예제 #1
 /// <summary>
 /// Copies the authorization.
 /// </summary>
 /// <param name="sourceEntity">The source entity.</param>
 /// <param name="targetEntity">The target entity.</param>
 public static void CopyAuthorization(ISecured sourceEntity, ISecured targetEntity)
     using (var rockContext = new RockContext())
         CopyAuthorization(sourceEntity, targetEntity, rockContext);
예제 #2
        /// <summary>
        /// Determines whether the specified entity is private. Entity is considered private if only the current user
        /// has access.  In this scenario, the first rule would give current user access, and second rule would deny
        /// all users.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <returns>
        ///   <c>true</c> if the specified entity is private; otherwise, <c>false</c>.
        /// </returns>
        public static bool IsPrivate(ISecured entity, string action, Person person)
            if (person != null)
                // If there's no Authorizations object, create it
                if (Authorizations == null)

                // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
                // one to find the first one specific to the selected user or a role that the selected user belongs
                // to.  If a match is found return whether the user is allowed (true) or denied (false) access
                if (Authorizations.Keys.Contains(entity.TypeId) &&
                    Authorizations[entity.TypeId].Keys.Contains(entity.Id) &&
                    Authorizations[entity.TypeId][entity.Id].Keys.Contains(action) &&
                    Authorizations[entity.TypeId][entity.Id][action].Count == 2)
                    AuthRule firstRule  = Authorizations[entity.TypeId][entity.Id][action][0];
                    AuthRule secondRule = Authorizations[entity.TypeId][entity.Id][action][1];

                    // If first rule allows current user, and second rule denies all other users then entity is private
                    if (firstRule.AllowOrDeny == "A" &&
                        firstRule.SpecialRole == SpecialRole.None &&
                        firstRule.PersonId == person.Id &&
                        secondRule.AllowOrDeny == "D" &&
                        secondRule.SpecialRole == SpecialRole.AllUsers)

예제 #3
        /// <summary>
        /// This is a heavily modified version of the Security.ItemAuthorized private method. It should perform
        /// nearly 99% of the same functionality. It's use is to find the explicit Auth record that matches the
        /// entity in question.
        /// </summary>
        /// <param name="entity">The entity whose auth records we are searching for.</param>
        /// <param name="action">The action that is to be authorized.</param>
        /// <param name="person">The person requesting permissions.</param>
        /// <param name="isRootEntity">True if this is the first call, false when called recursively.</param>
        /// <param name="checkParentAuthority">True if the parent authorities should be checked, otherwise false.</param>
        /// <param name="authoritative">On return this contains the ISecured object that had the explicit Auth record defined.</param>
        /// <returns>An Auth object if a permission was found, otherwise null.</returns>
        Auth ItemAuthorized(ISecured entity, string action, Person person, bool isRootEntity, bool checkParentAuthority, out ISecured authoritative)
            var auth = MatchingAuth(entity, action, person);

            if (auth != null)
                authoritative = entity;

            if (checkParentAuthority)
                Auth     parentAuthorized = null;
                ISecured parentAuthority  = null;

                if (isRootEntity && entity.ParentAuthorityPre != null)
                    parentAuthorized = ItemAuthorized(entity.ParentAuthorityPre, action, person, false, false, out parentAuthority);

                if (parentAuthorized == null && entity.ParentAuthority != null)
                    parentAuthorized = ItemAuthorized(entity.ParentAuthority, action, person, false, true, out parentAuthority);

                if (parentAuthorized != null)
                    authoritative = parentAuthority;

            authoritative = null;
예제 #4
        /// <summary>
        /// Handles the Click event of the control.
        /// </summary>
        /// <param name="sender">The source of the event.</param>
        /// <param name="e">The <see cref="EventArgs"/> instance containing the event data.</param>
        protected void gUnlock_Click(object sender, EventArgs e)
            RowEventArgs args = ( RowEventArgs )e;

            var auth = new AuthService(new RockContext()).Get(args.RowKeyId);

            if (auth != null && auth.Id != 0)
                var      rockContext = new RockContext();
                var      person      = ppPerson.PersonId.HasValue ? new PersonService(new RockContext()).Get(ppPerson.PersonId.Value) : CurrentPerson;
                ISecured entity      = GetEntity();

                var explicitAuth = new AuthService(rockContext).Queryable()
                                   .Where(a => a.EntityTypeId == auth.EntityTypeId && a.EntityId == auth.EntityId && a.Action == auth.Action)
                                   .Where(a => a.PersonAlias.PersonId == person.Id)

                if (explicitAuth != null)
                    explicitAuth.AllowOrDeny = "A";

                    Authorization.RefreshAction(entity.TypeId, entity.Id, auth.Action);
                    Authorization.AllowPerson(entity, auth.Action, person);

                nbPoppedLock.Text = string.Format("An explicit Allow rule has been added for {0}", person.FullName);

                BindGrid(entity, person);
예제 #5
        /// <summary>
        /// Handles the Click event of the control.
        /// </summary>
        /// <param name="sender">The source of the event.</param>
        /// <param name="e">The <see cref="EventArgs"/> instance containing the event data.</param>
        protected void btnCheck_Click(object sender, EventArgs e)
            ISecured entity = null;

            pnlResult.Visible = false;
            nbWarning.Text    = string.Empty;

            // Find the entity they are searching for or display an error if we couldn't parse the Id.
            entity = GetEntity();

            // If the entity was not found, display an error.
            if (entity == null)
                nbWarning.Text = "Could not find the entity, maybe the wrong Id was specified.";

            // Get the selected person or use the currently logged in person.
            var person = ppPerson.PersonId.HasValue ? new PersonService(new RockContext()).Get(ppPerson.PersonId.Value) : CurrentPerson;

            BindGrid(entity, person);

            pnlResult.Visible = true;
예제 #6
        /// <summary>
        /// Updates authorization rules for the entity so that the current person is allowed to perform the specified action.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <param name="rockContext">The rock context.</param>
        public static void AllowPerson( ISecured entity, string action, Person person, RockContext rockContext = null )
            if ( person != null )
                rockContext = rockContext ?? new RockContext();

                // If there's no Authorizations object, create it
                if ( Authorizations == null )
                    Load( rockContext );

                var authService = new AuthService( rockContext );

                // If there are not entries in the Authorizations object for this entity type and entity instance, create
                // the dictionary entries
                if ( !Authorizations.Keys.Contains( entity.TypeId ) )
                    Authorizations.Add( entity.TypeId, new Dictionary<int, Dictionary<string, List<AuthRule>>>() );

                if ( !Authorizations[entity.TypeId].Keys.Contains( entity.Id ) )
                    Authorizations[entity.TypeId].Add( entity.Id, new Dictionary<string, List<AuthRule>>() );

                List<AuthRule> rules = null;
                if ( Authorizations[entity.TypeId][entity.Id].Keys.Contains( action ) )
                    rules = Authorizations[entity.TypeId][entity.Id][action];
                    rules = new List<AuthRule>();
                    Authorizations[entity.TypeId][entity.Id].Add( action, rules );

                int order = 0;

                Auth auth = new Auth();
                auth.EntityTypeId = entity.TypeId;
                auth.EntityId = entity.Id;
                auth.Order = order++;
                auth.Action = action;
                auth.AllowOrDeny = "A";
                auth.SpecialRole = SpecialRole.None;
                auth.PersonId = person.Id;
                authService.Add( auth );

                foreach(var rule in rules)
                    var existingAuth = authService.Get( rule.Id );
                    existingAuth.Order = order++;


                rules.Insert(0, new AuthRule( auth ) );
예제 #7
        /// <summary>
        /// Evaluates whether a selected user is allowed to perform the selected action on the selected
        /// entity.
        /// </summary>
        /// <param name="entity"></param>
        /// <param name="action"></param>
        /// <param name="user"></param>
        /// <returns></returns>
        public static bool Authorized( ISecured entity, string action, System.Web.Security.MembershipUser user )
            // If there's no Authorizations object, create it
            if ( Authorizations == null )

            // If there's no entry in the Authorizations object for this entity type, return the default authorization
            if ( !Authorizations.Keys.Contains( entity.AuthEntity ) )
                return entity.DefaultAuthorization( action );

            // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
            // one to find the first one specific to the selected user or a role that the selected user belongs
            // to.  If a match is found return whether the user is allowed (true) or denied (false) access
            if ( Authorizations[entity.AuthEntity].Keys.Contains( entity.Id ) &&
                Authorizations[entity.AuthEntity][entity.Id].Keys.Contains( action ) )
                foreach ( AuthRule authRule in Authorizations[entity.AuthEntity][entity.Id][action] )
                    if ( authRule.UserOrRoleName == "*" )
                        return authRule.AllowOrDeny == "A";

                    if ( user != null )
                        if ( ( authRule.UserOrRole == "U" && user.UserName == authRule.UserOrRoleName ) ||
                        ( authRule.UserOrRole == "R" && System.Web.Security.Roles.IsUserInRole( user.UserName, authRule.UserOrRoleName ) ) )
                            return authRule.AllowOrDeny == "A";

            // If not match was found for the selected user on the current entity instance, check to see if the instance
            // has a parent authority defined and if so evaluate that entities authorization rules.  If there is no
            // parent authority return the defualt authorization
            if ( entity.ParentAuthority != null )
                return Authorized( entity.ParentAuthority, action, user );
                return entity.DefaultAuthorization( action );
예제 #8
        /// <summary>
        /// Gets the ordered explicit authorization rules for an entity. The first rule in the list
        /// should be checked first, and so on. The order follows from the first explicit rule on the
        /// entity to the last explicit rule on the entity, then the first explicit rule on the parent
        /// entity to the last explicit rule on the parent entity and so on.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <returns>A collection of explicit authorization rules in the proper order.</returns>
        private static List <string> GetOrderedExplicitAuthorizationRules(ISecured entity)
            var explicitRules = new List <string>();

            if (entity == null)

            // Get the ancestor authorization rules.
            var parentEntity = entity.ParentAuthority;

            if (parentEntity != null)
                explicitRules = GetOrderedExplicitAuthorizationRules(parentEntity);

            var authRules = Authorization.AuthRules(entity.TypeId, entity.Id, Authorization.VIEW);

            // Walk each rule in descending order so that the final order is correct
            // since we insert rules at index 0.
            foreach (var rule in authRules.OrderByDescending(a => a.Order))
                string entityIdentifier;

                if (rule.SpecialRole != SpecialRole.None)
                    entityIdentifier = $"S:{( int ) rule.SpecialRole}";
                else if (rule.GroupId.HasValue)
                    var role = RoleCache.Get(rule.GroupId.Value);

                    if (role == null)

                    entityIdentifier = $"G:{role.Guid}";
                else if (rule.PersonId.HasValue)
                    /* Not currently supported, maybe in the future. -dsh */

                explicitRules.Insert(0, $"{entityIdentifier}:{rule.AllowOrDeny}");

예제 #9
        public static void CopyAuthorization( ISecured sourceEntity, ISecured targetEntity, int? personId )
            using ( new Rock.Helpers.UnitOfWorkScope() )
                // If there's no Authorizations object, create it
                if ( Authorizations == null )

                AuthService authService = new AuthService();

                // Delete the current authorizations for the target entity
                foreach(Auth auth in authService.GetAuthsByEntityTypeAndEntityId(targetEntity.AuthEntity, targetEntity.Id))

                Dictionary<string, List<AuthRule>> newActions = new Dictionary<string, List<AuthRule>>();

                int order = 0;
                foreach ( KeyValuePair<string, List<AuthRule>> action in Authorizations[sourceEntity.AuthEntity][sourceEntity.Id] )
                    if (targetEntity.SupportedActions.Contains(action.Key))
                        newActions.Add( action.Key, new List<AuthRule>() );

                        foreach ( AuthRule rule in action.Value )
                            Auth auth = new Auth();
                            auth.EntityType = targetEntity.AuthEntity;
                            auth.EntityId = targetEntity.Id;
                            auth.Order = order;
                            auth.Action = action.Key;
                            auth.AllowOrDeny = rule.AllowOrDeny;
                            auth.UserOrRole = rule.UserOrRole;
                            auth.UserOrRoleName = rule.UserOrRoleName;

                            authService.Save(auth, personId);

                            newActions[action.Key].Add( new AuthRule( rule.AllowOrDeny, rule.UserOrRole, rule.UserOrRoleName ) );


                if ( !Authorizations.ContainsKey( targetEntity.AuthEntity ) )
                    Authorizations.Add( targetEntity.AuthEntity, new Dictionary<int, Dictionary<string, List<AuthRule>>>() );

                Dictionary<int, Dictionary<string, List<AuthRule>>> entityType = Authorizations[targetEntity.AuthEntity];

                if ( !entityType.ContainsKey( targetEntity.Id ) )
                    entityType.Add( targetEntity.Id, new Dictionary<string, List<AuthRule>>() );

                entityType[targetEntity.Id] = newActions;
 /// <summary>
 ///     Initializes a new instance of the
 ///     <see cref="NotAuthorizedToEditException" />
 ///     class.
 /// </summary>
 /// <param name="person">
 ///     The <see cref="Person" /> performing the edit,
 ///     whose authorizations should be checked.
 /// </param>
 /// <param name="entity">
 ///     The <see cref="ISecured" /> entity being edited.
 /// </param>
 public NotAuthorizedToEditException(Person person, ISecured entity)
     : base
             "{0} is not authorized to edit {1}.",
             (String.IsNullOrWhiteSpace(person.FullName) ? "Person" : person.FullName.Trim()),
             (String.IsNullOrWhiteSpace(entity.TypeName) ? "entity" : entity.TypeName.Trim())
예제 #11
 /// <summary>
 /// Updates authorization rules for the entity so that the current person is allowed to perform the specified action.
 /// </summary>
 /// <param name="entity">The entity.</param>
 /// <param name="action">The action.</param>
 /// <param name="person">The person.</param>
 /// <param name="rockContext">The rock context.</param>
 public static void AllowPerson(ISecured entity, string action, Person person, RockContext rockContext = null)
     if (rockContext != null)
         MyAllowPerson(entity, action, person, rockContext);
         using (var myRockContext = new RockContext())
             MyAllowPerson(entity, action, person, myRockContext);
예제 #12
        /// <summary>
        ///   Checks if principal Users has access to some action (AccessRight).
        /// </summary>
        /// <param name="secured"> Secured entity. </param>
        /// <param name="right"> AccessRight action </param>
        /// <param name="principal"> Current principal. </param>
        /// <returns> Value indicates if action is approved for selected role. </returns>
        //public static bool IsAllowed(this ISecured secured, AccessRight right, IPrincipal principal, IUsersInRolesRepository uic)
        //    var user = principal.Identity.Name;
        //    var roles = uic.GetAll();
        //    var v = roles.Any(role => secured.IsAllowed(right, user));
        //    return v;

        private static Access GetAccess(ISecured secured, AccessRight right, string role)
            var access = secured.Permissions.GetAccess(right, role);

            if (access != Access.Inherit)

            var securedChild = secured as ISecuredChild;

            return(securedChild == null || securedChild.Parent == null
                       ? Access.Inherit
                       : GetAccess(securedChild.Parent, right, role));
예제 #13
        /// <summary>
        ///   Checks if role has access to some action (AccessRight).
        /// </summary>
        /// <param name="secured"> Secured entity. </param>
        /// <param name="right"> AccessRight action </param>
        /// <param name="role"> Role to check against. </param>
        /// <returns> Value indicates if action is approved for selected role. </returns>
        public static bool IsAllowed(this ISecured secured, AccessRight right, string role)
            if (CmsContext.UnrestrictedRoles.Any(x => x == role))

            var access = GetAccess(secured, right, role);

            if (access == Access.Inherit)
                access = GetApplicationAccess(secured, right, role);

            return(access == Access.Allow);
예제 #14
        private static void MyMakeUnPrivate(ISecured entity, string action, Person person, RockContext rockContext)
            if (IsPrivate(entity, action, person))
                var authService = new AuthService(rockContext);

                // if is private, then there are only two rules for this action that should be deleted
                foreach (AuthRule authRule in Authorizations[entity.TypeId][entity.Id][action])
                    var oldAuth = authService.Get(authRule.Id);


                Authorizations[entity.TypeId][entity.Id][action] = new List <AuthRule>();
예제 #15
        private static bool?ItemAuthorized(ISecured entity, string action, SpecialRole specialRole)
            // If there's no Authorizations object, create it
            if (Authorizations == null)

            var entityTypeId = entity.TypeId;

            // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
            // one to find the first one specific to the selected user or a role that the selected user belongs
            // to.  If a match is found return whether the user is allowed (true) or denied (false) access
            if (Authorizations.Keys.Contains(entityTypeId) &&
                Authorizations[entityTypeId].Keys.Contains(entity.Id) &&
                foreach (AuthRule authRule in Authorizations[entityTypeId][entity.Id][action])
                    if (authRule.SpecialRole == specialRole)
                        return(authRule.AllowOrDeny == "A");

            // If no match was found for the selected user on the current entity instance, check to see if the instance
            // has a parent authority defined and if so evaluate that entities authorization rules.  If there is no
            // parent authority return the defualt authorization
            bool?parentAuthorized = null;

            if (entity.ParentAuthorityPre != null)
                parentAuthorized = ItemAuthorized(entity.ParentAuthorityPre, action, specialRole);

            if (!parentAuthorized.HasValue && entity.ParentAuthority != null)
                parentAuthorized = ItemAuthorized(entity.ParentAuthority, action, specialRole);

예제 #16
        private void AddParentRules(List <MyAuthRule> rules, ISecured parent, string action)
            if (parent != null)
                var entityType = Rock.Web.Cache.EntityTypeCache.Read(parent.TypeId);
                foreach (AuthRule rule in Authorization.AuthRules(parent.TypeId, parent.Id, action))
                    if (!rules.Exists(r =>
                                      r.SpecialRole == rule.SpecialRole &&
                                      r.PersonId == rule.PersonId &&
                                      r.GroupId == rule.GroupId))
                        var myRule = new MyAuthRule(rule);
                        myRule.EntityTitle = string.Format("{0} ({1})", parent.ToString(), entityType.FriendlyName ?? entityType.Name).TrimStart();

                AddParentRules(rules, parent.ParentAuthority, action);
예제 #17
 /// <summary>
 /// Checks to see if the person is authorized to VIEW
 /// </summary>
 /// <param name="securedModel">The secured model.</param>
 /// <param name="person">The person.</param>
 /// <exception cref="System.Web.Http.HttpResponseException">
 /// </exception>
 protected virtual void CheckCanView(ISecured securedModel, Person person)
     if (securedModel != null)
         if (IsProxy(securedModel))
             if (!securedModel.IsAuthorized(Rock.Security.Authorization.VIEW, person))
                 throw new HttpResponseException(HttpStatusCode.Unauthorized);
             // Need to reload using service with a proxy enabled so that if model has custom
             // parent authorities, those properties can be lazy-loaded and checked for authorization
             ISecured reloadedModel = (ISecured)Service.Get(securedModel.Id);
             if (reloadedModel != null && !reloadedModel.IsAuthorized(Rock.Security.Authorization.VIEW, person))
                 throw new HttpResponseException(HttpStatusCode.Unauthorized);
예제 #18
 /// <summary>
 /// Evaluates whether a selected user is allowed to perform the selected action on the selected
 /// entity.
 /// </summary>
 /// <param name="entity">The entity.</param>
 /// <param name="action">The action.</param>
 /// <param name="specialRole">The special role.</param>
 /// <returns></returns>
 public static bool Authorized( ISecured entity, string action, SpecialRole specialRole )
     return ItemAuthorized( entity, action, specialRole, true, true ) ?? entity.IsAllowedByDefault( action );
예제 #19
 /// <summary>
 /// Updates authorization rules for the entity so that the current person is allowed to perform the specified action.
 /// </summary>
 /// <param name="entity">The entity.</param>
 /// <param name="action">The action.</param>
 /// <param name="person">The person.</param>
 /// <param name="rockContext">The rock context.</param>
 public static void AllowPerson( ISecured entity, string action, Person person, RockContext rockContext = null )
     if ( rockContext != null )
         MyAllow( entity, action, person, null, SpecialRole.None, rockContext );
         using ( var myRockContext = new RockContext() )
             MyAllow( entity, action, person, null, SpecialRole.None, myRockContext );
예제 #20
        /// <summary>
        /// Updates the bulk update security.
        /// </summary>
        private static void UpdateBulkUpdateSecurity()
            var rockContext = new RockContext();
            var authService = new Rock.Model.AuthService(rockContext);

            var bulkUpdateBlockType = BlockTypeCache.Get(Rock.SystemGuid.BlockType.BULK_UPDATE.AsGuid());
            var bulkUpdateBlocks    = new BlockService(rockContext).Queryable().Where(a => a.BlockTypeId == bulkUpdateBlockType.Id).ToList();

            foreach (var bulkUpdateBlock in bulkUpdateBlocks)
                var alreadyUpdated = authService.Queryable().Where(a =>
                                                                   (a.Action == "EditConnectionStatus" || a.Action == "EditRecordStatus") &&
                                                                   a.EntityTypeId == bulkUpdateBlock.TypeId &&
                                                                   a.EntityId == bulkUpdateBlock.Id).Any();

                if (alreadyUpdated)
                    // EditConnectionStatus and/or EditRecordStatus has already been set, so don't copy VIEW auth to it

                var groupIdAuthRules     = new HashSet <int>();
                var personIdAuthRules    = new HashSet <int>();
                var specialRoleAuthRules = new HashSet <SpecialRole>();
                var authRulesToAdd       = new List <AuthRule>();

                Dictionary <ISecured, List <AuthRule> > parentAuthRulesList = new Dictionary <ISecured, List <AuthRule> >();
                ISecured secured = bulkUpdateBlock;
                while (secured != null)
                    var             entityType = secured.TypeId;
                    List <AuthRule> authRules  = Authorization.AuthRules(secured.TypeId, secured.Id, Authorization.VIEW).OrderBy(a => a.Order).ToList();

                    foreach (var rule in authRules)
                        if (rule.GroupId.HasValue)
                            if (!groupIdAuthRules.Contains(rule.GroupId.Value))

                        else if (rule.PersonId.HasValue)
                            if (!personIdAuthRules.Contains(rule.PersonId.Value))
                        else if (rule.SpecialRole != SpecialRole.None)
                            if (!specialRoleAuthRules.Contains(rule.SpecialRole))

                    secured = secured.ParentAuthority;

                List <Auth> authsToAdd = new List <Auth>();

                foreach (var auth in authRulesToAdd)
                    authsToAdd.Add(AddAuth(bulkUpdateBlock, auth, "EditConnectionStatus"));
                    authsToAdd.Add(AddAuth(bulkUpdateBlock, auth, "EditRecordStatus"));

                int authOrder = 0;
                authsToAdd.ForEach(a => a.Order = authOrder++);

                Authorization.RefreshAction(bulkUpdateBlock.TypeId, bulkUpdateBlock.Id, "EditConnectionStatus");
                Authorization.RefreshAction(bulkUpdateBlock.TypeId, bulkUpdateBlock.Id, "EditRecordStatus");

예제 #21
        /// <summary>
        /// Evaluates whether a selected user is allowed to perform the selected action on the selected
        /// entity.
        /// </summary>
        /// <param name="entity"></param>
        /// <param name="action"></param>
        /// <param name="user"></param>
        /// <returns></returns>
        public static bool Authorized(ISecured entity, string action, Rock.CMS.User user)
            //    return Authorized( entity, action, user != null ? user.Person.Guid.ToString() : string.Empty );

            ///// <summary>
            ///// Evaluates whether a selected user is allowed to perform the selected action on the selected
            ///// entity.
            ///// </summary>
            ///// <param name="entity">The entity.</param>
            ///// <param name="action">The action.</param>
            ///// <param name="userName">Name of the user.</param>
            ///// <returns></returns>
            //private static bool Authorized( ISecured entity, string action, string userName )
            // If there's no Authorizations object, create it
            if (Authorizations == null)

            // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
            // one to find the first one specific to the selected user or a role that the selected user belongs
            // to.  If a match is found return whether the user is allowed (true) or denied (false) access
            if (Authorizations.Keys.Contains(entity.AuthEntity) &&
                Authorizations[entity.AuthEntity].Keys.Contains(entity.Id) &&
                string userName = user != null?user.Person.Guid.ToString() : string.Empty;

                foreach (AuthRule authRule in Authorizations[entity.AuthEntity][entity.Id][action])
                    // All Users
                    if (authRule.SpecialRole == SpecialRole.AllUsers)
                        return(authRule.AllowOrDeny == "A");

                    // All Authenticated Users
                    if (authRule.SpecialRole == SpecialRole.AllAuthenticatedUsers && userName.Trim() != string.Empty)
                        return(authRule.AllowOrDeny == "A");

                    // All Unauthenticated Users
                    if (authRule.SpecialRole == SpecialRole.AllUnAuthenticatedUsers && userName.Trim() == string.Empty)
                        return(authRule.AllowOrDeny == "A");

                    if (authRule.SpecialRole == SpecialRole.None && userName != string.Empty)
                        // See if person has been authorized to entity
                        if (authRule.PersonId.HasValue &&
                            user.PersonId.HasValue &&
                            authRule.PersonId.Value == user.PersonId.Value)
                            return(authRule.AllowOrDeny == "A");

                        // See if person is in role authorized
                        if (authRule.GroupId.HasValue)
                            Role role = Role.Read(authRule.GroupId.Value);
                            if (role != null && role.UserInRole(userName))
                                return(authRule.AllowOrDeny == "A");

            // If not match was found for the selected user on the current entity instance, check to see if the instance
            // has a parent authority defined and if so evaluate that entities authorization rules.  If there is no
            // parent authority return the defualt authorization
            if (entity.ParentAuthority != null)
                return(Authorized(entity.ParentAuthority, action, user));
예제 #22
 /// <summary>
 /// Copies the authorization.
 /// </summary>
 /// <param name="sourceEntity">The source entity.</param>
 /// <param name="targetEntity">The target entity.</param>
 public static void CopyAuthorization( ISecured sourceEntity, ISecured targetEntity )
     using ( var rockContext = new RockContext() )
         CopyAuthorization( sourceEntity, targetEntity, rockContext );
예제 #23
        /// <summary>
        /// Adds the parent rules.
        /// </summary>
        /// <param name="authService">The authentication service.</param>
        /// <param name="itemRules">The item rules.</param>
        /// <param name="parentRules">The parent rules.</param>
        /// <param name="parent">The parent.</param>
        /// <param name="action">The action.</param>
        /// <param name="recurse">if set to <c>true</c> [recurse].</param>
        private void AddParentRules( AuthService authService, List<AuthRule> itemRules, List<MyAuthRule> parentRules, ISecured parent, string action, bool recurse )
            if ( parent != null )
                var entityType = Rock.Web.Cache.EntityTypeCache.Read( parent.TypeId );
                foreach ( var auth in authService.GetAuths( parent.TypeId, parent.Id, action ) )
                    var rule = new AuthRule( auth );

                    if ( !itemRules.Exists( r =>
                            r.SpecialRole == rule.SpecialRole &&
                            r.PersonId == rule.PersonId &&
                            r.GroupId == rule.GroupId ) &&
                        !parentRules.Exists( r =>
                            r.AuthRule.SpecialRole == rule.SpecialRole &&
                            r.AuthRule.PersonId == rule.PersonId &&
                            r.AuthRule.GroupId == rule.GroupId ) )
                        var myRule = new MyAuthRule( rule );
                        myRule.EntityTitle = string.Format( "{0} <small>({1})</small>", parent.ToString(), entityType.FriendlyName ?? entityType.Name ).TrimStart();
                        parentRules.Add( myRule );

                if ( recurse )
                    AddParentRules( authService, itemRules, parentRules, parent.ParentAuthority, action, true );
예제 #24
 /// <summary>
 /// Removes that two authorization rules that made the entity private.
 /// </summary>
 /// <param name="entity">The entity.</param>
 /// <param name="action">The action.</param>
 /// <param name="person">The person.</param>
 /// <param name="rockContext">The rock context.</param>
 public static void MakeUnPrivate( ISecured entity, string action, Person person, RockContext rockContext = null )
     if ( rockContext != null )
         MyMakeUnPrivate( entity, action, person, rockContext );
         using ( var myRockContext = new RockContext() )
             MyMakeUnPrivate( entity, action, person, myRockContext );
예제 #25
        /// <summary>
        /// Removes that two authorization rules that made the entity private.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <param name="rockContext">The rock context.</param>
        public static void MakeUnPrivate( ISecured entity, string action, Person person, RockContext rockContext = null )
            if ( IsPrivate( entity, action, person ) )
                rockContext = rockContext ?? new RockContext();
                var authService = new AuthService( rockContext );

                // if is private, then there are only two rules for this action that should be deleted
                foreach ( AuthRule authRule in Authorizations[entity.TypeId][entity.Id][action] )
                    var oldAuth = authService.Get( authRule.Id );
                    authService.Delete( oldAuth );


                Authorizations[entity.TypeId][entity.Id][action] = new List<AuthRule>();
예제 #26
        /// <summary>
        /// Evaluates whether a selected person is allowed to perform the selected action on the selected
        /// entity.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <param name="rockContext">The rock context.</param>
        /// <returns></returns>
        public static bool Authorized( ISecured entity, string action, Rock.Model.Person person, RockContext rockContext = null )
            // If there's no Authorizations object, create it
            if ( Authorizations == null )
                rockContext = rockContext ?? new RockContext();
                Load( rockContext );

            var entityTypeId = entity.TypeId;

            // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
                // one to find the first one specific to the selected user or a role that the selected user belongs
                // to.  If a match is found return whether the user is allowed (true) or denied (false) access
            if ( Authorizations.Keys.Contains( entityTypeId ) &&
                Authorizations[entityTypeId].Keys.Contains( entity.Id ) &&
                Authorizations[entityTypeId][entity.Id].Keys.Contains( action ) )
                string userName = person != null ? person.Guid.ToString() : string.Empty;

                foreach ( AuthRule authRule in Authorizations[entityTypeId][entity.Id][action] )
                    // All Users
                    if ( authRule.SpecialRole == SpecialRole.AllUsers )
                        return authRule.AllowOrDeny == "A";

                    // All Authenticated Users
                    if ( authRule.SpecialRole == SpecialRole.AllAuthenticatedUsers && userName.Trim() != string.Empty )
                        return authRule.AllowOrDeny == "A";

                    // All Unauthenticated Users
                    if ( authRule.SpecialRole == SpecialRole.AllUnAuthenticatedUsers && userName.Trim() == string.Empty )
                        return authRule.AllowOrDeny == "A";

                    if ( authRule.SpecialRole == SpecialRole.None && person != null )
                        // See if person has been authorized to entity
                        if ( authRule.PersonId.HasValue &&
                            authRule.PersonId.Value == person.Id )
                            return authRule.AllowOrDeny == "A";

                        // See if person is in role authorized
                        if ( authRule.GroupId.HasValue )
                            Role role = Role.Read( authRule.GroupId.Value );
                            if ( role != null && role.IsUserInRole( userName ) )
                                return authRule.AllowOrDeny == "A";

            // If no match was found for the selected user on the current entity instance, check to see if the instance
            // has a parent authority defined and if so evaluate that entities authorization rules.  If there is no
            // parent authority return the defualt authorization
            if ( entity.ParentAuthority != null )
                return Authorized( entity.ParentAuthority, action, person );
                return entity.IsAllowedByDefault( action );
예제 #27
        /// <summary>
        /// Evaluates whether a selected user is allowed to perform the selected action on the selected
        /// entity.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="specialRole">The special role.</param>
        /// <returns></returns>
        public static bool Authorized( ISecured entity, string action, SpecialRole specialRole )
            // If there's no Authorizations object, create it
            if ( Authorizations == null )
                Load( new RockContext() );

            var entityTypeId = entity.TypeId;

            // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
            // one to find the first one specific to the selected user or a role that the selected user belongs
            // to.  If a match is found return whether the user is allowed (true) or denied (false) access
            if ( Authorizations.Keys.Contains( entityTypeId ) &&
                Authorizations[entityTypeId].Keys.Contains( entity.Id ) &&
                Authorizations[entityTypeId][entity.Id].Keys.Contains( action ) )
                foreach ( AuthRule authRule in Authorizations[entityTypeId][entity.Id][action] )
                    if ( authRule.SpecialRole == specialRole )
                        return authRule.AllowOrDeny == "A";

            // If no match was found for the selected user on the current entity instance, check to see if the instance
            // has a parent authority defined and if so evaluate that entities authorization rules.  If there is no
            // parent authority return the defualt authorization
            if ( entity.ParentAuthority != null )
                return Authorized( entity.ParentAuthority, action, specialRole );
                return entity.IsAllowedByDefault( action );
예제 #28
        /// <summary>
        /// Copies the authorizations from one <see cref="ISecured" /> object to another
        /// </summary>
        /// <param name="sourceEntity">The source entity.</param>
        /// <param name="targetEntity">The target entity.</param>
        /// <param name="rockContext">The rock context.</param>
        /// <remarks>
        /// If a rockContext value is included, this method will save any previous changes made to the context
        /// </remarks>
        public static void CopyAuthorization( ISecured sourceEntity, ISecured targetEntity, RockContext rockContext = null )
            rockContext = rockContext ?? new RockContext();

            // If there's no Authorizations object, create it
            if ( Authorizations == null )
                Load( rockContext );

            var sourceEntityTypeId = sourceEntity.TypeId;
            var targetEntityTypeId = targetEntity.TypeId;

            AuthService authService = new AuthService( rockContext );

            // Delete the current authorizations for the target entity
            foreach ( Auth auth in authService.Get( targetEntityTypeId, targetEntity.Id ) )
                authService.Delete( auth );

            Dictionary<string, List<AuthRule>> newActions = new Dictionary<string, List<AuthRule>>();

            int order = 0;
            if ( Authorizations.ContainsKey( sourceEntityTypeId ) && Authorizations[sourceEntityTypeId].ContainsKey( sourceEntity.Id ) )
                foreach ( KeyValuePair<string, List<AuthRule>> action in Authorizations[sourceEntityTypeId][sourceEntity.Id] )
                    if ( targetEntity.SupportedActions.ContainsKey( action.Key ) )
                        newActions.Add( action.Key, new List<AuthRule>() );

                        foreach ( AuthRule rule in action.Value )
                            Auth auth = new Auth();
                            auth.EntityTypeId = targetEntityTypeId;
                            auth.EntityId = targetEntity.Id;
                            auth.Order = order;
                            auth.Action = action.Key;
                            auth.AllowOrDeny = rule.AllowOrDeny;
                            auth.SpecialRole = rule.SpecialRole;
                            auth.PersonId = rule.PersonId;
                            auth.GroupId = rule.GroupId;

                            authService.Add( auth );

                            newActions[action.Key].Add( new AuthRule( rule.Id, rule.EntityId, rule.AllowOrDeny, rule.SpecialRole, rule.PersonId, rule.GroupId, rule.Order ) );



            if ( !Authorizations.ContainsKey( targetEntityTypeId ) )
                Authorizations.Add( targetEntityTypeId, new Dictionary<int, Dictionary<string, List<AuthRule>>>() );

            Dictionary<int, Dictionary<string, List<AuthRule>>> entityType = Authorizations[targetEntityTypeId];

            if ( !entityType.ContainsKey( targetEntity.Id ) )
                entityType.Add( targetEntity.Id, new Dictionary<string, List<AuthRule>>() );

            entityType[targetEntity.Id] = newActions;
예제 #29
 /// <summary>
 /// Finds the auth rules.
 /// </summary>
 /// <param name="securableObject">The securable object.</param>
 /// <returns></returns>
 public static IQueryable<AuthRule> FindAuthRules( ISecured securableObject )
     return ( from action in securableObject.SupportedActions
              from rule in AuthRules( securableObject.TypeId, securableObject.Id, action.Key )
              select rule ).AsQueryable();
예제 #30
        /// <summary>
        /// Determines whether the specified entity is private. Entity is considered private if only the current user
        /// has access.  In this scenario, the first rule would give current user access, and second rule would deny
        /// all users.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <param name="rockContext">The rock context.</param>
        /// <returns>
        ///   <c>true</c> if the specified entity is private; otherwise, <c>false</c>.
        /// </returns>
        public static bool IsPrivate( ISecured entity, string action, Person person, RockContext rockContext = null )
            if ( person != null )
                // If there's no Authorizations object, create it
                if ( Authorizations == null )
                    rockContext = rockContext ?? new RockContext();
                    Load( rockContext );

                // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
                // one to find the first one specific to the selected user or a role that the selected user belongs
                // to.  If a match is found return whether the user is allowed (true) or denied (false) access
                if ( Authorizations.Keys.Contains( entity.TypeId ) &&
                    Authorizations[entity.TypeId].Keys.Contains( entity.Id ) &&
                    Authorizations[entity.TypeId][entity.Id].Keys.Contains( action ) &&
                    Authorizations[entity.TypeId][entity.Id][action].Count == 2 )
                    AuthRule firstRule = Authorizations[entity.TypeId][entity.Id][action][0];
                    AuthRule secondRule = Authorizations[entity.TypeId][entity.Id][action][1];

                    // If first rule allows current user, and second rule denies all other users then entity is private
                    if ( firstRule.AllowOrDeny == "A" &&
                        firstRule.SpecialRole == SpecialRole.None &&
                        firstRule.PersonId == person.Id &&
                        secondRule.AllowOrDeny == "D" &&
                        secondRule.SpecialRole == SpecialRole.AllUsers )
                        return true;

            return false;
예제 #31
        private static Access GetApplicationAccess(ISecured secured, AccessRight right, string role)
            var application = CmsContext.Current.GetApplication(secured.GetType()) as ISecured;

            return(application == null ? Access.Deny : application.Permissions.GetAccess(right, role));
예제 #32
        /// <summary>
        /// Occurs before the action method is invoked.
        /// </summary>
        /// <param name="actionContext">The action context.</param>
        public override void OnActionExecuting(HttpActionContext actionContext)
            var    principal = actionContext.Request.GetUserPrincipal();
            Person person    = null;

            if (principal != null && principal.Identity != null)
                using (var rockContext = new RockContext())
                    string    userName  = principal.Identity.Name;
                    UserLogin userLogin = null;
                    if (userName.StartsWith("rckipid="))
                        var personService      = new PersonService(rockContext);
                        var impersonatedPerson = personService.GetByImpersonationToken(userName.Substring(8));
                        if (impersonatedPerson != null)
                            userLogin = impersonatedPerson.GetImpersonatedUser();
                        var userLoginService = new UserLoginService(rockContext);
                        userLogin = userLoginService.GetByUserName(userName);

                    if (userLogin != null)
                        person = userLogin.Person;
                        var pinAuthentication = AuthenticationContainer.GetComponent(typeof(Security.Authentication.PINAuthentication).FullName);

                        // Don't allow PIN authentications.
                        if (userLogin.EntityTypeId != null)
                            var userLoginEntityType = EntityTypeCache.Get(userLogin.EntityTypeId.Value);
                            if (userLoginEntityType != null && userLoginEntityType.Id == pinAuthentication.EntityType.Id)
                                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);

            var reflectedHttpActionDescriptor = ( ReflectedHttpActionDescriptor )actionContext.ActionDescriptor;

            var controller          = actionContext.ActionDescriptor.ControllerDescriptor;
            var controllerClassName = controller.ControllerType.FullName;
            var actionMethod        = actionContext.Request.Method.Method;

            var      apiId = RestControllerService.GetApiId(reflectedHttpActionDescriptor.MethodInfo, actionMethod, controller.ControllerName);
            ISecured item  = RestActionCache.Get(apiId);

            if (item == null)
                // if there isn't a RestAction in the database, use the Controller as the secured item
                item = RestControllerCache.Get(controllerClassName);
                if (item == null)
                    item = new RestController();

            if (actionContext.Request.Properties.Keys.Contains("Person"))
                person = actionContext.Request.Properties["Person"] as Person;
                actionContext.Request.Properties.Add("Person", person);

                /* 12/12/2019 BJW
                 * Setting this current person item was only done in put, post, and patch in the ApiController
                 * class. Set it here so that it is always set for all methods, including delete. This enhances
                 * history logging done in the pre and post save model hooks (when the pre-save event is called
                 * we can access DbContext.GetCurrentPersonAlias and log who deleted the record).
                 * Task: https://app.asana.com/0/1120115219297347/1153140643799337/f
                System.Web.HttpContext.Current.AddOrReplaceItem("CurrentPerson", person);

            string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
                            Security.Authorization.VIEW : Security.Authorization.EDIT;

            bool authorized = false;

            if (item.IsAuthorized(action, person))
                authorized = true;
            else if (actionContext.Request.Headers.Contains("X-Rock-App-Id") && actionContext.Request.Headers.Contains("X-Rock-Mobile-Api-Key"))
                // Normal authorization failed, but this is a Mobile App request so check
                // if the application itself has been given permission.
                var appId        = actionContext.Request.Headers.GetValues("X-Rock-App-Id").First().AsIntegerOrNull();
                var mobileApiKey = actionContext.Request.Headers.GetValues("X-Rock-Mobile-Api-Key").First();

                if (appId.HasValue)
                    using (var rockContext = new RockContext())
                        var appUser = Mobile.MobileHelper.GetMobileApplicationUser(appId.Value, mobileApiKey, rockContext);

                        if (appUser != null && item.IsAuthorized(action, appUser.Person))
                            authorized = true;

            if (!authorized)
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
예제 #33
        /// <summary>
        /// Renders the specified context.
        /// </summary>
        /// <param name="context">The context.</param>
        /// <param name="result">The result.</param>
        /// <exception cref="System.Exception">Your Lava command must contain at least one valid filter. If you configured a filter it's possible that the property or attribute you provided does not exist.</exception>
        public override void Render(Context context, TextWriter result)
            // first ensure that entity commands are allowed in the context
            if (!this.IsAuthorized(context))
                result.Write(string.Format(RockLavaBlockBase.NotAuthorizedMessage, this.Name));
                base.Render(context, result);

            bool hasFilter = false;

            var modelName = string.Empty;

            // get a service for the entity based off it's friendly name
            if (_entityName == "business")
                modelName = "Rock.Model.Person";
                modelName = "Rock.Model." + _entityName;

            // Check first to see if this is a core model. use the createIfNotFound = false option
            var entityTypeCache = EntityTypeCache.Get(modelName, false);

            if (entityTypeCache == null)
                var entityTypes = EntityTypeCache.All();

                // If not, look for first plug-in model that has same friendly name
                entityTypeCache = entityTypes
                                  .Where(e =>
                                         e.IsEntity &&
                                         !e.Name.StartsWith("Rock.Model") &&
                                         e.FriendlyName != null &&
                                         e.FriendlyName.RemoveSpaces().ToLower() == _entityName)
                                  .OrderBy(e => e.Id)

                // If still null check to see if this was a duplicate class and full class name was used as entity name
                if (entityTypeCache == null)
                    modelName       = _entityName.Replace('_', '.');
                    entityTypeCache = entityTypes.Where(e => String.Equals(e.Name, modelName, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();

            if (entityTypeCache != null)
                Type entityType = entityTypeCache.GetEntityType();
                if (entityType != null)
                    // Get the appropriate database context for this entity type.
                    // Note that this may be different from the standard RockContext if the entity is sourced from a plug-in.
                    var dbContext = Reflection.GetDbContextForEntityType(entityType);

                    // Check if there is a RockContext in the Lava context. If so then use the RockContext passed in.
                    if (dbContext is RockContext)
                        var lavaContext = context.Registers["RockContext"];

                        if (lavaContext.IsNotNull())
                            dbContext = (DbContext)lavaContext;

                    // Disable change-tracking for this data context to improve performance - objects supplied to a Lava context are read-only.
                    dbContext.Configuration.AutoDetectChangesEnabled = false;

                    // Create an instance of the entity's service
                    IService serviceInstance = Reflection.GetServiceForEntityType(entityType, dbContext);

                    ParameterExpression paramExpression = Expression.Parameter(entityType, "x");
                    Expression          queryExpression = null; // the base expression we'll use to build our query from

                    // Parse markup
                    var parms = ParseMarkup(_markup, context);

                    if (parms.Any(p => p.Key == "id"))
                        string propertyName = "Id";

                        List <string> selectionParms = new List <string>();

                        var entityProperty = entityType.GetProperty(propertyName);
                        queryExpression = ExpressionHelper.PropertyFilterExpression(selectionParms, paramExpression, propertyName, entityProperty.PropertyType);

                        hasFilter = true;
                        // where clause expression
                        if (parms.Any(p => p.Key == "where"))
                            queryExpression = ParseWhere(parms["where"], entityType, serviceInstance, paramExpression, entityType, entityTypeCache);

                            if (queryExpression != null)
                                hasFilter = true;

                        // DataView expression
                        if (parms.Any(p => p.Key == "dataview"))
                            var dataViewId = parms["dataview"].AsIntegerOrNull();

                            if (dataViewId.HasValue)
                                var dataViewExpression = GetDataViewExpression(dataViewId.Value, serviceInstance, paramExpression, entityTypeCache);

                                if (queryExpression == null)
                                    queryExpression = dataViewExpression;
                                    hasFilter       = true;
                                    queryExpression = Expression.AndAlso(queryExpression, dataViewExpression);

                        // process dynamic filter expressions (from the query string)
                        if (parms.Any(p => p.Key == "dynamicparameters"))
                            var dynamicFilters = parms["dynamicparameters"].Split(',')
                                                 .Select(x => x.Trim())
                                                 .Where(x => !string.IsNullOrWhiteSpace(x))

                            foreach (var dynamicFilter in dynamicFilters)
                                var dynamicFilterValue      = HttpContext.Current.Request[dynamicFilter];
                                var dynamicFilterExpression = GetDynamicFilterExpression(dynamicFilter, dynamicFilterValue, entityType, serviceInstance, paramExpression);
                                if (dynamicFilterExpression != null)
                                    if (queryExpression == null)
                                        queryExpression = dynamicFilterExpression;
                                        hasFilter       = true;
                                        queryExpression = Expression.AndAlso(queryExpression, dynamicFilterExpression);

                    // Make the query from the expression.

                    /* [2020-10-08] DL
                     * "Get" is intentionally used here rather than "GetNoTracking" to allow lazy-loading of navigation properties from the Lava context.
                     * (Refer https://github.com/SparkDevNetwork/Rock/issues/4293)
                    MethodInfo getMethod = serviceInstance.GetType().GetMethod("Get", new Type[] { typeof(ParameterExpression), typeof(Expression), typeof(Rock.Web.UI.Controls.SortProperty), typeof(int?) });

                    if (getMethod != null)
                        // get a listing of ids and build it into the query expression
                        if (parms.Any(p => p.Key == "ids"))
                            List <int>         value = parms["ids"].ToString().Split(',').Select(int.Parse).ToList();
                            MemberExpression   propertyExpression = Expression.Property(paramExpression, "Id");
                            ConstantExpression constantExpression = Expression.Constant(value, typeof(List <int>));
                            Expression         containsExpression = Expression.Call(constantExpression, typeof(List <int>).GetMethod("Contains", new Type[] { typeof(int) }), propertyExpression);
                            if (queryExpression != null)
                                queryExpression = Expression.AndAlso(queryExpression, containsExpression);
                                queryExpression = containsExpression;

                            hasFilter = true;

                        var getResult   = getMethod.Invoke(serviceInstance, new object[] { paramExpression, queryExpression, null, null });
                        var queryResult = getResult as IQueryable <IEntity>;

                        // process entity specific filters
                        switch (_entityName)
                        case "person":
                            queryResult = PersonFilters((IQueryable <Person>)queryResult, parms);

                        case "business":
                            queryResult = BusinessFilters((IQueryable <Person>)queryResult, parms);

                        // if there was a dynamic expression add it now
                        if (parms.Any(p => p.Key == "expression"))
                            queryResult = queryResult.Where(parms["expression"]);
                            hasFilter   = true;

                        var queryResultExpression = queryResult.Expression;

                        // add sort expressions
                        if (parms.Any(p => p.Key == "sort"))
                            string orderByMethod = "OrderBy";

                            foreach (var column in parms["sort"].Split(',').Select(x => x.Trim()).Where(x => !string.IsNullOrWhiteSpace(x)).ToList())
                                string propertyName;
                                var    direction = SortDirection.Ascending;

                                if (column.EndsWith(" desc", StringComparison.OrdinalIgnoreCase))
                                    direction    = SortDirection.Descending;
                                    propertyName = column.Left(column.Length - 5);
                                    propertyName = column;

                                string methodName = direction == SortDirection.Descending ? orderByMethod + "Descending" : orderByMethod;

                                if (entityType.GetProperty(propertyName) != null)
                                    // sorting a entity property
                                    var memberExpression          = Expression.Property(paramExpression, propertyName);
                                    LambdaExpression sortSelector = Expression.Lambda(memberExpression, paramExpression);
                                    queryResultExpression = Expression.Call(typeof(Queryable), methodName, new Type[] { queryResult.ElementType, sortSelector.ReturnType }, queryResultExpression, sortSelector);
                                    // sorting on an attribute

                                    // get attribute id
                                    int?attributeId = null;
                                    foreach (var attribute in AttributeCache.GetByEntityType(entityTypeCache.Id))
                                        if (attribute.Key == propertyName)
                                            attributeId = attribute.Id;

                                    if (attributeId.HasValue)
                                        // get AttributeValue queryable and parameter
                                        if (dbContext is RockContext)
                                            var attributeValues = new AttributeValueService(dbContext as RockContext).Queryable();
                                            ParameterExpression attributeValueParameter = Expression.Parameter(typeof(AttributeValue), "v");
                                            MemberExpression    idExpression            = Expression.Property(paramExpression, "Id");
                                            var attributeExpression = Attribute.Helper.GetAttributeValueExpression(attributeValues, attributeValueParameter, idExpression, attributeId.Value);

                                            LambdaExpression sortSelector = Expression.Lambda(attributeExpression, paramExpression);
                                            queryResultExpression = Expression.Call(typeof(Queryable), methodName, new Type[] { queryResult.ElementType, sortSelector.ReturnType }, queryResultExpression, sortSelector);
                                            throw new Exception(string.Format("The database context for type {0} does not support RockContext attribute value queries.", entityTypeCache.FriendlyName));

                                orderByMethod = "ThenBy";

                        // check to ensure we had some form of filter (otherwise we'll return all results in the table)
                        if (!hasFilter)
                            throw new Exception("Your Lava command must contain at least one valid filter. If you configured a filter it's possible that the property or attribute you provided does not exist.");

                        // reassemble the queryable with the sort expressions
                        queryResult = queryResult.Provider.CreateQuery(queryResultExpression) as IQueryable <IEntity>;

                        if (parms.GetValueOrNull("count").AsBoolean())
                            int countResult = queryResult.Count();
                            context.Scopes.Last()["count"] = countResult;
                            // Run security check on each result if enabled and entity is not a person (we do not check security on people)
                            if (parms["securityenabled"].AsBoolean() && _entityName != "person")
                                var items        = queryResult.ToList();
                                var itemsSecured = new List <IEntity>();

                                Person person = GetCurrentPerson(context);

                                foreach (IEntity item in items)
                                    ISecured itemSecured = item as ISecured;
                                    if (itemSecured == null || itemSecured.IsAuthorized(Authorization.VIEW, person))

                                         *      8/13/2020 - JME
                                         *      It might seem logical to break out of the loop if there is limit parameter provided once the
                                         *  limit is reached. This though has two issues.
                                         *  FIRST
                                         *  Depending how it was implemented it can have the effect of breaking when an offset is
                                         *  provided.
                                         *          {% contentchannelitem where:'ContentChannelId == 1' limit:'3' %}
                                         *          {% for item in contentchannelitemItems %}
                                         *              {{ item.Id }} - {{ item.Title }}<br>
                                         *          {% endfor %}
                                         *      {% endcontentchannelitem %}
                                         *  Returns 3 items (correct)
                                         *      {% contentchannelitem where:'ContentChannelId == 1' limit:'3' offset:'1' %}
                                         *          {% for item in contentchannelitemItems %}
                                         *              {{ item.Id }} - {{ item.Title }}<br>
                                         *          {% endfor %}
                                         *      {% endcontentchannelitem %}
                                         *  Returns only 2 items (incorrect) - because of the offset
                                         *  SECOND
                                         *  If the limit is moved before the security check it's possible that the security checks
                                         *  will remove items and will therefore not give you the amount of items that you asked for.
                                         *  Unfortunately this has to be an inefficent process to ensure pagination works. I will also
                                         *  add a detailed note to the documentation to encourage people to disable security checks,
                                         *  especially when used with pagination, in the Lava docs.

                                queryResult = itemsSecured.AsQueryable();

                            // offset
                            if (parms.Any(p => p.Key == "offset"))
                                queryResult = queryResult.Skip(parms["offset"].AsInteger());

                            // limit, default to 1000
                            if (parms.Any(p => p.Key == "limit"))
                                queryResult = queryResult.Take(parms["limit"].AsInteger());
                                queryResult = queryResult.Take(1000);

                            var resultList = queryResult.ToList();

                            // if there is only one item to return set an alternative non-array based variable
                            if (resultList.Count == 1)
                                context.Scopes.Last()[_entityName] = resultList.FirstOrDefault();

                            context.Scopes.Last()[parms["iterator"]] = resultList;
                result.Write(string.Format("Could not find a model for {0}.", _entityName));
                base.Render(context, result);

            base.Render(context, result);
예제 #34
        /// <summary>
        /// Adds the parent rules.
        /// </summary>
        /// <param name="authService">The authentication service.</param>
        /// <param name="itemRules">The item rules.</param>
        /// <param name="parentRules">The parent rules.</param>
        /// <param name="parent">The parent.</param>
        /// <param name="action">The action.</param>
        private void AddParentRules(AuthService authService, List <AuthRule> itemRules, List <MyAuthRule> parentRules, ISecured parent, string action)
            if (parent != null)
                var entityType = Rock.Web.Cache.EntityTypeCache.Read(parent.TypeId);
                foreach (var auth in authService.GetAuths(parent.TypeId, parent.Id, action))
                    var rule = new AuthRule(auth);

                    if (!itemRules.Exists(r =>
                                          r.SpecialRole == rule.SpecialRole &&
                                          r.PersonId == rule.PersonId &&
                                          r.GroupId == rule.GroupId) &&
                        !parentRules.Exists(r =>
                                            r.SpecialRole == rule.SpecialRole &&
                                            r.PersonId == rule.PersonId &&
                                            r.GroupId == rule.GroupId))
                        var myRule = new MyAuthRule(rule);
                        myRule.EntityTitle = string.Format("{0} <small>({1})</small>", parent.ToString(), entityType.FriendlyName ?? entityType.Name).TrimStart();

                AddParentRules(authService, itemRules, parentRules, parent.ParentAuthority, action);
예제 #35
        /// <summary>
        /// Bind the grid to the authorization records found in the database.
        /// </summary>
        /// <param name="entitySecured">The securable entity to query authorization records of.</param>
        /// <param name="person">The person whose access level we are checking.</param>
        void BindGrid(ISecured entitySecured, Person person)
            // Walk all the supported actions and build a row of results.
            List <AuthGridRow> rows = new List <AuthGridRow>();

            foreach (var action in entitySecured.SupportedActions)
                ISecured authorative = null;
                var      auth        = ItemAuthorized(entitySecured, action.Key, person, true, true, out authorative);

                if (auth != null)
                    var    authEntity   = authorative as IEntity;
                    string friendlyName = "Unknown";

                    if (auth.SpecialRole != SpecialRole.None)
                        friendlyName = auth.SpecialRole.ToStringSafe().SplitCase();
                    else if (auth.PersonAlias != null)
                        friendlyName = auth.PersonAlias.ToStringSafe();
                    else if (auth.Group != null)
                        friendlyName = auth.Group.ToStringSafe();

                    var row = new AuthGridRow();
                    row.Id     = auth.Id;
                    row.Action = auth.Action;
                    if (authEntity != null)
                        row.EntityType = authEntity.TypeName;
                        row.EntityId   = authEntity.Id != 0 ? ( int? )authEntity.Id : null;
                        row.EntityName = authEntity.Id != 0 ? authEntity.ToString() : "(Entity Administration Security)";
                        row.EntityId = null;

                        if (authorative as GlobalDefault != null)
                            row.EntityType = "(Global Default)";
                            row.EntityName = string.Empty;
                            row.EntityType = "Unknown";
                            row.EntityName = "Unknown";
                    row.Access       = auth.AllowOrDeny == "A" ? "<span class='label label-success'>Allow</span>" : "<span class='label label-danger'>Deny</span>";
                    row.Role         = friendlyName;
                    row.IsUnlockable = auth.AllowOrDeny != "A";

                    var row = new AuthGridRow();
                    row.Id           = 0;
                    row.Action       = action.Key;
                    row.EntityType   = string.Empty;
                    row.EntityId     = null;
                    row.EntityName   = string.Empty;
                    row.Access       = "<span class='label label-default'>Unknown</span>";
                    row.Role         = "No explicit permissions found";
                    row.IsUnlockable = false;


            gResults.DataSource = rows;
예제 #36
 /// <summary>
 /// Checks the can edit.
 /// </summary>
 /// <param name="securedModel">The secured model.</param>
 protected virtual void CheckCanEdit(ISecured securedModel)
     CheckCanEdit(securedModel, GetPerson());
예제 #37
 /// <summary>
 /// Evaluates whether a selected person is allowed to perform the selected action on the selected
 /// entity.
 /// </summary>
 /// <param name="entity">The entity.</param>
 /// <param name="action">The action.</param>
 /// <param name="person">The person.</param>
 /// <returns></returns>
 public static bool Authorized( ISecured entity, string action, Rock.Model.Person person )
     return ItemAuthorized( entity, action, person, true, true ) ?? entity.IsAllowedByDefault( action );
예제 #38
        /// <summary>
        /// Determines whether the specified entity is private. Entity is considered private if only the current user
        /// has access.  In this scenario, the first rule would give current user access, and second rule would deny
        /// all users.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <returns>
        ///   <c>true</c> if the specified entity is private; otherwise, <c>false</c>.
        /// </returns>
        public static bool IsPrivate( ISecured entity, string action, Person person )
            bool isPrivate = false;

            if ( person != null )

                lock ( _lock )
                    // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
                    // one to find the first one specific to the selected user or a role that the selected user belongs
                    // to.  If a match is found return whether the user is allowed (true) or denied (false) access
                    if ( _authorizations != null &&
                        _authorizations.Keys.Contains( entity.TypeId ) &&
                        _authorizations[entity.TypeId].Keys.Contains( entity.Id ) &&
                        _authorizations[entity.TypeId][entity.Id].Keys.Contains( action ) &&
                        _authorizations[entity.TypeId][entity.Id][action].Count == 2 )
                        AuthRule firstRule = _authorizations[entity.TypeId][entity.Id][action][0];
                        AuthRule secondRule = _authorizations[entity.TypeId][entity.Id][action][1];

                        // If first rule allows current user, and second rule denies all other users then entity is private
                        if ( firstRule.AllowOrDeny == 'A' &&
                            firstRule.SpecialRole == SpecialRole.None &&
                            firstRule.PersonId == person.Id &&
                            secondRule.AllowOrDeny == 'D' &&
                            secondRule.SpecialRole == SpecialRole.AllUsers )
                            isPrivate = true;

            return isPrivate;
예제 #39
        protected override void OnInit(EventArgs e)
            string entityParam = PageParameter("EntityTypeId");
            Type   type        = null;

            // Get Entity Type
            int entityTypeId = 0;

            if (Int32.TryParse(entityParam, out entityTypeId))
                var entityType = EntityTypeCache.Read(entityTypeId);
                if (entityType != null)
                    entityParam = entityType.FriendlyName;
                    type        = entityType.GetEntityType();

            // Get Entity Id
            int entityId = 0;

            if (!Int32.TryParse(PageParameter("EntityId"), out entityId))
                entityId = 0;

            // Get object type
            if (type != null)
                if (entityId == 0)
                    iSecured = (ISecured)Activator.CreateInstance(type);
                    // Get the context type since this may be for a non-rock core object
                    Type contextType = null;
                    var  contexts    = Rock.Reflection.SearchAssembly(type.Assembly, typeof(System.Data.Entity.DbContext));
                    if (contexts.Any())
                        contextType = contexts.First().Value;

                    Type   serviceType = typeof(Rock.Data.Service <>);
                    Type[] modelType   = { type };
                    Type   service     = serviceType.MakeGenericType(modelType);
                    var    getMethod   = service.GetMethod("Get", new Type[] { typeof(int) });

                    if (contextType != null)
                        var context         = Activator.CreateInstance(contextType);
                        var serviceInstance = Activator.CreateInstance(service, new object[] { context });
                        iSecured = getMethod.Invoke(serviceInstance, new object[] { entityId }) as ISecured;
                        var serviceInstance = Activator.CreateInstance(service);
                        iSecured = getMethod.Invoke(serviceInstance, new object[] { entityId }) as ISecured;

                var block = iSecured as Rock.Model.Block;
                if (block != null)
                    // If the entity is a block, get the cachedblock's supported action, as the RockPage may have
                    // added additional actions when the cache was created.
                    foreach (var action in BlockCache.Read(block.Id).SupportedActions)
                        if (!block.SupportedActions.Contains(action))

                    iSecured = block;

                if (iSecured != null && iSecured.IsAuthorized("Administrate", CurrentPerson))
                    rptActions.DataSource = iSecured.SupportedActions;

                    rGrid.DataKeyNames        = new string[] { "id" };
                    rGrid.GridReorder        += new GridReorderEventHandler(rGrid_GridReorder);
                    rGrid.GridRebind         += new GridRebindEventHandler(rGrid_GridRebind);
                    rGrid.RowDataBound       += new GridViewRowEventHandler(rGrid_RowDataBound);
                    rGrid.ShowHeaderWhenEmpty = false;
                    rGrid.EmptyDataText       = string.Empty;
                    rGrid.ShowActionRow       = false;

                    rGridParentRules.DataKeyNames        = new string[] { "id" };
                    rGridParentRules.ShowHeaderWhenEmpty = false;
                    rGridParentRules.EmptyDataText       = string.Empty;
                    rGridParentRules.ShowActionRow       = false;


                    string script = string.Format(@"
                    Sys.Application.add_load(function () {{
                        $('#modal-popup div.modal-header h3 small', window.parent.document).html('{0}');
                ", HttpUtility.JavaScriptStringEncode(iSecured.ToString()));
                    this.Page.ClientScript.RegisterStartupScript(this.GetType(), string.Format("set-html-{0}", this.ClientID), script, true);
                    rGrid.Visible            = false;
                    rGridParentRules.Visible = false;
                    nbMessage.Text           = "Unfortunately, you are not able to edit security because you do not belong to a role that has been configured to allow administration of this item.";
                    nbMessage.Visible        = true;
                rGrid.Visible            = false;
                rGridParentRules.Visible = false;
                nbMessage.Text           = string.Format("The requested entity type ('{0}') could not be loaded to determine security attributes.", entityParam);
                nbMessage.Visible        = true;
예제 #40
        private void AddParentRules( List<MyAuthRule> rules, ISecured parent, string action )
            if ( parent != null )
                var entityType = Rock.Web.Cache.EntityTypeCache.Read( parent.TypeId );
                foreach ( AuthRule rule in Authorization.AuthRules( parent.TypeId, parent.Id, action ) )
                    if ( !rules.Exists( r =>
                        r.SpecialRole == rule.SpecialRole &&
                        r.PersonId == rule.PersonId &&
                        r.GroupId == rule.GroupId ) )
                        var myRule = new MyAuthRule( rule );
                        myRule.EntityTitle = string.Format( "{0} ({1})", parent.ToString(), entityType.FriendlyName ?? entityType.Name ).TrimStart();
                        rules.Add( myRule );

                AddParentRules( rules, parent.ParentAuthority, action );
예제 #41
        /// <summary>
        /// Evaluates whether a selected user is allowed to perform the selected action on the selected
        /// entity.
        /// </summary>
        /// <param name="entity"></param>
        /// <param name="action"></param>
        /// <param name="user"></param>
        /// <returns></returns>
        public static bool Authorized( ISecured entity, string action, Rock.CMS.User user )
            //    return Authorized( entity, action, user != null ? user.Person.Guid.ToString() : string.Empty );

            ///// <summary>
            ///// Evaluates whether a selected user is allowed to perform the selected action on the selected
            ///// entity.
            ///// </summary>
            ///// <param name="entity">The entity.</param>
            ///// <param name="action">The action.</param>
            ///// <param name="userName">Name of the user.</param>
            ///// <returns></returns>
            //private static bool Authorized( ISecured entity, string action, string userName )
            // If there's no Authorizations object, create it
            if ( Authorizations == null )

            // If there are entries in the Authorizations object for this entity type and entity instance, evaluate each
            // one to find the first one specific to the selected user or a role that the selected user belongs
            // to.  If a match is found return whether the user is allowed (true) or denied (false) access
            if ( Authorizations.Keys.Contains( entity.AuthEntity ) &&
                Authorizations[entity.AuthEntity].Keys.Contains( entity.Id ) &&
                Authorizations[entity.AuthEntity][entity.Id].Keys.Contains( action ) )

                string userName = user != null ? user.Person.Guid.ToString() : string.Empty;

                foreach ( AuthRule authRule in Authorizations[entity.AuthEntity][entity.Id][action] )
                    // All Users
                    if ( authRule.SpecialRole == SpecialRole.AllUsers )
                        return authRule.AllowOrDeny == "A";

                    // All Authenticated Users
                    if (authRule.SpecialRole == SpecialRole.AllAuthenticatedUsers && userName.Trim() != string.Empty)
                        return authRule.AllowOrDeny == "A";

                    // All Unauthenticated Users
                    if ( authRule.SpecialRole == SpecialRole.AllUnAuthenticatedUsers && userName.Trim() == string.Empty )
                        return authRule.AllowOrDeny == "A";

                    if ( authRule.SpecialRole == SpecialRole.None && userName != string.Empty )
                        // See if person has been authorized to entity
                        if ( authRule.PersonId.HasValue &&
                            user.PersonId.HasValue &&
                            authRule.PersonId.Value == user.PersonId.Value )
                            return authRule.AllowOrDeny == "A";

                        // See if person is in role authorized
                        if (authRule.GroupId.HasValue)
                            Role role = Role.Read( authRule.GroupId.Value );
                            if ( role != null && role.UserInRole( userName ) )
                                return authRule.AllowOrDeny == "A";

            // If not match was found for the selected user on the current entity instance, check to see if the instance
            // has a parent authority defined and if so evaluate that entities authorization rules.  If there is no
            // parent authority return the defualt authorization
            if ( entity.ParentAuthority != null )
                return Authorized( entity.ParentAuthority, action, user );
                return entity.DefaultAuthorization( action );
예제 #42
        /// <summary>
        /// Makes the entity private for the selected action and person
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <param name="rockContext">The rock context.</param>
        private static void MyMakePrivate( ISecured entity, string action, Person person, RockContext rockContext )
            if ( !IsPrivate( entity, action, person ) )
                if ( person != null )
                    var personAlias = new PersonAliasService( rockContext ).GetPrimaryAlias( person.Id );
                    if ( personAlias != null )
                        var authService = new AuthService( rockContext );

                        // Delete any existing rules in database
                        foreach ( Auth auth in authService
                            .GetAuths( entity.TypeId, entity.Id, action ) )
                            authService.Delete( auth );


                        // Create the rules in the database
                        Auth auth1 = new Auth();
                        auth1.EntityTypeId = entity.TypeId;
                        auth1.EntityId = entity.Id;
                        auth1.Order = 0;
                        auth1.Action = action;
                        auth1.AllowOrDeny = "A";
                        auth1.SpecialRole = SpecialRole.None;
                        auth1.PersonAlias = personAlias;
                        auth1.PersonAliasId = personAlias.Id;
                        authService.Add( auth1 );

                        Auth auth2 = new Auth();
                        auth2.EntityTypeId = entity.TypeId;
                        auth2.EntityId = entity.Id;
                        auth2.Order = 1;
                        auth2.Action = action;
                        auth2.AllowOrDeny = "D";
                        auth2.SpecialRole = SpecialRole.AllUsers;
                        authService.Add( auth2 );


                        // Reload the static dictionary for this action
                        ReloadAction( entity.TypeId, entity.Id, action, rockContext );
예제 #43
        /// <summary>
        /// Copies the authorizations from one <see cref="ISecured"/> object to another
        /// </summary>
        /// <param name="sourceEntity">The source entity.</param>
        /// <param name="targetEntity">The target entity.</param>
        /// <param name="personId">The person id.</param>
        public static void CopyAuthorization(ISecured sourceEntity, ISecured targetEntity, int?personId)
            using (new Rock.Data.UnitOfWorkScope())
                // If there's no Authorizations object, create it
                if (Authorizations == null)

                AuthService authService = new AuthService();

                // Delete the current authorizations for the target entity
                foreach (Auth auth in authService.GetByEntityTypeAndEntityId(targetEntity.AuthEntity, targetEntity.Id))
                    authService.Delete(auth, personId);

                Dictionary <string, List <AuthRule> > newActions = new Dictionary <string, List <AuthRule> >();

                int order = 0;
                if (Authorizations.ContainsKey(sourceEntity.AuthEntity) && Authorizations[sourceEntity.AuthEntity].ContainsKey(sourceEntity.Id))
                    foreach (KeyValuePair <string, List <AuthRule> > action in Authorizations[sourceEntity.AuthEntity][sourceEntity.Id])
                        if (targetEntity.SupportedActions.Contains(action.Key))
                            newActions.Add(action.Key, new List <AuthRule>());

                            foreach (AuthRule rule in action.Value)
                                Auth auth = new Auth();
                                auth.EntityType  = targetEntity.AuthEntity;
                                auth.EntityId    = targetEntity.Id;
                                auth.Order       = order;
                                auth.Action      = action.Key;
                                auth.AllowOrDeny = rule.AllowOrDeny;
                                auth.SpecialRole = rule.SpecialRole;
                                auth.PersonId    = rule.PersonId;
                                auth.GroupId     = rule.GroupId;

                                authService.Add(auth, personId);
                                authService.Save(auth, personId);

                                newActions[action.Key].Add(new AuthRule(rule.Id, rule.AllowOrDeny, rule.SpecialRole, rule.PersonId, rule.GroupId, rule.Order));


                if (!Authorizations.ContainsKey(targetEntity.AuthEntity))
                    Authorizations.Add(targetEntity.AuthEntity, new Dictionary <int, Dictionary <string, List <AuthRule> > >());

                Dictionary <int, Dictionary <string, List <AuthRule> > > entityType = Authorizations[targetEntity.AuthEntity];

                if (!entityType.ContainsKey(targetEntity.Id))
                    entityType.Add(targetEntity.Id, new Dictionary <string, List <AuthRule> >());

                entityType[targetEntity.Id] = newActions;
예제 #44
        public void UpdateSecurity(ISecured secured)
            //TODO!!!: When writing security check for antecedentid = referenceid &/or version=0
            //First check user and owner rights, black list and white list against record
            //Then get ok
            if (secured.SecurityID.HasValue)
                //Call Edit
                if (CheckOwnership(secured, ActionPermission.Read | ActionPermission.Update))
                    using (new TransactionScope(TransactionScopeOption.Suppress))
                        var c = new XODBC(ApplicationConnectionString,null);
                        if (secured.IsBlack)
                            var s = (from o in c.SecurityBlacklists where o.SecurityBlacklistID==secured.SecurityID && o.Version==0 && o.VersionDeletedBy==null select o).Single();
                            s.AccessorContactID = secured.AccessorContactID;
                            s.AccessorApplicationID = secured.AccessorApplicationID;
                            s.AccessorCompanyID = secured.AccessorCompanyID;
                            s.AccessorProjectID = secured.AccessorProjectID;
                            s.AccessorRoleID = secured.AccessorRoleID;
                            s.CanCreate = secured.CanCreate;
                            s.CanRead = secured.CanRead;
                            s.CanDelete = secured.CanDelete;
                            s.CanUpdate = secured.CanUpdate;
                            s.VersionUpdated = DateTime.UtcNow;
                            s.VersionUpdatedBy = secured.OwnerContactID;
                            var s = (from o in c.SecurityWhitelists where o.SecurityWhitelistID == secured.SecurityID && o.Version== 0 && o.VersionDeletedBy == null select o).Single();
                            s.AccessorContactID = secured.AccessorContactID;
                            s.AccessorApplicationID = secured.AccessorApplicationID;
                            s.AccessorCompanyID = secured.AccessorCompanyID;
                            s.AccessorProjectID = secured.AccessorProjectID;
                            s.AccessorRoleID = secured.AccessorRoleID;
                            s.CanCreate = secured.CanCreate;
                            s.CanRead = secured.CanRead;
                            s.CanDelete = secured.CanDelete;
                            s.CanUpdate = secured.CanUpdate;
                            s.VersionUpdated = DateTime.UtcNow;
                            s.VersionUpdatedBy = secured.OwnerContactID;
                    throw new AuthorityException(string.Format("Incorrect permission for action: \"Update\" Contact: {0} Record: {1}", secured.AccessorContactID, secured.OwnerReferenceID));
                //Call New
                if (CheckOwnership(secured, ActionPermission.Read | ActionPermission.Create))
                    using (new TransactionScope(TransactionScopeOption.Suppress))
                        var c = new XODBC(ApplicationConnectionString,null);
                        if (secured.IsBlack)
                            var s = new SecurityBlacklist
                                SecurityBlacklistID = Guid.NewGuid(),
                                AccessorContactID = secured.AccessorContactID,
                                AccessorApplicationID = secured.AccessorApplicationID,
                                AccessorCompanyID = secured.AccessorCompanyID,
                                AccessorProjectID = secured.AccessorProjectID,
                                AccessorRoleID = secured.AccessorRoleID,
                                OwnerApplicationID = secured.OwnerApplicationID,
                                OwnerCompanyID = secured.OwnerCompanyID,
                                OwnerContactID = secured.OwnerContactID,
                                OwnerEntitySystemType = secured.OwnerEntitySystemType,
                                OwnerField = secured.OwnerField,
                                OwnerProjectID = secured.OwnerProjectID,
                                OwnerReferenceID = secured.OwnerReferenceID,
                                OwnerTableType = secured.OwnerTableType,
                                CanCreate = secured.CanCreate,
                                CanRead = secured.CanRead,
                                CanDelete = secured.CanDelete,
                                CanUpdate = secured.CanUpdate,
                                VersionOwnerContactID = secured.OwnerContactID,
                                VersionOwnerCompanyID = secured.OwnerCompanyID,
                                VersionUpdated = DateTime.UtcNow,
                                VersionUpdatedBy = secured.OwnerContactID
                            var s = new SecurityWhitelist
                                SecurityWhitelistID = Guid.NewGuid(),
                                AccessorContactID = secured.AccessorContactID,
                                AccessorApplicationID = secured.AccessorApplicationID,
                                AccessorCompanyID = secured.AccessorCompanyID,
                                AccessorProjectID = secured.AccessorProjectID,
                                AccessorRoleID = secured.AccessorRoleID,
                                OwnerApplicationID = secured.OwnerApplicationID,
                                OwnerCompanyID = secured.OwnerCompanyID,
                                OwnerContactID = secured.OwnerContactID,
                                OwnerEntitySystemType = secured.OwnerEntitySystemType,
                                OwnerField = secured.OwnerField,
                                OwnerProjectID = secured.OwnerProjectID,
                                OwnerReferenceID = secured.OwnerReferenceID,
                                OwnerTableType = secured.OwnerTableType,
                                CanCreate = secured.CanCreate,
                                CanRead = secured.CanRead,
                                CanDelete = secured.CanDelete,
                                CanUpdate = secured.CanUpdate,
                                VersionOwnerContactID = secured.OwnerContactID,
                                VersionOwnerCompanyID = secured.OwnerCompanyID,
                                VersionUpdated = DateTime.UtcNow,
                                VersionUpdatedBy = secured.OwnerContactID
                    throw new AuthorityException(string.Format("Incorrect permission for action: \"Create\" Contact: {0} Record: {1}", secured.AccessorContactID, secured.OwnerReferenceID));

예제 #45
 /// <summary>
 /// Allows the security role.
 /// </summary>
 /// <param name="entity">The entity.</param>
 /// <param name="action">The action.</param>
 /// <param name="group">The group.</param>
 /// <param name="rockContext">The rock context.</param>
 public static void AllowSecurityRole( ISecured entity, string action, Group group, RockContext rockContext = null )
     if ( rockContext != null )
         MyAllow( entity, action, null, group, SpecialRole.None, rockContext );
         using ( var myRockContext = new RockContext() )
             MyAllow( entity, action, null, group, SpecialRole.None, myRockContext );
예제 #46
        /// <summary>
        /// Occurs before the action method is invoked.
        /// </summary>
        /// <param name="actionContext">The action context.</param>
        public override void OnActionExecuting(HttpActionContext actionContext)
            var    controller          = actionContext.ActionDescriptor.ControllerDescriptor;
            string controllerClassName = controller.ControllerType.FullName;
            string actionMethod        = actionContext.Request.Method.Method;
            string actionPath          = actionContext.Request.GetRouteData().Route.RouteTemplate.Replace("{controller}", controller.ControllerName);

            //// find any additional arguments that aren't part of the RouteTemplate that qualified the action method
            //// for example: ~/person/search?name={name}&includeHtml={includeHtml}&includeDetails={includeDetails}&includeBusinesses={includeBusinesses}
            //// is a different action method than ~/person/search?name={name}
            var routeQueryParams = actionContext.ActionArguments.Where(a => !actionPath.Contains("{" + a.Key + "}"));

            if (routeQueryParams.Any())
                var actionPathQueryString = routeQueryParams.Select(a => string.Format("{0}={{{0}}}", a.Key)).ToList().AsDelimited("&");
                actionPath += "?" + actionPathQueryString;

            ISecured item = RestActionCache.Get(actionMethod + actionPath);

            if (item == null)
                item = RestControllerCache.Get(controllerClassName);
                if (item == null)
                    item = new RestController();

            Person person = null;

            if (actionContext.Request.Properties.Keys.Contains("Person"))
                person = actionContext.Request.Properties["Person"] as Person;
                var principal = actionContext.Request.GetUserPrincipal();
                if (principal != null && principal.Identity != null)
                    using (var rockContext = new RockContext())
                        string    userName  = principal.Identity.Name;
                        UserLogin userLogin = null;
                        if (userName.StartsWith("rckipid="))
                            Rock.Model.PersonService personService      = new Model.PersonService(rockContext);
                            Rock.Model.Person        impersonatedPerson = personService.GetByImpersonationToken(userName.Substring(8), false, null);
                            if (impersonatedPerson != null)
                                userLogin = impersonatedPerson.GetImpersonatedUser();
                            var userLoginService = new Rock.Model.UserLoginService(rockContext);
                            userLogin = userLoginService.GetByUserName(userName);

                        if (userLogin != null)
                            person = userLogin.Person;
                            actionContext.Request.Properties.Add("Person", person);

            string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
                            Rock.Security.Authorization.VIEW : Rock.Security.Authorization.EDIT;

            if (!item.IsAuthorized(action, person))
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
예제 #47
 /// <summary>
 /// Allows all users.
 /// </summary>
 /// <param name="entity">The entity.</param>
 /// <param name="action">The action.</param>
 /// <param name="rockContext">The rock context.</param>
 public static void AllowAllUsers( ISecured entity, string action, RockContext rockContext = null )
     if ( rockContext != null )
         MyAllowAllUsers( entity, action, rockContext );
         using ( var myRockContext = new RockContext() )
             MyAllowAllUsers( entity, action, myRockContext );
예제 #48
        /// <summary>
        /// Find the matching Auth record for this entity, action and person combination. Only explicit
        /// Auth records are checked.
        /// </summary>
        /// <param name="entity">The entity whose Auth records we are going to search for.</param>
        /// <param name="action">The type of action that is to be authenticated.</param>
        /// <param name="person">The person that is requesting permission.</param>
        /// <returns>An Auth object if an explicit permission was found, otherwise null.</returns>
        Auth MatchingAuth(ISecured entity, string action, Person person)
            var rockContext = new RockContext();
            var authService = new AuthService(rockContext);

            var  rules      = authService.Get(entity.TypeId, entity.Id).Where(a => a.Action == action).ToList();
            bool matchFound = false;
            bool authorized = false;

            foreach (var authRule in rules)
                // All Users
                if (authRule.SpecialRole == SpecialRole.AllUsers)
                    matchFound = true;
                    authorized = authRule.AllowOrDeny == "A";

                // All Authenticated Users
                if (!matchFound && authRule.SpecialRole == SpecialRole.AllAuthenticatedUsers && person != null)
                    matchFound = true;
                    authorized = authRule.AllowOrDeny == "A";

                // All Unauthenticated Users
                if (!matchFound && authRule.SpecialRole == SpecialRole.AllUnAuthenticatedUsers && person == null)
                    matchFound = true;
                    authorized = authRule.AllowOrDeny == "A";

                if (!matchFound && authRule.SpecialRole == SpecialRole.None && person != null)
                    // See if person has been authorized to entity
                    if (authRule.PersonAliasId.HasValue &&
                        person.Aliases.Where(a => a.Id == authRule.PersonAliasId.Value).Any())
                        matchFound = true;
                        authorized = authRule.AllowOrDeny == "A";

                    // See if person is in role authorized
                    if (!matchFound && authRule.GroupId.HasValue)
                        var role = RoleCache.Get(authRule.GroupId.Value);
                        if (role != null && role.IsPersonInRole(person.Guid))
                            matchFound = true;
                            authorized = authRule.AllowOrDeny == "A";

예제 #49
        /// <summary>
        /// If the entity is currently private for selected person, removes all the rules 
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <param name="rockContext">The rock context.</param>
        private static void MyMakeUnPrivate( ISecured entity, string action, Person person, RockContext rockContext )
            if ( IsPrivate( entity, action, person ) )
                var authService = new AuthService( rockContext );

                // Delete any existing rules in database
                foreach ( Auth auth in authService
                    .GetAuths( entity.TypeId, entity.Id, action ) )
                    authService.Delete( auth );

                // Reload the static dictionary for this action
                ReloadAction( entity.TypeId, entity.Id, action, rockContext );
예제 #50
        /// <summary>
        /// Copies the authorizations from one <see cref="ISecured" /> object to another
        /// </summary>
        /// <param name="sourceEntity">The source entity.</param>
        /// <param name="targetEntity">The target entity.</param>
        /// <param name="rockContext">The rock context.</param>
        /// <param name="action">Optional action (if ommitted or left blank, all actions will be copied).</param>
        /// <remarks>
        /// This method will save any previous changes made to the context
        /// </remarks>
        public static void CopyAuthorization( ISecured sourceEntity, ISecured targetEntity, RockContext rockContext, string action = "" )

            var sourceEntityTypeId = sourceEntity.TypeId;
            var targetEntityTypeId = targetEntity.TypeId;

            AuthService authService = new AuthService( rockContext );

            // Delete the current authorizations for the target entity
            foreach ( Auth auth in authService.Get( targetEntityTypeId, targetEntity.Id ).ToList() )
                if ( string.IsNullOrWhiteSpace( action ) || auth.Action.Equals( action, StringComparison.OrdinalIgnoreCase ) )
                    authService.Delete( auth );

            // Copy target auths to source auths
            int order = 0;
            foreach ( Auth sourceAuth in authService.Get( sourceEntityTypeId, sourceEntity.Id ).ToList() )
                if ( ( string.IsNullOrWhiteSpace( action ) || sourceAuth.Action.Equals( action, StringComparison.OrdinalIgnoreCase ) ) &&
                    targetEntity.SupportedActions.ContainsKey( sourceAuth.Action ) )
                    Auth auth = new Auth();
                    auth.EntityTypeId = targetEntityTypeId;
                    auth.EntityId = targetEntity.Id;
                    auth.Action = sourceAuth.Action;
                    auth.AllowOrDeny = sourceAuth.AllowOrDeny;
                    auth.GroupId = sourceAuth.GroupId;
                    auth.PersonAliasId = sourceAuth.PersonAliasId;
                    auth.SpecialRole = sourceAuth.SpecialRole;
                    auth.Order = order++;

                    authService.Add( auth );

            ReloadEntity( targetEntityTypeId, targetEntity.Id, rockContext );
예제 #51
        /// <summary>
        /// Raises the <see cref="E:System.Web.UI.Control.Init" /> event.
        /// </summary>
        /// <param name="e">An <see cref="T:System.EventArgs" /> object that contains the event data.</param>
        protected override void OnInit( EventArgs e )
            int? entityTypeId = PageParameter( "EntityTypeId" ).AsIntegerOrNull();
            string entityTypeName = string.Empty;
            Type type = null;

            // Get Entity Type
            if ( entityTypeId.HasValue )
                var entityType = EntityTypeCache.Read( entityTypeId.Value );
                if ( entityType != null )
                    entityTypeName = entityType.FriendlyName;
                    type = entityType.GetEntityType();

            // Get Entity Id
            int entityId = PageParameter( "EntityId" ).AsIntegerOrNull() ?? 0;

            // Get object type
            if ( type != null )
                if ( entityId == 0 )
                    iSecured = (ISecured)Activator.CreateInstance( type );
                    // Get the context type since this may be for a non-rock core object
                    Type contextType = null;
                    var contexts = Rock.Reflection.SearchAssembly( type.Assembly, typeof( Rock.Data.DbContext ) );
                    if ( contexts.Any() )
                        contextType = contexts.First().Value;
                        contextType = typeof( RockContext );

                    Type serviceType = typeof( Rock.Data.Service<> );
                    Type[] modelType = { type };
                    Type service = serviceType.MakeGenericType( modelType );
                    var getMethod = service.GetMethod( "Get", new Type[] { typeof( int ) } );

                    var context = Activator.CreateInstance( contextType );
                    var serviceInstance = Activator.CreateInstance( service, new object[] { context } );
                    iSecured = getMethod.Invoke( serviceInstance, new object[] { entityId } ) as ISecured;

                var block = iSecured as Rock.Model.Block;
                if ( block != null )
                    // If the entity is a block, get any actions that were updated or added by the block type using
                    // one or more SecurityActionAttributes.
                    foreach ( var action in BlockCache.Read( block.Id ).BlockType.SecurityActions )
                        if ( block.SupportedActions.ContainsKey( action.Key ) )
                            block.SupportedActions[action.Key] = action.Value;
                            block.SupportedActions.Add( action.Key, action.Value );

                    iSecured = block;

                if ( iSecured != null && iSecured.IsAuthorized( Authorization.ADMINISTRATE, CurrentPerson ) )
                    if ( iSecured.SupportedActions.Any() )
                        lActionDescription.Text = iSecured.SupportedActions.FirstOrDefault().Value;

                    rptActions.DataSource = iSecured.SupportedActions;

                    rGrid.DataKeyNames = new string[] { "Id" };
                    rGrid.GridReorder += new GridReorderEventHandler( rGrid_GridReorder );
                    rGrid.GridRebind += new GridRebindEventHandler( rGrid_GridRebind );
                    rGrid.RowDataBound += new GridViewRowEventHandler( rGrid_RowDataBound );
                    rGrid.ShowHeaderWhenEmpty = false;
                    rGrid.EmptyDataText = string.Empty;
                    rGrid.ShowActionRow = false;

                    rGridParentRules.DataKeyNames = new string[] { "Id" };
                    rGridParentRules.ShowHeaderWhenEmpty = false;
                    rGridParentRules.EmptyDataText = string.Empty;
                    rGridParentRules.ShowActionRow = false;


                    string scriptFormat = @"
                    Sys.Application.add_load(function () {{
                        $('#modal-popup div.modal-header h3 small', window.parent.document).html('{0}');
                    string script = string.Format( scriptFormat, HttpUtility.JavaScriptStringEncode( iSecured.ToString() ) );

                    this.Page.ClientScript.RegisterStartupScript( this.GetType(), string.Format( "set-html-{0}", this.ClientID ), script, true );
                    rGrid.Visible = false;
                    rGridParentRules.Visible = false;
                    nbMessage.Text = "Unfortunately, you are not able to edit security because you do not belong to a role that has been configured to allow administration of this item.";
                    nbMessage.Visible = true;
                rGrid.Visible = false;
                rGridParentRules.Visible = false;
                nbMessage.Text = string.Format( "The requested entity type ('{0}') could not be loaded to determine security attributes.", entityTypeName );
                nbMessage.Visible = true;

            base.OnInit( e );
예제 #52
        /// <summary>
        /// Makes the entity private by setting up two authorization rules, one granting the selected person, and
        /// then another that denies all other users.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="person">The person.</param>
        /// <param name="rockContext">The rock context.</param>
        public static void MakePrivate( ISecured entity, string action, Person person, RockContext rockContext = null )
            if ( !IsPrivate( entity, action, person ) )
                if ( person != null )
                    rockContext = rockContext ?? new RockContext();

                    // If there's no Authorizations object, create it
                    if ( Authorizations == null )
                        Load( rockContext );

                    var authService = new AuthService( rockContext );

                    // If there are not entries in the Authorizations object for this entity type and entity instance, create
                    // the dictionary entries
                    if ( !Authorizations.Keys.Contains( entity.TypeId ) )
                        Authorizations.Add( entity.TypeId, new Dictionary<int, Dictionary<string, List<AuthRule>>>() );

                    if ( !Authorizations[entity.TypeId].Keys.Contains( entity.Id ) )
                        Authorizations[entity.TypeId].Add( entity.Id, new Dictionary<string, List<AuthRule>>() );

                    if ( !Authorizations[entity.TypeId][entity.Id].Keys.Contains( action ) )
                        Authorizations[entity.TypeId][entity.Id].Add( action, new List<AuthRule>() );
                        // If existing rules exist, delete them.
                        foreach ( AuthRule authRule in Authorizations[entity.TypeId][entity.Id][action] )
                            var oldAuth = authService.Get( authRule.Id );
                            authService.Delete( oldAuth );

                    var rules = new List<AuthRule>();

                    Auth auth1 = new Auth();
                    auth1.EntityTypeId = entity.TypeId;
                    auth1.EntityId = entity.Id;
                    auth1.Order = 0;
                    auth1.Action = action;
                    auth1.AllowOrDeny = "A";
                    auth1.SpecialRole = SpecialRole.None;
                    auth1.PersonId = person.Id;
                    authService.Add( auth1 );

                    Auth auth2 = new Auth();
                    auth2.EntityTypeId = entity.TypeId;
                    auth2.EntityId = entity.Id;
                    auth2.Order = 1;
                    auth2.Action = action;
                    auth2.AllowOrDeny = "D";
                    auth2.SpecialRole = SpecialRole.AllUsers;
                    authService.Add( auth2 );


                    rules.Add( new AuthRule( auth1 ) );
                    rules.Add( new AuthRule( auth2 ) );

                    Authorizations[entity.TypeId][entity.Id][action] = rules;
예제 #53
        /// <summary>
        /// Raises the <see cref="E:System.Web.UI.Control.Init" /> event.
        /// </summary>
        /// <param name="e">An <see cref="T:System.EventArgs" /> object that contains the event data.</param>
        protected override void OnInit(EventArgs e)
            int?   entityTypeId   = PageParameter("EntityTypeId").AsIntegerOrNull();
            string entityTypeName = string.Empty;
            Type   type           = null;

            // Get Entity Type
            if (entityTypeId.HasValue)
                var entityType = EntityTypeCache.Read(entityTypeId.Value);
                if (entityType != null)
                    entityTypeName = entityType.FriendlyName;
                    type           = entityType.GetEntityType();

            // Get Entity Id
            int entityId = PageParameter("EntityId").AsIntegerOrNull() ?? 0;

            // Get object type
            if (type != null)
                if (entityId == 0)
                    iSecured = (ISecured)Activator.CreateInstance(type);
                    // Get the context type since this may be for a non-rock core object
                    Type contextType = null;
                    var  contexts    = Rock.Reflection.SearchAssembly(type.Assembly, typeof(Rock.Data.DbContext));
                    if (contexts.Any())
                        contextType = contexts.First().Value;
                        contextType = typeof(RockContext);

                    Type   serviceType = typeof(Rock.Data.Service <>);
                    Type[] modelType   = { type };
                    Type   service     = serviceType.MakeGenericType(modelType);
                    var    getMethod   = service.GetMethod("Get", new Type[] { typeof(int) });

                    var context         = Activator.CreateInstance(contextType);
                    var serviceInstance = Activator.CreateInstance(service, new object[] { context });
                    iSecured = getMethod.Invoke(serviceInstance, new object[] { entityId }) as ISecured;

                var block = iSecured as Rock.Model.Block;
                if (block != null)
                    // If the entity is a block, get any actions that were updated or added by the block type using
                    // one or more SecurityActionAttributes.
                    var blockCache = BlockCache.Read(block.Id);
                    if (blockCache != null && blockCache.BlockType != null)
                        foreach (var action in BlockCache.Read(block.Id).BlockType.SecurityActions)
                            if (block.SupportedActions.ContainsKey(action.Key))
                                block.SupportedActions[action.Key] = action.Value;
                                block.SupportedActions.Add(action.Key, action.Value);

                    iSecured = block;

                if (iSecured != null)
                    if (iSecured.IsAuthorized(Authorization.ADMINISTRATE, CurrentPerson))
                        if (iSecured.SupportedActions.Any())
                            lActionDescription.Text = iSecured.SupportedActions.FirstOrDefault().Value;

                        rptActions.DataSource = iSecured.SupportedActions;

                        rGrid.DataKeyNames        = new string[] { "Id" };
                        rGrid.GridReorder        += new GridReorderEventHandler(rGrid_GridReorder);
                        rGrid.GridRebind         += new GridRebindEventHandler(rGrid_GridRebind);
                        rGrid.RowDataBound       += new GridViewRowEventHandler(rGrid_RowDataBound);
                        rGrid.ShowHeaderWhenEmpty = false;
                        rGrid.EmptyDataText       = string.Empty;
                        rGrid.ShowActionRow       = false;

                        rGridParentRules.DataKeyNames        = new string[] { "Id" };
                        rGridParentRules.ShowHeaderWhenEmpty = false;
                        rGridParentRules.EmptyDataText       = string.Empty;
                        rGridParentRules.ShowActionRow       = false;


                        string scriptFormat = @"
                    Sys.Application.add_load(function () {{
                        $('#modal-popup div.modal-header h3 small', window.parent.document).html('{0}');
                        string script       = string.Format(scriptFormat, HttpUtility.JavaScriptStringEncode(iSecured.ToString()));

                        this.Page.ClientScript.RegisterStartupScript(this.GetType(), string.Format("set-html-{0}", this.ClientID), script, true);
                        nbMessage.Text = "Unfortunately, you are not able to edit security because you do not belong to a role that has been configured to allow administration of this item.";
                    nbMessage.Text = "The item you are trying to secure does not exist or does not implement ISecured.";
                nbMessage.Text = string.Format("The requested entity type ('{0}') could not be loaded to determine security attributes.", entityTypeName);

예제 #54
        protected override void OnInit(EventArgs e)
            // Read parameter values
            string entityName = Authorization.DecodeEntityTypeName(PageParameter("EntityType"));

            int entityId = 0;

            if (!Int32.TryParse(PageParameter("EntityId"), out entityId))
                entityId = 0;

            // Get object type
            Type type = Type.GetType(entityName);

            if (type != null)
                if (entityId == 0)
                    iSecured = (ISecured)Activator.CreateInstance(type);
                    iSecured = type.InvokeMember("Read", System.Reflection.BindingFlags.InvokeMethod, null, type, new object[] { entityId }) as ISecured;

                if (iSecured.IsAuthorized("Administrate", CurrentPerson))
                    rptActions.DataSource = iSecured.SupportedActions;

                    rGrid.DataKeyNames        = new string[] { "id" };
                    rGrid.GridReorder        += new GridReorderEventHandler(rGrid_GridReorder);
                    rGrid.GridRebind         += new GridRebindEventHandler(rGrid_GridRebind);
                    rGrid.RowDataBound       += new GridViewRowEventHandler(rGrid_RowDataBound);
                    rGrid.ShowHeaderWhenEmpty = false;
                    rGrid.EmptyDataText       = string.Empty;
                    rGrid.ShowActionRow       = false;

                    rGridParentRules.DataKeyNames        = new string[] { "id" };
                    rGridParentRules.ShowHeaderWhenEmpty = false;
                    rGridParentRules.EmptyDataText       = string.Empty;
                    rGridParentRules.ShowActionRow       = false;


                    string script = string.Format(@"
                    Sys.Application.add_load(function () {{
                        $('#modal-popup div.modal-header h3 small', window.parent.document).html('{0}');
                ", iSecured.ToString());

                    this.Page.ClientScript.RegisterStartupScript(this.GetType(), string.Format("set-html-{0}", this.ClientID), script, true);
                rGrid.Visible            = false;
                rGridParentRules.Visible = false;
                nbMessage.Text           = string.Format("Could not load the requested entity type ('{0}') to determine security attributes", entityName);
                nbMessage.Visible        = true;
예제 #55
        /// <summary>
        /// Renders the specified context.
        /// </summary>
        /// <param name="context">The context.</param>
        /// <param name="result">The result.</param>
        /// <exception cref="System.Exception">Your Lava command must contain at least one valid filter. If you configured a filter it's possible that the property or attribute you provided does not exist.</exception>
        public override void Render(Context context, TextWriter result)
            // first ensure that entity commands are allowed in the context
            if (!this.IsAuthorized(context))
                result.Write(string.Format(RockLavaBlockBase.NotAuthorizedMessage, this.Name));
                base.Render(context, result);

            bool hasFilter = false;

            // get a service for the entity based off it's friendly name
            var entityTypes = EntityTypeCache.All();

            var model = string.Empty;

            if (_entityName == "business")
                model = "Rock.Model.Person";
                model = "Rock.Model." + _entityName;

            // Check first to see if this is a core model
            var entityTypeCache = entityTypes.Where(e => String.Equals(e.Name, model, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();

            // If not, look for first plugin model that has same friendly name
            if (entityTypeCache == null)
                entityTypeCache = entityTypes
                                  .Where(e =>
                                         e.IsEntity &&
                                         !e.Name.StartsWith("Rock.Model") &&
                                         e.FriendlyName != null &&
                                         e.FriendlyName.RemoveSpaces().ToLower() == _entityName)
                                  .OrderBy(e => e.Id)

            // If still null check to see if this was a duplicate class and full class name was used as entity name
            if (entityTypeCache == null)
                model           = _entityName.Replace('_', '.');
                entityTypeCache = entityTypes.Where(e => String.Equals(e.Name, model, StringComparison.OrdinalIgnoreCase)).FirstOrDefault();

            if (entityTypeCache != null)
                Type entityType = entityTypeCache.GetEntityType();
                if (entityType != null)
                    // Get the database context
                    Type contextType = null;
                    Rock.Data.DbContext dbContext = null;
                    var contexts = Rock.Reflection.SearchAssembly(entityType.Assembly, typeof(Rock.Data.DbContext));
                    if (contexts.Any())
                        contextType = contexts.First().Value;
                        dbContext   = Activator.CreateInstance(contextType) as Rock.Data.DbContext;
                    if (dbContext == null)
                        dbContext = _rockContext;

                    // create an instance of the entity's service
                    Type[]             modelType          = { entityType };
                    Type               genericServiceType = typeof(Rock.Data.Service <>);
                    Type               modelServiceType   = genericServiceType.MakeGenericType(modelType);
                    Rock.Data.IService serviceInstance    = Activator.CreateInstance(modelServiceType, new object[] { dbContext }) as IService;

                    ParameterExpression paramExpression = Expression.Parameter(entityType, "x");
                    Expression          queryExpression = null; // the base expression we'll use to build our query from

                    // parse markup
                    var parms = ParseMarkup(_markup, context);

                    if (parms.Any(p => p.Key == "id"))
                        string propertyName = "Id";

                        List <string> selectionParms = new List <string>();

                        var entityProperty = entityType.GetProperty(propertyName);
                        queryExpression = ExpressionHelper.PropertyFilterExpression(selectionParms, paramExpression, propertyName, entityProperty.PropertyType);

                        hasFilter = true;
                        // where clause expression
                        if (parms.Any(p => p.Key == "where"))
                            queryExpression = ParseWhere(parms["where"], entityType, serviceInstance, paramExpression, entityType, entityTypeCache);

                            if (queryExpression != null)
                                hasFilter = true;

                        // dataview expression
                        if (parms.Any(p => p.Key == "dataview"))
                            var dataViewId = parms["dataview"].AsIntegerOrNull();

                            if (dataViewId.HasValue)
                                var dataViewExpression = GetDataViewExpression(dataViewId.Value, serviceInstance, paramExpression, entityTypeCache);

                                if (queryExpression == null)
                                    queryExpression = dataViewExpression;
                                    hasFilter       = true;
                                    queryExpression = Expression.AndAlso(queryExpression, dataViewExpression);

                        // process dynamic filter expressions (from the query string)
                        if (parms.Any(p => p.Key == "dynamicparameters"))
                            var dynamicFilters = parms["dynamicparameters"].Split(',')
                                                 .Select(x => x.Trim())
                                                 .Where(x => !string.IsNullOrWhiteSpace(x))

                            foreach (var dynamicFilter in dynamicFilters)
                                var dynamicFilterValue      = HttpContext.Current.Request[dynamicFilter];
                                var dynamicFilterExpression = GetDynamicFilterExpression(dynamicFilter, dynamicFilterValue, entityType, serviceInstance, paramExpression);
                                if (dynamicFilterExpression != null)
                                    if (queryExpression == null)
                                        queryExpression = dynamicFilterExpression;
                                        hasFilter       = true;
                                        queryExpression = Expression.AndAlso(queryExpression, dynamicFilterExpression);

                    // make the query from the expression
                    MethodInfo getMethod = serviceInstance.GetType().GetMethod("Get", new Type[] { typeof(ParameterExpression), typeof(Expression), typeof(Rock.Web.UI.Controls.SortProperty), typeof(int?) });
                    if (getMethod != null)
                        var queryResult = getMethod.Invoke(serviceInstance, new object[] { paramExpression, queryExpression, null, null }) as IQueryable <IEntity>;

                        // process entity specific filters
                        switch (_entityName)
                        case "person":
                            queryResult = PersonFilters((IQueryable <Person>)queryResult, parms);

                        case "business":
                            queryResult = BusinessFilters((IQueryable <Person>)queryResult, parms);

                        // if there was a dynamic expression add it now
                        if (parms.Any(p => p.Key == "expression"))
                            queryResult = queryResult.Where(parms["expression"]);
                            hasFilter   = true;

                        // get a listing of ids
                        if (parms.Any(p => p.Key == "ids"))
                            var value = parms["ids"].ToString().Split(',').Select(int.Parse).ToList();
                            queryResult = queryResult.Where(x => value.Contains(x.Id));
                            hasFilter   = true;

                        var queryResultExpression = queryResult.Expression;

                        // add sort expressions
                        if (parms.Any(p => p.Key == "sort"))
                            string orderByMethod = "OrderBy";

                            foreach (var column in parms["sort"].Split(',').Select(x => x.Trim()).Where(x => !string.IsNullOrWhiteSpace(x)).ToList())
                                string propertyName;
                                var    direction = SortDirection.Ascending;

                                if (column.EndsWith(" desc", StringComparison.OrdinalIgnoreCase))
                                    direction    = SortDirection.Descending;
                                    propertyName = column.Left(column.Length - 5);
                                    propertyName = column;

                                string methodName = direction == SortDirection.Descending ? orderByMethod + "Descending" : orderByMethod;

                                if (entityType.GetProperty(propertyName) != null)
                                    // sorting a entity property
                                    var memberExpression          = Expression.Property(paramExpression, propertyName);
                                    LambdaExpression sortSelector = Expression.Lambda(memberExpression, paramExpression);
                                    queryResultExpression = Expression.Call(typeof(Queryable), methodName, new Type[] { queryResult.ElementType, sortSelector.ReturnType }, queryResultExpression, sortSelector);
                                    // sorting on an attribute

                                    // get attribute id
                                    int?attributeId = null;
                                    foreach (var id in AttributeCache.GetByEntity(entityTypeCache.Id).SelectMany(a => a.AttributeIds))
                                        var attribute = AttributeCache.Get(id);
                                        if (attribute.Key == propertyName)
                                            attributeId = id;

                                    if (attributeId.HasValue)
                                        // get AttributeValue queryable and parameter
                                        var attributeValues = _rockContext.Set <AttributeValue>();
                                        ParameterExpression attributeValueParameter = Expression.Parameter(typeof(AttributeValue), "v");
                                        MemberExpression    idExpression            = Expression.Property(paramExpression, "Id");
                                        var attributeExpression = Attribute.Helper.GetAttributeValueExpression(attributeValues, attributeValueParameter, idExpression, attributeId.Value);

                                        LambdaExpression sortSelector = Expression.Lambda(attributeExpression, paramExpression);
                                        queryResultExpression = Expression.Call(typeof(Queryable), methodName, new Type[] { queryResult.ElementType, sortSelector.ReturnType }, queryResultExpression, sortSelector);

                                orderByMethod = "ThenBy";

                        // reassemble the queryable with the sort expressions
                        queryResult = queryResult.Provider.CreateQuery(queryResultExpression) as IQueryable <IEntity>;

                        if (parms.GetValueOrNull("count").AsBoolean())
                            int countResult = queryResult.Count();
                            context.Scopes.Last()["count"] = countResult;
                            // run security check on each result
                            var items        = queryResult.ToList();
                            var itemsSecured = new List <IEntity>();

                            Person person = GetCurrentPerson(context);

                            foreach (IEntity item in items)
                                ISecured itemSecured = item as ISecured;
                                if (itemSecured == null || itemSecured.IsAuthorized(Authorization.VIEW, person))

                            queryResult = itemsSecured.AsQueryable();

                            // offset
                            if (parms.Any(p => p.Key == "offset"))
                                queryResult = queryResult.Skip(parms["offset"].AsInteger());

                            // limit, default to 1000
                            if (parms.Any(p => p.Key == "limit"))
                                queryResult = queryResult.Take(parms["limit"].AsInteger());
                                queryResult = queryResult.Take(1000);

                            // check to ensure we had some form of filter (otherwise we'll return all results in the table)
                            if (!hasFilter)
                                throw new Exception("Your Lava command must contain at least one valid filter. If you configured a filter it's possible that the property or attribute you provided does not exist.");

                            var resultList = queryResult.ToList();

                            // if there is only one item to return set an alternative non-array based variable
                            if (resultList.Count == 1)
                                context.Scopes.Last()[_entityName] = resultList.FirstOrDefault();

                            context.Scopes.Last()[parms["iterator"]] = resultList;
                result.Write(string.Format("Could not find a model for {0}.", _entityName));
                base.Render(context, result);

            base.Render(context, result);
예제 #56
        public void DeleteSecurity(ISecured secured)
            //TODO!!!: When writing security check for antecedentid = referenceid &/or version=0
            if (secured.SecurityID.HasValue)
                if (CheckOwnership(secured, ActionPermission.Read | ActionPermission.Delete))
                    using (new TransactionScope(TransactionScopeOption.Suppress))
                        var c = new XODBC(ApplicationConnectionString,null);
                        if (secured.IsBlack)
                            var s = (from o in c.SecurityBlacklists where o.SecurityBlacklistID == secured.SecurityID && o.Version == 0 && o.VersionDeletedBy == null select o).Single();                          
                            var s = (from o in c.SecurityWhitelists where o.SecurityWhitelistID == secured.SecurityID && o.Version == 0 && o.VersionDeletedBy == null select o).Single();                           
                    throw new AuthorityException(string.Format("Incorrect permission for action: \"Delete\" Contact: {0} Record: {1}", secured.AccessorContactID, secured.OwnerReferenceID));
                throw new NotSupportedException("Can not delete a security record without an ID.");

예제 #57
        protected override void OnInit( EventArgs e )
            // Read parameter values
            string entityName = Authorization.DecodeEntityTypeName( PageParameter( "EntityType" ) );

            int entityId = 0;
            if (!Int32.TryParse( PageParameter( "EntityId" ), out entityId ))
                entityId = 0;

            // Get object type
            Type type = Type.GetType( entityName );
            if ( type != null )
                if (entityId == 0)
                     iSecured = (ISecured)Activator.CreateInstance(type);
                     iSecured = type.InvokeMember( "Read", System.Reflection.BindingFlags.InvokeMethod, null, type, new object[] { entityId } )as ISecured;

                if ( iSecured.IsAuthorized( "Administrate", CurrentPerson ) )
                    rptActions.DataSource = iSecured.SupportedActions;

                    rGrid.DataKeyNames = new string[] { "id" };
                    rGrid.GridReorder += new GridReorderEventHandler( rGrid_GridReorder );
                    rGrid.GridRebind += new GridRebindEventHandler( rGrid_GridRebind );
                    rGrid.RowDataBound += new GridViewRowEventHandler( rGrid_RowDataBound );
                    rGrid.ShowHeaderWhenEmpty = false;
                    rGrid.EmptyDataText = string.Empty;
                    rGrid.ShowActionRow = false;

                    rGridParentRules.DataKeyNames = new string[] { "id" };
                    rGridParentRules.ShowHeaderWhenEmpty = false;
                    rGridParentRules.EmptyDataText = string.Empty;
                    rGridParentRules.ShowActionRow = false;


                    string script = string.Format( @"
                    Sys.Application.add_load(function () {{
                        $('#modal-popup div.modal-header h3 small', window.parent.document).html('{0}');
                ", iSecured.ToString() );

                    this.Page.ClientScript.RegisterStartupScript( this.GetType(), string.Format( "set-html-{0}", this.ClientID ), script, true );
                rGrid.Visible = false;
                rGridParentRules.Visible = false;
                nbMessage.Text = string.Format("Could not load the requested entity type ('{0}') to determine security attributes", entityName);
                nbMessage.Visible = true;
            base.OnInit( e );
예제 #58
 public bool CheckOwnership(ISecured secured, ActionPermission permission)
     using (new TransactionScope(TransactionScopeOption.Suppress))
         var c = new XODBC(ApplicationConnectionString,null);
         var verified = new System.Data.Objects.ObjectParameter("verified", typeof(byte));
         c.X_SP_GetSecuredRight(secured.OwnerContactID, secured.OwnerApplicationID, secured.OwnerTableType, secured.OwnerReferenceID, secured.OwnerField,
             secured.CanRead || ((ActionPermission.Read & permission) == ActionPermission.Read)
             , secured.CanCreate || ((ActionPermission.Create & permission) == ActionPermission.Create)
             , secured.CanUpdate || ((ActionPermission.Update & permission) == ActionPermission.Update)
             , secured.CanDelete || ((ActionPermission.Delete & permission) == ActionPermission.Delete)
             , verified);
         return (bool)verified.Value;
예제 #59
        /// <summary>
        /// Occurs before the action method is invoked.
        /// </summary>
        /// <param name="actionContext">The action context.</param>
        public override void OnActionExecuting(HttpActionContext actionContext)
            var reflectedHttpActionDescriptor = ( ReflectedHttpActionDescriptor )actionContext.ActionDescriptor;

            var    controller          = actionContext.ActionDescriptor.ControllerDescriptor;
            string controllerClassName = controller.ControllerType.FullName;
            string actionMethod        = actionContext.Request.Method.Method;

            var      apiId = RestControllerService.GetApiId(reflectedHttpActionDescriptor.MethodInfo, actionMethod, controller.ControllerName);
            ISecured item  = RestActionCache.Get(apiId);

            if (item == null)
                // if there isn't a RestAction in the database, use the Controller as the secured item
                item = RestControllerCache.Get(controllerClassName);
                if (item == null)
                    item = new RestController();

            Person person = null;

            if (actionContext.Request.Properties.Keys.Contains("Person"))
                person = actionContext.Request.Properties["Person"] as Person;
                var principal = actionContext.Request.GetUserPrincipal();
                if (principal != null && principal.Identity != null)
                    using (var rockContext = new RockContext())
                        string    userName  = principal.Identity.Name;
                        UserLogin userLogin = null;
                        if (userName.StartsWith("rckipid="))
                            Rock.Model.PersonService personService      = new Model.PersonService(rockContext);
                            Rock.Model.Person        impersonatedPerson = personService.GetByImpersonationToken(userName.Substring(8));
                            if (impersonatedPerson != null)
                                userLogin = impersonatedPerson.GetImpersonatedUser();
                            var userLoginService = new Rock.Model.UserLoginService(rockContext);
                            userLogin = userLoginService.GetByUserName(userName);

                        if (userLogin != null)
                            person = userLogin.Person;
                            actionContext.Request.Properties.Add("Person", person);

                            /* 12/12/2019 BJW
                             * Setting this current person item was only done in put, post, and patch in the ApiController
                             * class. Set it here so that it is always set for all methods, including delete. This enhances
                             * history logging done in the pre and post save model hooks (when the pre-save event is called
                             * we can access DbContext.GetCurrentPersonAlias and log who deleted the record).
                             * Task: https://app.asana.com/0/1120115219297347/1153140643799337/f
                            System.Web.HttpContext.Current.AddOrReplaceItem("CurrentPerson", person);

            string action = actionMethod.Equals("GET", StringComparison.OrdinalIgnoreCase) ?
                            Rock.Security.Authorization.VIEW : Rock.Security.Authorization.EDIT;

            if (!item.IsAuthorized(action, person))
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
예제 #60
        /// <summary>
        /// Mies the allow all users.
        /// </summary>
        /// <param name="entity">The entity.</param>
        /// <param name="action">The action.</param>
        /// <param name="rockContext">The rock context.</param>
        private static void MyAllowAllUsers( ISecured entity, string action, RockContext rockContext )
            var authService = new AuthService( rockContext );

            // Delete any existing rules in database
            foreach ( Auth auth in authService
                .GetAuths( entity.TypeId, entity.Id, action ) )
                authService.Delete( auth );


            // Create the rule in the database
            Auth auth1 = new Auth();
            auth1.EntityTypeId = entity.TypeId;
            auth1.EntityId = entity.Id;
            auth1.Order = 0;
            auth1.Action = action;
            auth1.AllowOrDeny = "A";
            auth1.SpecialRole = SpecialRole.AllUsers;
            authService.Add( auth1 );


            // Reload the static dictionary for this action
            ReloadAction( entity.TypeId, entity.Id, action, rockContext );