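/// <summary>
/// Decides whether the current principal holds <paramref name="permission"/> on <paramref name="scope"/>.
/// Administrators are granted everything and non-users nothing; for everyone else the
/// in-memory authorizations are consulted first, then the store, once per
/// <see cref="PermissionScopeAttribute"/> declared on the permission's enum member.
/// Every path that cannot positively establish the grant falls through to a denial.
/// </summary>
/// <param name="permission">The permission being asked about.</param>
/// <param name="scope">
/// The object the permission applies to. In the in-memory check a null scope is a
/// wildcard (any held authorization carrying <paramref name="permission"/> suffices);
/// in the store-backed organization check it is compared literally against the
/// authorization's scope, and the member-of-organization check is skipped without a value.
/// </param>
/// <returns>true if the permission is granted; false otherwise.</returns>
/// <exception cref="NotImplementedException">
/// Thrown when <paramref name="permission"/> carries a <see cref="PermissionScopeAttribute"/>
/// whose scope type this method does not know how to evaluate.
/// </exception>
public virtual bool HasPermission(PermissionType permission, Guid? scope)
{
    // Administrators bypass every other check.
    if (this.IsAdmin)
    {
        return true;
    }

    if (!this.IsUser)
    {
        return false;
    }

    // Cheapest check first: an authorization already held in memory.
    // A null scope means "at any scope" for this check only.
    if (myAuthzs.Any(f => f.Permission == permission && (scope == null || f.Scope == scope)))
    {
        return true;
    }

    // The scope types a permission can be granted against are declared as attributes on
    // the enum member. A value that is not a named member (e.g. an out-of-range cast) has
    // no field and therefore no declared scope types: deny instead of dereferencing null.
    FieldInfo fi = permission.GetType().GetField(permission.ToString());
    if (fi == null)
    {
        return false;
    }

    PermissionScopeAttribute[] attributes =
        (PermissionScopeAttribute[])fi.GetCustomAttributes(typeof(PermissionScopeAttribute), false);
    if (attributes.Length == 0)
    {
        // Nothing to evaluate against the store; no need to open it.
        return false;
    }

    using (var ctx = storeFactory.Create(this.UserLogin))
    {
        foreach (var attrib in attributes)
        {
            if (attrib.ScopeType == PermissionScopeType.Organization)
            {
                // Authorizations granted to a role at exactly this scope.
                var authzdRoles = ctx.Authorization
                    .IncludePaths("Role")
                    .Where(f => f.Permission == permission && f.Scope == scope && f.Role != null)
                    .ToList();
                if (authzdRoles.Count == 0)
                {
                    // No role holds this permission here, so there is nothing to match the
                    // user's roles against; skip the user lookup.
                    continue;
                }

                // Single(): the principal is a known user at this point; a missing or duplicated
                // row is surfaced as an error rather than silently treated as a denial.
                var me = ctx.Users.IncludePaths("Roles.Role").Single(f => f.Username == this.UserLogin);
                var myDirectRoles = me.Roles.Select(f => f.Role).ToList();

                // flattenedRoles expands an authorized role (by name and org) into every role
                // whose members are implicitly in it. Direct membership in any of those roles
                // confers the authorization.
                foreach (var authz in authzdRoles)
                {
                    RoleKey key = new RoleKey { Name = authz.Role.Name, OrgId = authz.Scope };
                    if (!flattenedRoles.ContainsKey(key))
                    {
                        continue;
                    }

                    bool inAuthorizedRole =
                        (from have in myDirectRoles
                         join need in flattenedRoles[key] on have.Id equals need.Id
                         select have).Any();
                    if (inAuthorizedRole)
                    {
                        return true;
                    }
                }
            }
            else if (attrib.ScopeType == PermissionScopeType.MemberOfOrganization)
            {
                // A permission on a member can derive from the same permission on an
                // organization the member belongs to. Without a concrete member id there is
                // nothing to look up, so this scope type cannot grant anything.
                if (!scope.HasValue)
                {
                    continue;
                }

                Guid memberId = scope.Value;

                // Materialize once: a deferred query here would be re-executed against the
                // store for every authorization inspected in the Any() below.
                List<Guid> orgIds = ctx.Members
                    .Where(f => f.Id == memberId)
                    .SelectMany(f => f.Memberships.Select(g => g.OrganizationId))
                    .ToList();

                if (myAuthzs.Any(f => f.Permission == permission && orgIds.Any(g => g == f.Scope)))
                {
                    return true;
                }
            }
            else if (attrib.ScopeType == PermissionScopeType.Member)
            {
                // Already implied by the in-memory check at the top (which is a superset of
                // this condition); kept so every declared scope type has an explicit branch.
                if (myAuthzs.Any(f => f.Permission == permission && f.Scope == scope))
                {
                    return true;
                }
            }
            else
            {
                throw new NotImplementedException("Don't know PermissionScope " + attrib.ScopeType.ToString());
            }
        }
    }

    // Deny by default.
    return false;
}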