Lock custom binaries behind server admin privilege.

immense · Jun 4, 2024 · 0bf5384 · 0bf5384
1 parent cd3057d
commit 0bf5384
Showing 1 changed file with 51 additions and 25 deletions.
diff --git a/Server/Components/Pages/Deploy.razor b/Server/Components/Pages/Deploy.razor
@@ -68,8 +68,8 @@
     Attended Support
 </h4>
 <p class="text-info">
-    You can upload custom versions of the attended support client (i.e. "Remotely_Desktop.exe") 
-    and send the download link to end-users when they need support. For example, you could sign 
+    You can upload custom versions of the attended support client (i.e. "Remotely_Desktop.exe")
+    and send the download link to end-users when they need support. For example, you could sign
     the EXE with a commercial certificate so the end-user (hopefully) doesn't see a SmartScreen
     warning about the file.
 </p>
@@ -91,20 +91,28 @@
         }
         else if (_winX64File?.PhysicalPath is not null)
         {
-            <div class="text-primary mb-2">
+            <div class="text-info mb-2">
                 Created Date: @(_winX64CreatedDate) UTC
             </div>
         }
 
-        <div class="mb-2">
-            <FileInputButton ClassNames="btn btn-primary"
-                             OnChanged="HandleWin64FileChanged">
-                <ButtonContent>
-                    <i class="oi oi-data-transfer-upload" title="Upload File"></i>
-                    <span class="ms-2">Upload File</span>
-                </ButtonContent>
-            </FileInputButton>
-        </div>
+        @if (_isServerAdmin)
+        {
+            <div class="mb-2">
+                <FileInputButton ClassNames="btn btn-primary"
+                                 OnChanged="HandleWin64FileChanged">
+                    <ButtonContent>
+                        <i class="oi oi-data-transfer-upload" title="Upload File"></i>
+                        <span class="ms-2">Upload File</span>
+                    </ButtonContent>
+                </FileInputButton>
+                <div class="mt-1">
+                    <span class="text-primary">
+                        Note: Only server admins will have this button.
+                    </span>
+                </div>
+            </div>
+        }
 
         <div class="input-group">
             <input type="text" class="form-control" readonly value="@_winX64Uri" />
@@ -120,28 +128,36 @@
             <strong>Windows 10/11 (32-Bit)</strong>
         </div>
 
-        @if(_winX86File?.Exists != true)
+        @if (_winX86File?.Exists != true)
         {
             <div class="text-danger mb-2">
                 Note: A custom binary for this file hasn't been uploaded yet.
             </div>
         }
         else if (_winX86File?.PhysicalPath is not null)
         {
-            <div class="text-primary mb-2">
+            <div class="text-info mb-2">
                 Created Date: @(_winX86CreatedDate) UTC
             </div>
         }
 
-        <div class="mb-2">
-            <FileInputButton ClassNames="btn btn-primary"
-                             OnChanged="HandleWin86FileChanged">
-                <ButtonContent>
-                    <i class="oi oi-data-transfer-upload" title="Upload File"></i>
-                    <span class="ms-2">Upload File</span>
-                </ButtonContent>
-            </FileInputButton>
-        </div>
+        @if (_isServerAdmin)
+        {
+            <div class="mb-2">
+                <FileInputButton ClassNames="btn btn-primary"
+                                 OnChanged="HandleWin86FileChanged">
+                    <ButtonContent>
+                        <i class="oi oi-data-transfer-upload" title="Upload File"></i>
+                        <span class="ms-2">Upload File</span>
+                    </ButtonContent>
+                </FileInputButton>
+                <div class="mt-1">
+                    <span class="text-primary">
+                        Note: Only server admins will have this button.
+                    </span>
+                </div>
+            </div>
+        }
 
         <div class="input-group">
             <input type="text" class="form-control" readonly value="@_winX86Uri" />
@@ -165,6 +181,7 @@
     private string _winX86Uri = string.Empty;
     private bool _isLoading = false;
     private string _loadingMessage = string.Empty;
+    private bool _isServerAdmin;
     private DateTime _winX64CreatedDate;
     private DateTime _winX86CreatedDate;
 
@@ -177,6 +194,7 @@
             return;
         }
 
+        _isServerAdmin = userResult.Value.IsServerAdmin;
         _organizationId = userResult.Value.OrganizationID;
         _appDataDir = Path.Combine(HostEnv.ContentRootPath, "AppData");
         _winX64Uri = $"{NavMan.BaseUri}api/custom-binaries/win-x64/desktop/{_organizationId}";
@@ -247,8 +265,8 @@
 
     private void SetScriptContent()
     {
-        _windowsScript = 
-            $"Invoke-WebRequest -Uri '{NavMan.BaseUri}api/ClientDownloads/WindowsInstaller/{_organizationId}' -OutFile \"${{env:TEMP}}\\Install-Remotely.ps1\" -UseBasicParsing;"+
+        _windowsScript =
+            $"Invoke-WebRequest -Uri '{NavMan.BaseUri}api/ClientDownloads/WindowsInstaller/{_organizationId}' -OutFile \"${{env:TEMP}}\\Install-Remotely.ps1\" -UseBasicParsing;" +
             "Start-Process -FilePath 'powershell.exe' -ArgumentList (\"-executionpolicy\", \"bypass\", \"-f\", \"${env:TEMP}\\Install-Remotely.ps1\") -Verb RunAs;";
 
         _ubuntuScript = GetLinuxScript("UbuntuInstaller-x64");
@@ -258,6 +276,14 @@
 
     private async Task TrySaveFile(IFileInfo? fileInfo, InputFileChangeEventArgs ev)
     {
+        // Since this is server-side Blazor, it would be impossible to
+        // get to this point without being a server admin.  But we'll add
+        // it here to prevent any issues caused by future changes.
+        if (!_isServerAdmin)
+        {
+            return;
+        }
+
         await _writeLock.WaitAsync();
         try
         {