/// <summary> /// Returns the permissions the specified Identity is authorized for based on the specified permissions identifiers. If no permissions are specified it will check all ProjectRequestTypeWorkflowActivity permission definitions. /// </summary> /// <param name="db">The DataContext.</param> /// <param name="apiIdentity">The Identity to check permission for.</param> /// <param name="projectID">The project ID.</param> /// <param name="workflowActivityID">The workflow activity ID.</param> /// <param name="requestTypeID">The request type ID.</param> /// <param name="permissionID">The permissions to check, or null for all.</param> /// <returns></returns> public static async Task <IEnumerable <PermissionDefinition> > GetGrantedPermissionsForWorkflowActivityAsync(this DataContext db, ApiIdentity apiIdentity, Guid projectID, Guid workflowActivityID, Guid requestTypeID, params Guid[] permissionID) { ExtendedQuery query = new ExtendedQuery { ProjectRequestTypeWorkflowActivity = p => p.ProjectID == projectID && p.RequestTypeID == requestTypeID && p.WorkflowActivityID == workflowActivityID }; PermissionDefinition[] permissions = null; if (permissionID != null && permissionID.Any()) { permissions = PermissionIdentifiers.ProjectRequestTypeWorkflowActivities.Permissions().Where(p => permissionID.Contains(p.ID)).ToArray(); if (permissions != null && permissions.Length == 0) { //invalid permissions were specified, return no permission return(Enumerable.Empty <PermissionDefinition>()); } } if (permissions == null || permissions.Length == 0) { permissions = PermissionIdentifiers.ProjectRequestTypeWorkflowActivities.Permissions().ToArray(); } var grantedPermissions = await db.HasGrantedPermissions(apiIdentity, query, permissions); return(grantedPermissions); }
public async Task <IEnumerable <PermissionDefinition> > HasGrantedPermissions(DataContext db, ApiIdentity identity, Guid[] objID, ExtendedQuery filters, params PermissionDefinition[] requestedPermissions) { var predicateAll = PredicateBuilder.True <Permission>(); var predicateAny = PredicateBuilder.False <Permission>(); if (filters == null) { filters = new ExtendedQuery(); } var locations = requestedPermissions.SelectMany(p => p.Locations).Distinct(); foreach (var location in locations) { var permissions = requestedPermissions.Where(p => p.Locations.Any(l => l == location)).ToArray(); switch (location) { case PermissionAclTypes.Global: var globalAcls = db.GlobalAcls.FilterAcl(identity, permissions); if (filters.Global != null) { globalAcls = globalAcls.Where(filters.Global); } predicateAny = predicateAny.Or(p => globalAcls.Where(a => a.PermissionID == p.ID).Any()); predicateAll = predicateAll.And(p => globalAcls.Where(a => a.PermissionID == p.ID).All(a => a.Allowed)); break; case PermissionAclTypes.DataMarts: var dmFilter = this.DataMartFilter(objID); if (dmFilter == null) { break; } var dataMartAcls = db.DataMartAcls.FilterAcl(identity, permissions).Where(dmFilter); if (filters.DataMarts != null) { dataMartAcls = dataMartAcls.Where(filters.DataMarts); } predicateAny = predicateAny.Or(p => dataMartAcls.Where(a => a.PermissionID == p.ID).Any()); predicateAll = predicateAll.And(p => dataMartAcls.Where(a => a.PermissionID == p.ID).All(a => a.Allowed)); break; case PermissionAclTypes.Groups: var gFilter = this.GroupFilter(objID); if (gFilter == null) { break; } var groupAcls = db.GroupAcls.FilterAcl(identity, permissions); if (filters.Groups != null) { groupAcls = groupAcls.Where(filters.Groups); } predicateAny = predicateAny.Or(p => groupAcls.Where(a => a.PermissionID == p.ID).Where(gFilter).Any()); predicateAll = predicateAll.And(p => groupAcls.Where(a => a.PermissionID == p.ID).Where(gFilter).All(a => a.Allowed)); break; case PermissionAclTypes.Organizations: var oFilter = this.OrganizationFilter(objID); if (oFilter == null) { break; } var organizationAcls = db.OrganizationAcls.FilterAcl(identity, permissions); if (filters.Organizations != null) { organizationAcls = organizationAcls.Where(filters.Organizations); } predicateAny = predicateAny.Or(p => organizationAcls.Where(a => a.PermissionID == p.ID).Where(oFilter).Any()); predicateAll = predicateAll.And(p => organizationAcls.Where(a => a.PermissionID == p.ID).Where(oFilter).All(a => a.Allowed)); break; case PermissionAclTypes.OrganizationUsers: var ouFilter = this.OrganizationUserFilter(objID); if (ouFilter == null) { break; } var organizationUserAcls = db.OrganizationUserAcls.FilterAcl(identity, permissions); if (filters.OrganizationUsers != null) { organizationUserAcls = organizationUserAcls.Where(filters.OrganizationUsers); } predicateAny = predicateAny.Or(p => organizationUserAcls.Where(a => a.PermissionID == p.ID).Where(ouFilter).Any()); predicateAll = predicateAll.And(p => organizationUserAcls.Where(a => a.PermissionID == p.ID).Where(ouFilter).All(a => a.Allowed)); break; case PermissionAclTypes.ProjectDataMarts: var pdmFilter = this.ProjectDataMartFilter(objID); if (pdmFilter == null) { break; } var projectDataMartAcls = db.ProjectDataMartAcls.FilterAcl(identity, permissions).Where(pdmFilter); if (filters.ProjectDataMarts != null) { projectDataMartAcls = projectDataMartAcls.Where(filters.ProjectDataMarts); } predicateAny = predicateAny.Or(p => projectDataMartAcls.Where(a => a.PermissionID == p.ID).Any()); predicateAll = predicateAll.And(p => projectDataMartAcls.Where(a => a.PermissionID == p.ID).All(a => a.Allowed)); break; case PermissionAclTypes.ProjectOrganizations: var poFilter = this.ProjectOrganzationFilter(objID); if (poFilter == null) { break; } var projectOrganizationAcls = db.ProjectOrganizationAcls.FilterAcl(identity, permissions); if (filters.ProjectOrganizations != null) { projectOrganizationAcls = projectOrganizationAcls.Where(filters.ProjectOrganizations); } predicateAny = predicateAny.Or(p => projectOrganizationAcls.Where(a => a.PermissionID == p.ID).Where(poFilter).Any()); predicateAll = predicateAll.And(p => projectOrganizationAcls.Where(a => a.PermissionID == p.ID).Where(poFilter).All(a => a.Allowed)); break; case PermissionAclTypes.Projects: var pFilter = this.ProjectFilter(objID); if (pFilter == null) { break; } var projectAcls = db.ProjectAcls.FilterAcl(identity, permissions); if (filters.Projects != null) { projectAcls = projectAcls.Where(filters.Projects); } predicateAny = predicateAny.Or(p => projectAcls.Where(a => a.PermissionID == p.ID).Where(pFilter).Any()); predicateAll = predicateAll.And(p => projectAcls.Where(a => a.PermissionID == p.ID).Where(pFilter).All(a => a.Allowed)); break; case PermissionAclTypes.Registries: var rFilter = this.RegistryFilter(objID); if (rFilter == null) { break; } var registryAcls = db.RegistryAcls.FilterAcl(identity, permissions); if (filters.Registries != null) { registryAcls = registryAcls.Where(filters.Registries); } predicateAny = predicateAny.Or(p => registryAcls.Where(a => a.PermissionID == p.ID).Where(rFilter).Any()); predicateAll = predicateAll.And(p => registryAcls.Where(a => a.PermissionID == p.ID).Where(rFilter).All(a => a.Allowed)); break; case PermissionAclTypes.Requests: var reqFilter = this.RequestFilter(objID); if (reqFilter == null) { break; } var requestAcls = db.RequestAcls.FilterAcl(identity, permissions); if (filters.Requests != null) { requestAcls = requestAcls.Where(filters.Requests); } predicateAny = predicateAny.Or(p => requestAcls.Where(a => a.PermissionID == p.ID).Where(reqFilter).Any()); predicateAll = predicateAll.And(p => requestAcls.Where(a => a.PermissionID == p.ID).Where(reqFilter).All(a => a.Allowed)); break; case PermissionAclTypes.RequestSharedFolders: var rsfFilter = this.RequestSharedFolderFilter(objID); if (rsfFilter == null) { break; } var rsfAcls = db.RequestSharedFolderAcls.FilterAcl(identity, permissions); if (filters.SharedFolders != null) { rsfAcls = rsfAcls.Where(filters.SharedFolders); } predicateAny = predicateAny.Or(p => rsfAcls.Where(a => a.PermissionID == p.ID).Where(rsfFilter).Any()); predicateAll = predicateAll.And(p => rsfAcls.Where(a => a.PermissionID == p.ID).Where(rsfFilter).All(a => a.Allowed)); break; case PermissionAclTypes.Users: var uFilter = this.UserFilter(objID); if (uFilter == null) { break; } var userAcls = db.UserAcls.FilterAcl(identity, permissions); if (filters.Users != null) { userAcls = userAcls.Where(filters.Users); } predicateAny = predicateAny.Or(p => userAcls.Where(a => a.PermissionID == p.ID).Where(uFilter).Any()); predicateAll = predicateAll.And(p => userAcls.Where(a => a.PermissionID == p.ID).Where(uFilter).All(a => a.Allowed)); break; case PermissionAclTypes.RequestTypes: var rtFilter = this.RequestTypeFilter(objID); if (rtFilter == null) { break; } var requestTypeAcls = db.RequestTypeAcls.FilterAcl(identity, permissions); if (filters.RequestTypes != null) { requestTypeAcls.Where(filters.RequestTypes); } predicateAny = predicateAny.Or(p => requestTypeAcls.Where(a => a.PermissionID == p.ID).Where(rtFilter).Any()); predicateAll = predicateAll.And(p => requestTypeAcls.Where(a => a.PermissionID == p.ID).Where(rtFilter).All(a => a.Allowed)); break; case PermissionAclTypes.Templates: var tFilter = this.TemplateFilter(objID); if (tFilter == null) { break; } var templateAcls = db.TemplateAcls.FilterAcl(identity, permissions); if (filters.Templates != null) { templateAcls = templateAcls.Where(filters.Templates); } predicateAny = predicateAny.Or(p => templateAcls.Where(a => a.PermissionID == p.ID).Where(tFilter).Any()); predicateAll = predicateAll.And(p => templateAcls.Where(a => a.PermissionID == p.ID).Where(tFilter).All(a => a.Allowed)); break; default: throw new NotSupportedException("The security location is not supported."); } } //Combine the two predicates and and them so that we know that we have at least one allowed, and all are allowed var predicate = PredicateBuilder.True <Permission>(); predicate = predicate.And(predicateAll.Expand()); predicate = predicate.And(predicateAny.Expand()); var result = (from p in await db.Permissions.AsExpandable().Where(predicate).ToArrayAsync() join rp in requestedPermissions on p.ID equals rp.ID select rp); return(result); }