/// <summary>
/// Checks <see cref="SecurityGuard.GetDisallowedWrites"/> for an update: the user may edit Ogre
/// except the Money column, and may not write PaymentMethod at all, so the diff below is
/// expected to yield three errors, one per blocked column, in table/column order.
/// </summary>
public void Update()
{
    var declinedCard = new Ogre.PaymentMethodRow { Method = "credit", Notes = "usually declined" };
    var xorg = new Ogre
    {
        Key = new PersistonKey("Ogre", DatonKey.NEWPK, false),
        Name = "Xorg",
        Money = 4,
        PaymentMethod = new List<Ogre.PaymentMethodRow> { declinedCard }
    };

    //bill can't update money: role grants everything, then narrows Ogre to view/modify with the
    //Money column closed, and closes PaymentMethod entirely through a level function
    var moneyLocked = new ColumnPermission { ColumnName = "Money", BaseLevel = PermissionLevel.None };
    var ogrePermission = new TablePermission
    {
        TableName = "Ogre",
        BaseLevel = PermissionLevel.View | PermissionLevel.Modify,
        ColumnOverrides = new List<ColumnPermission> { moneyLocked }
    };
    var paymentPermission = new TablePermission
    {
        TableName = "PaymentMethod",
        Level = (usr, daton, tabname) => PermissionLevel.None
    };
    var billRole = new RetroRole
    {
        BaseLevel = PermissionLevel.All,
        TableOverrides = new List<TablePermission> { ogrePermission, paymentPermission }
    };
    var bill = new User { Roles = new[] { billRole } };

    var ddict = new DataDictionary();
    ddict.AddDatonUsingClassAnnotation(typeof(Ogre));
    var ogredef = ddict.DatonDefs["Ogre"];
    var paymentdef = ogredef.MainTableDef.Children[0];

    //one edit on the main row and one on its child row; child edits are keyed by table def
    var paymentEdit = new PersistonDiff.DiffRow
    {
        Kind = DiffKind.Other,
        Columns = new Dictionary<string, object>
        {
            { "Method", "cash" },       //disallowed by function
            { "Notes", "cash is best" }
        }
    };
    var ogreEdit = new PersistonDiff.DiffRow
    {
        Kind = DiffKind.Other,
        Columns = new Dictionary<string, object>
        {
            { "Name", "Priscilla" },    //allowed
            { "Money", 5.49m }          //disallowed
        },
        ChildTables = new Dictionary<TableDef, List<PersistonDiff.DiffRow>>
        {
            { paymentdef, new List<PersistonDiff.DiffRow> { paymentEdit } }
        }
    };
    var diff = new PersistonDiff(ogredef, xorg.Key, xorg.Version)
    {
        MainTable = new List<PersistonDiff.DiffRow> { ogreEdit }
    };

    var guard = new SecurityGuard(ddict, bill);
    var errors = guard.GetDisallowedWrites(xorg, ogredef, diff).ToArray();

    Assert.AreEqual(3, errors.Length);
    Assert.IsTrue(errors[0].Contains("Ogre.Money"));
    Assert.IsTrue(errors[1].Contains("PaymentMethod.Method"));
    Assert.IsTrue(errors[2].Contains("PaymentMethod.Notes"));
}
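/// <summary>
/// Runs the base RetroDRY save, then appends "!" to the saved customer's Notes column with a
/// follow-up statement on the same connection.
/// </summary>
/// <param name="db">Open connection the save runs on; the follow-up command is created from it.</param>
/// <param name="user">User performing the save; passed through to the base implementation.</param>
/// <param name="pristineDaton">Persiston as loaded, before edits; passed through to the base implementation.</param>
/// <param name="modifiedDaton">Persiston carrying the edits; must be a <see cref="Customer"/>.</param>
/// <param name="diff">Changes being persisted; passed through to the base implementation.</param>
/// <exception cref="InvalidCastException">Thrown when <paramref name="modifiedDaton"/> is not a <see cref="Customer"/>.</exception>
public override async Task Save(IDbConnection db, IUser user, Persiston pristineDaton, Persiston modifiedDaton, PersistonDiff diff)
{
    //cast before the base save so a wrong daton type fails without having written anything
    var modifiedCustomer = (Customer)modifiedDaton;

    await base.Save(db, user, pristineDaton, modifiedDaton, diff);

    //change the notes value after RetroDRY saving
    using var cmd = db.CreateCommand();
    //bind the id as a parameter instead of concatenating it into the statement, so the
    //command text never depends on the value's contents
    var idParam = cmd.CreateParameter();
    //NOTE(review): placeholder syntax is provider-specific; confirm '@' is accepted by the provider this project uses
    idParam.ParameterName = "@customerId";
    idParam.Value = modifiedCustomer.CustomerId;
    cmd.Parameters.Add(idParam);
    cmd.CommandText = "update Customer set Notes = Notes || '!' where CustomerId=@customerId";

    //IDbCommand has no async execution; use it when the provider's concrete command offers one
    //so the async method does not do blocking I/O
    if (cmd is System.Data.Common.DbCommand dbCmd)
    {
        await dbCmd.ExecuteNonQueryAsync();
    }
    else
    {
        cmd.ExecuteNonQuery();
    }
}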
/// <summary>
/// Checks <see cref="SecurityGuard.GetDisallowedWrites"/> for a create-only role: the user may
/// add PaymentMethod rows but nothing else, so the main-row edit and the existing-row edit are
/// expected to be reported (two errors) while the new row is accepted.
/// </summary>
public void Create()
{
    var declinedCard = new Ogre.PaymentMethodRow { Method = "credit", Notes = "usually declined" };
    var xorg = new Ogre
    {
        Key = new PersistonKey("Ogre", DatonKey.NEWPK, false),
        Name = "Xorg",
        Money = 4,
        PaymentMethod = new List<Ogre.PaymentMethodRow> { declinedCard }
    };

    //nancy can only create new payment rows, not update existing
    var paymentCreateOnly = new TablePermission
    {
        TableName = "PaymentMethod",
        BaseLevel = PermissionLevel.Create
    };
    var nancyRole = new RetroRole
    {
        BaseLevel = PermissionLevel.None,
        TableOverrides = new List<TablePermission> { paymentCreateOnly }
    };
    var nancy = new User { Roles = new[] { nancyRole } };

    var ddict = new DataDictionary();
    ddict.AddDatonUsingClassAnnotation(typeof(Ogre));
    var ogredef = ddict.DatonDefs["Ogre"];
    var paymentdef = ogredef.MainTableDef.Children[0];

    //child diff holds one edit of an existing row and one brand-new row
    var existingPaymentEdit = new PersistonDiff.DiffRow
    {
        Kind = DiffKind.Other,
        Columns = new Dictionary<string, object>
        {
            { "Notes", "disallowed" }   //disallowed update
        }
    };
    var newPaymentRow = new PersistonDiff.DiffRow
    {
        Kind = DiffKind.NewRow,
        Columns = new Dictionary<string, object>
        {
            { "Method", "barter" }      //allowed create row
        }
    };
    var ogreEdit = new PersistonDiff.DiffRow
    {
        Kind = DiffKind.Other,
        Columns = new Dictionary<string, object>
        {
            { "Name", "Priscilla" }     //disallowed
        },
        ChildTables = new Dictionary<TableDef, List<PersistonDiff.DiffRow>>
        {
            { paymentdef, new List<PersistonDiff.DiffRow> { existingPaymentEdit, newPaymentRow } }
        }
    };
    var diff = new PersistonDiff(ogredef, xorg.Key, xorg.Version)
    {
        MainTable = new List<PersistonDiff.DiffRow> { ogreEdit }
    };

    var guard = new SecurityGuard(ddict, nancy);
    var errors = guard.GetDisallowedWrites(xorg, ogredef, diff).ToArray();

    Assert.AreEqual(2, errors.Length);
    Assert.IsTrue(errors[0].Contains("Ogre.Name"));
    Assert.IsTrue(errors[1].Contains("PaymentMethod.Notes"));
}