public void Test_EnableCreateRule() { UserAccount userAccount; EntityType entityType1; AccessRule accessRule; IEntityAccessControlService entityAccessControlService; using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) using (new SecurityBypassContext()) { userAccount = new UserAccount(); userAccount.Name = Guid.NewGuid().ToString(); userAccount.Save(); entityType1 = new EntityType(); entityType1.Inherits.Add(UserResource.UserResource_Type); entityType1.Save(); entityAccessControlService = Factory.EntityAccessControlService; ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.CanCreate(entityType1), Is.False, "User can somehow initially create entities (!?)"); } using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) using (new SecurityBypassContext()) { accessRule = new AccessRuleFactory().AddAllowCreate( userAccount.As <Subject>(), entityType1.As <SecurableEntity>()); ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.CanCreate(entityType1), Is.True, "User cannot initially create entities"); } using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) { accessRule.AccessRuleEnabled = false; accessRule.Save(); ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.CanCreate(entityType1), Is.False, "User can create entities afterwards (!?)"); } }
public void Test_ChangePermissionsOnAccessRule() { UserAccount userAccount; EntityType entityType; IEntity entity; EntityRef entityRef; AccessRule accessRule; IEntityAccessControlService entityAccessControlService; using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) using (new SecurityBypassContext()) { userAccount = new UserAccount(); userAccount.Name = Guid.NewGuid().ToString(); userAccount.Save(); entityType = new EntityType(); entityType.Inherits.Add(UserResource.UserResource_Type); entityType.Save(); entity = Entity.Create(entityType); entity.Save(); entityRef = new EntityRef(entity); entityAccessControlService = Factory.EntityAccessControlService; ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.False, "User can somehow initially read entities (!?)"); Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False, "User can somehow initially write entities (!?)"); } using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) using (new SecurityBypassContext()) { accessRule = new AccessRuleFactory().AddAllowByQuery( userAccount.As <Subject>(), entityType.As <SecurableEntity>(), new[] { Permissions.Read, Permissions.Modify }, TestQueries.Entities(entityType).ToReport()); ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True, "User cannot read entity after access rule creation"); Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.True, "User cannot modify entity after access rule creation"); } using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) { accessRule.PermissionAccess.Remove(Permissions.Modify.Entity.As <Permission>()); accessRule.Save(); ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True, "User cannot read entity after removing modify access"); Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False, "User can modify entity after removing modify access"); } using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) { accessRule.PermissionAccess.Remove(Permissions.Read.Entity.As <Permission>()); accessRule.Save(); ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.False, "User can read entity after removing read access"); Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False, "User can modify entity after removing read access"); } using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true)) { accessRule.PermissionAccess.Add(Permissions.Read.Entity.As <Permission>()); accessRule.Save(); ctx.CommitTransaction(); } using (new SetUser(userAccount)) { Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True, "User cannot read entity after re-adding read access"); Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False, "User can modify entity after re-adding read access"); } }