public void CheckAccess(Permission permission, IUser user, IContent content)
{
if (!TryCheckAccess(permission, user, content))
{
throw new FrameworkSecurityException("A security exception occurred in the content management system.")
{
PermissionName = permission.Name,
User = user
};
}
}
public bool Authorize(Permission permission, IContent content, string message)
{
if (_authorizationService == null)
return false;
if (_authorizationService.TryCheckAccess(permission, _user, content))
return true;
if (message != null)
{
//if (_user == null)
//{
// //notifier error
// _notifier.Error(T("{0}. Anonymous users do not have {1} permission.",
// message, permission.Name));
//}
//else
//{
// //notifier error
// _notifier.Error(T("{0}. Current user, {2}, does not have {1} permission.",
// message, permission.Name, _user.UserName));
//}
}
return false;
}
public bool Authorize(Permission permission, IContent content)
{
return Authorize(permission, content, null);
}
public bool Authorize(Permission permission, string message)
{
return Authorize(permission, null, message);
}
public bool Authorize(Permission permission)
{
return Authorize(permission, null, null);
}
public bool TryCheckAccess(Permission permission, IUser user, IContent content)
{
var context = new CheckAccessContext { Permission = permission, User = user };
_authorizationServiceEventHandler.Checking(context);
for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter)
{
if (!context.Granted && context.User != null)
{
//if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) &&
// String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal))
//{
// context.Granted = true;
//}
}
if (!context.Granted)
{
// determine which set of permissions would satisfy the access check
var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray();
// determine what set of roles should be examined by the access check
IEnumerable<string> rolesToExamine;
if (context.User == null)
{
rolesToExamine = AnonymousRole;
}
//else if (context.User.Has<IUserRoles>())
//{
// // the current user is not null, so get his roles and add "Authenticated" to it
// rolesToExamine = context.User.As<IUserRoles>().Roles;
// // when it is a simulated anonymous user in the admin
// if (!rolesToExamine.Contains(AnonymousRole[0]))
// {
// rolesToExamine = rolesToExamine.Concat(AuthenticatedRole);
// }
//}
else
{
// the user is not null and has no specific role, then it's just "Authenticated"
rolesToExamine = AuthenticatedRole;
}
foreach (var role in rolesToExamine)
{
foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role))
{
string possessedName = permissionName;
if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase)))
{
context.Granted = true;
}
if (context.Granted)
break;
}
if (context.Granted)
break;
}
}
context.Adjusted = false;
_authorizationServiceEventHandler.Adjust(context);
if (!context.Adjusted)
break;
}
_authorizationServiceEventHandler.Complete(context);
return context.Granted;
}
private static IEnumerable<string> PermissionNames(Permission permission, IEnumerable<string> stack)
{
// the given name is tested
yield return permission.Name;
// iterate implied permissions to grant, it present
if (permission.ImpliedBy != null && permission.ImpliedBy.Any())
{
foreach (var impliedBy in permission.ImpliedBy)
{
// avoid potential recursion
if (stack.Contains(impliedBy.Name))
continue;
// otherwise accumulate the implied permission names recursively
foreach (var impliedName in PermissionNames(impliedBy, stack.Concat(new[] { permission.Name })))
{
yield return impliedName;
}
}
}
yield return StandardPermissions.SiteOwner.Name;
}