private void ProcessRoleInheritance(object modelHost, SecurableObject securableObject, BreakRoleInheritanceDefinition breakRoleInheritanceModel)
{
var context = securableObject.Context;
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioning,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
//context.Load(securableObject);
//context.ExecuteQueryWithTrace();
if (!securableObject.IsPropertyAvailable("HasUniqueRoleAssignments"))
{
context.Load(securableObject, s => s.HasUniqueRoleAssignments);
context.ExecuteQueryWithTrace();
}
if (!securableObject.HasUniqueRoleAssignments)
{
TraceService.VerboseFormat((int)LogEventId.ModelProvisionCoreCall,
"HasUniqueRoleAssignments is FALSE. Breaking role inheritance with CopyRoleAssignments: [{0}] and ClearSubscopes: [{1}]",
new object[]
{
breakRoleInheritanceModel.CopyRoleAssignments,
breakRoleInheritanceModel.ClearSubscopes
});
securableObject.BreakRoleInheritance(breakRoleInheritanceModel.CopyRoleAssignments, breakRoleInheritanceModel.ClearSubscopes);
context.ExecuteQueryWithTrace();
}
if (breakRoleInheritanceModel.ForceClearSubscopes)
{
TraceService.Verbose((int)LogEventId.ModelProvisionCoreCall, "ForceClearSubscopes is TRUE. Removing all role assignments.");
context.Load(securableObject.RoleAssignments);
context.ExecuteQueryWithTrace();
while (securableObject.RoleAssignments.Count > 0)
securableObject.RoleAssignments[0].DeleteObject();
}
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioned,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
}
public static void SetSecurity(this SecurableObject securable, TokenParser parser, ObjectSecurity security)
{
//using (var scope = new PnPMonitoredScope("Set Security"))
//{
var context = securable.Context as ClientContext;
var groups = context.LoadQuery(context.Web.SiteGroups.Include(g => g.LoginName));
var webRoleDefinitions = context.LoadQuery(context.Web.RoleDefinitions);
context.ExecuteQueryRetry();
securable.BreakRoleInheritance(security.CopyRoleAssignments, security.ClearSubscopes);
foreach (var roleAssignment in security.RoleAssignments)
{
Principal principal = groups.FirstOrDefault(g => g.LoginName == parser.ParseString(roleAssignment.Principal));
if (principal == null)
{
principal = context.Web.EnsureUser(roleAssignment.Principal);
}
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(context);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignment.RoleDefinition);
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
}
securable.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
}
context.ExecuteQueryRetry();
//}
}
private void SetInheritance(SecurableObject objectToSecure, SecureObjectCreator definition)
{
if (definition.BreakInheritance)
{
objectToSecure.BreakRoleInheritance(definition.CopyExisting, definition.ResetChildPermissions);
}
}
private void ProcessRoleInheritance(object modelHost, SecurableObject securableObject, BreakRoleInheritanceDefinition breakRoleInheritanceModel)
{
var context = securableObject.Context;
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioning,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
if (!securableObject.IsObjectPropertyInstantiated("HasUniqueRoleAssignments"))
{
context.Load(securableObject, s => s.HasUniqueRoleAssignments);
context.ExecuteQueryWithTrace();
}
if (!securableObject.HasUniqueRoleAssignments)
{
TraceService.VerboseFormat((int)LogEventId.ModelProvisionCoreCall,
"HasUniqueRoleAssignments is FALSE. Breaking role inheritance with CopyRoleAssignments: [{0}] and ClearSubscopes: [{1}]",
new object[]
{
breakRoleInheritanceModel.CopyRoleAssignments,
breakRoleInheritanceModel.ClearSubscopes
});
securableObject.BreakRoleInheritance(breakRoleInheritanceModel.CopyRoleAssignments, breakRoleInheritanceModel.ClearSubscopes);
context.ExecuteQueryWithTrace();
}
if (breakRoleInheritanceModel.ForceClearSubscopes)
{
TraceService.Verbose((int)LogEventId.ModelProvisionCoreCall, "ForceClearSubscopes is TRUE. Removing all role assignments.");
context.Load(securableObject.RoleAssignments);
context.ExecuteQueryWithTrace();
while (securableObject.RoleAssignments.Count > 0)
{
securableObject.RoleAssignments[0].DeleteObject();
}
}
InvokeOnModelEvent(this, new ModelEventArgs
{
CurrentModelNode = null,
Model = null,
EventType = ModelEventType.OnProvisioned,
Object = securableObject,
ObjectType = typeof(SecurableObject),
ObjectDefinition = breakRoleInheritanceModel,
ModelHost = modelHost
});
}
public void BreakRoleInheritance(bool copyRoleAssignments, object clearSubscopes)
{
if (clearSubscopes == Undefined.Value || clearSubscopes == Null.Value || clearSubscopes == null)
{
SecurableObject.BreakRoleInheritance(copyRoleAssignments);
}
else
{
SecurableObject.BreakRoleInheritance(copyRoleAssignments, TypeConverter.ToBoolean(clearSubscopes));
}
}
private void AddPrincipal(SPPrincipal principal, SPRoleDefinition roleDefinition)
{
var roleAssignment = new SPRoleAssignment(principal);
roleAssignment.RoleDefinitionBindings.Add(roleDefinition);
if (!SecurableObject.HasUniqueRoleAssignments)
{
SecurableObject.BreakRoleInheritance(true, false);
}
SecurableObject.RoleAssignments.Add(roleAssignment);
}
public static void SetSecurity(this SecurableObject securable, TokenParser parser, ObjectSecurity security, ProvisioningMessagesDelegate MessageDelegate)
{
// If there's no role assignments we're returning
if (security.RoleAssignments.Count == 0)
{
return;
}
var context = securable.Context as ClientContext;
var groups = context.LoadQuery(context.Web.SiteGroups.Include(g => g.LoginName, g => g.Id));
var webRoleDefinitions = context.LoadQuery(context.Web.RoleDefinitions);
securable.BreakRoleInheritance(security.CopyRoleAssignments, security.ClearSubscopes);
var securableRoleAssignments = context.LoadQuery(securable.RoleAssignments);
context.ExecuteQueryRetry();
IEnumerable <Model.RoleAssignment> roleAssignmentsToHandle = security.RoleAssignments;
// try to apply the security in two steps: step one assumes all principals from the template exist and can be granted permission at once
try
{
// note that this step fails if there is one principal that doesn't exist
ApplySecurity(securable, parser, context, groups, webRoleDefinitions, securableRoleAssignments, roleAssignmentsToHandle);
context.ExecuteQueryRetry();
}
catch (ServerException ex)
{
// catch user not found; enter step 2: check each and every principal for existence before granting security for those that exist
if (ex.ServerErrorCode == -2146232832 && ex.ServerErrorTypeName.Equals("Microsoft.SharePoint.SPException", StringComparison.InvariantCultureIgnoreCase))
{
roleAssignmentsToHandle = CheckForAndRemoveNonExistingPrincipals(roleAssignmentsToHandle, parser, groups, context, MessageDelegate);
ApplySecurity(securable, parser, context, groups, webRoleDefinitions, securableRoleAssignments, roleAssignmentsToHandle);
// if it fails this time we just let it fail
context.ExecuteQueryRetry();
}
}
}
public static void SetSecurity(this SecurableObject securable, TokenParser parser, ObjectSecurity security)
{
// If there's no role assignments we're returning
if (security.RoleAssignments.Count == 0)
{
return;
}
var context = securable.Context as ClientContext;
var groups = context.LoadQuery(context.Web.SiteGroups.Include(g => g.LoginName));
var webRoleDefinitions = context.LoadQuery(context.Web.RoleDefinitions);
var securableRoleAssignments = context.LoadQuery(securable.RoleAssignments);
context.ExecuteQueryRetry();
securable.BreakRoleInheritance(security.CopyRoleAssignments, security.ClearSubscopes);
foreach (var roleAssignment in security.RoleAssignments)
{
if (!roleAssignment.Remove)
{
var roleAssignmentPrincipal = parser.ParseString(roleAssignment.Principal);
Principal principal = groups.FirstOrDefault(g => g.LoginName == roleAssignmentPrincipal);
if (principal == null)
{
principal = context.Web.EnsureUser(roleAssignmentPrincipal);
}
if (principal != null)
{
var roleDefinitionBindingCollection = new RoleDefinitionBindingCollection(context);
var roleAssignmentRoleDefinition = parser.ParseString(roleAssignment.RoleDefinition);
var roleDefinition = webRoleDefinitions.FirstOrDefault(r => r.Name == roleAssignmentRoleDefinition);
if (roleDefinition != null)
{
roleDefinitionBindingCollection.Add(roleDefinition);
securable.RoleAssignments.Add(principal, roleDefinitionBindingCollection);
}
}
}
else
{
var roleAssignmentPrincipal = parser.ParseString(roleAssignment.Principal);
Principal principal = groups.FirstOrDefault(g => g.LoginName == roleAssignmentPrincipal);
if (principal == null)
{
principal = context.Web.EnsureUser(roleAssignmentPrincipal);
}
principal.EnsureProperty(p => p.Id);
if (principal != null)
{
var assignmentsForPrincipal = securableRoleAssignments.Where(t => t.PrincipalId == principal.Id);
foreach (var assignmentForPrincipal in assignmentsForPrincipal)
{
var roleAssignmentRoleDefinition = parser.ParseString(roleAssignment.RoleDefinition);
var binding = assignmentForPrincipal.EnsureProperty(r => r.RoleDefinitionBindings).FirstOrDefault(b => b.Name == roleAssignmentRoleDefinition);
if (binding != null)
{
assignmentForPrincipal.DeleteObject();
context.ExecuteQueryRetry();
break;
}
}
}
}
}
context.ExecuteQueryRetry();
}
