/// <summary>
/// Rewrites a pending DELETE command tree so that it can only affect rows owned by the
/// current user: an equality on the entity's user column is AND-ed onto the existing
/// WHERE predicate. Command trees whose target entity has no user column are left as-is.
/// </summary>
/// <param name="interceptionContext">
/// Interception context whose <c>Result</c> holds the command tree about to run; the
/// result is replaced in place when a user filter is added.
/// </param>
private static void InterceptDeleteCommand(DbCommandTreeInterceptionContext interceptionContext)
{
    var deleteTree = interceptionContext.Result as DbDeleteCommandTree;
    if (deleteTree == null)
    {
        // Not a delete command; nothing to rewrite.
        return;
    }

    var userColumn = UserAwareAttribute.GetUserColumnName(deleteTree.Target.VariableType.EdmType);
    if (string.IsNullOrEmpty(userColumn))
    {
        // Target entity is not user-aware; no ownership filter applies.
        return;
    }

    // NOTE(review): unlike InterceptUpdate, this path does not call
    // Security.ValidateCurrentUser() before resolving the user id; confirm that
    // GetCurrentUserId() performs an equivalent check (it is expected to throw
    // when no current user is available).
    var currentUserId = GetCurrentUserId();

    // Reference the row being deleted so the user column can be addressed as a property.
    var rowReference = DbExpressionBuilder.Variable(deleteTree.Target.VariableType, deleteTree.Target.VariableName);
    var userColumnProperty = DbExpressionBuilder.Property(rowReference, userColumn);

    // Object form of "... AND <userColumn> = <currentUserId>" appended to the original WHERE.
    var ownershipPredicate = DbExpressionBuilder.Equal(userColumnProperty, DbExpression.FromInt32(currentUserId));
    var restrictedPredicate = deleteTree.Predicate.And(ownershipPredicate);

    interceptionContext.Result = new DbDeleteCommandTree(
        deleteTree.MetadataWorkspace,
        deleteTree.DataSpace,
        deleteTree.Target,
        restrictedPredicate);
}
/// <summary>
/// Rewrites a pending UPDATE command tree so that it only touches rows owned by the
/// current user, and strips any SET clause that would reassign the user column.
/// </summary>
/// <param name="interceptionContext">
/// Interception context whose <c>Result</c> holds the command tree about to run; the
/// result is replaced in place when a user filter is added.
/// </param>
/// <returns>
/// <c>true</c> when the command was a user-aware update and has been replaced;
/// <c>false</c> when it was not an update command or its target has no user column.
/// </returns>
private static bool InterceptUpdate(DbCommandTreeInterceptionContext interceptionContext)
{
    var updateTree = interceptionContext.Result as DbUpdateCommandTree;
    if (updateTree == null)
    {
        // Not an update command; leave it for other handlers.
        return false;
    }

    var userColumn = UserAwareAttribute.GetUserColumnName(updateTree.Target.VariableType.EdmType);
    if (string.IsNullOrEmpty(userColumn))
    {
        // Target entity is not user-aware; no ownership filter applies.
        return false;
    }

    // Reject the request before touching the tree when the caller is not a valid user;
    // GetCurrentUserId is expected to throw when no user id is available.
    Security.ValidateCurrentUser();
    var currentUserId = GetCurrentUserId();

    // Reference the row being updated so the user column can be addressed as a property.
    var rowReference = DbExpressionBuilder.Variable(updateTree.Target.VariableType, updateTree.Target.VariableName);
    var userColumnProperty = DbExpressionBuilder.Property(rowReference, userColumn);

    // Object form of "<userColumn> = <currentUserId>".
    var ownershipPredicate = DbExpressionBuilder.Equal(userColumnProperty, DbExpression.FromInt32(currentUserId));

    // Drop any SET clause targeting the user column so a row cannot be re-owned through
    // an update, then rebuild the read-only clause list the command tree expects.
    var keptSetClauses = updateTree.SetClauses
        .Cast<DbSetClause>()
        .Where(clause => !string.Equals(((DbPropertyExpression)clause.Property).Property.Name, userColumn, StringComparison.Ordinal))
        .ToList<DbModificationClause>()
        .AsReadOnly();

    // Append "... AND <userColumn> = <currentUserId>" to the original WHERE predicate.
    var restrictedPredicate = updateTree.Predicate.And(ownershipPredicate);

    interceptionContext.Result = new DbUpdateCommandTree(
        updateTree.MetadataWorkspace,
        updateTree.DataSpace,
        updateTree.Target,
        restrictedPredicate,
        keptSetClauses,
        updateTree.Returning);

    // The interception succeeded, so the caller does not need to continue.
    return true;
}
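/// <summary>
/// Appends the per-user filter to every scan of a user-aware entity set. Scans of
/// entities without a user column, and scans performed by a caller in the
/// "Administrator" role, are returned unchanged.
/// </summary>
/// <param name="expression">The scan expression produced by the query pipeline.</param>
/// <returns>
/// The (possibly base-visited) scan when no filter applies, otherwise the expression
/// produced by <c>BuildFilterExpression</c>; the scan itself when that helper returns null.
/// </returns>
/// <exception cref="SecurityException">
/// Thrown when the current thread has no principal, its identity is not an authenticated
/// <see cref="ClaimsIdentity"/>, or that identity carries no
/// <see cref="ClaimTypes.NameIdentifier"/> claim.
/// </exception>
public override DbExpression Visit(DbScanExpression expression)
{
    expression = (DbScanExpression)base.Visit(expression);

    var column = UserAwareAttribute.GetUserColumnName(expression.Target.ElementType);
    if (string.IsNullOrEmpty(column))
    {
        // Not a user-aware entity: nothing to filter.
        return expression;
    }

    // Fail closed. A null principal, a non-claims identity, an identity without an
    // authentication type, or one lacking a user id claim all surface as SecurityException
    // rather than a NullReferenceException or an unfiltered scan.
    var principal = Thread.CurrentPrincipal;
    var identity = principal == null ? null : principal.Identity as ClaimsIdentity;
    if (identity == null || !identity.IsAuthenticated)
    {
        throw new SecurityException("Unauthenticated access");
    }

    // SingleOrDefault is deliberate: more than one NameIdentifier claim is an ambiguous
    // identity and must not silently resolve to the first one.
    var userIdClaim = identity.Claims.SingleOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
    if (userIdClaim == null)
    {
        throw new SecurityException("Unauthenticated access");
    }

    // Administrators see all rows; the bypass is evaluated only after the identity
    // checks above have passed.
    if (principal.IsInRole("Administrator"))
    {
        return expression;
    }

    var currentExpressionBinding = DbExpressionBuilder.Bind(expression);
    var newFilterExpression = BuildFilterExpression(currentExpressionBinding, column);
    if (newFilterExpression != null)
    {
        // A new DbFilterExpression carrying the user filter replaces the bare scan.
        return newFilterExpression;
    }

    // The helper had nothing to add; keep the original scan.
    return expression;
}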
/// <summary>
/// Appends the per-user filter to scans of user-aware entity sets. The current user is
/// validated through <c>Security.ValidateCurrentUser()</c> before any filter is built;
/// scans of entities without a user column are returned unchanged.
/// </summary>
/// <param name="expression">The scan expression produced by the query pipeline.</param>
/// <returns>
/// The (possibly base-visited) scan when no filter applies, otherwise the expression
/// produced by <c>BuildFilterExpression</c>; the scan itself when that helper returns null.
/// </returns>
public override DbExpression Visit(DbScanExpression expression)
{
    var scan = (DbScanExpression)base.Visit(expression);

    var userColumn = UserAwareAttribute.GetUserColumnName(scan.Target.ElementType);
    if (string.IsNullOrEmpty(userColumn))
    {
        // Not a user-aware entity: nothing to filter.
        return scan;
    }

    // Reject the request before building any filter when the caller is not a valid user.
    Security.ValidateCurrentUser();

    var scanBinding = DbExpressionBuilder.Bind(scan);
    var filteredScan = BuildFilterExpression(scanBinding, userColumn);
    if (filteredScan != null)
    {
        // A new DbFilterExpression carrying the user filter replaces the bare scan.
        return filteredScan;
    }

    // The helper had nothing to add; keep the original scan.
    return scan;
}