public T Delete <T>(T anEntity) where T : Entity
{
var user = securityService.GetCurrentUserPrincipal();
if (user == null)
{
throw new UnauthorizedException(string.Empty, Permissions.Delete, EntityTypes.Parse(typeof(T).Name));
}
var isAuthorized = this.securityService.IsAuthorized(user.UserId, user.CompanyId, anEntity, Permissions.Delete);
if (!isAuthorized)
{
throw new UnauthorizedException(user.LoginName, Permissions.Delete, EntityTypes.Parse(typeof(T).Name));
}
return(this.context.Delete(anEntity));
}
public T Save <T>(T anEntity) where T : Entity, new()
{
var requiredPermission = anEntity.Id == 0 ? Permissions.Create : Permissions.Update;
var user = securityService.GetCurrentUserPrincipal();
if (user == null)
{
throw new UnauthorizedException(string.Empty, requiredPermission, EntityTypes.Parse(typeof(T).Name));
}
var isAuthorized = this.securityService.IsAuthorized(user.UserId, user.CompanyId, anEntity, requiredPermission);
if (!isAuthorized)
{
throw new UnauthorizedException(user.LoginName, requiredPermission, EntityTypes.Parse(typeof(T).Name));
}
return(this.context.Save(anEntity));
}
public IQueryable <T> Relation <T>() where T : Entity
{
var result = this.context.Relation <T>();
var policy = AuthorizationPolicies.GetPolicyFor <T>(Permissions.Read);
if (policy == null)
{
return(result);
}
//TODO: Si el usuario no esta loggeado y existe algun tipo de policy para hacer lecturas, va a tirar unauthorized.
//Ver como resolver las politicas de seguridad para usuarios anonimos
var user = securityService.GetCurrentUserPrincipal();
if (user == null)
{
throw new UnauthorizedException(string.Empty, Permissions.Read, EntityTypes.Parse(typeof(T).Name));
}
foreach (var rule in policy.Rules)
{
var permissions = securityService.GetPermissionsOf(user.UserId, user.CompanyId, rule.EntityType, rule.Permission)
.OrderByDescending(p => p.IsDenied)
.ThenBy(p => p.EntityId);
var all = permissions.FirstOrDefault(p => p.EntityId == null);
var allowedIds = permissions.Where(p => !p.IsDenied && p.EntityId != null)
.Select(p => p.EntityId)
.ToList();
var deniedIds = permissions.Where(p => p.IsDenied && p.EntityId != null)
.Select(p => p.EntityId)
.ToList();
Expression allowed = this.BuildAlwaysTrueExpression();
Expression denied = this.BuildAlwaysTrueExpression();
Expression isNull = this.BuildIsNullExpression(rule.EntityIdExpression);
if (all != null)
{
if (all.IsDenied)
{
allowed = this.BuildExpresionFor(allowedIds, rule.EntityIdExpression);
isNull = this.BuildAlwaysFalseExpression();
}
else
{
denied = Expression.Not(this.BuildExpresionFor(deniedIds, rule.EntityIdExpression));
}
}
else
{
denied = Expression.Not(this.BuildExpresionFor(deniedIds, rule.EntityIdExpression));
allowed = this.BuildExpresionFor(allowedIds, rule.EntityIdExpression);
}
if (!allowedIds.Any())
{
allowed = this.BuildAlwaysTrueExpression();
}
if (!deniedIds.Any())
{
denied = this.BuildAlwaysTrueExpression();
}
var filter = Expression.AndAlso(allowed, denied);
filter = Expression.OrElse(isNull, filter);
result = result.Where(Expression.Lambda <Func <T, bool> >(filter, rule.EntityIdExpression.Parameters));
}
return(result);
}
