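/// <summary>
/// Authorization gate for table creation.
/// When the database has no table-access security configured, creation is allowed only
/// if the caller's identity name equals the identity name of the service process.
/// Otherwise the caller must hold <see cref="PermissionScope.Writer"/> (as evaluated by
/// <c>HasPermission</c>) at the database level.
/// </summary>
/// <param name="ctx">Request context; the caller is read from <c>ctx.Request.User</c>.</param>
/// <param name="route">Route data for the request; not consulted by this check.</param>
/// <returns>
/// A Forbidden response when access is denied; otherwise <c>ContinueToNextHandlerResponse</c>.
/// </returns>
protected IResponse ValidateCreateAccess(IRequestContext ctx, Route route)
{
    var user = ctx.Request.User;

    // A request without a principal or identity has no name to compare or report.
    // Treat it as "no caller name" so the check fails closed instead of throwing.
    string callerName = (user != null && user.Identity != null) ? user.Identity.Name : null;

    var security = this.Database.DatabasePermissions();
    bool hasPermission;

    if (!security.HasTableAccessSecurity)
    {
        // If there's no security, table create is only allowed if the service is running as the same user.
        // WindowsIdentity is IDisposable; dispose it so each request does not leave the object undisposed.
        using (WindowsIdentity processIdentity = WindowsIdentity.GetCurrent())
        {
            // The null/empty guard keeps a nameless caller from ever matching.
            // NOTE(review): this is a case-sensitive comparison of account *names*, as in the
            // original code. A casing mismatch denies access (fails closed). Comparing SIDs
            // would likely be more robust - confirm against IsProcessUserSame before changing.
            hasPermission = !String.IsNullOrEmpty(callerName)
                && String.Equals(callerName, processIdentity.Name, StringComparison.Ordinal);
        }
    }
    else
    {
        // Otherwise, check for writer or better permissions at the DB level.
        hasPermission = HasPermission(security, user, PermissionScope.Writer);
    }

    if (!hasPermission)
    {
        return ArribaResponse.Forbidden(String.Format("Create Table access denied for {0}.", callerName));
    }

    return ContinueToNextHandlerResponse;
}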
/// <summary>
/// Authorization gate for access to a single table at the requested permission scope.
/// </summary>
/// <param name="ctx">Request context; the caller is read from <c>ctx.Request.User</c>.</param>
/// <param name="routeData">Route data from which the table name is obtained via <c>GetAndValidateTableName</c>.</param>
/// <param name="scope">Permission scope the caller must hold on the table.</param>
/// <param name="overrideLocalHostSameUser">
/// When true, the table permission check is skipped for a request that
/// <c>IsRequestOriginLoopback</c> reports as loopback and whose identity
/// <c>IsProcessUserSame</c> reports as the process user. The skip is logged as a warning.
/// </param>
/// <returns>
/// NotFound if the table does not exist, Forbidden if access is denied, otherwise
/// <c>ContinueToNextHandlerResponse</c>.
/// </returns>
protected IResponse ValidateTableAccess(IRequestContext ctx, Route routeData, PermissionScope scope, bool overrideLocalHostSameUser = false)
{
    string requestedTable = GetAndValidateTableName(routeData);

    // NOTE(review): existence is checked before authorization, so a caller without access
    // receives NotFound for a missing table and Forbidden for an existing one.
    bool tableKnown = this.Database.TableExists(requestedTable);
    if (!tableKnown)
    {
        return ArribaResponse.NotFound("Table requested does not exist.");
    }

    var caller = ctx.Request.User;

    // The bypass applies only when the endpoint opted in AND the request is loopback AND the
    // request identity matches the process identity. All three must hold.
    // NOTE(review): the strength of this bypass depends on how IsRequestOriginLoopback
    // determines origin (not visible here) - confirm its behaviour behind a same-host proxy.
    bool skipTableCheck = overrideLocalHostSameUser
        && IsRequestOriginLoopback(ctx.Request)
        && IsProcessUserSame(caller.Identity);

    if (skipTableCheck)
    {
        // Audit trail: record that the table permission check was bypassed for this request.
        this.EventSource.Raise(
            MonitorEventLevel.Warning,
            MonitorEventOpCode.Mark,
            entityType: "Table",
            entityIdentity: requestedTable,
            name: "Authentication Override",
            user: ctx.Request.User.Identity.Name,
            detail: "Skipping table authentication for local loopback user on request");

        return ContinueToNextHandlerResponse;
    }

    if (HasTableAccess(requestedTable, caller, scope))
    {
        return ContinueToNextHandlerResponse;
    }

    return ArribaResponse.Forbidden(String.Format("Access to {0} denied for {1}.", requestedTable, caller.Identity.Name));
}