public void InheritingRowPermissions()
{
InsertCurrentPrincipal(); // Not related to row permissions.
// Insert the test data (server code bypasses row permissions):
using (var scope = TestScope.Create())
{
var repository = scope.Resolve <Common.DomRepository>();
var context = scope.Resolve <Common.ExecutionContext>();
repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.Query());
repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.Query());
repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.Query());
repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.Query());
repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.Query());
repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.Query());
repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.Query());
var reg3 = new DemoRowPermissions2.Region {
Name = "reg3"
};
repository.DemoRowPermissions2.Region.Insert(new[] { reg3 });
var div1 = new DemoRowPermissions2.Division {
Name = "div1"
};
var div2 = new DemoRowPermissions2.Division {
Name = "div2"
};
var div3 = new DemoRowPermissions2.Division {
Name = "div3", RegionID = reg3.ID
};
repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 });
// The current user:
var emp1 = new DemoRowPermissions2.Employee
{
UserName = context.UserInfo.UserName,
DivisionID = div1.ID
};
var emp2 = new DemoRowPermissions2.Employee
{
UserName = "******"
};
repository.DemoRowPermissions2.Employee.Insert(new[] { emp1, emp2 });
var sup3 = new DemoRowPermissions2.RegionSupervisor
{
EmployeeID = emp1.ID,
RegionID = reg3.ID
};
repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 });
// The current user can access doc1, because it's in the same division:
var doc1 = new DemoRowPermissions2.Document {
Title = "doc1", DivisionID = div1.ID
};
// The current user cannot access doc2:
var doc2 = new DemoRowPermissions2.Document {
Title = "doc2", DivisionID = div2.ID
};
// The current user can access doc3, because it's in the region he supervises:
var doc3 = new DemoRowPermissions2.Document {
Title = "doc3", DivisionID = div3.ID
};
repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3 });
// The current user can access com1, because it is related to his document:
var com1 = new DemoRowPermissions2.DocumentComment {
DocumentID = doc1.ID, Comment = "com1"
};
// The current user cannot access com2:
var com2 = new DemoRowPermissions2.DocumentComment {
DocumentID = doc2.ID, Comment = "com2"
};
repository.DemoRowPermissions2.DocumentComment.Insert(new[] { com1, com2 });
// The current user can access app1, because it is related to his document:
var app1 = new DemoRowPermissions2.DocumentApproval {
ID = doc1.ID, ApprovedByID = emp1.ID, Note = "app1"
};
// The current user cannot access app2:
var app2 = new DemoRowPermissions2.DocumentApproval {
ID = doc2.ID, ApprovedByID = emp1.ID, Note = "app2"
};
// The current user can read app3, but cannot write it, because it is approved by a different user:
var app3 = new DemoRowPermissions2.DocumentApproval {
ID = doc3.ID, ApprovedByID = emp2.ID, Note = "app3"
};
repository.DemoRowPermissions2.DocumentApproval.Insert(new[] { app1, app2, app3 });
scope.CommitAndClose();
}
// Test the current user's row permissions:
// The test will not execute client requests, but simply directly check the row permissions filters.
using (var scope = TestScope.Create())
{
var allowedReadBrowse =
scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentBrowse> >()
.Load <Common.RowPermissionsReadItems>();
Assert.AreEqual("doc1, doc3", TestUtility.DumpSorted(allowedReadBrowse, browse => browse.Title));
var allowedReadComment =
scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentComment> >()
.Load <Common.RowPermissionsReadItems>();
Assert.AreEqual("com1", TestUtility.DumpSorted(allowedReadComment, comment => comment.Comment));
var allowedReadApproval =
scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentApproval> >()
.Load <Common.RowPermissionsReadItems>();
Assert.AreEqual("app1, app3", TestUtility.DumpSorted(allowedReadApproval, approval => approval.Note));
var allowedWriteApproval =
scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentApproval> >()
.Load <Common.RowPermissionsWriteItems>();
Assert.AreEqual("app1", TestUtility.DumpSorted(allowedWriteApproval, approval => approval.Note));
var allowedReadInfo =
scope.Resolve <GenericRepository <DemoRowPermissions2.DocumentInfo> >()
.Load <Common.RowPermissionsReadItems>();
Assert.AreEqual("doc1_2, doc3_2", TestUtility.DumpSorted(allowedReadInfo, info => info.Title2));
}
}
public void InheritingRowPermissions()
{
InsertCurrentPrincipal(); // Not related to row permissions.
// Insert the test data (server code bypasses row permissions):
using (var container = new RhetosTestContainer(commitChanges: true))
{
var repository = container.Resolve<Common.DomRepository>();
var context = container.Resolve<Common.ExecutionContext>();
repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.All());
repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.All());
repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.All());
repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.All());
repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.All());
repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.All());
repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.All());
var reg3 = new DemoRowPermissions2.Region { Name = "reg3" };
repository.DemoRowPermissions2.Region.Insert(new[] { reg3 });
var div1 = new DemoRowPermissions2.Division { Name = "div1" };
var div2 = new DemoRowPermissions2.Division { Name = "div2" };
var div3 = new DemoRowPermissions2.Division { Name = "div3", RegionID = reg3.ID };
repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 });
// The current user:
var emp1 = new DemoRowPermissions2.Employee
{
UserName = context.UserInfo.UserName,
DivisionID = div1.ID
};
var emp2 = new DemoRowPermissions2.Employee
{
UserName = "******"
};
repository.DemoRowPermissions2.Employee.Insert(new[] { emp1, emp2 });
var sup3 = new DemoRowPermissions2.RegionSupervisor
{
EmployeeID = emp1.ID,
RegionID = reg3.ID
};
repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 });
// The current user can access doc1, because it's in the same division:
var doc1 = new DemoRowPermissions2.Document { Title = "doc1", DivisionID = div1.ID };
// The current user cannot access doc2:
var doc2 = new DemoRowPermissions2.Document { Title = "doc2", DivisionID = div2.ID };
// The current user can access doc3, because it's in the region he supervises:
var doc3 = new DemoRowPermissions2.Document { Title = "doc3", DivisionID = div3.ID };
repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3 });
// The current user can access com1, because it is related to his document:
var com1 = new DemoRowPermissions2.DocumentComment { DocumentID = doc1.ID, Comment = "com1" };
// The current user cannot access com2:
var com2 = new DemoRowPermissions2.DocumentComment { DocumentID = doc2.ID, Comment = "com2" };
repository.DemoRowPermissions2.DocumentComment.Insert(new[] { com1, com2 });
// The current user can access app1, because it is related to his document:
var app1 = new DemoRowPermissions2.DocumentApproval { ID = doc1.ID, ApprovedByID = emp1.ID, Note = "app1" };
// The current user cannot access app2:
var app2 = new DemoRowPermissions2.DocumentApproval { ID = doc2.ID, ApprovedByID = emp1.ID, Note = "app2" };
// The current user can read app3, but cannot write it, because it is approved by a different user:
var app3 = new DemoRowPermissions2.DocumentApproval { ID = doc3.ID, ApprovedByID = emp2.ID, Note = "app3" };
repository.DemoRowPermissions2.DocumentApproval.Insert(new[] { app1, app2, app3 });
}
// Test the current user's row permissions:
// The test will not execute client requests, but simply directly check the row permissions filters.
using (var container = new RhetosTestContainer())
{
var allowedReadBrowse =
container.Resolve<GenericRepository<DemoRowPermissions2.DocumentBrowse>>()
.Load<Common.RowPermissionsReadItems>();
Assert.AreEqual("doc1, doc3", TestUtility.DumpSorted(allowedReadBrowse, browse => browse.Title));
var allowedReadComment =
container.Resolve<GenericRepository<DemoRowPermissions2.DocumentComment>>()
.Load<Common.RowPermissionsReadItems>();
Assert.AreEqual("com1", TestUtility.DumpSorted(allowedReadComment, comment => comment.Comment));
var allowedReadApproval =
container.Resolve<GenericRepository<DemoRowPermissions2.DocumentApproval>>()
.Load<Common.RowPermissionsReadItems>();
Assert.AreEqual("app1, app3", TestUtility.DumpSorted(allowedReadApproval, approval => approval.Note));
var allowedWriteApproval =
container.Resolve<GenericRepository<DemoRowPermissions2.DocumentApproval>>()
.Load<Common.RowPermissionsWriteItems>();
Assert.AreEqual("app1", TestUtility.DumpSorted(allowedWriteApproval, approval => approval.Note));
}
}
public void CombiningMultipleRules()
{
InsertCurrentPrincipal(); // Not related to row permissions.
// Insert the test data (server code bypasses row permissions):
using (var scope = TestScope.Create())
{
var repository = scope.Resolve <Common.DomRepository>();
var context = scope.Resolve <Common.ExecutionContext>();
repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.Query());
repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.Query());
repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.Query());
repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.Query());
repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.Query());
repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.Query());
repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.Query());
var reg3 = new DemoRowPermissions2.Region {
Name = "reg3"
};
repository.DemoRowPermissions2.Region.Insert(new[] { reg3 });
var div1 = new DemoRowPermissions2.Division {
Name = "div1"
};
var div2 = new DemoRowPermissions2.Division {
Name = "div2"
};
var div3 = new DemoRowPermissions2.Division {
Name = "div3", RegionID = reg3.ID
};
repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 });
// The current user:
var emp1 = new DemoRowPermissions2.Employee
{
UserName = context.UserInfo.UserName,
DivisionID = div1.ID
};
repository.DemoRowPermissions2.Employee.Insert(new[] { emp1 });
var sup3 = new DemoRowPermissions2.RegionSupervisor
{
EmployeeID = emp1.ID,
RegionID = reg3.ID
};
repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 });
// The user can access doc1, because it's in the same division:
var doc1 = new DemoRowPermissions2.Document {
Title = "doc1", DivisionID = div1.ID
};
// The user cannot access doc2:
var doc2 = new DemoRowPermissions2.Document {
Title = "doc2", DivisionID = div2.ID
};
// The user can access doc3, because it's in the region he supervises:
var doc3 = new DemoRowPermissions2.Document {
Title = "doc3", DivisionID = div3.ID
};
// The user can access doc4 (same division), but cannot edit it (previous year):
var doc4 = new DemoRowPermissions2.Document {
Title = "doc4", DivisionID = div1.ID, Created = DateTime.Now.AddYears(-1)
};
repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3, doc4 });
scope.CommitAndClose();
}
// Simulate client request: Reading all documents (access denied)
using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims()))
{
var processingEngine = scope.Resolve <IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions2.Document).FullName,
ReadRecords = true
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.IsTrue(report.Contains("You are not authorized"));
}
// Simulate client request: Reading the user's documents
using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims()))
{
var processingEngine = scope.Resolve <IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions2.Document).FullName,
ReadRecords = true,
Filters = new[] { new FilterCriteria(typeof(Common.RowPermissionsReadItems)) }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.AreEqual("doc1, doc3, doc4", report);
}
// Simulate client request: Edit doc1 (ok)
using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims()))
{
var repository = scope.Resolve <Common.DomRepository>();
var doc1 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc1").Single();
doc1.Title += "x";
var processingEngine = scope.Resolve <IProcessingEngine>();
var serverCommand = new SaveEntityCommandInfo
{
Entity = typeof(DemoRowPermissions2.Document).FullName,
DataToUpdate = new[] { doc1 }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.AreEqual("Command executed", report);
var documents = repository.DemoRowPermissions2.Document.Query().Select(d => d.Title).OrderBy(t => t);
Assert.AreEqual("doc1x, doc2, doc3, doc4", string.Join(", ", documents));
}
// Simulate client request: Edit doc4 (access denied)
using (var scope = TestScope.Create(builder => builder.ConfigureIgnoreClaims()))
{
var repository = scope.Resolve <Common.DomRepository>();
var doc4 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc4").Single();
doc4.Title += "x";
var processingEngine = scope.Resolve <IProcessingEngine>();
var serverCommand = new SaveEntityCommandInfo
{
Entity = typeof(DemoRowPermissions2.Document).FullName,
DataToUpdate = new[] { doc4 }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.IsTrue(report.Contains("Insufficient permissions"));
}
}
public void CombiningMultipleRules()
{
InsertCurrentPrincipal(); // Not related to row permissions.
// Insert the test data (server code bypasses row permissions):
using (var container = new RhetosTestContainer(commitChanges: true))
{
var repository = container.Resolve<Common.DomRepository>();
var context = container.Resolve<Common.ExecutionContext>();
repository.DemoRowPermissions2.DocumentApproval.Delete(repository.DemoRowPermissions2.DocumentApproval.All());
repository.DemoRowPermissions2.DocumentComment.Delete(repository.DemoRowPermissions2.DocumentComment.All());
repository.DemoRowPermissions2.Document.Delete(repository.DemoRowPermissions2.Document.All());
repository.DemoRowPermissions2.RegionSupervisor.Delete(repository.DemoRowPermissions2.RegionSupervisor.All());
repository.DemoRowPermissions2.Employee.Delete(repository.DemoRowPermissions2.Employee.All());
repository.DemoRowPermissions2.Division.Delete(repository.DemoRowPermissions2.Division.All());
repository.DemoRowPermissions2.Region.Delete(repository.DemoRowPermissions2.Region.All());
var reg3 = new DemoRowPermissions2.Region { Name = "reg3" };
repository.DemoRowPermissions2.Region.Insert(new[] { reg3 });
var div1 = new DemoRowPermissions2.Division { Name = "div1" };
var div2 = new DemoRowPermissions2.Division { Name = "div2" };
var div3 = new DemoRowPermissions2.Division { Name = "div3", RegionID = reg3.ID };
repository.DemoRowPermissions2.Division.Insert(new[] { div1, div2, div3 });
// The current user:
var emp1 = new DemoRowPermissions2.Employee
{
UserName = context.UserInfo.UserName,
DivisionID = div1.ID
};
repository.DemoRowPermissions2.Employee.Insert(new[] { emp1 });
var sup3 = new DemoRowPermissions2.RegionSupervisor
{
EmployeeID = emp1.ID,
RegionID = reg3.ID
};
repository.DemoRowPermissions2.RegionSupervisor.Insert(new[] { sup3 });
// The user can access doc1, because it's in the same division:
var doc1 = new DemoRowPermissions2.Document { Title = "doc1", DivisionID = div1.ID };
// The user cannot access doc2:
var doc2 = new DemoRowPermissions2.Document { Title = "doc2", DivisionID = div2.ID };
// The user can access doc3, because it's in the region he supervises:
var doc3 = new DemoRowPermissions2.Document { Title = "doc3", DivisionID = div3.ID };
// The user can access doc4 (same division), but cannot edit it (previous year):
var doc4 = new DemoRowPermissions2.Document { Title = "doc4", DivisionID = div1.ID, Created = DateTime.Now.AddYears(-1) };
repository.DemoRowPermissions2.Document.Insert(new[] { doc1, doc2, doc3, doc4 });
}
// Simulate client request: Reading all documents (access denied)
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions2.Document).FullName,
ReadRecords = true
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.IsTrue(report.Contains("You are not authorized"));
}
// Simulate client request: Reading the user's documents
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new ReadCommandInfo
{
DataSource = typeof(DemoRowPermissions2.Document).FullName,
ReadRecords = true,
Filters = new[] { new FilterCriteria(typeof(Common.RowPermissionsReadItems)) }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.AreEqual("doc1, doc3, doc4", report);
}
// Simulate client request: Edit doc1 (ok)
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var repository = container.Resolve<Common.DomRepository>();
var doc1 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc1").Single();
doc1.Title += "x";
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new SaveEntityCommandInfo
{
Entity = typeof(DemoRowPermissions2.Document).FullName,
DataToUpdate = new[] { doc1 }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.AreEqual("Comand executed", report);
var documents = repository.DemoRowPermissions2.Document.Query().Select(d => d.Title).OrderBy(t => t);
Assert.AreEqual("doc1x, doc2, doc3, doc4", string.Join(", ", documents));
}
// Simulate client request: Edit doc4 (acces denied)
using (var container = new RhetosTestContainer())
{
container.AddIgnoreClaims();
var repository = container.Resolve<Common.DomRepository>();
var doc4 = repository.DemoRowPermissions2.Document.Query().Where(d => d.Title == "doc4").Single();
doc4.Title += "x";
var processingEngine = container.Resolve<IProcessingEngine>();
var serverCommand = new SaveEntityCommandInfo
{
Entity = typeof(DemoRowPermissions2.Document).FullName,
DataToUpdate = new[] { doc4 }
};
var serverResponse = processingEngine.Execute(new[] { serverCommand });
var report = GenerateReport(serverResponse);
Console.WriteLine("Server response: " + report);
Assert.IsTrue(report.Contains("Insufficient permissions"));
}
}