protected void VerifyPermission(string permissionName, string module)
{
if (!_authQueries.VerifyPermission(UserId, permissionName, module))
{
throw new HttpException(403, "Access forbidden");
}
}
public JsonResult PlayerData(SearchPackage searchPackage)
{
var allowViewEmail = _authQueries.VerifyPermission(UserId, Permissions.ViewEmail, Modules.PlayerReport);
var allowViewMobile = _authQueries.VerifyPermission(UserId, Permissions.ViewMobile, Modules.PlayerReport);
var dataBuilder = new SearchPackageDataBuilder <PlayerRecord>(searchPackage, _queries.GetPlayerRecords());
var data = dataBuilder
.Map(r => r.PlayerId, r => new object[]
{
r.Licensee,
r.Brand,
r.Username,
allowViewMobile ? r.Mobile : r.Mobile.MaskMobile(),
allowViewEmail ? r.Email : r.Email.MaskEmail(),
r.Birthday,
r.IsInternalAccount,
r.RegistrationDate,
r.IsInactive,
r.Language,
r.Currency,
r.SignUpIP,
r.VipLevel,
r.Country,
r.PlayerName,
r.Title,
r.Gender,
r.StreetAddress,
r.PostCode,
r.Created,
r.CreatedBy,
r.Updated,
r.UpdatedBy,
r.Activated,
r.ActivatedBy,
r.Deactivated,
r.DeactivatedBy
})
.GetPageData(r => r.RegistrationDate);
return(new JsonResult {
Data = data, MaxJsonLength = int.MaxValue, JsonRequestBehavior = JsonRequestBehavior.AllowGet
});
}
public RejectOnlineDepositResponse Reject(RejectOnlineDepositRequest request)
{
if (false ==
(_authQueries.VerifyPermission(UserId, Permissions.Reject, Modules.DepositVerification) ||
_authQueries.VerifyPermission(UserId, Permissions.Reject, Modules.DepositApproval)))
{
throw new HttpException(403, "Access forbidden");
}
var data = _onlineDepositQueries.GetOnlineDepositById(request.Id);
CheckBrand(data.BrandId);
var model = Mapper.Map <Core.Payment.Interface.Data.RejectOnlineDepositRequest>(request);
_onlineDepositCommands.Reject(model);
return(new RejectOnlineDepositResponse
{
Success = true
});
}
public void Can_verify_permission_for_admin()
{
_authCommands.CreatePermission(new CreatePermission
{
Name = "Test",
Module = "Test"
});
var permissions = _authQueries.GetPermissions().Select(p => p.Id);
var roleId = Guid.NewGuid();
_authCommands.CreateRole(new CreateRole
{
RoleId = roleId,
Permissions = permissions.ToList()
});
var actorId = Guid.NewGuid();
var createActorModel = new CreateActor
{
ActorId = actorId,
Password = TestDataGenerator.GetRandomString(),
Username = TestDataGenerator.GetRandomString()
};
_authCommands.CreateActor(createActorModel);
_authCommands.AssignRoleToActor(new AssignRole
{
ActorId = createActorModel.ActorId,
RoleId = roleId
});
var actorHasPermission = _authQueries.VerifyPermission(actorId, "Test", "Test");
var actorHasNoPermission = _authQueries.VerifyPermission(actorId, "Invalid", "Invalid");
actorHasPermission.Should().BeTrue();
actorHasNoPermission.Should().BeFalse();
}
public IMethodReturn Invoke(IMethodInvocation input,
GetNextInterceptionBehaviorDelegate getNext)
{
var methodBaseClass = input.MethodBase;
if (input.MethodBase.DeclaringType != null && input.MethodBase.DeclaringType.IsInterface)
{
// Map interface method to implementing class method which contains the Permission attributes
var targetType = input.Target.GetType();
var parameterTypes = input.MethodBase.GetParameters().Select(par => par.ParameterType).ToArray();
const BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Public | BindingFlags.DeclaredOnly | BindingFlags.Instance;
methodBaseClass = targetType.GetMethod(input.MethodBase.ReflectedType.FullName + "." + input.MethodBase.Name, flags, Type.DefaultBinder, parameterTypes, null) ??
targetType.GetMethod(input.MethodBase.Name, flags, Type.DefaultBinder, parameterTypes, null) ??
input.MethodBase;
}
var permissionAttrs = methodBaseClass.GetCustomAttributes(typeof(PermissionAttribute), true);
if (permissionAttrs.Any())
{
if (_actorInfoProvider.IsActorAvailable == false)
{
throw new RegoException("Current user data is not accessible.");
}
var userId = _actorInfoProvider.Actor.Id;
var allowed = permissionAttrs.Select(p => (PermissionAttribute)p).Aggregate(false, (current, permission) => current ||
_authQueries.VerifyPermission(userId,
permission.Permission, permission.Module));
if (!allowed)
{
throw new InsufficientPermissionsException(
string.Format("User \"{0}\" has insufficient permissions for the operation ", _actorInfoProvider.Actor.UserName));
}
}
// Invoke the next behavior in the chain.
var result = getNext()(input, getNext);
return(result);
}
