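        /// <summary>
        /// Builds an SQL SELECT statement, as a string, that returns only the rows the current user is permitted to view.
        /// Column, JOIN and permission fragments are appended to the instance lists <c>SelectColumnList</c>,
        /// <c>JoinTableList</c> and <c>WhereClausePermissionList</c>; entries already present in
        /// <c>WhereClauseQueryList</c> are ANDed in front of the permission predicates.
        /// </summary>
        /// <param name="fields">Data-view metadata, one entry per column; entries are grouped by <c>TableOrder</c> and the first entry of each group drives the JOIN for that table.</param>
        /// <param name="permissions">Permission filters; each one becomes a single predicate and the predicates are OR-ed together.</param>
        /// <returns>
        /// The assembled SQL text. No parameters are used: every table, column, operator and value is interpolated
        /// verbatim, so the result is only safe while <paramref name="fields"/> and <paramref name="permissions"/>
        /// come from trusted metadata and <c>ResolveFilterValue</c> returns values already quoted/escaped for inline use.
        /// </returns>
        public string BuildQueryFromPermissions(List <GetPortalPortalDataViewResult> fields, List <GetFilteredDataResult> permissions)
        {
            var groupedFieldsByTable = fields.OrderBy(f => f.TableOrder).GroupBy(x => x.TableOrder);

            // The context is only needed to resolve permission values. The session lookup that used to sit here
            // produced a userId that was never read, so that extra round-trip has been dropped.
            using (var context = new OrgSys2017DataContext())
            {
                foreach (var group in groupedFieldsByTable)
                {
                    foreach (var field in group)
                    {
                        if (!field.IsPresented)
                        {
                            continue; // skips fields that are not for display
                        }

                        // Encrypted columns are decrypted in the database and exposed under the alias.
                        SelectColumnList.Add(field.IsEncrypted
                            ? $"fn_DecryptString({field.TableName}.{field.ColumnName}) AS {field.ColumnAlias}"
                            : $"{field.TableName}.{field.ColumnName} AS {field.ColumnAlias}");
                    }

                    var item = group.First();

                    // These three tables are never joined here (presumably the root table and tables joined elsewhere — confirm).
                    if (item.TableName != "Claims" && item.TableName != "User_Profiles" && item.TableName != "Claim_Documents")
                    {
                        // PKName and PKTable are coming from Table_Order table
                        JoinTableList.Add($"LEFT JOIN {item.TableName} ON {item.PKTable}.{item.PKName} = {item.TableName}.{item.FKName}");
                    }
                }

                foreach (var filter in permissions)
                {
                    // Nothing here quotes or escapes the resolved value; ResolveFilterValue must return it ready for inline use — confirm.
                    object value = ResolveFilterValue(filter, context, Token);
                    WhereClausePermissionList.Add($"{filter.TableName}.{filter.ColumnName} {filter.Operator} {value}");
                }
            }

            var query = $" SELECT DISTINCT {string.Join(", ", SelectColumnList)} FROM {TableName} {string.Join(" ", JoinTableList)} WHERE ";

            if (WhereClauseQueryList.Count > 0 && permissions.Count > 0)
            {
                query += string.Join(" AND ", WhereClauseQueryList) + " AND "; // add WHEREs that are part of the query itself, not permissions
            }
            else if (WhereClauseQueryList.Count > 0)
            {
                query += $" {string.Join(" AND ", WhereClauseQueryList)} ;";
            }

            // NOTE(review): with an empty permissions list no permission predicate is emitted at all, so the query is
            // restricted only by WhereClauseQueryList; callers must not reach this point for a user without permissions.
            // When both lists are empty the text ends in a bare WHERE and will not parse; that is left as-is on purpose,
            // since dropping the clause would return an unfiltered result set.
            if (permissions.Count > 0)
            {
                query += $" ({string.Join(" OR ", WhereClausePermissionList)}) ;";
            }

            return query;
        }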
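        /// <summary>
        /// Builds an SQL SELECT statement, as a string, that returns only the rows the current user is permitted to view.
        /// Column, JOIN and WHERE fragments are appended to the instance lists <c>SelectColumnList</c>, <c>JoinTableList</c>,
        /// <c>WhereClauseQueryList</c> and <c>WhereClausePermissionList</c> before the text is assembled.
        /// </summary>
        /// <param name="fields">Data-view metadata, one entry per column; entries are grouped by <c>TableOrder</c> and the first entry of each group drives the JOIN for that table.</param>
        /// <param name="permissions">Permission filters; each one becomes a single predicate and the predicates are OR-ed together. A <c>FilterValue</c> of <c>UserID</c> or <c>OrgsysUserID</c> is replaced by the current user's identifiers.</param>
        /// <returns>
        /// The assembled SQL text. No parameters are used. Values placed inside single-quoted literals (the session
        /// token and non-column filter values) have embedded quotes doubled; every table name, column name, operator and
        /// column-valued filter is interpolated verbatim and must continue to come from trusted metadata.
        /// </returns>
        /// <exception cref="InvalidOperationException">No session row exists for <c>Token</c>.</exception>
        public string BuildQuery(List <GetPortalPortalDataViewResult> fields, List <GetFilteredDataResult> permissions)
        {
            var groupedFieldsByTable = fields.OrderBy(f => f.TableOrder).GroupBy(x => x.TableOrder);
            int? userId;

            using (var context = new OrgSys2017DataContext())
            {
                var session = context.GetUserIDSession(Token).SingleOrDefault();
                if (session == null)
                {
                    // Fail closed with a named error instead of the NullReferenceException the bare dereference used to raise.
                    throw new InvalidOperationException("No session was found for the supplied token.");
                }
                userId = session.UserID;
            }

            // these JOIN or WHERE statements need the values passed to them, not to be done through db
            if (TableName.StartsWith("OSI_New", StringComparison.Ordinal))
            {
                SelectColumnList.Add(" OSI_New.os_claims.id AS ClaimID ");
                SelectColumnList.Add(" OSI_New.os_claims.ClaimType AS Description ");
                // ImportID is interpolated unquoted; this relies on it being numeric — confirm its type.
                WhereClauseQueryList.Add($" OSI_New.os_employees.CompanyID = {ImportID} ");
            }
            else
            {
                // this portion is only for creating document views at the moment
                // Token sits inside a quoted literal, so it is escaped before interpolation.
                JoinTableList.Add($" LEFT JOIN [Session] ON [Session].SessionToken = '{EscapeSqlLiteral(Token)}' ");
                JoinTableList.Add($" LEFT JOIN [User_Profiles] ON [Claim_Documents].UserID = [User_Profiles].UserID ");
                JoinTableList.Add($" LEFT JOIN [Client] ON [User_Profiles].ClientID = [Client].ClientID ");
                WhereClauseQueryList.Add($" Client.ClientID = [Session].ClientID ");
            }

            foreach (var group in groupedFieldsByTable)
            {
                foreach (var field in group)
                {
                    if (!field.IsPresented)
                    {
                        continue; // skips fields that are not for display
                    }

                    // Encrypted columns are decrypted in the database and exposed under the alias.
                    SelectColumnList.Add(field.IsEncrypted
                        ? $"fn_DecryptString({field.TableName}.{field.ColumnName}) AS {field.ColumnAlias}"
                        : $"{field.TableName}.{field.ColumnName} AS {field.ColumnAlias}");
                }

                var item = group.First();

                // These three tables are never joined here (presumably the root table and tables joined above — confirm).
                if (item.TableName != "OSI_New.os_employees" && item.TableName != "User_Profiles" && item.TableName != "Claim_Documents")
                {
                    // PKName and PKTable are coming from Table_Order table
                    JoinTableList.Add($"LEFT JOIN {item.TableName} ON {item.PKTable}.{item.PKName} = {item.TableName}.{item.FKName}");
                }
            }

            foreach (var filter in permissions)
            {
                object value;
                switch (filter.FilterValue) // substitutes current user id when needed, allows for dynamic query
                {
                    case "UserID":
                        value = userId;
                        break;

                    case "OrgsysUserID":
                        value = OrgsysEmployeeID;
                        break;

                    default:
                        value = filter.FilterValue;
                        break;
                }

                // A missing flag is treated as "not a column", i.e. the value goes into a quoted literal rather than
                // being emitted raw; a raw identifier is the more dangerous of the two interpretations.
                bool isFilterColumn = filter.isFilterValueColumn.GetValueOrDefault();

                if (isFilterColumn) // If the filter is an actual column in the built query
                {
                    // Column references cannot be escaped; they must come from trusted metadata.
                    WhereClausePermissionList.Add($"{filter.TableName}.{filter.ColumnName} {filter.Operator} {value}");
                }
                else
                {
                    WhereClausePermissionList.Add($"{filter.TableName}.{filter.ColumnName} {filter.Operator} '{EscapeSqlLiteral(value)}'");
                }
            }

            var query = $" SELECT {string.Join(", ", SelectColumnList)} FROM {TableName} {string.Join(" ", JoinTableList)} WHERE ";

            if (WhereClauseQueryList.Count > 0 && permissions.Count > 0)
            {
                query += string.Join(" AND ", WhereClauseQueryList) + " AND "; // add WHEREs that are part of the query itself, not permissions
            }
            else if (WhereClauseQueryList.Count > 0)
            {
                query += $" {string.Join(" AND ", WhereClauseQueryList)} ;";
            }

            // NOTE(review): with an empty permissions list no permission predicate is emitted at all, so the query is
            // restricted only by WhereClauseQueryList; callers must not reach this point for a user without permissions.
            // When both lists are empty the text ends in a bare WHERE and will not parse; that is left as-is on purpose,
            // since dropping the clause would return an unfiltered result set.
            if (permissions.Count > 0)
            {
                query += $" ({string.Join(" OR ", WhereClausePermissionList)}) ;";
            }

            return query;
        }

        /// <summary>
        /// Prepares a value for inline use inside a single-quoted SQL string literal by doubling embedded single quotes.
        /// This only covers the literal position: identifiers (table and column names, operators) cannot be protected
        /// this way and must continue to come from trusted metadata. A null value yields an empty string.
        /// </summary>
        /// <param name="value">The value to embed; converted with <c>ToString()</c>.</param>
        /// <returns>The text with every <c>'</c> replaced by <c>''</c>.</returns>
        private static string EscapeSqlLiteral(object value)
        {
            return (value?.ToString() ?? string.Empty).Replace("'", "''");
        }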