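/// <summary>
        /// Filters a user's access policies so that only the flow policies that are
        /// meaningful for <paramref name="userRole"/> are kept. Non-flow policies are
        /// passed through unchanged.
        /// </summary>
        /// <param name="userRole">System role of the user the policies belong to.</param>
        /// <param name="policies">Policies to filter; may be null or empty.</param>
        /// <returns>
        /// The filtered list, or null when <paramref name="policies"/> is null/empty, when
        /// <paramref name="userRole"/> is Admin, or when nothing survives the filtering.
        /// Callers must treat null as "no explicit policies", not as an error.
        /// </returns>
        /// <exception cref="ArgumentException">
        /// A flow policy carries a flow role that IsFlowRoleTypePermittedForUserRole rejects
        /// for <paramref name="userRole"/>, or a flow policy is present and
        /// <paramref name="userRole"/> is neither Authed nor Program.
        /// </exception>
        public IList <UserAccessPolicy> CleanseFlowPoliciesForUser(SystemRoleType userRole, IList <UserAccessPolicy> policies)
        {
            if (CollectionUtils.IsNullOrEmpty(policies))
            {
                return(null);
            }
            if (userRole == SystemRoleType.Admin)
            {
                return(null);    // Admin is allowed everything, so no per-flow policies are stored
            }
            List <UserAccessPolicy> cleansedPolicies = new List <UserAccessPolicy>(policies.Count);
            IList <string>          protectedFlows   = _flowManager.GetProtectedFlowNames();

            foreach (UserAccessPolicy policy in policies)
            {
                if (policy.PolicyType != ServiceRequestAuthorizationType.Flow)
                {
                    // NOTE(review): non-flow policies are kept for every role, including a role
                    // that would be rejected as unrecognized below -- confirm that is intended.
                    cleansedPolicies.Add(policy);
                    continue;
                }

                if (!IsFlowRoleTypePermittedForUserRole(userRole, policy.FlowRoleType))
                {
                    // Fixed: the second placeholder was "{0}", so the message printed the user
                    // role twice and never showed the offending flow role.
                    throw new ArgumentException(string.Format("Invalid user role (\"{0}\") specified for flow role (\"{1}\")",
                                                              EnumUtils.ToDescription(userRole), EnumUtils.ToDescription(policy.FlowRoleType)));
                }

                // NOTE(review): this is a culture-sensitive, case-insensitive match on an
                // authorization identifier. Ordinal comparison is the usual choice for such
                // names; confirm how flow names are compared where access is enforced so
                // both sides agree on what "the same flow" means.
                bool isFlowProtected =
                    (CollectionUtils.IndexOf(protectedFlows, policy.TypeQualifier,
                                             StringComparison.InvariantCultureIgnoreCase) >= 0);

                if (userRole == SystemRoleType.Authed)
                {
                    // NOTE(review): presumably a debug-only check; the enforcing check is the
                    // IsFlowRoleTypePermittedForUserRole call above -- confirm it limits Authed
                    // users to FlowRoleType.Endpoint.
                    DebugUtils.AssertDebuggerBreak(policy.FlowRoleType == FlowRoleType.Endpoint);
                    if (isFlowProtected)
                    {
                        cleansedPolicies.Add(policy);
                    }
                    // Otherwise drop it: an Endpoint policy on an unprotected flow is redundant.
                }
                else if (userRole == SystemRoleType.Program)
                {
                    // On an unprotected flow only Modify/View policies are kept; an Endpoint
                    // policy is dropped because the flow is not protected.
                    if (isFlowProtected ||
                        (policy.FlowRoleType == FlowRoleType.Modify) ||
                        (policy.FlowRoleType == FlowRoleType.View))
                    {
                        cleansedPolicies.Add(policy);
                    }
                }
                else
                {
                    // Fixed: the original passed the role description as the paramName argument
                    // and left a literal "(0)" in the message, so the role was never formatted in.
                    throw new ArgumentException(string.Format("Unrecognized user role specified: \"{0}\"",
                                                              EnumUtils.ToDescription(userRole)));
                }
            }
            return(CollectionUtils.IsNullOrEmpty(cleansedPolicies) ? null : cleansedPolicies);
        }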