public void InheritingRowPermissions() { InsertCurrentPrincipal(); // Not related to row permissions. // Insert the test data (server code bypasses row permissions): using (var scope = TestScope.Create()) { var repository = scope.Resolve <Common.DomRepository>(); var context = scope.Resolve <Common.ExecutionContext>(); repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.Query()); repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.Query()); repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.Query()); repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.Query()); repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.Query()); repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.Query()); repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.Query()); var reg3 = new DemoRowPermissions2.Region { Name = "reg3" }; repository.DemoRowPermissions2.Region.Insert(new[] { reg3 }); var div1 = new DemoRowPermissions2.Division { Name = "div1" }; var div2 = new DemoRowPermissions2.Division { Name = "div2" }; var div3 = new DemoRowPermissions2.Division { Name = "div3", RegionID = reg3.ID }; repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 }); // The current user: var emp1 = new DemoRowPermissions2.Employee { UserName = context.UserInfo.UserName, DivisionID = div1.ID }; var emp2 = new DemoRowPermissions2.Employee { UserName = "******" }; repository.DemoRowPermissions2.Employee.Insert(new[] { emp1, emp2 }); var sup3 = new DemoRowPermissions2.RegionSupervisor { EmployeeID = emp1.ID, RegionID = reg3.ID }; repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 }); // The current user can access doc1, because it's in the same division: var doc1 = new DemoRowPermissions2.Document { Title = "doc1", DivisionID = div1.ID }; // The current user cannot access doc2: var doc2 = new DemoRowPermissions2.Document { Title = "doc2", DivisionID = div2.ID }; // The current user can access doc3, because it's in the region he supervises: var doc3 = new DemoRowPermissions2.Document { Title = "doc3", DivisionID = div3.ID }; repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3 }); // The current user can access com1, because it is related to his document: var com1 = new DemoRowPermissions2.DocumentComment { DocumentID = doc1.ID, Comment = "com1" }; // The current user cannot access com2: var com2 = new DemoRowPermissions2.DocumentComment { DocumentID = doc2.ID, Comment = "com2" }; repository.DemoRowPermissions2.DocumentComment.Insert(new[] { com1, com2 }); // The current user can access app1, because it is related to his document: var app1 = new DemoRowPermissions2.DocumentApproval { ID = doc1.ID, ApprovedByID = emp1.ID, Note = "app1" }; // The current user cannot access app2: var app2 = new DemoRowPermissions2.DocumentApproval { ID = doc2.ID, ApprovedByID = emp1.ID, Note = "app2" }; // The current user can read app3, but cannot write it, because it is approved by a different user: var app3 = new DemoRowPermissions2.DocumentApproval { ID = doc3.ID, ApprovedByID = emp2.ID, Note = "app3" }; repository.DemoRowPermissions2.DocumentApproval.Insert(new[] { app1, app2, app3 }); scope.CommitAndClose(); } // Test the current user's row permissions: // The test will not execute client requests, but simply directly check the row permissions filters. using (var scope = TestScope.Create()) { var allowedReadBrowse = scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentBrowse> >() .Load <Common.RowPermissionsReadItems>(); Assert.AreEqual("doc1, doc3", TestUtility.DumpSorted(allowedReadBrowse, browse => browse.Title)); var allowedReadComment = scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentComment> >() .Load <Common.RowPermissionsReadItems>(); Assert.AreEqual("com1", TestUtility.DumpSorted(allowedReadComment, comment => comment.Comment)); var allowedReadApproval = scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentApproval> >() .Load <Common.RowPermissionsReadItems>(); Assert.AreEqual("app1, app3", TestUtility.DumpSorted(allowedReadApproval, approval => approval.Note)); var allowedWriteApproval = scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentApproval> >() .Load <Common.RowPermissionsWriteItems>(); Assert.AreEqual("app1", TestUtility.DumpSorted(allowedWriteApproval, approval => approval.Note)); var allowedReadInfo = scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentInfo> >() .Load <Common.RowPermissionsReadItems>(); Assert.AreEqual("doc1_2, doc3_2", TestUtility.DumpSorted(allowedReadInfo, info => info.Title2)); } }
public void InheritingRowPermissions() { InsertCurrentPrincipal(); // Not related to row permissions. // Insert the test data (server code bypasses row permissions): using (var container = new RhetosTestContainer(commitChanges: true)) { var repository = container.Resolve<Common.DomRepository>(); var context = container.Resolve<Common.ExecutionContext>(); repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.All()); repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.All()); repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.All()); repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.All()); repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.All()); repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.All()); repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.All()); var reg3 = new DemoRowPermissions2.Region { Name = "reg3" }; repository.DemoRowPermissions2.Region.Insert(new[] { reg3 }); var div1 = new DemoRowPermissions2.Division { Name = "div1" }; var div2 = new DemoRowPermissions2.Division { Name = "div2" }; var div3 = new DemoRowPermissions2.Division { Name = "div3", RegionID = reg3.ID }; repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 }); // The current user: var emp1 = new DemoRowPermissions2.Employee { UserName = context.UserInfo.UserName, DivisionID = div1.ID }; var emp2 = new DemoRowPermissions2.Employee { UserName = "******" }; repository.DemoRowPermissions2.Employee.Insert(new[] { emp1, emp2 }); var sup3 = new DemoRowPermissions2.RegionSupervisor { EmployeeID = emp1.ID, RegionID = reg3.ID }; repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 }); // The current user can access doc1, because it's in the same division: var doc1 = new DemoRowPermissions2.Document { Title = "doc1", DivisionID = div1.ID }; // The current user cannot access doc2: var doc2 = new DemoRowPermissions2.Document { Title = "doc2", DivisionID = div2.ID }; // The current user can access doc3, because it's in the region he supervises: var doc3 = new DemoRowPermissions2.Document { Title = "doc3", DivisionID = div3.ID }; repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3 }); // The current user can access com1, because it is related to his document: var com1 = new DemoRowPermissions2.DocumentComment { DocumentID = doc1.ID, Comment = "com1" }; // The current user cannot access com2: var com2 = new DemoRowPermissions2.DocumentComment { DocumentID = doc2.ID, Comment = "com2" }; repository.DemoRowPermissions2.DocumentComment.Insert(new[] { com1, com2 }); // The current user can access app1, because it is related to his document: var app1 = new DemoRowPermissions2.DocumentApproval { ID = doc1.ID, ApprovedByID = emp1.ID, Note = "app1" }; // The current user cannot access app2: var app2 = new DemoRowPermissions2.DocumentApproval { ID = doc2.ID, ApprovedByID = emp1.ID, Note = "app2" }; // The current user can read app3, but cannot write it, because it is approved by a different user: var app3 = new DemoRowPermissions2.DocumentApproval { ID = doc3.ID, ApprovedByID = emp2.ID, Note = "app3" }; repository.DemoRowPermissions2.DocumentApproval.Insert(new[] { app1, app2, app3 }); } // Test the current user's row permissions: // The test will not execute client requests, but simply directly check the row permissions filters. using (var container = new RhetosTestContainer()) { var allowedReadBrowse = container.Resolve<GenericRepository<DemoRowPermissions2.DocumentBrowse>>() .Load<Common.RowPermissionsReadItems>(); Assert.AreEqual("doc1, doc3", TestUtility.DumpSorted(allowedReadBrowse, browse => browse.Title)); var allowedReadComment = container.Resolve<GenericRepository<DemoRowPermissions2.DocumentComment>>() .Load<Common.RowPermissionsReadItems>(); Assert.AreEqual("com1", TestUtility.DumpSorted(allowedReadComment, comment => comment.Comment)); var allowedReadApproval = container.Resolve<GenericRepository<DemoRowPermissions2.DocumentApproval>>() .Load<Common.RowPermissionsReadItems>(); Assert.AreEqual("app1, app3", TestUtility.DumpSorted(allowedReadApproval, approval => approval.Note)); var allowedWriteApproval = container.Resolve<GenericRepository<DemoRowPermissions2.DocumentApproval>>() .Load<Common.RowPermissionsWriteItems>(); Assert.AreEqual("app1", TestUtility.DumpSorted(allowedWriteApproval, approval => approval.Note)); } }
public void CombiningMultipleRules() { InsertCurrentPrincipal(); // Not related to row permissions. // Insert the test data (server code bypasses row permissions): using (var scope = TestScope.Create()) { var repository = scope.Resolve <Common.DomRepository>(); var context = scope.Resolve <Common.ExecutionContext>(); repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.Query()); repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.Query()); repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.Query()); repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.Query()); repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.Query()); repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.Query()); repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.Query()); var reg3 = new DemoRowPermissions2.Region { Name = "reg3" }; repository.DemoRowPermissions2.Region.Insert(new[] { reg3 }); var div1 = new DemoRowPermissions2.Division { Name = "div1" }; var div2 = new DemoRowPermissions2.Division { Name = "div2" }; var div3 = new DemoRowPermissions2.Division { Name = "div3", RegionID = reg3.ID }; repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 }); // The current user: var emp1 = new DemoRowPermissions2.Employee { UserName = context.UserInfo.UserName, DivisionID = div1.ID }; repository.DemoRowPermissions2.Employee.Insert(new[] { emp1 }); var sup3 = new DemoRowPermissions2.RegionSupervisor { EmployeeID = emp1.ID, RegionID = reg3.ID }; repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 }); // The user can access doc1, because it's in the same division: var doc1 = new DemoRowPermissions2.Document { Title = "doc1", DivisionID = div1.ID }; // The user cannot access doc2: var doc2 = new DemoRowPermissions2.Document { Title = "doc2", DivisionID = div2.ID }; // The user can access doc3, because it's in the region he supervises: var doc3 = new DemoRowPermissions2.Document { Title = "doc3", DivisionID = div3.ID }; // The user can access doc4 (same division), but cannot edit it (previous year): var doc4 = new DemoRowPermissions2.Document { Title = "doc4", DivisionID = div1.ID, Created = DateTime.Now.AddYears(-1) }; repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3, doc4 }); scope.CommitAndClose(); } // Simulate client request: Reading all documents (access denied) using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims())) { var processingEngine = scope.Resolve <IProcessingEngine>(); var serverCommand = new ReadCommandInfo { DataSource = typeof(DemoRowPermissions2.Document).FullName, ReadRecords = true }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.IsTrue(report.Contains("You are not authorized")); } // Simulate client request: Reading the user's documents using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims())) { var processingEngine = scope.Resolve <IProcessingEngine>(); var serverCommand = new ReadCommandInfo { DataSource = typeof(DemoRowPermissions2.Document).FullName, ReadRecords = true, Filters = new[] { new FilterCriteria(typeof(Common.RowPermissionsReadItems)) } }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.AreEqual("doc1, doc3, doc4", report); } // Simulate client request: Edit doc1 (ok) using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims())) { var repository = scope.Resolve <Common.DomRepository>(); var doc1 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc1").Single(); doc1.Title += "x"; var processingEngine = scope.Resolve <IProcessingEngine>(); var serverCommand = new SaveEntityCommandInfo { Entity = typeof(DemoRowPermissions2.Document).FullName, DataToUpdate = new[] { doc1 } }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.AreEqual("Command executed", report); var documents = repository.DemoRowPermissions2.Document.Query().Select(d => d.Title).OrderBy(t => t); Assert.AreEqual("doc1x, doc2, doc3, doc4", string.Join(", ", documents)); } // Simulate client request: Edit doc4 (access denied) using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims())) { var repository = scope.Resolve <Common.DomRepository>(); var doc4 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc4").Single(); doc4.Title += "x"; var processingEngine = scope.Resolve <IProcessingEngine>(); var serverCommand = new SaveEntityCommandInfo { Entity = typeof(DemoRowPermissions2.Document).FullName, DataToUpdate = new[] { doc4 } }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.IsTrue(report.Contains("Insufficient permissions")); } }
public void CombiningMultipleRules() { InsertCurrentPrincipal(); // Not related to row permissions. // Insert the test data (server code bypasses row permissions): using (var container = new RhetosTestContainer(commitChanges: true)) { var repository = container.Resolve<Common.DomRepository>(); var context = container.Resolve<Common.ExecutionContext>(); repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.All()); repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.All()); repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.All()); repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.All()); repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.All()); repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.All()); repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.All()); var reg3 = new DemoRowPermissions2.Region { Name = "reg3" }; repository.DemoRowPermissions2.Region.Insert(new[] { reg3 }); var div1 = new DemoRowPermissions2.Division { Name = "div1" }; var div2 = new DemoRowPermissions2.Division { Name = "div2" }; var div3 = new DemoRowPermissions2.Division { Name = "div3", RegionID = reg3.ID }; repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 }); // The current user: var emp1 = new DemoRowPermissions2.Employee { UserName = context.UserInfo.UserName, DivisionID = div1.ID }; repository.DemoRowPermissions2.Employee.Insert(new[] { emp1 }); var sup3 = new DemoRowPermissions2.RegionSupervisor { EmployeeID = emp1.ID, RegionID = reg3.ID }; repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 }); // The user can access doc1, because it's in the same division: var doc1 = new DemoRowPermissions2.Document { Title = "doc1", DivisionID = div1.ID }; // The user cannot access doc2: var doc2 = new DemoRowPermissions2.Document { Title = "doc2", DivisionID = div2.ID }; // The user can access doc3, because it's in the region he supervises: var doc3 = new DemoRowPermissions2.Document { Title = "doc3", DivisionID = div3.ID }; // The user can access doc4 (same division), but cannot edit it (previous year): var doc4 = new DemoRowPermissions2.Document { Title = "doc4", DivisionID = div1.ID, Created = DateTime.Now.AddYears(-1) }; repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3, doc4 }); } // Simulate client request: Reading all documents (access denied) using (var container = new RhetosTestContainer()) { container.AddIgnoreClaims(); var processingEngine = container.Resolve<IProcessingEngine>(); var serverCommand = new ReadCommandInfo { DataSource = typeof(DemoRowPermissions2.Document).FullName, ReadRecords = true }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.IsTrue(report.Contains("You are not authorized")); } // Simulate client request: Reading the user's documents using (var container = new RhetosTestContainer()) { container.AddIgnoreClaims(); var processingEngine = container.Resolve<IProcessingEngine>(); var serverCommand = new ReadCommandInfo { DataSource = typeof(DemoRowPermissions2.Document).FullName, ReadRecords = true, Filters = new[] { new FilterCriteria(typeof(Common.RowPermissionsReadItems)) } }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.AreEqual("doc1, doc3, doc4", report); } // Simulate client request: Edit doc1 (ok) using (var container = new RhetosTestContainer()) { container.AddIgnoreClaims(); var repository = container.Resolve<Common.DomRepository>(); var doc1 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc1").Single(); doc1.Title += "x"; var processingEngine = container.Resolve<IProcessingEngine>(); var serverCommand = new SaveEntityCommandInfo { Entity = typeof(DemoRowPermissions2.Document).FullName, DataToUpdate = new[] { doc1 } }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.AreEqual("Comand executed", report); var documents = repository.DemoRowPermissions2.Document.Query().Select(d => d.Title).OrderBy(t => t); Assert.AreEqual("doc1x, doc2, doc3, doc4", string.Join(", ", documents)); } // Simulate client request: Edit doc4 (acces denied) using (var container = new RhetosTestContainer()) { container.AddIgnoreClaims(); var repository = container.Resolve<Common.DomRepository>(); var doc4 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc4").Single(); doc4.Title += "x"; var processingEngine = container.Resolve<IProcessingEngine>(); var serverCommand = new SaveEntityCommandInfo { Entity = typeof(DemoRowPermissions2.Document).FullName, DataToUpdate = new[] { doc4 } }; var serverResponse = processingEngine.Execute(new[] { serverCommand }); var report = GenerateReport(serverResponse); Console.WriteLine("Server response: " + report); Assert.IsTrue(report.Contains("Insufficient permissions")); } }