protected void BindUserEntityPermissions(QueryBase q, AccessRightValue access)
{
//get entity permissions
var roles = _user?.Roles?.Select(r => r.RoleId);
if (!roles.Any())
{
OnException(_loc["notspecified_userroles"]);
}
var entities = q is QueryExpression ? (q as QueryExpression).GetAllEntityNames() : new List <string>()
{
q.EntityName
};
var entIds = _entityFinder.FindByNames(entities.ToArray()).Select(n => n.EntityId);
_user.RoleObjectAccessEntityPermission = _roleObjectAccessEntityPermissionService.GetPermissions(entIds, roles, access);
}
public List <RoleObjectAccessEntityPermission> GetPermissions(IEnumerable <Guid> entityIds, IEnumerable <Guid> roleIds, AccessRightValue access)
{
Sql s = Sql.Builder.Append(@"SELECT MAX([RoleObjectAccess].[AccessRightsMask]) AS AccessRightsMask,[EntityPermission].[EntityId] AS EntityId,[EntityPermission].[AccessRight] AS AccessRight
FROM RoleObjectAccess WITH(NOLOCK)
INNER JOIN EntityPermission AS EntityPermission WITH(NOLOCK) ON EntityPermission.[EntityPermissionId]=RoleObjectAccess.[ObjectId]
WHERE [EntityPermission].[EntityId] IN (@0)
AND [RoleObjectAccess].[RoleId] IN (@1)
AND [EntityPermission].[AccessRight] = @2
GROUP BY [EntityPermission].[EntityId],[EntityPermission].[AccessRight]", entityIds, roleIds, (int)access);
return(_repository.ExecuteQuery(s.SQL, s.Arguments));
}
public RoleObjectAccessEntityPermission FindUserPermission(string entityName, string userAccountName, AccessRightValue access)
{
Sql s = Sql.Builder.Append(@"SELECT a.AccessRight,MAX(b.AccessRightsMask) AccessRightsMask FROM EntityPermission a
INNER JOIN RoleObjectAccess b ON a.EntityPermissionId = b.ObjectId
INNER JOIN Entity c ON a.EntityId = c.EntityId AND c.AuthorizationEnabled=1 AND c.Name=@0
INNER JOIN SystemUserRoles d ON b.RoleId = d.RoleId
INNER JOIN SystemUser e ON d.SystemUserId = e.SystemUserId AND e.LoginName=@1
WHERE a.AccessRight=@2
GROUP BY a.AccessRight", entityName, userAccountName, access);
return(_repository.Find(s.SQL, s.Arguments));
}
/// <summary>
/// 校验实体权限
/// </summary>
/// <param name="entity"></param>
/// <param name="access"></param>
/// <param name="entityMetadata"></param>
protected void VerifyEntityPermission(Entity entity, AccessRightValue access, Schema.Domain.Entity entityMetadata = null)
{
entityMetadata = entityMetadata ?? GetEntityMetaData(entity.Name);
//authorization disabled or user is administrator group
if (!entityMetadata.AuthorizationEnabled || _user.IsSuperAdmin)
{
return;
}
bool hasPermission = false;
//operation permission
var roleEntityPermission = _roleObjectAccessEntityPermissionService.FindUserPermission(entity.Name, _user.LoginName, access);
//if (roleEntityPermission == null) return;
//permission depth
var depth = "none";
if (roleEntityPermission != null)
{
var data = entity.UnWrapAttributeValue();
if (entityMetadata.EntityMask == EntityMaskEnum.Organization)
{
var b = data.GetGuidValue("organizationid");
hasPermission = (roleEntityPermission.AccessRightsMask != EntityPermissionDepth.None && this._user.OrganizationId.Equals(b));
}
else
{
var ownerIdType = data.GetIntValue("owneridtype");
//full
if (roleEntityPermission.AccessRightsMask == EntityPermissionDepth.Organization)
{
hasPermission = true;
}
else if (ownerIdType == (int)OwnerTypes.SystemUser)
{
//basic
if (roleEntityPermission.AccessRightsMask == EntityPermissionDepth.Self)
{
hasPermission = data.GetGuidValue("ownerid").Equals(this._user.SystemUserId);
}
//local
else if (roleEntityPermission.AccessRightsMask == EntityPermissionDepth.BusinessUnit)
{
var b = data.GetGuidValue("owningbusinessunit");
hasPermission = _user.BusinessUnitId.Equals(b);
}
//deep
else if (roleEntityPermission.AccessRightsMask == EntityPermissionDepth.BusinessUnitAndChild)
{
var b = data.GetGuidValue("owningbusinessunit");
hasPermission = _businessUnitService.IsChild(this._user.BusinessUnitId, b);
}
}
else if (ownerIdType == (int)OwnerTypes.Team)
{
//basic
if (roleEntityPermission.AccessRightsMask == EntityPermissionDepth.Self)
{
hasPermission = data.GetGuidValue("ownerid").Equals(this._user.SystemUserId);
}
//local
else if (roleEntityPermission.AccessRightsMask == EntityPermissionDepth.BusinessUnit)
{
var b = data.GetGuidValue("owningbusinessunit");
hasPermission = _user.BusinessUnitId.Equals(b);
}
//deep
else if (roleEntityPermission.AccessRightsMask == EntityPermissionDepth.BusinessUnitAndChild)
{
var b = data.GetGuidValue("owningbusinessunit");
hasPermission = _businessUnitService.IsChild(this._user.BusinessUnitId, b);
}
}
}
depth = roleEntityPermission.AccessRightsMask.ToString();
}
//shared permission
if (!hasPermission)
{
var objectId = entity.GetIdValue();
var poa = _principalObjectAccessService.Find(n => n.ObjectId == objectId && n.AccessRightsMask == access);
hasPermission = poa != null;
}
if (!hasPermission)
{
var msg = Enum.GetName(typeof(AccessRightValue), access);
msg = _loc["security_" + msg];
OnException(string.Format(_loc["security_noentitypermission"] + " " + depth, entityMetadata.LocalizedName, msg));
}
}
public List <RoleObjectAccessEntityPermission> GetPermissions(IEnumerable <Guid> entityIds, IEnumerable <Guid> roleIds, AccessRightValue access)
{
return(_roleObjectAccessEntityPermissionRepository.GetPermissions(entityIds, roleIds, access));
}
public RoleObjectAccessEntityPermission FindUserPermission(string entityName, string userAccountName, AccessRightValue access)
{
return(_roleObjectAccessEntityPermissionRepository.FindUserPermission(entityName, userAccountName, access));
}
