private void AutoApplyFilters(ReadCommandInfo commandInfo)
{
if (_applyFiltersOnClientRead.TryGetValue(commandInfo.DataSource, out List <ApplyFilterWhere> applyFilters))
{
commandInfo.Filters ??= Array.Empty <FilterCriteria>();
var newFilters = applyFilters
.Where(applyFilter => applyFilter.Where == null || applyFilter.Where(commandInfo))
.Where(applyFilter => !commandInfo.Filters.Any(existingFilter => GenericFilterHelper.EqualsSimpleFilter(existingFilter, applyFilter.FilterName)))
.Select(applyFilter => new FilterCriteria {
Filter = applyFilter.FilterName
})
.ToList();
_logger.Trace(() => "AutoApplyFilters: " + string.Join(", ", newFilters.Select(f => f.Filter)));
commandInfo.Filters = commandInfo.Filters.Concat(newFilters).ToArray();
}
}
private void AutoApplyFilters(ReadCommandInfo commandInfo)
{
List <string> filterNames;
if (_applyFiltersOnClientRead.TryGetValue(commandInfo.DataSource, out filterNames))
{
commandInfo.Filters = commandInfo.Filters ?? new FilterCriteria[] { };
var newFilters = filterNames
.Where(name => !commandInfo.Filters.Any(existingFilter => GenericFilterHelper.EqualsSimpleFilter(existingFilter, name)))
.Select(name => new FilterCriteria {
Filter = name
})
.ToList();
_logger.Trace(() => "AutoApplyFilters: " + string.Join(", ", newFilters.Select(f => f.Filter)));
commandInfo.Filters = commandInfo.Filters.Concat(newFilters).ToArray();
}
}
public void SimpleRowPermissionRules()
{
InsertCurrentPrincipal(); // Not related to row permissions.
// Insert the test data (server code bypasses row permissions):
using (var container = new RhetosTestContainer(commitChanges: true))
{
var repository = container.Resolve<Common.DomRepository>();
var context = container.Resolve<Common.ExecutionContext>();
repository.DemoRowPermissions1.Document.Delete(repository.DemoRowPermissions1.Document.All());
repository.DemoRowPermissions1.Employee.Delete(repository.DemoRowPermissions1.Employee.All());
repository.DemoRowPermissions1.Division.Delete(repository.DemoRowPermissions1.Division.All());
var div1 = new DemoRowPermissions1.Division { Name = "div1" };
var div2 = new DemoRowPermissions1.Division { Name = "div2" };
repository.DemoRowPermissions1.Division.Insert(new[] { div1, div2 });
// The current user:
var emp1 = new DemoRowPermissions1.Employee
{
UserName = context.UserInfo.UserName,
DivisionID = div1.ID
};
repository.DemoRowPermissions1.Employee.Insert(new[] { emp1 });
// The user can access doc1, because it's in the same division:
var doc1 = new DemoRowPermissions1.Document { Title = "doc1", DivisionID = div1.ID };
// The user cannot access doc2:
var doc2 = new DemoRowPermissions1.Document { Title = "doc2", DivisionID = div2.ID };
repository.DemoRowPermissions1.Document.Insert(new[] { doc1, doc2 });
}
// Simulate client request: Reading all documents (access denied)
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions1.Document).FullName,
ReadRecords = true
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.IsTrue(report.Contains("You are not authorized"));
}
// Simulate client request: Reading the user's documents
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions1.Document).FullName,
ReadRecords = true,
Filters = new[] { new FilterCriteria(typeof(Common.RowPermissionsReadItems)) }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.AreEqual("doc1", report);
}
}
public void CombiningMultipleRules()
{
InsertCurrentPrincipal(); // Not related to row permissions.
// Insert the test data (server code bypasses row permissions):
using (var container = new RhetosTestContainer(commitChanges: true))
{
var repository = container.Resolve<Common.DomRepository>();
var context = container.Resolve<Common.ExecutionContext>();
repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.All());
repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.All());
repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.All());
repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.All());
repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.All());
repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.All());
repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.All());
var reg3 = new DemoRowPermissions2.Region { Name = "reg3" };
repository.DemoRowPermissions2.Region.Insert(new[] { reg3 });
var div1 = new DemoRowPermissions2.Division { Name = "div1" };
var div2 = new DemoRowPermissions2.Division { Name = "div2" };
var div3 = new DemoRowPermissions2.Division { Name = "div3", RegionID = reg3.ID };
repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 });
// The current user:
var emp1 = new DemoRowPermissions2.Employee
{
UserName = context.UserInfo.UserName,
DivisionID = div1.ID
};
repository.DemoRowPermissions2.Employee.Insert(new[] { emp1 });
var sup3 = new DemoRowPermissions2.RegionSupervisor
{
EmployeeID = emp1.ID,
RegionID = reg3.ID
};
repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 });
// The user can access doc1, because it's in the same division:
var doc1 = new DemoRowPermissions2.Document { Title = "doc1", DivisionID = div1.ID };
// The user cannot access doc2:
var doc2 = new DemoRowPermissions2.Document { Title = "doc2", DivisionID = div2.ID };
// The user can access doc3, because it's in the region he supervises:
var doc3 = new DemoRowPermissions2.Document { Title = "doc3", DivisionID = div3.ID };
// The user can access doc4 (same division), but cannot edit it (previous year):
var doc4 = new DemoRowPermissions2.Document { Title = "doc4", DivisionID = div1.ID, Created = DateTime.Now.AddYears(-1) };
repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3, doc4 });
}
// Simulate client request: Reading all documents (access denied)
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions2.Document).FullName,
ReadRecords = true
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.IsTrue(report.Contains("You are not authorized"));
}
// Simulate client request: Reading the user's documents
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions2.Document).FullName,
ReadRecords = true,
Filters = new[] { new FilterCriteria(typeof(Common.RowPermissionsReadItems)) }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.AreEqual("doc1, doc3, doc4", report);
}
// Simulate client request: Edit doc1 (ok)
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var repository = container.Resolve<Common.DomRepository>();
var doc1 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc1").Single();
doc1.Title += "x";
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new SaveEntityCommandInfo
{
Entity = typeof(DemoRowPermissions2.Document).FullName,
DataToUpdate = new[] { doc1 }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.AreEqual("Comand executed", report);
var documents = repository.DemoRowPermissions2.Document.Query().Select(d => d.Title).OrderBy(t => t);
Assert.AreEqual("doc1x, doc2, doc3, doc4", string.Join(", ", documents));
}
// Simulate client request: Edit doc4 (acces denied)
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var repository = container.Resolve<Common.DomRepository>();
var doc4 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc4").Single();
doc4.Title += "x";
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new SaveEntityCommandInfo
{
Entity = typeof(DemoRowPermissions2.Document).FullName,
DataToUpdate = new[] { doc4 }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.IsTrue(report.Contains("Insufficient permissions"));
}
}
public void SortAndPaginateKeepsOriginalQueryableType()
{
var readCommand = new ReadCommandInfo
{
OrderByProperties = new[] { new OrderByProperty { Property = "Name", Descending = true } },
Skip = 1,
Top = 2,
};
IQueryable<object> query = new[] { "a", "b", "c", "d" }.AsQueryable().Select(name => new C { Name = name });
Console.WriteLine(query.GetType());
Assert.IsTrue(query is IQueryable<C>);
var result = GenericFilterHelper.SortAndPaginate<object>(query, readCommand);
Assert.AreEqual("c, b", TestUtility.Dump(result, item => ((C)item).Name));
Console.WriteLine(result.GetType());
Assert.IsTrue(result is IQueryable<C>);
}
public void Sort()
{
var readCommand = new ReadCommandInfo
{
OrderByProperties = new[]
{
new OrderByProperty { Property = "Name", Descending = true },
new OrderByProperty { Property = "Size", Descending = false },
}
};
IQueryable<Entity2> query = new[]
{
new Entity2 { Name = "b", Size = 2, Ignore = 1 },
new Entity2 { Name = "b", Size = 2, Ignore = 2 },
new Entity2 { Name = "b", Size = 3, Ignore = 3 },
new Entity2 { Name = "b", Size = 1, Ignore = 4 },
new Entity2 { Name = "a", Size = 1, Ignore = 5 },
new Entity2 { Name = "c", Size = 3, Ignore = 6 }
}.AsQueryable();
query = query.OrderBy(item => item.Ignore); // SortAndPaginate should ignore previous ordering, not append to it.
var result = GenericFilterHelper.SortAndPaginate(query, readCommand);
Console.WriteLine(result.ToString());
Assert.AreEqual(
"c3, b1, b2, b2, b3, a1",
TestUtility.Dump(result, item => item.Name + item.Size));
}
public IList <Claim> GetRequiredClaims(ICommandInfo info)
{
ReadCommandInfo commandInfo = (ReadCommandInfo)info;
return(new[] { new Claim(commandInfo.DataSource, "Read") });
}
private bool AlreadyFilteredByRowPermissions(ReadCommandInfo readCommand)
{
if (readCommand.Filters != null && readCommand.Filters.Length > 0)
{
int lastRowPermissionFilter = -1;
for (int f = readCommand.Filters.Length - 1; f >= 0; f--)
if (GenericFilterHelper.EqualsSimpleFilter(readCommand.Filters[f], RowPermissionsReadInfo.FilterName))
{
lastRowPermissionFilter = f;
break;
}
if (lastRowPermissionFilter >= 0)
if (lastRowPermissionFilter == readCommand.Filters.Length - 1)
{
_logger.Trace(() => string.Format("(DataStructure:{0}) Last filter is '{1}', skipping RowPermissionsRead validation.",
readCommand.DataSource, RowPermissionsReadInfo.FilterName));
return true;
}
else
_logger.Trace(() => string.Format("(DataStructure:{0}) Warning: Improve performance by moving filter '{1}' to last position, in order to skip RowPermissionsRead validation.",
readCommand.DataSource, RowPermissionsReadInfo.FilterName));
}
return false;
}
