/// <summary>
/// Pre-fetches the can-read security for the list of entities.
/// </summary>
/// <param name="entityAccessControlService">The security service to use.</param>
/// <param name="data">The data.</param>
/// <returns>
/// A predicate backed by a dictionary that can quickly return whether an entity is readable.
/// </returns>
public static Predicate <long> GetEntityReadability(IEntityAccessControlService entityAccessControlService, BulkRequestResult data)
{
if (entityAccessControlService == null)
{
throw new ArgumentNullException("entityAccessControlService");
}
Predicate <long> predicate;
if (SecurityBypassContext.IsActive)
{
predicate = (long entityId) => true;
}
else
{
// Get readable entities
List <EntityRef> entitiesToExplicitlyCheck = data.AllEntities
.Where(pair => !pair.Value.ImplicitlySecured)
.Select(pair => CreateEntityRefForSecurityCheck(data, pair.Key)) // Stop! If you change .Check to take longs, then discuss with Pete first.
.ToList();
IDictionary <long, bool> readableEntities = entityAccessControlService.Check(entitiesToExplicitlyCheck, new [] { Permissions.Read });
// Lookup predicate
predicate = (long entityId) =>
{
// Check if implicitly secured by relationship
EntityValue ev;
if (!data.AllEntities.TryGetValue(entityId, out ev))
{
return(false); // assert false
}
if (ev.ImplicitlySecured)
{
return(true);
}
// Check if explicitly secured
bool canRead;
if (readableEntities.TryGetValue(entityId, out canRead))
{
return(canRead);
}
return(false);
};
}
return(predicate);
}
/// <summary>
/// Constructor
/// </summary>
/// <param name="userRoleRepository"></param>
public SecurityProcessor(IEntityRepository entityRepository, IEntityAccessControlService entityAccessControlService, IUserRoleRepository userRoleRepository, IUpgradeIdProvider upgradeIdProvider)
{
if (entityRepository == null)
{
throw new ArgumentNullException(nameof(entityRepository));
}
if (entityAccessControlService == null)
{
throw new ArgumentNullException(nameof(entityAccessControlService));
}
if (userRoleRepository == null)
{
throw new ArgumentNullException(nameof(userRoleRepository));
}
if (upgradeIdProvider == null)
{
throw new ArgumentNullException(nameof(upgradeIdProvider));
}
EntityRepository = entityRepository;
EntityAccessControlService = entityAccessControlService;
UserRoleRepository = userRoleRepository;
UpgradeIdProvider = upgradeIdProvider;
}
/// <summary>
/// Create a new <see cref="SecurityActionMenuItemFilter"/>.
/// </summary>
/// <param name="entityAccessControlService">
/// The <see cref="IEntityAccessControlService"/> to perform security checks.
/// If omitted or null, the default implementation is used.
/// </param>
/// <param name="userRoleRepository">
/// The <see cref="IUserRoleRepository"/> to perform security checks.
/// If omitted or null, the default implementation is used.
/// </param>
public SecurityActionMenuItemFilter(IEntityAccessControlService entityAccessControlService = null, IUserRoleRepository userRoleRepository = null)
{
Service = entityAccessControlService ?? Factory.EntityAccessControlService;
UserRoleRepository = userRoleRepository ?? Factory.Current.Resolve <IUserRoleRepository>( );
}
/// <summary>
/// Constructor.
/// </summary>
/// <param name="tenantId">Tenant that the data applies to.</param>
/// <param name="unsecuredGraphData">Underlying graph data.</param>
/// <param name="entityAccessControlService">Security service.</param>
internal SecuredGraphEntityDataRepository(long tenantId, BulkRequestResult unsecuredGraphData, IEntityAccessControlService entityAccessControlService) : base(tenantId, unsecuredGraphData)
{
_entityAccessControlService = entityAccessControlService;
}
