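        /// <summary>
        /// Row-level-security check only: the caller must be the row owner (rlsOwner)
        /// /or/ have a mask match (rlsMask). No ACL/right evaluation happens here.
        /// Throws instead of returning a result so a caller cannot forget to check it.
        /// </summary>
        /// <param name="rlsOwner">The rlsOwner from the row; Guid.Empty means the row carries no owner and owner evaluation is skipped.</param>
        /// <param name="rlsMask">The rlsMask from the row; null means the row carries no mask and mask evaluation is skipped.</param>
        /// <param name="user">The current security principal. Must not be null.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="user"/> is null.</exception>
        /// <exception cref="SecurityException">Thrown when the principal is neither the row owner nor a mask match.</exception>
        void TryRowLevelSecurityOrException(Guid rlsOwner, byte[] rlsMask, ss.User user)
        {
            // Fail fast with a descriptive exception rather than a NullReferenceException
            // from user.IdToGuid() further down; the check fails closed either way.
            if (user == null)
            {
                throw new ArgumentNullException(nameof(user));
            }

            // Only evaluate the RLS dimensions the row actually carries.
            RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
            if (rlsOwner != Guid.Empty)
            {
                option |= RowLevelSecurityHelper.EvalOption.Owner;
            }
            if (rlsMask != null)
            {
                option |= RowLevelSecurityHelper.EvalOption.Mask;
            }
            // NOTE(review): when the row has neither owner nor mask, Option stays None and
            // Eval() is still called. Whether IsRowOwner/HasMaskMatch can become true in that
            // case (i.e. whether an unprotected row is allowed or denied) is decided inside
            // RowLevelSecurityHelper, not here — confirm the intended outcome for such rows.

            RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
            {
                RowOwnerId               = rlsOwner,
                RowRlsMask               = rlsMask,
                SecurityPrincipalId      = user.IdToGuid(),
                SecurityPrincipalRlsMask = user.RlsMask,
                Option = option
            };

            rlsHelper.Eval();

            // Either condition alone is sufficient: ownership OR a mask match grants access.
            bool ok = rlsHelper.IsRowOwner || rlsHelper.HasMaskMatch;

            if (!ok)
            {
                throw new SecurityException("You do not have rights to this record.");
            }
        }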
        /// <summary>
        /// Loads the security for <paramref name="uniqueName"/> as the named user, folds the
        /// row-level security (RlsOwner /or/ RlsMask) into it via EvalRowLevelSecurity, and
        /// throws unless SecurityResults[aceType, right].AccessAllowed ends up true.
        /// </summary>
        /// <param name="userName">The user to load as the security principal (resolved through GetSuplexUser).</param>
        /// <param name="uniqueName">The UniqueName for which to select security.</param>
        /// <param name="aceType">The AceType whose SecurityResults are evaluated.</param>
        /// <param name="right">The right to test; also used in the error message.</param>
        /// <param name="assetType">The associated AssetType (used in the error message only).</param>
        /// <param name="rowOwnerId">The rlsOwner from the row; Guid.Empty skips owner evaluation.</param>
        /// <param name="rowRlsMask">The rlsMask from the row; null skips mask evaluation.</param>
        /// <param name="allowOwnerOverride">Passed through to EvalRowLevelSecurity; what an owner override permits is decided there.</param>
        /// <param name="recurseUp">When true, security is resolved with GetSecureManagerSecurityRecurseUp instead of GetSecureManagerSecurity.</param>
        /// <returns>The resolved user together with the evaluated secure manager.</returns>
        /// <exception cref="SecurityException">Thrown when access is not allowed for the given right.</exception>
        public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, Guid rowOwnerId, byte[] rowRlsMask, bool allowOwnerOverride, bool recurseUp = true)
        {
            string noRightsMsg = this.GetNoRightsErrorMessage(right, assetType);

            // NOTE(review): GetSuplexUser's behaviour for an unknown userName is not visible here;
            // if it returns null, loadParams.User.IdToGuid() below throws NullReferenceException
            // (fails closed, but with an unhelpful message).
            SecurityLoadParameters loadParams = new SecurityLoadParameters()
            {
                ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
                User = this.GetSuplexUser(userName, resolve: true)
            };

            SplxSecureManagerBase secureManager;
            if (recurseUp)
            {
                secureManager = GetSecureManagerSecurityRecurseUp(userName, aceType, uniqueName, loadParams);
            }
            else
            {
                secureManager = GetSecureManagerSecurity(userName, aceType, uniqueName, loadParams);
            }

            #region eval rls
            // Evaluate only the RLS dimensions the row carries: an empty owner id or a null
            // mask means that dimension is absent for this row.
            bool hasOwner = rowOwnerId != Guid.Empty;
            bool hasMask  = rowRlsMask != null;

            RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
            if (hasOwner) { option |= RowLevelSecurityHelper.EvalOption.Owner; }
            if (hasMask)  { option |= RowLevelSecurityHelper.EvalOption.Mask; }

            RowLevelSecurityHelper rls = new RowLevelSecurityHelper()
            {
                RowOwnerId               = rowOwnerId,
                RowRlsMask               = rowRlsMask,
                SecurityPrincipalId      = loadParams.User.IdToGuid(),
                SecurityPrincipalRlsMask = loadParams.User.RlsMask,
                Option = option
            };

            // The RLS outcome is folded into the descriptor's SecurityResults for [aceType, right].
            secureManager.Security.EvalRowLevelSecurity(rls, aceType, new object[] { right }, allowOwnerOverride);

            bool accessAllowed = secureManager.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed;

            // A denial on a row that carries RLS data is reported with the generic record
            // message instead of the per-right/asset one.
            if (!accessAllowed && option != RowLevelSecurityHelper.EvalOption.None)
            {
                noRightsMsg = "You do not have rights to this record.";
            }
            #endregion

            if (!accessAllowed)
            {
                throw new SecurityException(noRightsMsg);
            }

            return new SuplexSecurityInfo(loadParams.User, secureManager);
        }
        /// <summary>
        /// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName as the current
        /// (or supplied) user and throws unless SecurityResults[aceType, right].AccessAllowed is true.
        /// Defaults: no owner, no mask, and owner override enabled only when an owner id is supplied.
        /// </summary>
        /// <param name="uniqueName">The UniqueName for which to select security.</param>
        /// <param name="aceType">The AceType whose SecurityResults are evaluated.</param>
        /// <param name="right">The right to test; also used in the error message.</param>
        /// <param name="rowOwnerId">The rlsOwner from the row; null or Guid.Empty skips owner evaluation.</param>
        /// <param name="rowRlsMask">The rlsMask from the row; null skips mask evaluation.</param>
        /// <param name="allowOwnerOverride">
        /// Passed through to EvalRowLevelSecurity. When null it defaults to true if a non-empty
        /// <paramref name="rowOwnerId"/> was supplied, otherwise false. Callers that need the
        /// ACL enforced regardless of ownership must pass false explicitly.
        /// </param>
        /// <param name="user">
        /// The security principal to evaluate. When null the current user is loaded via
        /// GetSuplexUser(true); a supplied user is used as-is without re-resolution, so callers
        /// must only pass an authenticated principal.
        /// </param>
        /// <returns>The security principal that was evaluated.</returns>
        /// <exception cref="SecurityException">Thrown when access is not allowed for the given right.</exception>
        public ss.User TrySecurityOrException(string uniqueName, AceType aceType, object right,
                                              Guid?rowOwnerId = null, byte[] rowRlsMask = null, bool?allowOwnerOverride = null,
                                              ss.User user    = null)
        {
            // Resolve the optional RLS arguments. Owner override is on by default whenever a
            // real owner id is present and off otherwise (what the override permits is decided
            // inside EvalRowLevelSecurity).
            Guid ownerId       = rowOwnerId ?? Guid.Empty;
            bool hasOwner      = ownerId != Guid.Empty;
            bool hasMask       = rowRlsMask != null;
            bool ownerOverride = allowOwnerOverride ?? hasOwner;

            string noRightsMsg = $"You do not have {right} rights to this record.";

            SecurityLoadParameters loadParams = new SecurityLoadParameters()
            {
                ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
                User = user ?? this.GetSuplexUser(true)
            };

            SplxSecureManagerBase secureManager = this.GetSecureManagerManagerSecurity(aceType, uniqueName, loadParams);

            #region eval rls
            // Evaluate only the RLS dimensions the row carries.
            RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
            if (hasOwner) { option |= RowLevelSecurityHelper.EvalOption.Owner; }
            if (hasMask)  { option |= RowLevelSecurityHelper.EvalOption.Mask; }

            RowLevelSecurityHelper rls = new RowLevelSecurityHelper()
            {
                RowOwnerId               = ownerId,
                RowRlsMask               = rowRlsMask,
                SecurityPrincipalId      = loadParams.User.IdToGuid(),
                SecurityPrincipalRlsMask = loadParams.User.RlsMask,
                Option = option
            };

            // The RLS outcome is folded into the descriptor's SecurityResults for [aceType, right].
            secureManager.Security.EvalRowLevelSecurity(rls, aceType, new object[] { right }, ownerOverride);

            bool accessAllowed = secureManager.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed;

            // A denial on a row that carries RLS data is reported with the generic record
            // message instead of the per-right one.
            if (!accessAllowed && option != RowLevelSecurityHelper.EvalOption.None)
            {
                noRightsMsg = "You do not have rights to this record.";
            }
            #endregion

            if (!accessAllowed)
            {
                throw new SecurityException(noRightsMsg);
            }

            return loadParams.User;
        }