/// <summary>
/// CheckComponentPermission()
/// Check current user role permissioned to access the component as a whole
/// </summary>
/// <param name="claims">Claims of the current user; <c>IsAuthenticated</c> and <c>Roles</c> are consulted.</param>
/// <param name="e">Event arguments describing the component call; passed on to the default rule.</param>
/// <returns>Denied for an anonymous caller without any role, otherwise the result of the default component rule.</returns>
private PermissionLevel CheckComponentPermission(UserClaims claims, ComponentExtensionEventArgs e)
{
    // An unauthenticated caller that has no role at all is refused outright.
    // An unauthenticated caller that does carry roles (roles granted to anonymous
    // users) is still evaluated against the default component rule below.
    bool anonymousWithoutRoles = !claims.IsAuthenticated && claims.Roles.Count == 0;
    if (anonymousWithoutRoles)
    {
        return PermissionLevel.Denied;
    }

    // Delegate to the per-role default rule for the component
    return CheckDefaultComponentPermission(claims, e);
}
/// <summary>
/// CheckComponentOperationPermission()
/// Check default user role permission to access the component operation named in e.OperationName
/// </summary>
/// <param name="claims">Claims of the current user.</param>
/// <param name="e">Event arguments; <c>OperationName</c> identifies the operation being called.</param>
/// <returns>The component-level decision, because this component defines no operation-specific override yet.</returns>
private PermissionLevel CheckComponentOperationPermission(UserClaims claims, ComponentExtensionEventArgs e)
{
    // Extension point: operation-specific (override) rules are added as cases here.
    // None exist for this component, so every operation name takes the default branch.
    string operationName = e.OperationName;
    switch (operationName)
    {
        default:
            break;
    }

    // No explicit operation rule reached a decision for the user's roles, so the same
    // logic is applied one level 'up', at component level.
    return CheckComponentPermission(claims, e);
}
/// <summary>
/// CheckDefaultComponentPermission()
/// Check default user role permission to access the component
/// </summary>
/// <param name="claims">Claims of the current user; only <c>Roles</c> is consulted.</param>
/// <param name="e">Event arguments describing the component call; not consulted by the default rule.</param>
/// <returns>Authorized when the user holds "Administrator" or "User", otherwise Denied.</returns>
private PermissionLevel CheckDefaultComponentPermission(UserClaims claims, ComponentExtensionEventArgs e)
{
    // Roles "Administrator", "User" have default authorized access to all components
    // (can still later be overridden by more specific rules).
    // Role names are compared with ordinal, case-sensitive equality.
    bool holdsDefaultRole = claims.Roles.Any(role => role == "Administrator" || role == "User");

    return holdsDefaultRole ? PermissionLevel.Authorized : PermissionLevel.Denied;
}
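/// <summary>
/// OnBeforeCall()
/// Check current user role permissions for the proposed component operation call
/// </summary>
/// <param name="sender">The component raising the event; not consulted.</param>
/// <param name="e">Event arguments; <c>OperationName</c> identifies the operation about to be called.</param>
/// <exception cref="GOServerException">
/// Thrown (via <c>IAuthentication.ThrowAccessDenied</c>, or directly as a fallback) when the
/// current user is not authorized for the operation.
/// </exception>
private void OnBeforeCall(object sender, ComponentExtensionEventArgs e)
{
    // Get user claims
    IAuthentication authentication = ApplicationSettings.Container.Resolve<IAuthentication>();
    UserClaims claims = authentication.GetCurrentUserClaims();

    // We start by looking at the operation permissions.
    // If no decision is reached there, it internally ripples up to check the component permissions.
    if (CheckComponentOperationPermission(claims, e) == PermissionLevel.Authorized)
    {
        return;
    }

    GOServerException denied = new GOServerException(
        "accessDenied",
        "Access denied to component operation GOFileUploader." + e.OperationName,
        new ForbiddenAccessException("forbidden access"));

    // Give authentication opportunity to package up the exception
    authentication.ThrowAccessDenied(denied);

    // Fail closed: this line is reached only if ThrowAccessDenied returned instead of
    // throwing, which would otherwise let the denied operation proceed.
    throw denied;
}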
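/// <summary>
/// CheckComponentOperationPermission()
/// Check default user role permission to access the component operation named in e.OperationName
/// </summary>
/// <param name="claims">Claims of the current user; only <c>Roles</c> is consulted here.</param>
/// <param name="e">Event arguments; <c>OperationName</c> identifies the operation being called.</param>
/// <returns>
/// For the self-service operations listed in the switch: Authorized when the user holds the "Guest" role,
/// Denied when the user holds no role at all, otherwise the component-level decision.
/// For any other operation: the component-level decision.
/// </returns>
private PermissionLevel CheckComponentOperationPermission(UserClaims claims, ComponentExtensionEventArgs e)
{
    switch (e.OperationName)
    {
        // Every self-service operation shares one rule: "Guest" is explicitly authorized,
        // a caller with no roles at all is explicitly denied, and any other role set has
        // no operation-level decision and drops to the component rule below.
        case "Authenticate":
        case "AuthorizeNavigationTo":
        case "ChangePassword":
        case "LostPassword":
        case "Register":
        case "RegisterByEmail":
        case "RegisterFull":
        case "ResetPassword":
        case "ValidateRegistration":
        {
            // Ordinal, case-sensitive match on the role name
            if (claims.Roles.Contains("Guest"))
            {
                return PermissionLevel.Authorized;
            }

            // "all roles denied?" — the previous per-case counter of denied roles was never
            // incremented, so this branch only ever fired for an empty role list; that
            // observable behaviour is kept: only a role-less caller is denied here.
            if (!claims.Roles.Any())
            {
                return PermissionLevel.Denied;
            }

            break;
        }

        default:
            break;
    }

    // If we get here, it means there is no explicit (override) authorization operation rule
    // for at least one of the user's roles, so we go 'up' to the component permissions and
    // try the same logic at component level.
    return CheckComponentPermission(claims, e);
}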