public async Task <List <VMScript> > SafeSearchScriptsAsync(string name, bool includePublished = false)
{
IQueryable <Db.Models.VMScript> scriptQuery;
var authorizedScripts = await _userAuth.GetAuthorizedScripts(null, RBACActionEnum.Read);
if (authorizedScripts.GloballyAuthorized)
{
scriptQuery = _dbContext.Script.Where(p => p.Name.Contains(name) && p.IsDeleted == false).Select(p => new VMScript(p));
}
else
{
var authorizedScriptIds = authorizedScripts.AuthorizedIds.Select(p => p.Id).ToList();
scriptQuery = _dbContext.Script.Where(p => p.Name.Contains(name) && authorizedScriptIds.Contains(p.ScriptId) && p.IsDeleted == false).Select(p => new VMScript(p));
}
if (includePublished)
{
scriptQuery.Include(p => p.PublishedVersion);
}
return(await scriptQuery.ToListAsync());
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, EphItAuthRequirement requirement)
{
_userAuth.SetAuthenticatedWith(null);
if (!context.User.Identity.IsAuthenticated)
{
Log.Warning("User is not authenticated.");
context.Fail();
return;
}
var t = _httpContextAccessor.HttpContext.GetRouteData();
object objectId = null;
if (t != null)
{
foreach (var key in t.Values.Keys)
{
if (key.ToLower().Equals(requirement.RBACObject.ToString().ToLower() + "id"))
{
objectId = t.Values[key];
}
}
}
AuthorizedObjects authObjects = new AuthorizedObjects();
switch (requirement.RBACObject)
{
case RBACObjectsId.Scripts:
if (objectId != null)
{
authObjects = await _userAuth.GetAuthorizedScripts((int)objectId, requirement.RBACAction);
}
else
{
authObjects = await _userAuth.GetAuthorizedScripts(null, requirement.RBACAction);
}
break;
}
if (authObjects.GloballyAuthorized || authObjects.AuthorizedIds.Count > 0)
{
// Globally Authorized = all objects so auth passes
// AuthorizedIds > 0 means user is allowed to perform x action on objectId
Log.Information($"User {context.User.Identity.Name} is authorized for action {requirement.RBACAction} on object type {requirement.RBACObject}.");
context.Succeed(requirement);
return;
}
if (objectId != null)
{
// This means user tried to do something to an object and the auth check didn't pass
Log.Warning($"User {context.User.Identity.Name} is NOT authorized for action {requirement.RBACAction} on object type {requirement.RBACObject} with objectId {objectId}");
context.Fail();
return;
}
// We would reach this point if the user tried to do something with no objectId (ie, create a new script)
// And they don't have global permissions to do that action or their security role doesn't have any
// objects associated with it. So if Role1 has the EditScript permission but no scripts associated with it yet
// We'd wind up here. Now we simply do a check to see if they are in a role that can do the required action
// IE if they can do a ScriptEdit, this succeeds because they are trying to create a script.
var teams = await _userAuth.GetRoleIdsAsync();
if (await _dbContext.Role.Where(p =>
teams.Contains(p.RoleId) &&
p.RoleObjectAction.Where(obj =>
obj.RbacObjectId.Equals((short)requirement.RBACObject) &&
obj.RbacActionId.Equals((short)requirement.RBACAction)
).Any()
)
.AnyAsync()
)
{
Log.Information($"User {context.User.Identity.Name} is authorized for action {requirement.RBACAction} on object type {requirement.RBACObject}.");
context.Succeed(requirement);
return;
}
Log.Warning($"User {context.User.Identity.Name} is NOT authorized for action {requirement.RBACAction} on object type {requirement.RBACObject}");
context.Fail();
return;
}