public static bool IsAuthorized(List <UsageRight> usageRights, ResourcePermissionType requiredPermissions, List <Group> groupMembership, string username) { List <UsageRight> applicableGroupRights; UsageRight userRights; ResourcePermissionType cumulativeResourceRights = ResourcePermissionType.None; // User rights override group rights when specified, thus we want to check user rights first and bail with the answer if possible userRights = GetRightsOfUser(usageRights, username); if (userRights != null) { // If the user has the required rights, we are done. if (userRights.HasFlags(requiredPermissions)) { return(true); } else // Now, if the user has any rights, we know it is denied because rights are either set or not set as a whole { return(false); } } // So, if we are here, the user does not have specific rights, we need to check group rights applicableGroupRights = GetRightsOfGroupsToWhichUserBelongs(usageRights, groupMembership); // If nothing is applicable then we know access is denied. if (applicableGroupRights == null) { return(false); } /* Now, group rights are granting cumulative. For instance, if a user is a member of groups A and B where A has readonly access and B has only checkout access then * the user would have both readonly and checkout access. Only user flags are applied to decline access as the system defaults to no access. Thus the simple way to * look at it is that by making a user a member of a group you are granting the specified permissions of that group. */ // So, we need to cumulate permissions, this is easily accomplished with a bitwise or operation for (int i = 0; i < applicableGroupRights.Count; i++) { if (applicableGroupRights[i].Permissions.Resource != null) { cumulativeResourceRights |= applicableGroupRights[i].Permissions.Resource.Permissions; } } return(cumulativeResourceRights.HasFlag(requiredPermissions)); }