Fading Coder


Fixing Permission Check Errors in NFine When Switching Tabs


When logging into NFine (except with the admin account, which bypasses permissions), clicking Menu 1 opens Window 1 and clicking Menu 2 opens Window 2. However, after switching back to Window 1 and performing an operation there, the permission check reports that the user has no permission for it. Debugging shows the problem in the HandlerAuthorizeAttribute class:

private bool CheckActionAuthorization(ActionExecutingContext context)
{
    var userProvider = OperatorProvider.Provider.GetCurrent();
    var roleId = userProvider.RoleId;
    // The "active module" is read from a cookie the browser sets in tabManager.js
    var moduleId = WebHelper.GetCookie("nfine_active_module_id");
    // The action being requested, e.g. /SystemManage/User/GetGridJson
    var actionPath = HttpContext.Current.Request.ServerVariables["SCRIPT_NAME"].ToString();
    // Role + module + action decide whether the request is allowed
    return new RoleAuthorizationService().ValidateAction(roleId, moduleId, actionPath);
}

The moduleId value is incorrect. Checking the frontend tabManager.js file:

addTab: function() {
    $("#header-nav>ul>li.open").removeClass("open");
    var moduleId = $(this).data('module-id');
    if (moduleId) {
        top.$.cookie('nfine_active_module_id', moduleId, { path: "/" });
    }
    var url = $(this).attr('href');
    var menuTitle = $.trim($(this).text());
    var tabExists = false;

The cookie is set here when creating a new tab, but the tab activation event doesn't update it:

activateTab: function() {
    var tabId = $(this).data('id');
    if (!$(this).hasClass('active')) {
        $('.mainContent .app-iframe').each(function() {
            if ($(this).data('id') === tabId) {
                $(this).show().siblings('.app-iframe').hide();
                return false;
            }
        });
        $(this).addClass('active').siblings('.menu-tab').removeClass('active');
        $.tabUtils.scrollToTab(this);
    }
}

The solution is to add a data-module-id attribute when creating the tab and to update the cookie when the tab is activated:

addTab: function() {
    $("#header-nav>ul>li.open").removeClass("open");
    var moduleId = $(this).data('module-id');
    if (moduleId) {
        top.$.cookie('nfine_active_module_id', moduleId, { path: "/" });
    }
    var url = $(this).attr('href');
    var menuTitle = $.trim($(this).text());
    var tabExists = false;

    $('.menu-tab').each(function() {
        if ($(this).data('id') === url) {
            if (!$(this).hasClass('active')) {
                $(this).addClass('active').siblings('.menu-tab').removeClass('active');
                $.tabUtils.scrollToTab(this);
                $('.mainContent .app-iframe').each(function() {
                    if ($(this).data('id') === url) {
                        $(this).show().siblings('.app-iframe').hide();
                        return false;
                    }
                });
            }
            tabExists = true;
            return false;
        }
    });

    if (!tabExists) {
        var tabHtml = '<a href="javascript:;" class="active menu-tab" data-id="' + url + '" data-module-id="' + moduleId + '">' + menuTitle + ' <i class="fa fa-times"></i></a>';
        $('.menu-tab').removeClass('active');
        var iframeHtml = '<iframe class="app-iframe" id="iframe' + moduleId + '" name="iframe' + moduleId + '" width="100%" height="100%" src="' + url + '" frameborder="0" data-id="' + url + '" seamless></iframe>';
        $('.mainContent').find('iframe.app-iframe').hide();
        $('.mainContent').append(iframeHtml);
        $.loading(true);
        $('.mainContent iframe:visible').load(function() {
            $.loading(false);
        });
        $('.menu-tabs .page-tabs-content').append(tabHtml);
        $.tabUtils.scrollToTab($('.menu-tab.active'));
    }
    return false;
}

Then update the activateTab function to set the cookie:

activateTab: function() {
    var tabId = $(this).data('id');
    if (!$(this).hasClass('active')) {
        // Read the module id stored on the tab in addTab and sync the cookie,
        // guarded the same way as addTab so a tab without a module id
        // does not write the string "undefined" into the cookie
        var moduleId = $(this).data('module-id');
        if (moduleId) {
            top.$.cookie('nfine_active_module_id', moduleId, { path: "/" });
        }
        $('.mainContent .app-iframe').each(function() {
            if ($(this).data('id') === tabId) {
                $(this).show().siblings('.app-iframe').hide();
                return false;
            }
        });
        $(this).addClass('active').siblings('.menu-tab').removeClass('active');
        $.tabUtils.scrollToTab(this);
    }
}
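To make the failure reproducible outside the browser, here is an added example (not NFine's own code) that models tabManager.js without jQuery: an in-memory cookie jar stands in for top.$.cookie, the tab store keeps the data-module-id value, and the replay() function walks through Menu 1, Menu 2, back to Window 1. The URLs and module ids are constructed for the example.

```javascript
// Added example, not NFine code: a jQuery-free model of tabManager.js that
// shows why HandlerAuthorizeAttribute read a stale module id, and the fix.
const COOKIE = 'nfine_active_module_id';

function createTabManager(fixActivate) {
  const cookies = {};      // stands in for top.$.cookie(name, value, { path: '/' })
  const tabs = new Map();  // url -> { moduleId, active }, like the .menu-tab elements

  function setActive(url) {
    for (const [u, t] of tabs) t.active = (u === url);
  }

  return {
    // Mirrors addTab: the cookie is written only when the menu carries a module id,
    // and the id is kept on the tab (the data-module-id attribute of the fix).
    addTab(url, moduleId) {
      if (moduleId) cookies[COOKIE] = String(moduleId);
      if (!tabs.has(url)) tabs.set(url, { moduleId: moduleId, active: false });
      setActive(url);
    },
    // Mirrors activateTab; the unfixed version never touches the cookie.
    activateTab(url) {
      const tab = tabs.get(url);
      if (!tab || tab.active) return;
      if (fixActivate && tab.moduleId) cookies[COOKIE] = String(tab.moduleId);
      setActive(url);
    },
    // What the server sees through WebHelper.GetCookie("nfine_active_module_id")
    activeModuleCookie() { return cookies[COOKIE]; },
    // The module the user is actually working in
    activeTabModuleId() {
      for (const t of tabs.values()) if (t.active) return t.moduleId;
      return undefined;
    },
  };
}

// Replays the report: Menu 1 -> Window 1, Menu 2 -> Window 2, back to Window 1.
function replay(fixActivate) {
  const tm = createTabManager(fixActivate);
  tm.addTab('/Module1/Index', 'module-1');  // constructed url and module id
  tm.addTab('/Module2/Index', 'module-2');  // constructed url and module id
  tm.activateTab('/Module1/Index');
  return { cookie: tm.activeModuleCookie(), tab: tm.activeTabModuleId() };
}
```

Without the fix, replay(false) leaves the cookie at module-2 while the active tab is module-1, which is exactly the mismatch ValidateAction then rejects. Keeping the cookie in sync is a usability fix only: because the cookie is set by the browser, ValidateAction must still check roleId against the claimed module and the action path on its own.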

This framework is very helpful for beginners, especially because fixing bugs improves your understanding of its inner workings.
