Exemplo n.º 1
        /// <summary>
        /// Decides whether the supplied access level grants access to the current <c>Target</c>
        /// by matching the target's string form against the path patterns of the allow and deny
        /// sections in the access level data.
        /// </summary>
        /// <param name="secman">Security manager, passed through to the base check.</param>
        /// <param name="session">Session, passed through to the base check.</param>
        /// <param name="access">Access level whose data holds the allow/deny rule sections.</param>
        /// <returns>
        /// <c>true</c> when the system-use flag is set, when the base check passes and no target is
        /// assigned, or when the target matches at least one allow rule and no deny rule;
        /// <c>false</c> otherwise.
        /// </returns>
        protected override bool DoCheckAccessLevel(ISecurityManager secman, ISession session, AccessLevel access)
        {
            // System-use flow scope: every check below is skipped, including the base check.
            // NOTE(review): where SYSTEM_USE_FLAG gets set is not visible here - confirm that only
            // trusted system code paths can raise it, since it grants access unconditionally.
            if (SecurityFlowScope.CheckFlag(SYSTEM_USE_FLAG))
            {
                return true;
            }

            var grantedByBase = base.DoCheckAccessLevel(secman, session, access);
            if (!grantedByBase)
            {
                return false;
            }

            // An unassigned target is not subject to path rules: the base result (granted) stands
            if (!Target.IsAssigned)
            {
                return true;
            }

            var targetPath = Target.AsString();

            // Rule examples:
            //  allow{ path='*' }             - match all
            //  deny { path='*@fin::*' }      - but deny access to `fin` forest
            //  deny { path='geo@class::*' }  - any `geo` tree in `class` forest
            // NOTE(review): how MatchPattern treats a rule with a missing or empty path attribute
            // is not visible here - confirm that such a rule cannot match every target.
            var matchesAllowRule = access.Data.ChildrenNamed(ALLOW_SECT)
                                              .Any(rule => targetPath.MatchPattern(rule.ValOf(PATH_ATTR)));

            // No allow match means no access; otherwise any deny match overrides the allow match.
            // && short-circuits, so deny rules are only consulted after an allow rule has matched.
            return matchesAllowRule
                && !access.Data.ChildrenNamed(DENY_SECT)
                               .Any(rule => targetPath.MatchPattern(rule.ValOf(PATH_ATTR)));
        }