/// <summary> /// Tests security for (RlsOwner /or/ RlsMask). /// </summary> /// <param name="rlsOwner">The rlsOwner from the row.</param> /// <param name="rlsMask">The rlsMask from the row.</param> /// <param name="user">The current security principal.</param> void TryRowLevelSecurityOrException(Guid rlsOwner, byte[] rlsMask, ss.User user) { RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None; if (rlsOwner != Guid.Empty) { option |= RowLevelSecurityHelper.EvalOption.Owner; } if (rlsMask != null) { option |= RowLevelSecurityHelper.EvalOption.Mask; } RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper() { RowOwnerId = rlsOwner, RowRlsMask = rlsMask, SecurityPrincipalId = user.IdToGuid(), SecurityPrincipalRlsMask = user.RlsMask, Option = option }; rlsHelper.Eval(); bool ok = rlsHelper.IsRowOwner || rlsHelper.HasMaskMatch; if (!ok) { throw new SecurityException("You do not have rights to this record."); } }
/// <summary> /// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed /// </summary> /// <param name="uniqueName">The UniqueName for which to select security.</param> /// <param name="right">The RecordRight to test (used in error message).</param> /// <param name="assetType">The associated AssetType (used in error message).</param> /// <param name="rowOwnerId">The rlsOwner from the row.</param> /// <param name="rowRlsMask">The rlsMask from the row.</param> public SuplexSecurityInfo TrySecurityOrException(string userName, string uniqueName, AceType aceType, object right, string assetType, Guid rowOwnerId, byte[] rowRlsMask, bool allowOwnerOverride, bool recurseUp = true) { string exceptionMsg = this.GetNoRightsErrorMessage(right, assetType); SecurityLoadParameters slp = new SecurityLoadParameters() { ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv), User = this.GetSuplexUser(userName, resolve: true) }; SplxSecureManagerBase perms = recurseUp ? GetSecureManagerSecurityRecurseUp(userName, aceType, uniqueName, slp) : GetSecureManagerSecurity(userName, aceType, uniqueName, slp); #region eval rls RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None; if (rowOwnerId != Guid.Empty) { option |= RowLevelSecurityHelper.EvalOption.Owner; } if (rowRlsMask != null) { option |= RowLevelSecurityHelper.EvalOption.Mask; } RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper() { RowOwnerId = rowOwnerId, RowRlsMask = rowRlsMask, SecurityPrincipalId = slp.User.IdToGuid(), SecurityPrincipalRlsMask = slp.User.RlsMask, Option = option }; perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride); if (option != RowLevelSecurityHelper.EvalOption.None && !perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed) { exceptionMsg = "You do not have rights to this record."; } #endregion if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed) { throw new SecurityException(exceptionMsg); } return(new SuplexSecurityInfo(slp.User, perms)); }
/// <summary> /// Tests security /and/ (RlsOwner /or/ RlsMask) for the given UniqueName and validates SecurityResults[AceType.Record, right].AccessAllowed /// </summary> /// <param name="uniqueName">The UniqueName for which to select security.</param> /// <param name="right">The RecordRight to test (used in error message).</param> /// <param name="assetType">The associated AssetType (used in error message).</param> /// <param name="rowOwnerId">The rlsOwner from the row.</param> /// <param name="rowRlsMask">The rlsMask from the row.</param> public ss.User TrySecurityOrException(string uniqueName, AceType aceType, object right, Guid?rowOwnerId = null, byte[] rowRlsMask = null, bool?allowOwnerOverride = null, ss.User user = null) { if (rowOwnerId == null) { rowOwnerId = Guid.Empty; } if (rowOwnerId != Guid.Empty && allowOwnerOverride == null) { allowOwnerOverride = true; } if (allowOwnerOverride == null) { allowOwnerOverride = false; } string exceptionMsg = $"You do not have {right} rights to this record."; SecurityLoadParameters slp = new SecurityLoadParameters() { ExternalGroupInfo = new ExternalGroupInfo(LdapRoot, true, GlobalExternalGroupsCsv), User = user == null?this.GetSuplexUser(true) : user }; SplxSecureManagerBase perms = this.GetSecureManagerManagerSecurity(aceType, uniqueName, slp); #region eval rls RowLevelSecurityHelper.EvalOption option = RowLevelSecurityHelper.EvalOption.None; if (rowOwnerId != Guid.Empty) { option |= RowLevelSecurityHelper.EvalOption.Owner; } if (rowRlsMask != null) { option |= RowLevelSecurityHelper.EvalOption.Mask; } RowLevelSecurityHelper rlsHelper = new RowLevelSecurityHelper() { RowOwnerId = rowOwnerId.Value, RowRlsMask = rowRlsMask, SecurityPrincipalId = slp.User.IdToGuid(), SecurityPrincipalRlsMask = slp.User.RlsMask, Option = option }; perms.Security.EvalRowLevelSecurity(rlsHelper, aceType, new object[] { right }, allowOwnerOverride.Value); if (option != RowLevelSecurityHelper.EvalOption.None && !perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed) { exceptionMsg = "You do not have rights to this record."; } #endregion if (!perms.Security.Descriptor.SecurityResults[aceType, right].AccessAllowed) { throw new SecurityException(exceptionMsg); } return(slp.User); }