public static bool CanAlternateBetweenUsers(
this WebViewPage @this,
[AspMvcAction]string action = null,
[AspMvcController]string controller = null,
string method = "GET",
object routeValues = null)
{
// TODO: must cache all of these informations
// todo: this method is similar to CanAccessAction... maybe we can merge them somehow
if (@this == null)
throw new ArgumentNullException("this");
var routeValuesDic = new RouteValueDictionary(routeValues);
var mvcHelper = new MvcActionHelper(
@this.ViewContext.Controller.ControllerContext, action, controller, method, routeValuesDic);
if (mvcHelper.ActionDescriptor == null)
{
// The view does not exist... this means that nobody can access it.
return false;
}
var attributes = mvcHelper
.GetFilters()
.Select(f => f.Instance)
.OfType<CanAlternateUserAttribute>()
.ToArray();
var result = attributes.Length > 0;
return result;
}
/// <summary>
/// Checks whether the current user can access the specified action.
/// At this moment it looks only at PermissionAttribute attributes.
/// </summary>
/// <param name="this">The current view page.</param>
/// <param name="action">Action name to test.</param>
/// <param name="controller">Controller name to test.</param>
/// <param name="method">Http method to differentiate GET, HEAD, POST, PUT and DELETE actions.</param>
/// <param name="routeValues">An object containing the route values for the action. </param>
/// <returns>Returns true if the current user has access to the given action; otherwise false. </returns>
public static bool CanAccessAction(
this WebViewPage @this,
[AspMvcAction]string action = null,
[AspMvcController]string controller = null,
string method = "GET",
object routeValues = null)
{
// TODO: must cache all of these informations
if (@this == null)
throw new ArgumentNullException("this");
var routeValuesDic = new RouteValueDictionary(routeValues);
var mvcHelper = new MvcActionHelper(
@this.ViewContext.Controller.ControllerContext, action, controller, method, routeValuesDic);
if (mvcHelper.ActionDescriptor == null)
{
// The view does not exist... this means that nobody can access it.
return false;
}
if (routeValues != null)
{
// checking action parameters
var actionParams = mvcHelper.ActionDescriptor.GetParameters();
// todo: check routeValuesDic to see if the contained values fit the actionParams
// todo: maybe we should try to bind values (it could be slow)
}
// Getting the current DB User... (the logged user).
var cerebelloController = @this.ViewContext.Controller as CerebelloController;
User dbUser = null;
if (cerebelloController != null)
{
cerebelloController.InitDb();
cerebelloController.InitDbUser(@this.Request.RequestContext);
dbUser = cerebelloController.DbUser;
}
// If there is a logged user, then use permission attributes to determine whether user has access or not.
if (dbUser != null)
{
var attributes = mvcHelper
.GetFilters()
.Select(f => f.Instance)
.OfType<PermissionAttribute>()
.ToArray();
var permissionContext = new PermissionContext
{
User = dbUser,
ControllerContext = mvcHelper.MockControllerContext,
};
var result = !attributes.Any()
|| attributes.All(pa => pa.CanAccessResource(permissionContext));
return result;
}
return false;
}
