예제 #1
0
        /// <summary>
        /// This function checks if the current user has enough access rights to execute that query.
        /// </summary>
        /// <returns>True if the user has access, false if access is denied.
        /// </returns>
        public new bool HasAccess(string ASQLStatement)
        {
            bool ReturnValue;

            System.Data.DataTable tab;
            String SQLStatement;

            System.Int32 Counter;
            System.Int32 EndOfNamePos;
            String       TableName;

            char[]    WhiteChar;
            DataRow[] FoundRows;
            String    RequiredAccessPermission;
            String    RequiredAccessPermission4GLName;
            String    SQLTablePrecedingKeyword;
            String    ErrorMessage;

            ReturnValue = false;
            try
            {
                // inherited
                if (HasAccess(ASQLStatement) == true)
                {
                    if (FRetrievingTablePermissions == true)
                    {
                        return(true);
                    }

                    SQLStatement = ASQLStatement.Trim().ToUpper();
                    TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: SQLStatement: " + SQLStatement);

                    // get all the access rights to the tables of the user
                    // TODO 2 oChristianK cThread safety : This is currently not threadsave and probably not the most efficient way to use cached data. Change this.
                    FRetrievingTablePermissions = true;


                    tab = FCache.GetDataTable(
                        this,
                        "SELECT s_can_create_l, s_can_modify_l, s_can_delete_l, s_can_inquire_l, s_table_name_c FROM PUB_s_user_table_access_permission WHERE s_user_id_c = '"
                        +
                        UserID + "'");

                    FRetrievingTablePermissions = false;
                    RequiredAccessPermission    = "";

                    if (SQLStatement.IndexOf("SELECT") == 0)
                    {
                        RequiredAccessPermission        = "s_can_inquire_l";
                        RequiredAccessPermission4GLName = "INQUIRE";
                        SQLTablePrecedingKeyword        = "FROM";
                        TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
                    }
                    else if (SQLStatement.IndexOf("UPDATE") == 0)
                    {
                        RequiredAccessPermission        = "s_can_modify_l";
                        RequiredAccessPermission4GLName = "MODIFY";
                        SQLTablePrecedingKeyword        = " ";
                        TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
                    }
                    else if (SQLStatement.IndexOf("INSERT") == 0)
                    {
                        RequiredAccessPermission        = "s_can_create_l";
                        RequiredAccessPermission4GLName = "CREATE";
                        SQLTablePrecedingKeyword        = "INTO";
                        TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
                    }
                    else if (SQLStatement.IndexOf("DELETE") == 0)
                    {
                        RequiredAccessPermission        = "s_can_delete_l";
                        RequiredAccessPermission4GLName = "DELETE";
                        SQLTablePrecedingKeyword        = "FROM";
                        TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Access permission: " + RequiredAccessPermission4GLName);
                    }
                    else
                    {
                        TLogging.Log("DBAccessSecurity: SQL query could not be recognised. Starting with: " + SQLStatement.Substring(0, 10));
                        throw new Exception("DBAccessSecurity: SQL query could not be recognised.");
                    }

                    if (RequiredAccessPermission.Length != 0)
                    {
                        TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: RequiredAccessPermission.Length <> 0");

                        WhiteChar = new char[] {
                            ',', ')', '.', ' '
                        };

                        Counter = SQLStatement.IndexOf(SQLTablePrecedingKeyword);

                        if (Counter == -1)
                        {
                            TLogging.Log(
                                "DBAccessSecurity: SQL query could not be recognised. Keyword that should precede the DB table name (" +
                                SQLTablePrecedingKeyword + ") was not found!");
                            throw new Exception("DBAccessSecurity: SQL query could not be recognised.");
                        }

                        ReturnValue = true;

                        while (Counter != -1)
                        {
                            Counter = SQLStatement.IndexOf("PUB_", Counter);

                            if (Counter != -1)
                            {
                                EndOfNamePos = SQLStatement.IndexOfAny(WhiteChar, Counter);

                                if (EndOfNamePos == -1)
                                {
                                    EndOfNamePos = SQLStatement.Length;
                                }

                                TableName = SQLStatement.Substring(Counter + 4, EndOfNamePos - Counter - 4).Trim();
                                TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: Table name: " + TableName);

                                Counter = Counter + TableName.Length;

                                if (TableName == "S_USER_DEFAULTS")
                                {
                                    // always allow access to the s_user_defaults
                                    // strangely enough, that is not in the table s_user_table_access_permission
                                }
                                else if ((RequiredAccessPermission == "s_can_inquire_l") &&
                                         (TableName == "S_USER_MODULE_ACCESS_PERMISSION"))
                                {
                                    // always allow INQUIRE access to the
                                    // s_user_module_access_permission table
                                }
                                else
                                {
                                    // test for DB table
                                    FoundRows = tab.Select("s_table_name_c = '" + TableName + "'");

                                    if (FoundRows.Length == 0)
                                    {
                                        ErrorMessage = String.Format(Catalog.GetString(
                                                                         "You do not have permission to access {0}."), TableName.ToLower());
                                        TLogging.Log(StrAccessDeniedLogPrefix + ErrorMessage);
                                        LogInPetraErrorLog(ErrorMessage);
                                        TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: logged access error in DB Log Table.");

                                        throw new ESecurityDBTableAccessDeniedException(String.Format(ErrorMessage,
                                                                                                      RequiredAccessPermission4GLName.ToLower(), TableName.ToLower()),
                                                                                        RequiredAccessPermission4GLName.ToLower(), TableName.ToLower());
                                    }

                                    // test for access permission
                                    if (Convert.ToBoolean(FoundRows[0][RequiredAccessPermission]) == false)
                                    {
                                        ErrorMessage = String.Format(Catalog.GetString("You do not have permission to {0} {1} records."),
                                                                     RequiredAccessPermission4GLName.ToLower(),
                                                                     TableName.ToLower());
                                        TLogging.Log(StrAccessDeniedLogPrefix + ErrorMessage);
                                        LogInPetraErrorLog(ErrorMessage);
                                        TLogging.LogAtLevel(10, "TDataBasePetra.HasAccess: logged access error in DB Log Table.");

                                        throw new ESecurityDBTableAccessDeniedException(ErrorMessage,
                                                                                        RequiredAccessPermission4GLName.ToLower(), TableName.ToLower());
                                    }
                                }
                            }
                        }
                    }
                }
            }
            catch
            {
                throw;
            }

            return(ReturnValue);
        }