/// <summary>
/// Returns the entity-type-level permissions for <paramref name="entity"/> in the given context.
/// </summary>
/// <param name="context">Operation context passed to each conditional permission's IsActive check.</param>
/// <param name="entity">Entity whose EntityType is used to look up the permission set.</param>
/// <returns>
/// <c>UserEntityTypePermission.Empty</c> when no permission set exists for the entity type;
/// the set's FixedTypePermissions when that is non-null; otherwise a new instance built by
/// merging the RecordPermission of every conditional permission that is active for the context.
/// </returns>
/// <remarks>
/// Record-level filters are not evaluated here; only HasFilter is copied onto the computed result.
/// NOTE(review): presumably callers follow up with a record-level check when HasFilter is set,
/// since the merged result is not restricted by any filter. Confirm against callers.
/// </remarks>
public UserEntityTypePermission GetEntityTypePermissions(OperationContext context, EntityInfo entity) {
    var permissionSet = GetEntityPermissionSet(entity.EntityType);

    // No permission set for this entity type: nothing is granted.
    if (permissionSet == null) {
        return UserEntityTypePermission.Empty;
    }

    // Fixed permissions do not depend on the context, so no computation is needed.
    if (permissionSet.FixedTypePermissions != null) {
        return permissionSet.FixedTypePermissions;
    }

    // Compute the permissions; record-level filters are ignored for type-level access.
    var computed = new UserEntityTypePermission();
    foreach (var conditional in permissionSet.ConditionalPermissions) {
        if (!conditional.IsActive(context)) {
            continue;
        }
        computed.Merge(conditional.RecordPermission);
    }

    // Set after merging so the flag reflects the permission set.
    computed.HasFilter = permissionSet.HasFilter;
    return computed;
}
// Private utilities ========================================================================

/// <summary>
/// Checks whether the current user holds <paramref name="accessType"/> on the entity type.
/// </summary>
/// <param name="entity">Entity type being accessed.</param>
/// <param name="accessType">Access type(s) that must be set in the user's type-level permissions.</param>
/// <param name="permissions">
/// Type-level permissions obtained from the user's Authority. On the bypass path (system user
/// or an entity flagged BypassAuthorization) this is <c>UserEntityTypePermission.Empty</c>
/// even though the method returns true, so it must not be read as "what the user may do".
/// </param>
/// <returns>True when access is allowed or authorization is bypassed; false otherwise.</returns>
private bool CheckEntityAccess(EntityInfo entity, AccessType accessType, out UserEntityTypePermission permissions) {
    // System users and entities flagged BypassAuthorization skip the permission lookup.
    var skipAuthorization = Context.User.Kind == UserKind.System
        || entity.Flags.IsSet(EntityFlags.BypassAuthorization);
    if (skipAuthorization) {
        permissions = UserEntityTypePermission.Empty;
        return true;
    }

    permissions = Context.User.Authority.GetEntityTypePermissions(Context, entity);
    var granted = permissions.AccessTypes.IsSet(accessType);
    if (granted) {
        return true;
    }

    // NOTE(review): isReadAction is computed but never used. As written, DenyReadAction alone
    // decides whether AccessDenied is called, for every access type. A denied non-read access
    // therefore only returns false when DenyReadAction is not Throw. Confirm this is intended
    // and that every caller checks the returned value.
    var isReadAction = accessType.IsSet(AccessType.Read);
    if (this.DenyReadAction == DenyReadActionType.Throw) {
        AccessDenied(accessType, entity, permissions);
    }
    return false;
}
// This overload saves some cycles when the entity-type access is already known
// and there is no record-level access to evaluate.

/// <summary>
/// Checks <paramref name="accessType"/> on a record, reusing type-level permissions already computed.
/// </summary>
/// <param name="record">Record being accessed; its UserPermissions is assigned on some paths.</param>
/// <param name="accessType">Access type(s) being requested.</param>
/// <param name="typePermissions">Type-level permissions for the record's entity type.</param>
/// <returns>True when access is allowed; false after AccessDenied has been called.</returns>
private bool CheckRecordAccess(EntityRecord record, AccessType accessType, UserEntityTypePermission typePermissions) {
    // NOTE(review): this returns true for every accessType, not only reads, and leaves
    // record.UserPermissions unassigned. Confirm this overload is reached only for read access
    // when ReadUnrestricted is set.
    if (this.ReadUnrestricted) {
        return true;
    }

    // The system user gets full rights on the record.
    if (Context.User.Kind == UserKind.System) {
        record.UserPermissions = UserRecordPermission.AllowAll;
        return true;
    }

    // A filter means the type-level answer is not sufficient; defer to the two-argument overload.
    if (typePermissions.HasFilter) {
        return CheckRecordAccess(record, accessType);
    }

    // Otherwise, assume record rights are the same as type access.
    record.UserPermissions = typePermissions;
    var allowed = typePermissions.AccessTypes.IsSet(accessType);
    if (!allowed) {
        // NOTE(review): this relies on AccessDenied to report or raise the denial; the false
        // return value only matters to callers if AccessDenied returns normally.
        AccessDenied(accessType, record);
    }
    return allowed;
}