/// <summary>
/// This function checks if the current user has enough access rights to execute that query.
/// </summary>
/// <returns>True if the user has access, false if access is denied.
/// </returns>
public new bool HasAccess(string ASQLStatement)
{
bool ReturnValue;
System.Data.DataTable tab;
String SQLStatement;
System.Int32 Counter;
System.Int32 EndOfNamePos;
String TableName;
char[] WhiteChar;
DataRow[] FoundRows;
String RequiredAccessPermission;
String RequiredAccessPermission4GLName;
String SQLTablePrecedingKeyword;
String ErrorMessage;
ReturnValue = false;
try
{
// inherited
if (HasAccess(ASQLStatement) == true)
{
if (FRetrievingTablePermissions == true)
{
return(true);
}
SQLStatement = ASQLStatement.Trim().ToUpper();
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: SQLStatement: " + SQLStatement);
// get all the access rights to the tables of the user
// TODO 2 oChristianK cThread safety : This is currently not threadsave and probably not the most efficient way to use cached data. Change this.
FRetrievingTablePermissions = true;
tab = FCache.GetDataTable(
this,
"SELECT s_can_create_l, s_can_modify_l, s_can_delete_l, s_can_inquire_l, s_table_name_c FROM PUB_s_user_table_access_permission WHERE s_user_id_c = '"
+
UserID + "'");
FRetrievingTablePermissions = false;
RequiredAccessPermission = "";
if (SQLStatement.IndexOf("SELECT") == 0)
{
RequiredAccessPermission = "s_can_inquire_l";
RequiredAccessPermission4GLName = "INQUIRE";
SQLTablePrecedingKeyword = "FROM";
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
}
else if (SQLStatement.IndexOf("UPDATE") == 0)
{
RequiredAccessPermission = "s_can_modify_l";
RequiredAccessPermission4GLName = "MODIFY";
SQLTablePrecedingKeyword = " ";
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
}
else if (SQLStatement.IndexOf("INSERT") == 0)
{
RequiredAccessPermission = "s_can_create_l";
RequiredAccessPermission4GLName = "CREATE";
SQLTablePrecedingKeyword = "INTO";
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
}
else if (SQLStatement.IndexOf("DELETE") == 0)
{
RequiredAccessPermission = "s_can_delete_l";
RequiredAccessPermission4GLName = "DELETE";
SQLTablePrecedingKeyword = "FROM";
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
}
else
{
TLogging.Log("DBAccessSecurity: SQL query could not be recognised. Starting with: " + SQLStatement.Substring(0, 10));
throw new Exception("DBAccessSecurity: SQL query could not be recognised.");
}
if (RequiredAccessPermission.Length != 0)
{
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: RequiredAccessPermission.Length <> 0");
WhiteChar = new char[] {
',', ')', '.', ' '
};
Counter = SQLStatement.IndexOf(SQLTablePrecedingKeyword);
if (Counter == -1)
{
TLogging.Log(
"DBAccessSecurity: SQL query could not be recognised. Keyword that should precede the DB table name (" +
SQLTablePrecedingKeyword + ") was not found!");
throw new Exception("DBAccessSecurity: SQL query could not be recognised.");
}
ReturnValue = true;
while (Counter != -1)
{
Counter = SQLStatement.IndexOf("PUB_", Counter);
if (Counter != -1)
{
EndOfNamePos = SQLStatement.IndexOfAny(WhiteChar, Counter);
if (EndOfNamePos == -1)
{
EndOfNamePos = SQLStatement.Length;
}
TableName = SQLStatement.Substring(Counter + 4, EndOfNamePos - Counter - 4).Trim();
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Table name: " + TableName);
Counter = Counter + TableName.Length;
if (TableName == "S_USER_DEFAULTS")
{
// always allow access to the s_user_defaults
// strangely enough, that is not in the table s_user_table_access_permission
}
else if ((RequiredAccessPermission == "s_can_inquire_l") &&
(TableName == "S_USER_MODULE_ACCESS_PERMISSION"))
{
// always allow INQUIRE access to the
// s_user_module_access_permission table
}
else
{
// test for DB table
FoundRows = tab.Select("s_table_name_c = '" + TableName + "'");
if (FoundRows.Length == 0)
{
ErrorMessage = String.Format(Catalog.GetString(
"You do not have permission to access {0}."), TableName.ToLower());
TLogging.Log(StrAccessDeniedLogPrefix + ErrorMessage);
LogInPetraErrorLog(ErrorMessage);
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: logged access error in DB Log Table.");
throw new ESecurityDBTableAccessDeniedException(String.Format(ErrorMessage,
RequiredAccessPermission4GLName.ToLower(), TableName.ToLower()),
RequiredAccessPermission4GLName.ToLower(), TableName.ToLower());
}
// test for access permission
if (Convert.ToBoolean(FoundRows[0][RequiredAccessPermission]) == false)
{
ErrorMessage = String.Format(Catalog.GetString("You do not have permission to {0} {1} records."),
RequiredAccessPermission4GLName.ToLower(),
TableName.ToLower());
TLogging.Log(StrAccessDeniedLogPrefix + ErrorMessage);
LogInPetraErrorLog(ErrorMessage);
TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: logged access error in DB Log Table.");
throw new ESecurityDBTableAccessDeniedException(ErrorMessage,
RequiredAccessPermission4GLName.ToLower(), TableName.ToLower());
}
}
}
}
}
}
}
catch
{
throw;
}
return(ReturnValue);
}
