/// <summary>
/// In case of a delete command we always filter based on the userId
/// </summary>
static void InterceptDeleteCommand(DbCommandTreeInterceptionContext interceptionContext)
{
var deleteCommand = interceptionContext.Result as DbDeleteCommandTree;
if (deleteCommand != null)
{
var column = UserAwareAttribute.GetUserColumnName(deleteCommand.Target.VariableType.EdmType);
if (!string.IsNullOrEmpty(column))
{
// Get the userId (throw an exception if there is none)
var userId = GetCurrentUserId();
// Create the variable reference in order to create the property
var variableReference = DbExpressionBuilder.Variable(deleteCommand.Target.VariableType,
deleteCommand.Target.VariableName);
// Create the property to which will assign the correct value
var userProperty = DbExpressionBuilder.Property(variableReference, column);
var userIdWherePredicate = DbExpressionBuilder.Equal(userProperty, DbExpression.FromInt32(userId));
// The initial predicate is the sql where statement
var initialPredicate = deleteCommand.Predicate;
// Add to the initial statement the userId statement which translates in sql AND userId = 'value'
var finalPredicate = initialPredicate.And(userIdWherePredicate);
var newDeleteCommand = new DbDeleteCommandTree(
deleteCommand.MetadataWorkspace,
deleteCommand.DataSpace,
deleteCommand.Target,
finalPredicate);
interceptionContext.Result = newDeleteCommand;
}
}
}
public override DbExpression Visit(DbScanExpression expression)
{
expression = (DbScanExpression)base.Visit(expression);
var column = UserAwareAttribute.GetUserColumnName(expression.Target.ElementType);
if (!string.IsNullOrEmpty(column))
{
// Check that there is an authenticated user in this context
var identity = System.Threading.Thread.CurrentPrincipal.Identity as System.Security.Claims.ClaimsIdentity;
if (identity == null)
{
throw new System.Security.SecurityException("Unauthenticated access");
}
var userIdclaim = identity.Claims.SingleOrDefault(c => c.Type == System.Security.Claims.ClaimTypes.NameIdentifier);
if (userIdclaim == null)
{
throw new System.Security.SecurityException("Unauthenticated access");
}
// Get the current expression binding
var currentExpressionBinding = DbExpressionBuilder.Bind(expression);
var newFilterExpression = BuildFilterExpression(currentExpressionBinding, column);
if (newFilterExpression != null)
{
// If not null, a new DbFilterExpression has been created with our dynamic filters.
return(newFilterExpression);
}
}
return(expression);
}
/// <summary>
/// In case of an update command we always filter based on the userId
/// </summary>
static bool InterceptUpdate(DbCommandTreeInterceptionContext interceptionContext)
{
var updateCommand = interceptionContext.Result as DbUpdateCommandTree;
if (updateCommand != null)
{
var column = UserAwareAttribute.GetUserColumnName(updateCommand.Target.VariableType.EdmType);
if (!string.IsNullOrEmpty(column))
{
// Get the userId (throw an exception if there is none)
var userId = GetCurrentUserId();
// Create the variable reference in order to create the property
var variableReference = DbExpressionBuilder.Variable(updateCommand.Target.VariableType,
updateCommand.Target.VariableName);
// Create the property to which will assign the correct value
var userProperty = DbExpressionBuilder.Property(variableReference, column);
// Create the userId where predicate, object representation of sql where userId = value statement
var userIdWherePredicate = DbExpressionBuilder.Equal(userProperty, DbExpression.FromInt32(userId));
// Remove potential assignment of userId for extra safety
var filteredSetClauses =
updateCommand.SetClauses.Cast <DbSetClause>()
.Where(sc => ((DbPropertyExpression)sc.Property).Property.Name != column);
// Construct the final clauses, object representation of sql insert command values
var finalSetClauses =
new ReadOnlyCollection <DbModificationClause>(new List <DbModificationClause>(filteredSetClauses));
// The initial predicate is the sql where statement
var initialPredicate = updateCommand.Predicate;
// Add to the initial statement the userId statement which translates in sql AND UserId = 'value'
var finalPredicate = initialPredicate.And(userIdWherePredicate);
var newUpdateCommand = new DbUpdateCommandTree(
updateCommand.MetadataWorkspace,
updateCommand.DataSpace,
updateCommand.Target,
finalPredicate,
finalSetClauses,
updateCommand.Returning);
interceptionContext.Result = newUpdateCommand;
// True means an interception successfully happened so there is no need to continue
return(true);
}
}
return(false);
}