/// <inheritdoc />
public override IPermission CreatePermission(OperationSemantic semantic)
{
switch (semantic)
{
case OperationSemantic.Default:
case OperationSemantic.Read:
return(new Permission(_defaultPermission));
case OperationSemantic.Write:
return(new Permission(_writePermission ?? _defaultPermission));
default:
throw new ArgumentOutOfRangeException(nameof(semantic), semantic, null);
}
}
/// <summary>
/// Requires a permission for the given operation semantic, parameter index and securable object.
/// </summary>
/// <param name="member">The member, field or property being accessed.</param>
/// <param name="semantic">The semantic of the operation being executed.</param>
/// <param name="parameterIndex">
/// The 1-based index of the parameter on which the permission is required, or 0 if the
/// permission is required on the <c>this</c> object.
/// </param>
/// <param name="securable"></param>
internal void RequirePermission(MemberInfo member, OperationSemantic semantic, int parameterIndex, object securable)
{
if (evaluatingPermissions)
{
return;
}
if (SecurityContext.Current == null)
{
return;
}
var subject = SecurityContext.Current.Subject;
var policy = SecurityContext.Current.Policy;
if (policy == null)
{
return;
}
try
{
evaluatingPermissions = true;
foreach (var permission in _permissions)
{
if ((permission.Semantic == OperationSemantic.Default || permission.Semantic == semantic) &&
permission.ParameterIndex == parameterIndex)
{
if (!policy.Evaluate(subject, permission.Permission, securable))
{
SecurityContext.Current.ExceptionHandler?.OnSecurityException(member, semantic, securable,
SecurityContext.Current.Subject, permission.Permission);
string memberKind;
if (member is FieldInfo)
{
memberKind = "field";
}
else if (member is PropertyInfo)
{
memberKind = "property";
}
else if (member is MethodBase)
{
memberKind = "method";
}
else
{
throw new ArgumentOutOfRangeException(nameof(member));
}
throw new SecurityException(
$"Cannot {semantic.ToString().ToLowerInvariant()} the {memberKind} {member.DeclaringType.Name}.{member.Name}: the subject '{subject.Name}' does not have the {permission.Permission.Name} permission on the object '{securable}'.");
}
}
}
}
finally
{
evaluatingPermissions = false;
}
}
public OperationPermission(OperationSemantic semantic, int parameterIndex, [Required] T permission)
{
Semantic = semantic;
Permission = permission;
ParameterIndex = parameterIndex;
}
/// <inheritdoc /> public abstract IPermission CreatePermission(OperationSemantic semantic);