/// <summary>
        /// In case of a delete command we always filter based on the userId
        /// </summary>
        static void InterceptDeleteCommand(DbCommandTreeInterceptionContext interceptionContext)
        {
            var deleteCommand = interceptionContext.Result as DbDeleteCommandTree;

            if (deleteCommand != null)
            {
                var column = UserAwareAttribute.GetUserColumnName(deleteCommand.Target.VariableType.EdmType);
                if (!string.IsNullOrEmpty(column))
                {
                    // Get the userId (throw an exception if there is none)
                    var userId = GetCurrentUserId();

                    // Create the variable reference in order to create the property
                    var variableReference = DbExpressionBuilder.Variable(deleteCommand.Target.VariableType,
                                                                         deleteCommand.Target.VariableName);
                    // Create the property to which will assign the correct value
                    var userProperty         = DbExpressionBuilder.Property(variableReference, column);
                    var userIdWherePredicate = DbExpressionBuilder.Equal(userProperty, DbExpression.FromInt32(userId));

                    // The initial predicate is the sql where statement
                    var initialPredicate = deleteCommand.Predicate;
                    // Add to the initial statement the userId statement which translates in sql AND userId = 'value'
                    var finalPredicate = initialPredicate.And(userIdWherePredicate);

                    var newDeleteCommand = new DbDeleteCommandTree(
                        deleteCommand.MetadataWorkspace,
                        deleteCommand.DataSpace,
                        deleteCommand.Target,
                        finalPredicate);

                    interceptionContext.Result = newDeleteCommand;
                }
            }
        }
Beispiel #2
0
        public override DbExpression Visit(DbScanExpression expression)
        {
            expression = (DbScanExpression)base.Visit(expression);

            var column = UserAwareAttribute.GetUserColumnName(expression.Target.ElementType);

            if (!string.IsNullOrEmpty(column))
            {
                // Check that there is an authenticated user in this context
                var identity = System.Threading.Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity;
                if (identity == null)
                {
                    throw new System.Security.SecurityException("Unauthenticated access");
                }
                var userIdclaim = identity.Claims.SingleOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.NameIdentifier);
                if (userIdclaim == null)
                {
                    throw new System.Security.SecurityException("Unauthenticated access");
                }

                // Get the current expression binding
                var currentExpressionBinding = DbExpressionBuilder.Bind(expression);
                var newFilterExpression      = BuildFilterExpression(currentExpressionBinding, column);
                if (newFilterExpression != null)
                {
                    //  If not null, a new DbFilterExpression has been created with our dynamic filters.
                    return(newFilterExpression);
                }
            }

            return(expression);
        }
        /// <summary>
        /// In case of an update command we always filter based on the userId
        /// </summary>
        static bool InterceptUpdate(DbCommandTreeInterceptionContext interceptionContext)
        {
            var updateCommand = interceptionContext.Result as DbUpdateCommandTree;

            if (updateCommand != null)
            {
                var column = UserAwareAttribute.GetUserColumnName(updateCommand.Target.VariableType.EdmType);
                if (!string.IsNullOrEmpty(column))
                {
                    // Get the userId (throw an exception if there is none)
                    var userId = GetCurrentUserId();

                    // Create the variable reference in order to create the property
                    var variableReference = DbExpressionBuilder.Variable(updateCommand.Target.VariableType,
                                                                         updateCommand.Target.VariableName);
                    // Create the property to which will assign the correct value
                    var userProperty = DbExpressionBuilder.Property(variableReference, column);
                    // Create the userId where predicate, object representation of sql where userId = value statement
                    var userIdWherePredicate = DbExpressionBuilder.Equal(userProperty, DbExpression.FromInt32(userId));

                    // Remove potential assignment of userId for extra safety
                    var filteredSetClauses =
                        updateCommand.SetClauses.Cast <DbSetClause>()
                        .Where(sc => ((DbPropertyExpression)sc.Property).Property.Name != column);

                    // Construct the final clauses, object representation of sql insert command values
                    var finalSetClauses =
                        new ReadOnlyCollection <DbModificationClause>(new List <DbModificationClause>(filteredSetClauses));

                    // The initial predicate is the sql where statement
                    var initialPredicate = updateCommand.Predicate;
                    // Add to the initial statement the userId statement which translates in sql AND UserId = 'value'
                    var finalPredicate = initialPredicate.And(userIdWherePredicate);

                    var newUpdateCommand = new DbUpdateCommandTree(
                        updateCommand.MetadataWorkspace,
                        updateCommand.DataSpace,
                        updateCommand.Target,
                        finalPredicate,
                        finalSetClauses,
                        updateCommand.Returning);

                    interceptionContext.Result = newUpdateCommand;
                    // True means an interception successfully happened so there is no need to continue
                    return(true);
                }
            }
            return(false);
        }