| public SetDiscretionaryAclProtection ( bool isProtected, bool preserveInheritance ) : void | ||
| isProtected | bool | |
| preserveInheritance | bool | |
| return | void | |
public void GetBinaryForm ()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.AreEqual (20, csd.BinaryLength);
byte[] binaryForm = new byte[csd.BinaryLength];
csd.GetBinaryForm (binaryForm, 0);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent | ControlFlags.SelfRelative,
csd.ControlFlags);
// The default 'Allow Everyone Full Access' serializes as NOT having a
// DiscretionaryAcl, as the above demonstrates (byte 3 is 0 not 4).
Assert.AreEqual (new byte[20] {
1, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
}, binaryForm);
// Changing SystemAcl protection does nothing special.
csd.SetSystemAclProtection (true, true);
Assert.AreEqual (20, csd.BinaryLength);
// Modifying the DiscretionaryAcl (even effective no-ops like this) causes serialization.
csd.SetDiscretionaryAclProtection (false, true);
Assert.AreEqual (48, csd.BinaryLength);
}
public void SetAccessRuleProtection(bool isProtected,
bool preserveInheritance)
{
WriteLock();
try {
descriptor.SetDiscretionaryAclProtection(isProtected, preserveInheritance);
} finally {
WriteUnlock();
}
}
public override byte[] GetAllowAllNodeAcl(string repositoryName, Guid domainId, Guid rootMapId)
{
// Return an empty Windows node ACL.
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return itemAcl;
}
public void SetAccessRuleProtection(bool isProtected, bool preserveInheritance)
{
WriteLock();
try
{
_securityDescriptor.SetDiscretionaryAclProtection(isProtected, preserveInheritance);
_daclModified = true;
}
finally
{
WriteUnlock();
}
}
public void AefaModifiedFlagIsStoredOnDiscretionaryAcl ()
{
CommonSecurityDescriptor csd1, csd2;
// Incidentally this shows the DiscretionaryAcl is NOT cloned.
csd1 = new CommonSecurityDescriptor (false, false, ControlFlags.None, null, null, null, null);
csd2 = new CommonSecurityDescriptor (false, false, ControlFlags.None, null, null, null, csd1.DiscretionaryAcl);
Assert.AreSame (csd1.DiscretionaryAcl, csd2.DiscretionaryAcl);
Assert.AreEqual ("", csd1.GetSddlForm (AccessControlSections.Access));
csd2.SetDiscretionaryAclProtection (false, true);
Assert.AreEqual ("D:(A;;0xffffffff;;;WD)", csd1.GetSddlForm (AccessControlSections.Access));
Assert.AreEqual ("D:(A;;0xffffffff;;;WD)", csd2.GetSddlForm (AccessControlSections.Access));
}
protected byte[] GetNodeAclWorker(string mapDatabaseName, string repositoryName, Guid domainId, Guid rootMapId, bool isCacheEnabled)
{
SecurityIdentifier farmAccountSid = SPFarm.Local.DefaultServiceAccount.SecurityIdentifier;
CommonSecurityDescriptor securityDescriptor = new CommonSecurityDescriptor(false, false, ControlFlags.None, farmAccountSid, null, null, null);
securityDescriptor.SetDiscretionaryAclProtection(true, false);
// Deny access to all users.
SecurityIdentifier everyoneSid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
securityDescriptor.DiscretionaryAcl.RemoveAccess(AccessControlType.Allow, everyoneSid, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
// Grant access to specified users.
securityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, farmAccountSid, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
List<SpUserDetail> allowedUsers = GetAllowedUsers(mapDatabaseName, repositoryName, domainId, rootMapId);
List<string> addedSids = new List<string>();
foreach (SpUserDetail user in allowedUsers)
{
SecurityIdentifier userSid = null;
if (!string.IsNullOrEmpty(user.Sid))
{
userSid = new SecurityIdentifier(user.Sid);
}
else
{
userSid = GetSidFromClaim(user.LoginName);
}
if (userSid != null && !addedSids.Contains(userSid.Value))
{
securityDescriptor.DiscretionaryAcl.AddAccess(AccessControlType.Allow, userSid, unchecked((int)0xffffffffL), InheritanceFlags.None, PropagationFlags.None);
addedSids.Add(userSid.Value);
}
}
byte[] itemAcl = new byte[securityDescriptor.BinaryLength];
securityDescriptor.GetBinaryForm(itemAcl, 0);
return itemAcl;
}
public void ProtectionChangesFlags ()
{
SecurityIdentifier userSid = new SecurityIdentifier (WellKnownSidType.LocalSystemSid, null);
SecurityIdentifier groupSid = new SecurityIdentifier (WellKnownSidType.BuiltinAdministratorsSid, null);
CommonSecurityDescriptor csd;
csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, userSid, groupSid, null, null);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative, csd.ControlFlags);
csd.SetDiscretionaryAclProtection (true, false);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.DiscretionaryAclProtected
| ControlFlags.SelfRelative, csd.ControlFlags);
csd.SetSystemAclProtection (true, false); // despite not being *present*
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.DiscretionaryAclProtected
| ControlFlags.SystemAclProtected
| ControlFlags.SelfRelative, csd.ControlFlags);
}
public void GetSddlFormAefaRemovesDacl ()
{
CommonSecurityDescriptor csd = new CommonSecurityDescriptor
(false, false, ControlFlags.None, null, null, null, null);
Assert.AreEqual (1, csd.DiscretionaryAcl.Count);
Assert.AreEqual ("", csd.GetSddlForm (AccessControlSections.Access));
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative,
csd.ControlFlags);
Assert.AreSame (csd.DiscretionaryAcl, csd.DiscretionaryAcl);
Assert.AreNotSame (csd.DiscretionaryAcl[0], csd.DiscretionaryAcl[0]);
Assert.AreEqual ("", csd.GetSddlForm (AccessControlSections.Access));
csd.SetDiscretionaryAclProtection (false, true);
Assert.AreEqual ("D:(A;;0xffffffff;;;WD)", csd.GetSddlForm (AccessControlSections.Access));
Assert.AreSame (csd.DiscretionaryAcl, csd.DiscretionaryAcl);
Assert.AreNotSame (csd.DiscretionaryAcl[0], csd.DiscretionaryAcl[0]);
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative,
csd.ControlFlags);
csd.SetDiscretionaryAclProtection (true, true);
Assert.AreEqual (1, csd.DiscretionaryAcl.Count);
Assert.AreEqual ("D:P(A;;0xffffffff;;;WD)", csd.GetSddlForm (AccessControlSections.Access));
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.DiscretionaryAclProtected
| ControlFlags.SelfRelative,
csd.ControlFlags);
csd.SetDiscretionaryAclProtection (false, false);
Assert.AreEqual (1, csd.DiscretionaryAcl.Count);
Assert.AreEqual ("D:(A;;0xffffffff;;;WD)", csd.GetSddlForm (AccessControlSections.Access));
Assert.AreEqual (ControlFlags.DiscretionaryAclPresent
| ControlFlags.SelfRelative,
csd.ControlFlags);
}
