public void Test_EnableCreateRule()
{
UserAccount userAccount;
EntityType entityType1;
AccessRule accessRule;
IEntityAccessControlService entityAccessControlService;
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
userAccount = new UserAccount();
userAccount.Name = Guid.NewGuid().ToString();
userAccount.Save();
entityType1 = new EntityType();
entityType1.Inherits.Add(UserResource.UserResource_Type);
entityType1.Save();
entityAccessControlService = Factory.EntityAccessControlService;
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.CanCreate(entityType1), Is.False,
"User can somehow initially create entities (!?)");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
accessRule = new AccessRuleFactory().AddAllowCreate(
userAccount.As <Subject>(),
entityType1.As <SecurableEntity>());
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.CanCreate(entityType1), Is.True,
"User cannot initially create entities");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
accessRule.AccessRuleEnabled = false;
accessRule.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.CanCreate(entityType1), Is.False,
"User can create entities afterwards (!?)");
}
}
public void Test_ChangePermissionsOnAccessRule()
{
UserAccount userAccount;
EntityType entityType;
IEntity entity;
EntityRef entityRef;
AccessRule accessRule;
IEntityAccessControlService entityAccessControlService;
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
userAccount = new UserAccount();
userAccount.Name = Guid.NewGuid().ToString();
userAccount.Save();
entityType = new EntityType();
entityType.Inherits.Add(UserResource.UserResource_Type);
entityType.Save();
entity = Entity.Create(entityType);
entity.Save();
entityRef = new EntityRef(entity);
entityAccessControlService = Factory.EntityAccessControlService;
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.False,
"User can somehow initially read entities (!?)");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can somehow initially write entities (!?)");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
using (new SecurityBypassContext())
{
accessRule = new AccessRuleFactory().AddAllowByQuery(
userAccount.As <Subject>(),
entityType.As <SecurableEntity>(),
new[] { Permissions.Read, Permissions.Modify },
TestQueries.Entities(entityType).ToReport());
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True,
"User cannot read entity after access rule creation");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.True,
"User cannot modify entity after access rule creation");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
accessRule.PermissionAccess.Remove(Permissions.Modify.Entity.As <Permission>());
accessRule.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True,
"User cannot read entity after removing modify access");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can modify entity after removing modify access");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
accessRule.PermissionAccess.Remove(Permissions.Read.Entity.As <Permission>());
accessRule.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.False,
"User can read entity after removing read access");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can modify entity after removing read access");
}
using (var ctx = DatabaseContext.GetContext(true, preventPostSaveActionsPropagating: true))
{
accessRule.PermissionAccess.Add(Permissions.Read.Entity.As <Permission>());
accessRule.Save();
ctx.CommitTransaction();
}
using (new SetUser(userAccount))
{
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Read }), Is.True,
"User cannot read entity after re-adding read access");
Assert.That(entityAccessControlService.Check(entityRef, new[] { Permissions.Modify }), Is.False,
"User can modify entity after re-adding read access");
}
}
