DataRow dr)
 		{
 			RoleController objRoleController = new RoleController();
 			bool ByID = false;
@@ -466,6 +483,19 @@ private string UpdateRoles(UserInfo objUser, DataRow dr)
 					objRole = objRoleController.GetRoleByName(this.PortalId, Role);
 				}
 
+				//check current user has permissions to import user with specific role
+				if (!
+					(objCurrentUser.IsInRole(objRole.RoleName) ||
+					objCurrentUser.IsInRole(AdministratorRoleName) ||
+					objCurrentUser.IsSuperUser
+					))
+				{
+					sb.AppendFormat(Localization.GetString("UserDeniedToImportRole", this.LocalResourceFile), objCurrentUser.Username, 
+						(ByID?string.Format("RoleID={0}", objRole.RoleID):string.Format("RoleName={0}", objRole.RoleName))
+					);
+					continue;
+				}
+
 				if (objRole != null)
 				{
 					objRoleController.AddUserRole(this.PortalId, objUser.UserID, objRole.RoleID, Null.NullDate);

diff --git a/bin/forDNN.Modules.UsersExportImport.dll b/bin/forDNN.Modules.UsersExportImport.dll
diff --git a/bin/forDNN.Modules.UsersExportImport.pdb b/bin/forDNN.Modules.UsersExportImport.pdb