예제 #1
0
        /// <summary>
        /// Resolves the permissions.
        /// </summary>
        /// <param name="scope">The scope.</param>
        /// <param name="recordSet">The record set.</param>
        /// <param name="sids">The sids.</param>
        /// <returns></returns>
        private static PermissionRecord ResolvePermissions(string scope, PermissionRecordSet recordSet, string[] sids)
        {
            //string[] roles = ProfileContext.Current.GetRolesForUser();

            PermissionRecord returnPR = new PermissionRecord();
            PermissionRecord pr       = null;

            if (sids != null)
            {
                foreach (string sid in sids)
                {
                    pr = recordSet[PermissionHelper.CreatePermissionKey(scope, sid)];
                    if (pr != null)
                    {
                        returnPR.Merge(pr);
                    }
                }
            }

            return(returnPR);
        }
예제 #2
0
        /// <summary>
        /// Checks permissions in the following order:
        /// 1. Check permissions for the organization active user belongs to.
        /// 2. Check permissions for the role user belongs to.
        /// 3. Check permissions for the user himself.
        ///
        /// The later check overrides the previous one if permission is explicitely defined.
        /// </summary>
        /// <param name="scope"></param>
        /// <param name="permission"></param>
        /// <param name="recordSet"></param>
        /// <returns></returns>
        public static bool CheckPermission(string scope, Permission permission, PermissionRecordSet recordSet)
        {
            bool             allow            = true;
            PermissionRecord permissionRecord = null;

            // Administrator has unlimited access rights
            if (Roles.IsUserInRole("Administrator"))
            {
                return(true);
            }

            //return true; // for development return true always
            // Step 1: check organization
            CustomerProfile profile = ProfileContext.Current.Profile;

            if (profile != null)
            {
                // check if user is anonymous, if so just check roles
                if (profile.IsAnonymous)
                {
                    return(CheckAnonymous(scope, permission, recordSet));

                    //string[] roles = ProfileContext.Current.GetRolesForUser();
                }

                Account account = profile.Account;
                if (account == null) // if no account exists, continue to check as if user is anonymous
                {
                    return(CheckAnonymous(scope, permission, recordSet));
                }

                permissionRecord = ResolvePermissions(scope, recordSet, new string[1] {
                    account.Organization.PrincipalId.ToString()
                });
                if (permissionRecord != null)
                {
                    allow = permissionRecord.GetBit(permission);
                }
            }

            // Step 2: check roles
            string[] roles = ProfileContext.Current.GetRolesForUser();
            if (roles != null)
            {
                permissionRecord = ResolvePermissions(scope, recordSet, roles);
                if (permissionRecord != null)
                {
                    allow = permissionRecord.GetBit(permission);
                }
            }


            // Step 3: check user
            permissionRecord = ResolvePermissions(scope, recordSet, new string[1] {
                ProfileContext.Current.UserId.ToString()
            });
            if (permissionRecord != null)
            {
                allow = permissionRecord.GetBit(permission);
            }

            //ProfileContext.Current.GetAccount()
            return(allow);
        }
예제 #3
0
 /// <summary>
 /// This method merges the supplied permissions with the current permissions to come up with an
 /// updated permission set. The logic is that and Implied Allow overrides an Implied Deny, but
 /// and Explicit Deny overrides an Implicit Allow, while an Explicit Allow overrides an Explicit
 /// Deny. This gives us a least restrictive security system.
 /// </summary>
 /// <param name="permissionRecord">The permission to merge with the current permission set</param>
 public void Merge(PermissionRecord permissionRecord)
 {
     this._allowMask |= permissionRecord.AllowMask;
     this._denyMask  |= permissionRecord.DenyMask;
 }