public static bool IsAllowed(
this IDocumentSession session,
AuthorizationUser user,
string operation)
{
if (session == null) throw new ArgumentNullException("session");
if (user == null) throw new ArgumentNullException("user");
if (operation == null) throw new ArgumentNullException("operation");
IEnumerable<IPermission> permissions =
from permission in user.Permissions ?? new List<OperationPermission>()// permissions for user / role directly on document
where OperationMatches(permission.Operation, operation)
select permission;
session.Load<AuthorizationRole>(user.Roles.Where(roleId=>session.Advanced.IsLoaded(roleId) == false));
permissions = permissions.Concat(
from roleId in user.Roles
let role = session.Load<AuthorizationRole>(roleId)
where role != null
from permission in role.Permissions ?? new List<OperationPermission>()
where OperationMatches(permission.Operation, operation)
select permission
);
IEnumerable<IPermission> orderedPermissions = permissions.OrderByDescending(x => x.Priority).ThenBy(x => x.Allow);
var decidingPermission = orderedPermissions.FirstOrDefault();
return decidingPermission != null && decidingPermission.Allow;
}
private void ExecuteSecuredOperation(string userId)
{
string operation = "operation";
using (var s = store.OpenSession())
{
AuthorizationUser user = new AuthorizationUser { Id = userId, Name = "Name" };
user.Permissions = new List<OperationPermission>
{
new OperationPermission {Allow = true, Operation = operation}
};
s.Store(user);
s.SaveChanges();
}
using (var s = store.OpenSession())
{
var authorizationUser = s.Load<AuthorizationUser>(userId);
Assert.True(s.IsAllowed(authorizationUser, operation));
}
}
