/// <summary>
/// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed
/// </summary>
/// <param name="uniqueName">The UniqueName for which to select security.</param>
/// <param name="right">The RecordRight to test (used in error message).</param>
/// <param name="assetType">The associated AssetType (used in error message).</param>
/// <param name="rowOwnerId">The rlsOwner from the row.</param>
/// <param name="rowRlsMask">The rlsMask from the row.</param>
public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, Guid rowOwnerId, byte[] rowRlsMask, bool allowOwnerOverride, bool recurseUp = true)
{
string exceptionMsg = this.GetNoRightsErrorMessage(right, assetType);
SecurityLoadParameters slp = new SecurityLoadParameters()
{
ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
User = this.GetSuplexUser(userName, resolve: true)
};
SplxSecureManagerBase perms = recurseUp ?
GetSecureManagerSecurityRecurseUp(userName, aceType, uniqueName, slp) :
GetSecureManagerSecurity(userName, aceType, uniqueName, slp);
#region eval rls
RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
if (rowOwnerId != Guid.Empty)
{
option |= RowLevelSecurityHelper.EvalOption.Owner;
}
if (rowRlsMask != null)
{
option |= RowLevelSecurityHelper.EvalOption.Mask;
}
RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
{
RowOwnerId = rowOwnerId,
RowRlsMask = rowRlsMask,
SecurityPrincipalId = slp.User.IdToGuid(),
SecurityPrincipalRlsMask = slp.User.RlsMask,
Option = option
};
perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride);
if (option != RowLevelSecurityHelper.EvalOption.None &&
!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
exceptionMsg = "You do not have rights to this record.";
}
#endregion
if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
throw new SecurityException(exceptionMsg);
}
return(new SuplexSecurityInfo(slp.User, perms));
}
public SuplexSecurityInfo(ss.User user, SplxSecureManagerBase security)
{
User = user;
Security = security;
}
/// <summary>
/// Selects and loads security for the given UniqueName into a SplxRecordManager
/// </summary>
/// <param name="uniqueName"></param>
/// <returns>A loaded and resolved SplxRecordManager</returns>
SplxSecureManagerBase GetSecureManagerSecurityRecurseUp(string userName, AceType aceType, string uniqueName, SecurityLoadParameters slp)
{
string rootUniqueName = ContainerRootUniqueName;
SecureContainer root = new SecureContainer()
{
UniqueName = rootUniqueName
};
#region setup SecurityLoadParameters, load ExternalGroupInfo
if (slp == null)
{
slp = new SecurityLoadParameters()
{
ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
User = this.GetSuplexUser(userName)
}
}
;
ExternalGroupInfo egi =
new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv);
egi.BuildGroupsList(slp.User.Name);
#endregion
SecureContainer ctrl = root;
SplxSecureManagerBase context = null;
#region IsFileStore = true
if (IsFileStore)
{
context = new SplxRecordManager()
{
UniqueName = uniqueName
};
if (aceType == AceType.FileSystem)
{
context = new SplxFileSystemManager()
{
UniqueName = uniqueName
}
}
;
splxApi.UIElement uie = _splxStore.UIElements.GetByUniqueNameRecursiveIgnoreCase(uniqueName);
if (uie == null)
{
throw new SecurityException($"Could not find security element [{uniqueName}] in the permissione configuration.");
}
ISecureControl curr = context;
IObjectModel parentObj = uie.ParentObject;
while (parentObj != null)
{
SecureContainer par = new SecureContainer()
{
UniqueName = ((splxApi.UIElement)parentObj).UniqueName
};
par.Children.Add(curr);
curr = par;
parentObj = parentObj.ParentObject;
}
curr.Security.Load(_splxStore, slp);
}
#endregion
#region IsFileStore = false
else
{
DataSet ds = _da.GetDataSet("splx.splx_dal_sel_security_byuserbyuie_up",
new System.Collections.sSortedList(
"@UIE_UNIQUE_NAME", uniqueName,
"@SPLX_USER_ID", slp.User.Id,
"@EXTERNAL_GROUP_LIST", egi.GroupsList));
_da.NameTablesFromCompositeSelect(ref ds);
//todo, when suplex is ready
//DataSet ds = _splxApi.GetSecurity( rootUniqueName, slp.User, slp.ExternalGroupInfo, future:recurseUp );
DataTable acl = ds.Tables["AclInfo"];
DataRow[] rows = acl.Select(string.Format("UIE_UNIQUE_NAME = '{0}'", rootUniqueName));
if (rows.Length > 0)
{
rows = acl.Select(string.Format("UIE_PARENT_ID = '{0}'", rows[0]["SPLX_UI_ELEMENT_ID"]));
}
while (rows.Length > 0)
{
string un = rows[0]["UIE_UNIQUE_NAME"].ToString();
if (un.StartsWith(ContainerUniqueNamePrefix))
{
context = new SplxRecordManager()
{
UniqueName = un
};
if (aceType == AceType.FileSystem)
{
context = new SplxFileSystemManager()
{
UniqueName = un
}
}
;
ctrl.Children.Add(context);
}
else
{
SecureContainer child = new SecureContainer()
{
UniqueName = un
};
ctrl.Children.Add(child);
ctrl = child;
}
rows = acl.Select(string.Format("UIE_PARENT_ID = '{0}'", rows[0]["SPLX_UI_ELEMENT_ID"]));
}
root.Security.Load(ds, slp);
}
#endregion
return(context);
}
/// <summary>
/// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed
/// </summary>
/// <param name="uniqueName">The UniqueName for which to select security.</param>
/// <param name="right">The RecordRight to test (used in error message).</param>
/// <param name="assetType">The associated AssetType (used in error message).</param>
/// <param name="rowOwnerId">The rlsOwner from the row.</param>
/// <param name="rowRlsMask">The rlsMask from the row.</param>
public ss.User TrySecurityOrException(string uniqueName, AceType aceType, object right,
Guid?rowOwnerId = null, byte[] rowRlsMask = null, bool?allowOwnerOverride = null,
ss.User user = null)
{
if (rowOwnerId == null)
{
rowOwnerId = Guid.Empty;
}
if (rowOwnerId != Guid.Empty && allowOwnerOverride == null)
{
allowOwnerOverride = true;
}
if (allowOwnerOverride == null)
{
allowOwnerOverride = false;
}
string exceptionMsg = $"You do not have {right} rights to this record.";
SecurityLoadParameters slp = new SecurityLoadParameters()
{
ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv),
User = user == null?this.GetSuplexUser(true) : user
};
SplxSecureManagerBase perms = this.GetSecureManagerManagerSecurity(aceType, uniqueName, slp);
#region eval rls
RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None;
if (rowOwnerId != Guid.Empty)
{
option |= RowLevelSecurityHelper.EvalOption.Owner;
}
if (rowRlsMask != null)
{
option |= RowLevelSecurityHelper.EvalOption.Mask;
}
RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper()
{
RowOwnerId = rowOwnerId.Value,
RowRlsMask = rowRlsMask,
SecurityPrincipalId = slp.User.IdToGuid(),
SecurityPrincipalRlsMask = slp.User.RlsMask,
Option = option
};
perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride.Value);
if (option != RowLevelSecurityHelper.EvalOption.None &&
!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
exceptionMsg = "You do not have rights to this record.";
}
#endregion
if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed)
{
throw new SecurityException(exceptionMsg);
}
return(slp.User);
}
