/// <summary>
/// Pre-save hook that authorizes the pending write for the current user's claims.
/// Returns immediately when <c>e.SkipSecurity</c> is set; otherwise any result other than
/// <c>PermissionLevel.Authorized</c> is handed to <c>IAuthentication.ThrowAccessDenied</c>.
/// </summary>
/// <param name="sender">Event source; not used by this handler.</param>
/// <param name="e">Save event arguments carrying the entity, its dataset and the call parameters.</param>
void OnBeforeSave(object sender, OnBeforeSaveEventArgs e)
{
    // NOTE(review): this flag disables every check below. Confirm it can only be set by
    // trusted server-side callers and never derived from request data.
    if (e.SkipSecurity)
    {
        return;
    }

    var authentication = ApplicationSettings.Container.Resolve<IAuthentication>();
    var claims = authentication.GetCurrentUserClaims();

    // NOTE(review): the 'as' cast yields null when ObjectsDataSet is not an ObjectsDataSet instance;
    // how CheckWriteAuthorizationsOnDataSet treats a null dataset is not visible here (verify it denies).
    var dataset = e.Entity.ObjectsDataSet as ObjectsDataSet;

    string denialReason;

    bool removeFromDataSetMode = AppSettings.Get<bool>("DataSetAuthorizationCheckModeRemoveFromDataSet");
    if (removeFromDataSetMode)
    {
        // With the 'remove from dataset' option enabled, the context/main entity is checked explicitly
        // first so that an unauthorized save of it is rejected rather than quietly skipped.
        SecurityPredicate predicate;
        var entityAuthorizer = ApplicationSettings.Container.Resolve<IAuthorizations>();
        var entityPermission = entityAuthorizer.CanUpdate(e.Entity, claims, out denialReason, out predicate);

        if (entityPermission != PermissionLevel.Authorized)
        {
            // NOTE(review): denial relies on ThrowAccessDenied not returning; if it ever returned,
            // execution would continue to the dataset check below.
            string entityDenialText = String.IsNullOrEmpty(denialReason) ? "unauthorized access" : denialReason;
            authentication.ThrowAccessDenied(new GOServerException("accessDenied", entityDenialText, new ForbiddenAccessException("forbidden access")));
        }
    }

    // The whole dataset is authorized because a single Save() can embed several saves and deletes.
    var datasetAuthorizer = ApplicationSettings.Container.Resolve<IAuthorizations>();
    var datasetPermission = datasetAuthorizer.CheckWriteAuthorizationsOnDataSet(dataset, claims, e.Parameters, out denialReason);

    if (datasetPermission != PermissionLevel.Authorized)
    {
        // NOTE(review): this is the last gate before the save; it too relies on ThrowAccessDenied throwing.
        string datasetDenialText = String.IsNullOrEmpty(denialReason) ? "unauthorized access" : denialReason;
        authentication.ThrowAccessDenied(new GOServerException("accessDenied", datasetDenialText, new ForbiddenAccessException("forbidden access")));
    }

    // e.FilterExpression is deliberately not set here: one saveset may mix entities that each have
    // a different security data filter, and CheckWriteAuthorizationsOnDataSet has already applied
    // the filter(s) across the entire dataset.
}
예제 #2
 /// <summary>
 /// IDataProviderExtension&lt;GOUserDataObject&gt; OnBeforeSave extension.
 /// Hooks into GOUserDataObject.Save() so the password is passed through GetMD5Hash before it is stored.
 /// New users are always hashed. Existing users are hashed unless the ValidatingUser parameter is present
 /// or a stored row already matches the submitted UserName/Password pair.
 /// </summary>
 /// <remarks>
 /// NOTE(review): GetMD5Hash is defined outside this snippet. If it is a plain MD5 digest, as its name
 /// suggests, it is not adequate for password storage (fast to compute, presumably unsalted); plan a
 /// migration to a salted, deliberately slow scheme such as PBKDF2 or Argon2.
 /// </remarks>
 /// <param name="sender">Event source; not used by this handler.</param>
 /// <param name="e">Save event arguments carrying the entity and the call parameters.</param>
 void OnBeforeSaveGOUser(object sender, OnBeforeSaveEventArgs e)
 {
     // A null entity, or one that is not a GOUserDataObject, is left untouched.
     var user = e.Entity as GOUserDataObject;
     if (user == null)
     {
         return;
     }

     if (user.IsNew)
     {
         user.Password = GetMD5Hash(user.Password);
         return;
     }

     if (e.Parameters.ContainsKey(ValidatingUser))
     {
         return;
     }

     // NOTE(review): UserName and Password are concatenated into the filter expression without escaping,
     // so a value containing a double quote can change the predicate, and the lookup runs with
     // skipSecurity: true. A match means the value is stored without hashing. Prefer a parameterised
     // filter or typed lookup if the data provider offers one (not visible here; confirm).
     var storedMatches = DataFacade.GOUserDataProvider.GetCollection(
         null,
         "UserName = \"" + user.UserName + "\" && Password = \"" + user.Password + "\"",
         null,
         parameters: e.Parameters,
         skipSecurity: true);

     bool alreadyStoredValue = storedMatches.Any();
     if (!alreadyStoredValue)
     {
         // No row holds this exact value, so it is treated as a new plaintext password and hashed.
         user.Password = GetMD5Hash(user.Password);
     }
     // Otherwise the submitted value equals what the database already holds and is left as-is.
 }