Ejemplo n.º 1
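        /// <summary>
        /// Authorization gate for table creation. When the database has no table access
        /// security configured, only a caller whose identity name equals the service
        /// process identity name is allowed; otherwise the caller needs Writer (or better)
        /// permission at the database level.
        /// </summary>
        /// <param name="ctx">Request context; the caller's principal is read from <c>ctx.Request.User</c>.</param>
        /// <param name="route">Matched route. Not read by this check.</param>
        /// <returns>
        /// A Forbidden response when the caller is not allowed to create tables,
        /// otherwise <c>ContinueToNextHandlerResponse</c>.
        /// </returns>
        protected IResponse ValidateCreateAccess(IRequestContext ctx, Route route)
        {
            bool hasPermission = false;

            var security = this.Database.DatabasePermissions();
            var requestUser = ctx.Request.User;

            // Resolve the caller's name once and null-safely, so a request without a
            // principal or identity is denied with a 403 instead of failing with a
            // NullReferenceException inside the authorization check.
            string requestUserName = (requestUser != null && requestUser.Identity != null)
                ? requestUser.Identity.Name
                : null;

            if (!security.HasTableAccessSecurity)
            {
                // No ACLs configured: fall back to "caller is the service account".
                // WindowsIdentity wraps a token handle, so dispose it once the name is read.
                // NOTE(review): this is a case-sensitive ordinal comparison of account names.
                // A casing difference denies access (fails closed); comparing SIDs would be
                // the more robust identity check - confirm before changing.
                using (WindowsIdentity processIdentity = WindowsIdentity.GetCurrent())
                {
                    hasPermission = requestUserName != null && requestUserName.Equals(processIdentity.Name);
                }
            }
            else
            {
                // ACLs configured: require writer or better permissions at the DB level.
                hasPermission = HasPermission(security, requestUser, PermissionScope.Writer);
            }

            if (!hasPermission)
            {
                return(ArribaResponse.Forbidden(String.Format("Create Table access denied for {0}.", requestUserName)));
            }

            return(ContinueToNextHandlerResponse);
        }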
Ejemplo n.º 2
        /// <summary>
        /// Authorization gate for a table-scoped request: resolves the table name from the
        /// route, confirms the table exists, and then checks that the requesting user has
        /// access to it at the requested <paramref name="scope"/>.
        /// </summary>
        /// <param name="ctx">Request context; the caller's principal is read from <c>ctx.Request.User</c>.</param>
        /// <param name="routeData">Route data the table name is taken from (via <c>GetAndValidateTableName</c>).</param>
        /// <param name="scope">Permission scope the caller must hold on the table.</param>
        /// <param name="overrideLocalHostSameUser">
        /// When true, the table permission check is skipped for a loopback request whose
        /// identity matches the service process identity. The skip is recorded as a
        /// Warning-level monitor event.
        /// </param>
        /// <returns>
        /// NotFound when the table does not exist, Forbidden when access is denied,
        /// otherwise <c>ContinueToNextHandlerResponse</c>.
        /// </returns>
        protected IResponse ValidateTableAccess(IRequestContext ctx, Route routeData, PermissionScope scope, bool overrideLocalHostSameUser = false)
        {
            string requestedTable = GetAndValidateTableName(routeData);

            // NOTE(review): existence is answered before authorization, so a caller without
            // access can distinguish "no such table" (404) from "table exists" (403).
            // Confirm that disclosing table names this way is acceptable.
            if (!this.Database.TableExists(requestedTable))
            {
                return(ArribaResponse.NotFound("Table requested does not exist."));
            }

            var requestUser = ctx.Request.User;

            // The bypass applies only when the caller opted in AND the request came from a
            // loopback address AND the request identity is the process identity. The &&
            // chain short-circuits, so the helpers run only when the opt-in flag is set.
            // NOTE(review): this skips table ACLs entirely, so it is only as strong as
            // IsRequestOriginLoopback - verify it relies on the connection's remote address
            // and not on anything the client or an upstream proxy can supply.
            bool bypassTableAuth = overrideLocalHostSameUser
                                   && IsRequestOriginLoopback(ctx.Request)
                                   && IsProcessUserSame(requestUser.Identity);

            if (bypassTableAuth)
            {
                // Audit trail: record that table authorization was not evaluated for this request.
                this.EventSource.Raise(
                    MonitorEventLevel.Warning,
                    MonitorEventOpCode.Mark,
                    entityType: "Table",
                    entityIdentity: requestedTable,
                    name: "Authentication Override",
                    user: ctx.Request.User.Identity.Name,
                    detail: "Skipping table authentication for local loopback user on request");

                return(ContinueToNextHandlerResponse);
            }

            if (HasTableAccess(requestedTable, requestUser, scope))
            {
                return(ContinueToNextHandlerResponse);
            }

            // The denial text echoes the table name and the caller's identity name.
            return(ArribaResponse.Forbidden(String.Format("Access to {0} denied for {1}.", requestedTable, requestUser.Identity.Name)));
        }