public SPGlymaUser(SPWeb web, IGlymaSession glymaSession) { Web = web; GlymaSession = glymaSession; SecurableContextId = GlymaSession.SecurableContextId; SecurityDBDataContext dataContext = null; IDbConnectionAbstraction securityDbConnection = GlymaSession.ConnectionFactory.CreateSecurityDbConnection(); try { SPSecurity.RunWithElevatedPrivileges(delegate() { dataContext = new SecurityDBDataContext(securityDbConnection.Connection); var securableContext = (from dcSecurableContext in dataContext.SecurableContexts where dcSecurableContext.SecurableContextId == SecurableContextId select dcSecurableContext).FirstOrDefault(); if (securableContext == null) { return; } SecurableContextName = securableContext.SecurableContextName; SecurableContextUid = securableContext.SecurableContextUid; }); } finally { if (dataContext != null) { dataContext.Dispose(); dataContext = null; } if (securityDbConnection != null) { securityDbConnection.Dispose(); securityDbConnection = null; } } }
private HashSet<Guid> IsAuthorisedHashSet(Guid? securableParentUid, IEnumerable<Guid> securableObjectUids, params IRight[] requiredRights) { /// This user is a Glyma Security Manager, they have access to everything. if (Web.UserIsSiteAdmin) { return new HashSet<Guid>(securableObjectUids); } IDbConnectionAbstraction securityDbConnection = GlymaSession.ConnectionFactory.CreateSecurityDbConnection(); SecurityDBDataContext dataContext = null; SPSite elevatedSite = null; SPWeb elevatedWeb = null; try { GroupAssociationsOrderedByGroupSPId groupAssociations = new GroupAssociationsOrderedByGroupSPId(); SecurableObjectGenealogyTracker geneaologyTracker = new SecurableObjectGenealogyTracker(); SPSecurity.RunWithElevatedPrivileges(delegate() { dataContext = new SecurityDBDataContext(securityDbConnection.Connection); if (securableParentUid != null) { IQueryable<SecurableObject> securableObjectInheritanceInfo = from securableObject in dataContext.SecurableObjects where securableObject.SecurableContextId == SecurableContextId select securableObject; MultipleOrExpressionFilter<SecurableObject, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter<SecurableObject, Guid>(securableObjectInheritanceInfo, securableObjectUids, "SecurableObjectUid"); IQueryable<SecurableObject> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet(); geneaologyTracker.AddRange(securableParentUid, filteredSecurableObjectInheritanceInfo); geneaologyTracker.AddRangeIfNotPreExisting(securableParentUid, securableObjectUids); } else { geneaologyTracker.AddRange(null, securableObjectUids); IQueryable<GroupAssociation> groupsAssocationsWithBrokenInheritance = from securableObjectGroupAssocation in dataContext.GroupAssociations where securableObjectGroupAssocation.SecurableContextId == SecurableContextId && securableObjectGroupAssocation.SecurableObject.BreaksInheritance == true select securableObjectGroupAssocation; MultipleOrExpressionFilter<GroupAssociation, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter<GroupAssociation, Guid>(groupsAssocationsWithBrokenInheritance, securableObjectUids, "SecurableParentUid"); IQueryable<GroupAssociation> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet(); groupAssociations.AddRange(filteredSecurableObjectInheritanceInfo); foreach (GroupAssociation securableObjectWithBrokenInheritance in filteredSecurableObjectInheritanceInfo) { geneaologyTracker.Add(securableObjectWithBrokenInheritance.SecurableParentUid, securableObjectWithBrokenInheritance.SecurableObjectUid); } } /// Get the group associations for only the securable objects. IQueryable<GroupAssociation> allAccessibleGroupAssociations; /// The following needs to be done as Linq doesn't detect the null value in Nullable types and so doesn't generate the correct "IS NULL" SQL. if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects && geneaologyTracker.HasInheritingObjects) { allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations where (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid) || (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null) select securableObject; } else if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects) { allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid select securableObject; } else /// This means the tracker has only either inheriting objects or domains. { allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null select securableObject; } MultipleOrExpressionFilter<GroupAssociation, Guid> groupAssocationFilter = new MultipleOrExpressionFilter<GroupAssociation, Guid>(allAccessibleGroupAssociations, geneaologyTracker.GetPermissionSources(), "SecurableObjectUid"); IQueryable<GroupAssociation> filteredGroupAssociations = groupAssocationFilter.FilterResultSet(); groupAssociations.AddRange(filteredGroupAssociations); }); AccessibleObjectsBuilder accessibleObjects = new AccessibleObjectsBuilder(); elevatedSite = GetElevatedSite(); elevatedWeb = GetElevatedWeb(elevatedSite); foreach (SPRoleAssignment roleAssignment in elevatedWeb.RoleAssignments) { SPGroup elevatedGroup = roleAssignment.Member as SPGroup; if (elevatedGroup != null) { SPGroup group = Web.Groups.GetByID(elevatedGroup.ID); /// Check that we're actually looking at a group, and that this group is on the list of accessible groups, and that this group contains the current user. if (group != null && group.ContainsCurrentUser) { /// Do a check that this group actually has the required right. foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings) { IRole role = GetRole(roleDefinition.Name); IEnumerable<GroupAssociation> accessibleParentObjects; if (groupAssociations.GetBySPId(group.ID, out accessibleParentObjects)) { if (role != null && role.HasRights(requiredRights)) { IEnumerable<Guid> accessibleSecurableObjects = geneaologyTracker.GetSecurableObjectsByPermissionSources(accessibleParentObjects); accessibleObjects.AddRange(accessibleSecurableObjects); } } } } } } return accessibleObjects.GetAccessibleObjects(); } finally { if (dataContext != null) { dataContext.Dispose(); dataContext = null; } if (elevatedWeb != null) { elevatedWeb.Dispose(); elevatedWeb = null; } if (elevatedSite != null) { elevatedSite.Dispose(); elevatedSite = null; } if (securityDbConnection != null) { securityDbConnection.Dispose(); securityDbConnection = null; } } }
private HashSet <Guid> IsAuthorisedHashSet(Guid?securableParentUid, IEnumerable <Guid> securableObjectUids, params IRight[] requiredRights) { /// This user is a Glyma Security Manager, they have access to everything. if (Web.UserIsSiteAdmin) { return(new HashSet <Guid>(securableObjectUids)); } IDbConnectionAbstraction securityDbConnection = GlymaSession.ConnectionFactory.CreateSecurityDbConnection(); SecurityDBDataContext dataContext = null; SPSite elevatedSite = null; SPWeb elevatedWeb = null; try { GroupAssociationsOrderedByGroupSPId groupAssociations = new GroupAssociationsOrderedByGroupSPId(); SecurableObjectGenealogyTracker geneaologyTracker = new SecurableObjectGenealogyTracker(); SPSecurity.RunWithElevatedPrivileges(delegate() { dataContext = new SecurityDBDataContext(securityDbConnection.Connection); if (securableParentUid != null) { IQueryable <SecurableObject> securableObjectInheritanceInfo = from securableObject in dataContext.SecurableObjects where securableObject.SecurableContextId == SecurableContextId select securableObject; MultipleOrExpressionFilter <SecurableObject, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter <SecurableObject, Guid>(securableObjectInheritanceInfo, securableObjectUids, "SecurableObjectUid"); IQueryable <SecurableObject> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet(); geneaologyTracker.AddRange(securableParentUid, filteredSecurableObjectInheritanceInfo); geneaologyTracker.AddRangeIfNotPreExisting(securableParentUid, securableObjectUids); } else { geneaologyTracker.AddRange(null, securableObjectUids); IQueryable <GroupAssociation> groupsAssocationsWithBrokenInheritance = from securableObjectGroupAssocation in dataContext.GroupAssociations where securableObjectGroupAssocation.SecurableContextId == SecurableContextId && securableObjectGroupAssocation.SecurableObject.BreaksInheritance == true select securableObjectGroupAssocation; MultipleOrExpressionFilter <GroupAssociation, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter <GroupAssociation, Guid>(groupsAssocationsWithBrokenInheritance, securableObjectUids, "SecurableParentUid"); IQueryable <GroupAssociation> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet(); groupAssociations.AddRange(filteredSecurableObjectInheritanceInfo); foreach (GroupAssociation securableObjectWithBrokenInheritance in filteredSecurableObjectInheritanceInfo) { geneaologyTracker.Add(securableObjectWithBrokenInheritance.SecurableParentUid, securableObjectWithBrokenInheritance.SecurableObjectUid); } } /// Get the group associations for only the securable objects. IQueryable <GroupAssociation> allAccessibleGroupAssociations; /// The following needs to be done as Linq doesn't detect the null value in Nullable types and so doesn't generate the correct "IS NULL" SQL. if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects && geneaologyTracker.HasInheritingObjects) { allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations where (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid) || (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null) select securableObject; } else if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects) { allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid select securableObject; } else /// This means the tracker has only either inheriting objects or domains. { allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null select securableObject; } MultipleOrExpressionFilter <GroupAssociation, Guid> groupAssocationFilter = new MultipleOrExpressionFilter <GroupAssociation, Guid>(allAccessibleGroupAssociations, geneaologyTracker.GetPermissionSources(), "SecurableObjectUid"); IQueryable <GroupAssociation> filteredGroupAssociations = groupAssocationFilter.FilterResultSet(); groupAssociations.AddRange(filteredGroupAssociations); }); AccessibleObjectsBuilder accessibleObjects = new AccessibleObjectsBuilder(); elevatedSite = GetElevatedSite(); elevatedWeb = GetElevatedWeb(elevatedSite); foreach (SPRoleAssignment roleAssignment in elevatedWeb.RoleAssignments) { SPGroup elevatedGroup = roleAssignment.Member as SPGroup; if (elevatedGroup != null) { SPGroup group = Web.Groups.GetByID(elevatedGroup.ID); /// Check that we're actually looking at a group, and that this group is on the list of accessible groups, and that this group contains the current user. if (group != null && group.ContainsCurrentUser) { /// Do a check that this group actually has the required right. foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings) { IRole role = GetRole(roleDefinition.Name); IEnumerable <GroupAssociation> accessibleParentObjects; if (groupAssociations.GetBySPId(group.ID, out accessibleParentObjects)) { if (role != null && role.HasRights(requiredRights)) { IEnumerable <Guid> accessibleSecurableObjects = geneaologyTracker.GetSecurableObjectsByPermissionSources(accessibleParentObjects); accessibleObjects.AddRange(accessibleSecurableObjects); } } } } } } return(accessibleObjects.GetAccessibleObjects()); } finally { if (dataContext != null) { dataContext.Dispose(); dataContext = null; } if (elevatedWeb != null) { elevatedWeb.Dispose(); elevatedWeb = null; } if (elevatedSite != null) { elevatedSite.Dispose(); elevatedSite = null; } if (securityDbConnection != null) { securityDbConnection.Dispose(); securityDbConnection = null; } } }