/// <summary>
        /// Reports whether the session holds the Admin role or at least one of the
        /// requested <paramref name="roles"/>. On a miss, the session is refreshed from
        /// the auth repository and checked once more.
        /// </summary>
        /// <param name="session">Session whose roles are evaluated; may be updated and saved by this call.</param>
        /// <param name="roles">Candidate roles, any one of which is sufficient. Not null-checked here.</param>
        /// <param name="authRepo">Repository passed to the role lookup and to the session refresh.</param>
        /// <param name="req">Current request, used for the session refresh and for saving the session.</param>
        /// <returns><c>true</c> when Admin or any requested role is held; otherwise <c>false</c>.</returns>
        internal static bool HasAnyRoles(this IAuthSession session, ICollection <string> roles,
                                         IAuthRepository authRepo, IRequest req)
        {
            // NOTE(review): whether GetRoles answers from roles cached on the session or from
            // the repository is not visible here. If cached, a role revoked in the repository
            // keeps passing this first check until the session is refreshed - confirm.
            var heldRoles = session.GetRoles(authRepo);

            // Admin satisfies every role request, so it is tested before the requested roles.
            bool granted = heldRoles.Contains(RoleNames.Admin) || roles.Any(heldRoles.Contains);

            if (!granted)
            {
                // First pass failed: pull the latest user data into the session and retry once.
                session.UpdateFromUserAuthRepo(req, authRepo);
                heldRoles = session.GetRoles(authRepo);

                granted = heldRoles.Contains(RoleNames.Admin) || roles.Any(heldRoles.Contains);
                if (granted)
                {
                    // Persist the refreshed session only when the refresh changed the outcome.
                    req.SaveSession(session);
                }
            }

            return granted;
        }
        /// <summary>
        /// Decides whether the given session satisfies the authentication, role and
        /// permission requirements declared on <paramref name="operation"/>.
        /// </summary>
        /// <param name="operation">Operation whose requirements are evaluated.</param>
        /// <param name="req">Current request; checked for a valid auth secret and used to resolve the auth repository.</param>
        /// <param name="session">Session whose authentication state, roles and permissions are tested.</param>
        /// <returns><c>true</c> when every declared requirement is met or the request carries a valid auth secret.</returns>
        public bool IsAuthorized(Operation operation, IRequest req, IAuthSession session)
        {
            // A valid auth secret short-circuits every check below, including authentication.
            if (HostContext.HasValidAuthSecret(req))
            {
                return true;
            }

            bool unauthenticatedButRequired = operation.RequiresAuthentication && !session.IsAuthenticated;
            if (unauthenticatedButRequired)
            {
                return false;
            }

            var authRepo = HostContext.AppHost.GetAuthRepository(req);

            // The cast yields null for a repository that is not IDisposable, in which case
            // the using statement disposes nothing.
            using (authRepo as IDisposable)
            {
                // This method has no Admin shortcut: each requirement list is matched literally.
                var heldRoles = session.GetRoles(authRepo);

                // "Required" lists demand every entry; an empty list imposes no constraint.
                bool requiredRolesMet = operation.RequiredRoles.IsEmpty()
                                        || operation.RequiredRoles.All(heldRoles.Contains);
                if (!requiredRolesMet)
                {
                    return false;
                }

                // Permissions are looked up only after the required-roles check has passed.
                var heldPerms = session.GetPermissions(authRepo);

                bool requiredPermsMet = operation.RequiredPermissions.IsEmpty()
                                        || operation.RequiredPermissions.All(heldPerms.Contains);
                if (!requiredPermsMet)
                {
                    return false;
                }

                // "Any" lists are satisfied by a single matching entry.
                bool anyRoleMet = operation.RequiresAnyRole.IsEmpty()
                                  || operation.RequiresAnyRole.Any(heldRoles.Contains);
                if (!anyRoleMet)
                {
                    return false;
                }

                bool anyPermMet = operation.RequiresAnyPermission.IsEmpty()
                                  || operation.RequiresAnyPermission.Any(heldPerms.Contains);
                return anyPermMet;
            }
        }