private bool TryAssertIdeaForum(Entity ideaForumEntity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
return(right == CrmEntityRight.Change
? this.UserInRole(CrmEntityRight.Change, false, ideaForumEntity, dependencies, map)
: this.UserInRole(CrmEntityRight.Read, true, ideaForumEntity, dependencies, map) ||
this.UserInRole(CrmEntityRight.Change, false, ideaForumEntity, dependencies, map));
}
private bool TryAssert(CrmEntityRight right)
{
using (var serviceContext = PortalViewContext.CreateServiceContext())
{
var attachedEntity = serviceContext.MergeClone(Entity);
return(PortalViewContext.CreateCrmEntitySecurityProvider().TryAssert(serviceContext, attachedEntity, right));
}
}
private string BuildKey(Entity entity, CrmEntityRight right, string securityContextKey)
{
var baseKey = string.Concat(securityContextKey, ":", entity.Id, ":", right);
IIdentity identity;
return(TryGetCurrentIdentity(out identity)
? string.Concat(baseKey, ":Identity=", identity.Name)
: string.Concat(baseKey, ":Anonymous"));
}
private bool TryAssertSecurity(CrmEntityRight right)
{
try
{
return(SecurityProvider.TryAssert(ServiceContext, Entity, right));
}
catch (InvalidOperationException e)
{
ADXTrace.Instance.TraceError(TraceCategory.Application, string.Format("Error validating security for entity [{0}:{1}]: {2}", Entity.LogicalName, Entity.Id, e.ToString()));
return(false);
}
}
protected bool TryAssertSecurity(Entity entity, CrmEntityRight right)
{
if (!ServiceContext.IsAttached(entity))
{
entity = ServiceContext.MergeClone(entity);
}
try
{
return(SecurityProvider.TryAssert(ServiceContext, entity, right));
}
catch (InvalidOperationException e)
{
ADXTrace.Instance.TraceError(TraceCategory.Application, string.Format("Error validating security for entity [{0}:{1}]: {2}", entity.LogicalName, entity.Id, e.ToString()));
return(false);
}
}
public CrmEntitySecurityCacheInfo(Entity entity, CrmEntityRight right, string securityContextKey)
{
if (entity == null)
{
throw new ArgumentNullException("entity");
}
if (entity.Id == null)
{
throw new ArgumentException("Parameter ID must have a value.", "entity");
}
if (securityContextKey == null)
{
throw new ArgumentNullException("securityContextKey");
}
Key = BuildKey(entity, right, securityContextKey);
}
private bool UserInRole(CrmEntityRight right, bool defaultIfNoRoles, Entity ideaForumEntity, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
if (!Roles.Enabled)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("Roles are not enabled for this application. Returning {0}.", defaultIfNoRoles));
return(defaultIfNoRoles);
}
IEnumerable <Entity> roles = new List <Entity>();
IdeaForumNode ideaForumNode;
if (!map.TryGetValue(ideaForumEntity, out ideaForumNode))
{
return(false);
}
if (right == CrmEntityRight.Read)
{
roles = ideaForumNode.WebRolesRead.Select(wr => wr.ToEntity());
}
else if (right == CrmEntityRight.Change)
{
roles = ideaForumNode.WebRolesWrite.Select(wr => wr.ToEntity());
}
if (!roles.Any())
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("Read is not restricted to any particular roles. Returning {0}.", defaultIfNoRoles));
return(defaultIfNoRoles);
}
dependencies.AddEntityDependencies(roles);
var userRoles = this.GetUserRoles();
return(roles.Select(e => e.GetAttributeValue <string>("adx_name")).Intersect(userRoles, StringComparer.InvariantCulture).Any());
}
public override bool TryAssert(OrganizationServiceContext context, Entity currentEvent, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
currentEvent.AssertEntityName("adx_event");
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("Testing right {0} on event ({1}).", right, currentEvent.Id));
dependencies.AddEntityDependency(currentEvent);
dependencies.AddEntitySetDependency("adx_webrole");
dependencies.AddEntitySetDependency("adx_eventaccesspermission");
if (!Roles.Enabled)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, "Roles are not enabled for this application. Allowing Read, but not Change.");
// If roles are not enabled on the site, grant Read, deny Change.
return(right == CrmEntityRight.Read);
}
// Windows Live ID Server decided to return null for an unauthenticated user's name
// A null username, however, breaks the Roles.GetRolesForUser() because it expects an empty string.
var currentUsername = (HttpContext.Current.User != null && HttpContext.Current.User.Identity != null)
? HttpContext.Current.User.Identity.Name ?? string.Empty
: string.Empty;
var userRoles = Roles.GetRolesForUser(currentUsername);
// Get all rules applicable to the event, grouping equivalent rules. (Rules that
// target the same event and confer the same right are equivalent.)
var ruleGroupings = from rule in GetRulesApplicableToEvent(context, currentEvent, dependencies)
let eventReference = rule.GetAttributeValue <EntityReference>("adx_eventid")
let rightOption = rule.GetAttributeValue <OptionSetValue>("adx_right")
where eventReference != null && rightOption != null
group rule by new { EventID = eventReference.Id, Right = rightOption.Value } into ruleGrouping
select ruleGrouping;
var websiteReference = currentEvent.GetAttributeValue <EntityReference>("adx_websiteid");
foreach (var ruleGrouping in ruleGroupings)
{
// Collect the names of all the roles that apply to this rule grouping
var ruleGroupingRoles = ruleGrouping.SelectMany(rule => rule.GetRelatedEntities(context, "adx_eventaccesspermission_webrole").ToList()
.Where(role => BelongsToWebsite(websiteReference, role))
.Select(role => role.GetAttributeValue <string>("adx_name")));
// Determine if the user belongs to any of the roles that apply to this rule grouping
var userIsInAnyRoleForThisRule = ruleGroupingRoles.Any(role => userRoles.Any(userRole => userRole == role));
// If the user belongs to one of the roles...
if (userIsInAnyRoleForThisRule)
{
if (ruleGrouping.Key.Right != RestrictRead)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("User has right Change on forum ({0}). Permission granted.", ruleGrouping.Key.EventID));
// ...the user has all rights.
return(true);
}
}
// If the user does not belong to any of the roles, the rule restricts read, and the desired right
// is read...
else if (ruleGrouping.Key.Right == RestrictRead && right == CrmEntityRight.Read)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("User does not have right Read due to read restriction on event ({0}). Permission denied.", ruleGrouping.Key.EventID));
// ...the user has no right.
return(false);
}
}
//Get all membership type applicable to the event
var membershipTypes = currentEvent.GetRelatedEntities(context, "adx_event_membershiptype");
//If the event has membership types, specific user has right to access it. If there is no membership type, every user has right.
if (membershipTypes.Any())
{
var contact = PortalContext.Current.User;
//Anonymouse user has no right.
if (contact == null)
{
return(false);
}
foreach (var membershipType in membershipTypes)
{
if (contact.GetRelatedEntities(context, "adx_membership_contact").Any(m => m.GetAttributeValue <EntityReference>("adx_membershiptypeid") == membershipType.ToEntityReference()))
{
return(true);
}
}
return(false);
}
// If none of the above rules apply, assert on parent webpage.
var parentWebPage = currentEvent.GetRelatedEntity(context, "adx_webpage_event");
// If there is no parent web page, grant Read by default, and deny Change.
if (parentWebPage == null)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, "No access control rules apply to the current user and event. Allowing Read, but not Change.");
return(right == CrmEntityRight.Read);
}
ADXTrace.Instance.TraceInfo(TraceCategory.Application, "No access control rules apply to the current user and event. Asserting right on parent web page.");
return(_webPageAccessControlProvider.TryAssert(context, parentWebPage, right, dependencies));
}
/// <summary> The try assert. </summary> /// <param name="context"> The context. </param> /// <param name="entity"> The entity. </param> /// <param name="right"> The right. </param> /// <param name="dependencies"> The dependencies. </param> /// <param name="map"> The map. </param> /// <returns> The assertion. </returns> protected abstract bool TryAssert(OrganizationServiceContext context, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map);
/// <summary> The try assert. </summary>
/// <param name="context"> The context. </param>
/// <param name="entityReference"> The entity reference. </param>
/// <param name="right"> The right. </param>
/// <param name="dependencies"> The dependencies. </param>
/// <returns> The assertion. </returns>
public bool TryAssert(OrganizationServiceContext context, EntityReference entityReference, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
EntityNode entity = null;
this.ContentMapProvider.Using(map => map.TryGetValue(entityReference, out entity));
return(entity != null && this.TryAssert(context, entity.ToEntity(), right, dependencies));
}
private IQueryable <TEntity> FilterBySecurity <TEntity>(OrganizationServiceContext context, IQueryable <TEntity> queryable, CrmEntityRight right) where TEntity : Entity
{
return(queryable.ToList().Where(e => HasRight(context, e, right)).AsQueryable());
}
/// <summary> The try assert. </summary>
/// <param name="context"> The context. </param>
/// <param name="entity"> The entity. </param>
/// <param name="right"> The right. </param>
/// <param name="dependencies"> The dependencies. </param>
/// <param name="map"> The map. </param>
/// <param name="useScope">Pass true if you need to determine web file permissions throught parent web page</param>
/// <returns> The <see cref="bool"/>. </returns>
public virtual bool TryAssert(OrganizationServiceContext context, Entity entity, CrmEntityRight right,
CrmEntityCacheDependencyTrace dependencies, ContentMap map, bool useScope)
{
entity.AssertEntityName("adx_webpage");
this.AddDependencies(
dependencies,
entity,
new[] { "adx_webrole", "adx_webrole_contact", "adx_webrole_account", "adx_webpageaccesscontrolrule" });
WebPageNode page;
if (!map.TryGetValue(entity, out page))
{
// the website context is missing data
ADXTrace.Instance.TraceError(TraceCategory.Application, string.Format("Failed to lookup the web page '{0}' ({1}).", entity.GetAttributeValue <string>("adx_name"), entity.Id));
return(false);
}
dependencies.IsCacheable = false;
return(this.TryAssert(page, right, useScope));
}
protected override bool TryAssert(OrganizationServiceContext serviceContext, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
entity.ThrowOnNull("entity");
dependencies.AddEntityDependency(entity);
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on {1} ""{2}"" ({3}).", right, entity.LogicalName, entity.GetAttributeValue <string>("adx_name"), entity.Id));
switch (entity.LogicalName)
{
case "adx_ideaforum":
dependencies.AddEntitySetDependency("adx_webrole");
return(this.TryAssertIdeaForum(entity, right, dependencies, map));
case "adx_idea":
return(this.TryAssertIdea(serviceContext, entity, right, dependencies, map));
case "adx_ideacomment":
return(this.TryAssertIdeaComment(serviceContext, entity, right, dependencies, map));
case "adx_ideavote":
return(this.TryAssertIdeaVote(serviceContext, entity, right, dependencies, map));
default:
throw new NotSupportedException("Entities of type {0} are not supported by this provider.".FormatWith(entity.LogicalName));
}
}
private bool TryAssertIdeaVote(OrganizationServiceContext serviceContext, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
var idea = entity.GetRelatedEntity(serviceContext, new Relationship("adx_idea_ideavote"));
return(idea != null && this.TryAssert(serviceContext, idea, right, dependencies, map));
}
private bool TryAssertIdeaComment(OrganizationServiceContext serviceContext, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
var idea = entity.GetRelatedEntity(serviceContext, new Relationship("adx_idea_ideacomment"));
if (idea == null)
{
return(false);
}
var approved = entity.GetAttributeValue <bool?>("adx_approved").GetValueOrDefault(false);
// If the right being asserted is Read, and the comment is approved, assert whether the idea is readable.
if (right == CrmEntityRight.Read && approved)
{
return(this.TryAssert(serviceContext, idea, right, dependencies));
}
return(this.TryAssert(serviceContext, idea, CrmEntityRight.Change, dependencies, map));
}
/// <summary> The try assert. </summary>
/// <param name="page"> The page. </param>
/// <param name="right"> The right. </param>
/// <param name="useScope">Pass true if you need to determine web file permissions throught parent web page</param>
/// <returns> The <see cref="bool"/>. </returns>
public virtual bool TryAssert(WebPageNode page, CrmEntityRight right, bool useScope)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("Testing right {0} on web page '{1}' ({2}).", right, page.Name, page.Id));
if (!Roles.Enabled)
{
ADXTrace.Instance.TraceError(TraceCategory.Application, "Roles are not enabled for this application. Allowing Read, but not Change.");
// If roles are not enabled on the site, grant Read, deny Change.
return(right == CrmEntityRight.Read);
}
// Ignore access control rules for service pages like not found or access denied
if (right == CrmEntityRight.Read && IsServicePage(page))
{
return(true);
}
// If the chain of pages from the current page up to the root page contains an inactive page, deny the assertion
if (IsInactivePath(page))
{
return(false);
}
var userRoles = this.GetUserRoles();
// when we use rule scope we're checking permissions for parent page of web file
// and we need to check permissions only for one level
var useInheritance = !useScope;
// Get all rules applicable to the page and its parent path, grouping equivalent rules. (Rules that
// target the same web page and confer the same right are equivalent.)
var ruleGroupings =
from rule in this.GetRulesApplicableToWebPage(page, useInheritance)
where rule.WebPage != null && rule.Right != null
group rule by new { WebPageId = rule.WebPage.Id, Right = ParseRightOption(rule.Right.Value) } into ruleGrouping
select ruleGrouping;
// Order the rule groupings so that all GrantChange rules will be evaluated first.
ruleGroupings = ruleGroupings.OrderByDescending(grouping => grouping.Key.Right, new RightOptionComparer());
foreach (var ruleGrouping in ruleGroupings)
{
// Collect the names of all the roles that apply to this rule grouping
var ruleGroupingRoles = ruleGrouping.SelectMany(
rule => rule.WebRoles.Where(role => BelongsToWebsite(page.Website, role))
.Select(role => role.Name));
// Determine if the user belongs to any of the roles that apply to this rule grouping
var userIsInAnyRoleForThisRule = ruleGroupingRoles.Any(role => userRoles.Any(userRole => userRole == role));
// If the user belongs to one of the roles...
if (userIsInAnyRoleForThisRule)
{
// ...and the rule is GrantChange...
if (ruleGrouping.Key.Right == RightOption.GrantChange)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("User has right Change on web page ({0}). Permission granted.", ruleGrouping.Key.WebPageId));
// ...the user has all rights.
return(true);
}
}
// If the user does not belong to any of the roles, the rule restricts read, and the desired right
// is read...
else if (ruleGrouping.Key.Right == RightOption.RestrictRead && right == CrmEntityRight.Read)
{
if (useScope && ruleGrouping.Any(rule => rule.Scope.HasValue && (ScopeOption)rule.Scope.Value == ScopeOption.ExcludeDirectChildWebFiles))
{
// Ignore read restriction for web files where scope is ExcludeDirectChildWebFiles
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("Ignoring web page ({0}) read restriction due to ExcludeDirectChildWebFiles", ruleGrouping.Key.WebPageId));
}
else
{
if (page.Parent == null && page.PartialUrl == "/")
{
ADXTrace.Instance.TraceError(TraceCategory.Application, string.Format("\"Restrict Read\" right on web page({0}) ({1}).", ruleGrouping.Key.WebPageId, page.Name));
}
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("User does not have right Read due to read restriction on web page ({0}). Permission denied.", ruleGrouping.Key.WebPageId));
// ...the user has no right.
return(false);
}
}
}
ADXTrace.Instance.TraceInfo(TraceCategory.Application, "No access control rules apply to the current user and page. Allowing Read, but not Change.");
// If none of the above rules apply, grant Read by default, and deny Change by default.
return(right == CrmEntityRight.Read);
}
/// <summary> The try assert. </summary>
/// <param name="context"> The context. </param>
/// <param name="entity"> The entity. </param>
/// <param name="right"> The right. </param>
/// <param name="dependencies"> The dependencies. </param>
/// <param name="map"> The map. </param>
/// <returns> The <see cref="bool"/>. </returns>
protected override bool TryAssert(OrganizationServiceContext context, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
return(this.TryAssert(context, entity, right, dependencies, map, false));
}
public override bool TryAssert(OrganizationServiceContext context, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
var info = CacheInfoFactory.GetCacheInfo(context, entity, right);
if (!info.IsCacheable)
{
return(UnderlyingProvider.TryAssert(context, entity, right, dependencies));
}
// No locking is required here because the Items collection is already per-thread/per-request.
var cachedValue = HttpContext.Current.Items[info.Key];
if (cachedValue is bool)
{
return((bool)cachedValue);
}
var value = UnderlyingProvider.TryAssert(context, entity, right, dependencies);
// We ignore whether the value is cacheable or not and always cache it at this level, as the result
// will always be the same per-request.
HttpContext.Current.Items[info.Key] = value;
return(value);
}
private bool HasRight <TEntity>(OrganizationServiceContext context, TEntity entity, CrmEntityRight right) where TEntity : Entity
{
return(_securityProvider.TryAssert(context, entity, right));
}
private bool TryAssertBlogPostComment(OrganizationServiceContext serviceContext, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
var blogPostReference = entity.GetAttributeValue <EntityReference>("adx_blogpostid");
if (blogPostReference == null)
{
return(false);
}
var blogPost = serviceContext.RetrieveSingle(
"adx_blogpost",
new[] { "adx_blogid" },
new Condition("adx_blogpostid", ConditionOperator.Equal, blogPostReference.Id));
if (blogPost == null)
{
return(false);
}
var approved = entity.GetAttributeValue <bool?>("adx_approved").GetValueOrDefault(false);
return(this.TryAssert(
serviceContext,
blogPost,
(right == CrmEntityRight.Read && approved ? CrmEntityRight.Read : CrmEntityRight.Change),
dependencies));
}
protected override bool TryAssert(OrganizationServiceContext context, Entity forum, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
forum.AssertEntityName("adx_communityforum");
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("Testing right {0} on forum '{1}' ({2}).", right, forum.GetAttributeValue <string>("adx_name"), forum.Id));
this.AddDependencies(dependencies, forum, new [] { "adx_webrole", "adx_communityforumaccesspermission" });
if (!Roles.Enabled)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, "Roles are not enabled for this application. Allowing Read, but not Change.");
// If roles are not enabled on the site, grant Read, deny Change.
return(right == CrmEntityRight.Read);
}
var userRoles = this.GetUserRoles();
// Get all rules applicable to the forum, grouping equivalent rules. (Rules that
// target the same forum and confer the same right are equivalent.)
var ruleGroupings = from rule in this.GetRulesApplicableToForum(forum, dependencies, map)
let forumReference = rule.GetAttributeValue <EntityReference>("adx_forumid")
let rightOption = rule.GetAttributeValue <OptionSetValue>("adx_right")
where forumReference != null && rightOption != null
group rule by new { ForumID = forumReference.Id, Right = ParseRightOption(rightOption.Value) } into ruleGrouping
select ruleGrouping;
var websiteReference = forum.GetAttributeValue <EntityReference>("adx_websiteid");
// Order the rule groupings so that all GrantChange rules will be evaluated first.
ruleGroupings = ruleGroupings.OrderByDescending(grouping => grouping.Key.Right, new RightOptionComparer());
foreach (var ruleGrouping in ruleGroupings)
{
// Collect the names of all the roles that apply to this rule grouping
var ruleGroupingRoles = ruleGrouping.SelectMany(rule => GetRolesForGrouping(map, rule, websiteReference));
// Determine if the user belongs to any of the roles that apply to this rule grouping
var userIsInAnyRoleForThisRule = ruleGroupingRoles.Any(role => userRoles.Any(userRole => userRole == role));
// If the user belongs to one of the roles...
if (userIsInAnyRoleForThisRule)
{
// ...and the rule is GrantChange...
if (ruleGrouping.Key.Right == RightOption.GrantChange)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("User has right Change on forum ({0}). Permission granted.", ruleGrouping.Key.ForumID));
// ...the user has all rights.
return(true);
}
}
// If the user does not belong to any of the roles, the rule restricts read, and the desired right
// is read...
else if (ruleGrouping.Key.Right == RightOption.RestrictRead && right == CrmEntityRight.Read)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format("User does not have right Read due to read restriction on forum ({0}). Permission denied.", ruleGrouping.Key.ForumID));
// ...the user has no right.
return(false);
}
}
// If none of the above rules apply, assert on parent webpage.
var parentWebPage = forum.GetAttributeValue <EntityReference>("adx_parentpageid");
WebPageNode parentPageNode;
map.TryGetValue(parentWebPage, out parentPageNode);
// If there is no parent web page, grant Read by default, and deny Change.
if (parentWebPage == null || parentPageNode == null)
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, "No access control rules apply to the current user and forum. Allowing Read, but not Change.");
return(right == CrmEntityRight.Read);
}
ADXTrace.Instance.TraceInfo(TraceCategory.Application, "No access control rules apply to the current user and forum. Asserting right on parent web page.");
return(this._webPageAccessControlProvider.TryAssert(context, parentPageNode.ToEntity(), right, dependencies));
}
protected override bool TryAssert(OrganizationServiceContext serviceContext, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
if (entity == null)
{
throw new ArgumentNullException("entity");
}
if (entity.LogicalName == "adx_blog")
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on adx_blog ({1}).", right, entity.Id));
return(this.TryAssertBlog(serviceContext, entity, right, dependencies, map));
}
if (entity.LogicalName == "adx_blogpost")
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on adx_blogpost ({1}).", right, entity.Id));
dependencies.AddEntityDependency(entity);
return(this.TryAssertBlogPost(serviceContext, entity, right, dependencies));
}
if (entity.LogicalName == "adx_blogpostcomment")
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on adx_blogpostcomment ({1}).", right, entity.Id));
dependencies.AddEntityDependency(entity);
return(this.TryAssertBlogPostComment(serviceContext, entity, right, dependencies));
}
throw new NotSupportedException("Entities of type {0} are not supported by this provider.".FormatWith(entity.LogicalName));
}
/// <summary> The try assert. </summary>
/// <param name="context"> The context. </param>
/// <param name="entity"> The entity. </param>
/// <param name="right"> The right. </param>
/// <param name="dependencies"> The dependencies. </param>
/// <returns> The assertion. </returns>
public override bool TryAssert(OrganizationServiceContext context, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
return(this.ContentMapProvider.Using(map => this.TryAssert(context, entity, right, dependencies, map)));
}
private bool TryAssertBlog(OrganizationServiceContext serviceContext, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies, ContentMap map)
{
var pageReference = entity.GetAttributeValue <EntityReference>("adx_parentpageid");
if (pageReference == null)
{
return(false);
}
var parentPage = serviceContext.RetrieveSingle(
"adx_webpage",
new[] { "adx_name" },
new Condition("adx_webpageid", ConditionOperator.Equal, pageReference.Id));
if (right == CrmEntityRight.Read)
{
return(parentPage != null && this.WebPageSecurityProvider.TryAssert(serviceContext, parentPage, right, dependencies));
}
if (!Roles.Enabled)
{
ADXTrace.Instance.TraceError(TraceCategory.Application, "Roles are not enabled for this application. Denying Change.");
return(false);
}
IEnumerable <Entity> authorRoles = new List <Entity>();
EntityNode blogNode;
if (!map.TryGetValue(entity, out blogNode))
{
return(false);
}
if (blogNode is BlogNode)
{
authorRoles = ((BlogNode)blogNode).WebRoles.Select(wr => wr.ToEntity());
}
if (!authorRoles.Any())
{
return(false);
}
dependencies.AddEntityDependencies(authorRoles);
var userRoles = this.GetUserRoles();
return(authorRoles.Select(e => e.GetAttributeValue <string>("adx_name")).Intersect(userRoles, StringComparer.InvariantCulture).Any() ||
(parentPage != null && this.WebPageSecurityProvider.TryAssert(serviceContext, parentPage, right, dependencies)));
}
public override bool TryAssert(OrganizationServiceContext context, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
var info = CacheInfoFactory.GetCacheInfo(context, entity, right);
if (!info.IsCacheable)
{
return(UnderlyingProvider.TryAssert(context, entity, right, dependencies));
}
Stopwatch stopwatch = null;
return(ObjectCacheManager.Get(info.Key,
cache =>
{
stopwatch = Stopwatch.StartNew();
var value = UnderlyingProvider.TryAssert(context, entity, right, dependencies);
stopwatch.Stop();
return value;
},
(cache, value) =>
{
if (dependencies.IsCacheable)
{
cache.Insert(info.Key, value, dependencies);
if (stopwatch != null)
{
cache.AddCacheItemTelemetry(info.Key, new CacheItemTelemetry {
Duration = stopwatch.Elapsed
});
}
}
}));
}
public override bool TryAssert(OrganizationServiceContext context, Entity entity, CrmEntityRight right)
{
if (entity == null || entity.Id == Guid.Empty)
{
return(false);
}
entity.AssertEntityName(_handledEntityNames);
CrmEntityInactiveInfo inactiveInfo;
if (CrmEntityInactiveInfo.TryGetInfo(entity.LogicalName, out inactiveInfo) && inactiveInfo.IsInactive(entity))
{
return(false);
}
var website = context.GetWebsite(entity);
if (website == null)
{
return(false);
}
if (right == CrmEntityRight.Read)
{
return(true);
}
if (HttpContext.Current.User == null ||
HttpContext.Current.User.Identity == null ||
HttpContext.Current.User.Identity.Name == null ||
!HttpContext.Current.User.Identity.IsAuthenticated)
{
return(false);
}
var roleName = context.GetSiteSettingValueByName(website, SiteSettingName);
var result = !string.IsNullOrEmpty(roleName) && Roles.IsUserInRole(roleName);
return(result);
}
public override bool TryAssert(OrganizationServiceContext context, Entity website, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
if (website == null)
{
return(false);
}
var securityProvider = new WebsiteAccessPermissionProvider(website, HttpContext.Current);
return(securityProvider.TryAssertRightProperty(context, "adx_previewunpublishedentities", dependencies));
}
public override bool TryAssert(OrganizationServiceContext serviceContext, Entity entity, CrmEntityRight right, CrmEntityCacheDependencyTrace dependencies)
{
entity.ThrowOnNull("entity");
if (entity.LogicalName == "adx_issueforum")
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on adx_issueforum ({1}).", right, entity.Id));
dependencies.AddEntityDependency(entity);
dependencies.AddEntitySetDependency("adx_webrole");
return(right == CrmEntityRight.Change
? UserInRole("adx_webrole_issueforum_write", false, serviceContext, entity, dependencies)
: UserInRole("adx_webrole_issueforum_read", true, serviceContext, entity, dependencies) ||
UserInRole("adx_webrole_issueforum_write", false, serviceContext, entity, dependencies));
}
if (entity.LogicalName == "adx_issue")
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on adx_issue ({1}).", right, entity.Id));
dependencies.AddEntityDependency(entity);
var issueForum = entity.GetRelatedEntity(serviceContext, new Relationship("adx_issueforum_issue"));
if (issueForum == null)
{
return(false);
}
var approved = entity.GetAttributeValue <bool?>("adx_approved").GetValueOrDefault(false);
// If the right being asserted is Read, and the issue is approved, assert whether the issue forum is readable.
if (right == CrmEntityRight.Read && approved)
{
return(TryAssert(serviceContext, issueForum, right, dependencies));
}
return(TryAssert(serviceContext, issueForum, CrmEntityRight.Change, dependencies));
}
if (entity.LogicalName == "adx_issuecomment")
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on adx_issuecomment ({1}).", right, entity.Id));
dependencies.AddEntityDependency(entity);
var issue = entity.GetRelatedEntity(serviceContext, new Relationship("adx_issue_issuecomment"));
if (issue == null)
{
return(false);
}
var approved = entity.GetAttributeValue <bool?>("adx_approved").GetValueOrDefault(false);
// If the right being asserted is Read, and the comment is approved, assert whether the issue is readable.
if (right == CrmEntityRight.Read && approved)
{
return(TryAssert(serviceContext, issue, right, dependencies));
}
return(TryAssert(serviceContext, issue, CrmEntityRight.Change, dependencies));
}
if (entity.LogicalName == "adx_issuevote")
{
ADXTrace.Instance.TraceInfo(TraceCategory.Application, string.Format(@"Testing right {0} on adx_issuevote ({1}).", entity.Id));
dependencies.AddEntityDependency(entity);
var issue = entity.GetRelatedEntity(serviceContext, new Relationship("adx_issue_issuevote"));
return(issue != null && TryAssert(serviceContext, issue, right, dependencies));
}
throw new NotSupportedException("Entities of type {0} are not supported by this provider.".FormatWith(entity.LogicalName));
}
protected virtual bool TryAssertCrmEntityRight(OrganizationServiceContext context, Entity entity, CrmEntityRight right)
{
var securityProvider = PortalCrmConfigurationManager.CreateCrmEntitySecurityProvider(PortalName);
return(securityProvider.TryAssert(context, entity, right));
}
private bool TryAssertSecurity(EntityNode node, CrmEntityRight right)
{
return(TryAssertSecurity(node.ToEntity(), right));
}
