/// <summary>
/// Resolves the permissions.
/// </summary>
/// <param name="scope">The scope.</param>
/// <param name="recordSet">The record set.</param>
/// <param name="sids">The sids.</param>
/// <returns></returns>
private static PermissionRecord ResolvePermissions(string scope, PermissionRecordSet recordSet, string[] sids)
{
//string[] roles = ProfileContext.Current.GetRolesForUser();
PermissionRecord returnPR = new PermissionRecord();
PermissionRecord pr = null;
if (sids != null)
{
foreach (string sid in sids)
{
pr = recordSet[PermissionHelper.CreatePermissionKey(scope, sid)];
if (pr != null)
{
returnPR.Merge(pr);
}
}
}
return(returnPR);
}
/// <summary>
/// Checks permissions in the following order:
/// 1. Check permissions for the organization active user belongs to.
/// 2. Check permissions for the role user belongs to.
/// 3. Check permissions for the user himself.
///
/// The later check overrides the previous one if permission is explicitely defined.
/// </summary>
/// <param name="scope"></param>
/// <param name="permission"></param>
/// <param name="recordSet"></param>
/// <returns></returns>
public static bool CheckPermission(string scope, Permission permission, PermissionRecordSet recordSet)
{
bool allow = true;
PermissionRecord permissionRecord = null;
// Administrator has unlimited access rights
if (Roles.IsUserInRole("Administrator"))
{
return(true);
}
//return true; // for development return true always
// Step 1: check organization
CustomerProfile profile = ProfileContext.Current.Profile;
if (profile != null)
{
// check if user is anonymous, if so just check roles
if (profile.IsAnonymous)
{
return(CheckAnonymous(scope, permission, recordSet));
//string[] roles = ProfileContext.Current.GetRolesForUser();
}
Account account = profile.Account;
if (account == null) // if no account exists, continue to check as if user is anonymous
{
return(CheckAnonymous(scope, permission, recordSet));
}
permissionRecord = ResolvePermissions(scope, recordSet, new string[1] {
account.Organization.PrincipalId.ToString()
});
if (permissionRecord != null)
{
allow = permissionRecord.GetBit(permission);
}
}
// Step 2: check roles
string[] roles = ProfileContext.Current.GetRolesForUser();
if (roles != null)
{
permissionRecord = ResolvePermissions(scope, recordSet, roles);
if (permissionRecord != null)
{
allow = permissionRecord.GetBit(permission);
}
}
// Step 3: check user
permissionRecord = ResolvePermissions(scope, recordSet, new string[1] {
ProfileContext.Current.UserId.ToString()
});
if (permissionRecord != null)
{
allow = permissionRecord.GetBit(permission);
}
//ProfileContext.Current.GetAccount()
return(allow);
}
/// <summary>
/// This method merges the supplied permissions with the current permissions to come up with an
/// updated permission set. The logic is that and Implied Allow overrides an Implied Deny, but
/// and Explicit Deny overrides an Implicit Allow, while an Explicit Allow overrides an Explicit
/// Deny. This gives us a least restrictive security system.
/// </summary>
/// <param name="permissionRecord">The permission to merge with the current permission set</param>
public void Merge(PermissionRecord permissionRecord)
{
this._allowMask |= permissionRecord.AllowMask;
this._denyMask |= permissionRecord.DenyMask;
}