예제 #1
        /// <summary>
        /// Resolves the type-level permissions that apply to the given entity's type.
        /// </summary>
        /// <param name="context">Operation context handed to each conditional permission's <c>IsActive</c> check.</param>
        /// <param name="entity">Entity metadata; its <c>EntityType</c> selects the permission set.</param>
        /// <returns>
        /// <c>UserEntityTypePermission.Empty</c> when no permission set exists for the type; the set's
        /// <c>FixedTypePermissions</c> when that is non-null; otherwise a new instance merged from every
        /// conditional permission that is active for <paramref name="context"/>.
        /// </returns>
        /// <remarks>
        /// Record-level filters are not evaluated here. The computed result copies <c>HasFilter</c> from
        /// the permission set, so a result with <c>HasFilter</c> set describes type-level access only and
        /// is not by itself a decision about any particular record.
        /// </remarks>
        public UserEntityTypePermission GetEntityTypePermissions(OperationContext context, EntityInfo entity)
        {
            var permissionSet = GetEntityPermissionSet(entity.EntityType);
            if (permissionSet == null)
            {
                // No permission set registered for this type: hand back the shared Empty instance.
                return UserEntityTypePermission.Empty;
            }

            // A fixed (precomputed) result short-circuits the per-context evaluation below.
            var fixedPermissions = permissionSet.FixedTypePermissions;
            if (fixedPermissions != null)
            {
                return fixedPermissions;
            }

            // Build the answer from the conditional grants that are active right now.
            // Record-level filters are intentionally left out of a type-level computation.
            var merged = new UserEntityTypePermission();
            foreach (var conditional in permissionSet.ConditionalPermissions)
            {
                if (!conditional.IsActive(context))
                {
                    continue;
                }
                merged.Merge(conditional.RecordPermission);
            }

            // Carry the filter flag over so the consumer can tell that record-level rules exist.
            merged.HasFilter = permissionSet.HasFilter;
            return merged;
        }
예제 #2
        // Private utilities ========================================================================

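        /// <summary>
        /// Decides whether the current user may perform <paramref name="accessType"/> on the entity type.
        /// </summary>
        /// <param name="entity">Entity metadata whose flags and type are checked.</param>
        /// <param name="accessType">The access type(s) being requested.</param>
        /// <param name="permissions">
        /// Receives the permissions returned by the user's authority. On the bypass path (system user or
        /// <c>EntityFlags.BypassAuthorization</c>) it is set to <c>UserEntityTypePermission.Empty</c> even
        /// though the method returns <c>true</c>, so callers should rely on the return value rather than
        /// on this object to learn whether access was granted.
        /// </param>
        /// <returns><c>true</c> when access is allowed; <c>false</c> when it is denied and no exception was raised.</returns>
        private bool CheckEntityAccess(EntityInfo entity, AccessType accessType, out UserEntityTypePermission permissions)
        {
            // The system user and entities flagged BypassAuthorization are never evaluated.
            if (Context.User.Kind == UserKind.System || entity.Flags.IsSet(EntityFlags.BypassAuthorization))
            {
                permissions = UserEntityTypePermission.Empty;
                return true;
            }

            permissions = Context.User.Authority.GetEntityTypePermissions(Context, entity);
            if (permissions.AccessTypes.IsSet(accessType))
            {
                return true;
            }

            // NOTE(review): the original computed an unused local, isReadAction, at this point; it was
            // removed as dead code. As written, DenyReadAction governs every denied access type, not only
            // reads: when it is not Throw, a denied non-read request also just returns false. Confirm that
            // this is intended and that every caller checks the return value.
            if (this.DenyReadAction == DenyReadActionType.Throw)
            {
                // Presumably raises an access-denied exception - confirm against AccessDenied.
                AccessDenied(accessType, entity, permissions);
            }
            return false;
        }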
예제 #3
 //this overload saves us some cycles when we know already entity type access and there's no record-level access
 /// <summary>
 /// Checks access to a single record when the type-level permissions are already known.
 /// </summary>
 /// <param name="record">Record being accessed; its <c>UserPermissions</c> is assigned on most paths.</param>
 /// <param name="accessType">The access type(s) being requested.</param>
 /// <param name="typePermissions">Type-level permissions previously resolved for the record's entity type.</param>
 /// <returns><c>true</c> when access is allowed; <c>false</c> after <c>AccessDenied</c> returns.</returns>
 private bool CheckRecordAccess(EntityRecord record, AccessType accessType, UserEntityTypePermission typePermissions)
 {
     // NOTE(review): this shortcut applies to every accessType, not only reads, and leaves
     // record.UserPermissions untouched - confirm callers only reach it for read access.
     if (this.ReadUnrestricted)
     {
         return true;
     }

     // The system user gets full rights stamped onto the record.
     var isSystemUser = Context.User.Kind == UserKind.System;
     if (isSystemUser)
     {
         record.UserPermissions = UserRecordPermission.AllowAll;
         return true;
     }

     // Record-level filters exist, so the type-level answer is not enough:
     // defer to the two-argument overload.
     if (typePermissions.HasFilter)
     {
         return CheckRecordAccess(record, accessType);
     }

     // No filters: the record inherits the type-level rights as-is.
     record.UserPermissions = typePermissions;
     var granted = typePermissions.AccessTypes.IsSet(accessType);
     if (!granted)
     {
         // NOTE(review): unlike CheckEntityAccess, this call is not gated on DenyReadAction here;
         // AccessDenied may apply that policy itself - confirm.
         AccessDenied(accessType, record);
     }
     return granted;
 }