private HashSet<Guid> IsAuthorisedHashSet(Guid? securableParentUid, IEnumerable<Guid> securableObjectUids, params IRight[] requiredRights)
{
/// This user is a Glyma Security Manager, they have access to everything.
if (Web.UserIsSiteAdmin)
{
return new HashSet<Guid>(securableObjectUids);
}
IDbConnectionAbstraction securityDbConnection = GlymaSession.ConnectionFactory.CreateSecurityDbConnection();
SecurityDBDataContext dataContext = null;
SPSite elevatedSite = null;
SPWeb elevatedWeb = null;
try
{
GroupAssociationsOrderedByGroupSPId groupAssociations = new GroupAssociationsOrderedByGroupSPId();
SecurableObjectGenealogyTracker geneaologyTracker = new SecurableObjectGenealogyTracker();
SPSecurity.RunWithElevatedPrivileges(delegate()
{
dataContext = new SecurityDBDataContext(securityDbConnection.Connection);
if (securableParentUid != null)
{
IQueryable<SecurableObject> securableObjectInheritanceInfo = from securableObject in dataContext.SecurableObjects
where securableObject.SecurableContextId == SecurableContextId
select securableObject;
MultipleOrExpressionFilter<SecurableObject, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter<SecurableObject, Guid>(securableObjectInheritanceInfo, securableObjectUids, "SecurableObjectUid");
IQueryable<SecurableObject> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet();
geneaologyTracker.AddRange(securableParentUid, filteredSecurableObjectInheritanceInfo);
geneaologyTracker.AddRangeIfNotPreExisting(securableParentUid, securableObjectUids);
}
else
{
geneaologyTracker.AddRange(null, securableObjectUids);
IQueryable<GroupAssociation> groupsAssocationsWithBrokenInheritance = from securableObjectGroupAssocation in dataContext.GroupAssociations
where securableObjectGroupAssocation.SecurableContextId == SecurableContextId && securableObjectGroupAssocation.SecurableObject.BreaksInheritance == true
select securableObjectGroupAssocation;
MultipleOrExpressionFilter<GroupAssociation, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter<GroupAssociation, Guid>(groupsAssocationsWithBrokenInheritance, securableObjectUids, "SecurableParentUid");
IQueryable<GroupAssociation> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet();
groupAssociations.AddRange(filteredSecurableObjectInheritanceInfo);
foreach (GroupAssociation securableObjectWithBrokenInheritance in filteredSecurableObjectInheritanceInfo)
{
geneaologyTracker.Add(securableObjectWithBrokenInheritance.SecurableParentUid, securableObjectWithBrokenInheritance.SecurableObjectUid);
}
}
/// Get the group associations for only the securable objects.
IQueryable<GroupAssociation> allAccessibleGroupAssociations;
/// The following needs to be done as Linq doesn't detect the null value in Nullable types and so doesn't generate the correct "IS NULL" SQL.
if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects && geneaologyTracker.HasInheritingObjects)
{
allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations
where (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid) || (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null)
select securableObject;
}
else if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects)
{
allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations
where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid
select securableObject;
}
else /// This means the tracker has only either inheriting objects or domains.
{
allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations
where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null
select securableObject;
}
MultipleOrExpressionFilter<GroupAssociation, Guid> groupAssocationFilter = new MultipleOrExpressionFilter<GroupAssociation, Guid>(allAccessibleGroupAssociations, geneaologyTracker.GetPermissionSources(), "SecurableObjectUid");
IQueryable<GroupAssociation> filteredGroupAssociations = groupAssocationFilter.FilterResultSet();
groupAssociations.AddRange(filteredGroupAssociations);
});
AccessibleObjectsBuilder accessibleObjects = new AccessibleObjectsBuilder();
elevatedSite = GetElevatedSite();
elevatedWeb = GetElevatedWeb(elevatedSite);
foreach (SPRoleAssignment roleAssignment in elevatedWeb.RoleAssignments)
{
SPGroup elevatedGroup = roleAssignment.Member as SPGroup;
if (elevatedGroup != null)
{
SPGroup group = Web.Groups.GetByID(elevatedGroup.ID);
/// Check that we're actually looking at a group, and that this group is on the list of accessible groups, and that this group contains the current user.
if (group != null && group.ContainsCurrentUser)
{
/// Do a check that this group actually has the required right.
foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings)
{
IRole role = GetRole(roleDefinition.Name);
IEnumerable<GroupAssociation> accessibleParentObjects;
if (groupAssociations.GetBySPId(group.ID, out accessibleParentObjects))
{
if (role != null && role.HasRights(requiredRights))
{
IEnumerable<Guid> accessibleSecurableObjects = geneaologyTracker.GetSecurableObjectsByPermissionSources(accessibleParentObjects);
accessibleObjects.AddRange(accessibleSecurableObjects);
}
}
}
}
}
}
return accessibleObjects.GetAccessibleObjects();
}
finally
{
if (dataContext != null)
{
dataContext.Dispose();
dataContext = null;
}
if (elevatedWeb != null)
{
elevatedWeb.Dispose();
elevatedWeb = null;
}
if (elevatedSite != null)
{
elevatedSite.Dispose();
elevatedSite = null;
}
if (securityDbConnection != null)
{
securityDbConnection.Dispose();
securityDbConnection = null;
}
}
}
private HashSet <Guid> IsAuthorisedHashSet(Guid?securableParentUid, IEnumerable <Guid> securableObjectUids, params IRight[] requiredRights)
{
/// This user is a Glyma Security Manager, they have access to everything.
if (Web.UserIsSiteAdmin)
{
return(new HashSet <Guid>(securableObjectUids));
}
IDbConnectionAbstraction securityDbConnection = GlymaSession.ConnectionFactory.CreateSecurityDbConnection();
SecurityDBDataContext dataContext = null;
SPSite elevatedSite = null;
SPWeb elevatedWeb = null;
try
{
GroupAssociationsOrderedByGroupSPId groupAssociations = new GroupAssociationsOrderedByGroupSPId();
SecurableObjectGenealogyTracker geneaologyTracker = new SecurableObjectGenealogyTracker();
SPSecurity.RunWithElevatedPrivileges(delegate()
{
dataContext = new SecurityDBDataContext(securityDbConnection.Connection);
if (securableParentUid != null)
{
IQueryable <SecurableObject> securableObjectInheritanceInfo = from securableObject in dataContext.SecurableObjects
where securableObject.SecurableContextId == SecurableContextId
select securableObject;
MultipleOrExpressionFilter <SecurableObject, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter <SecurableObject, Guid>(securableObjectInheritanceInfo, securableObjectUids, "SecurableObjectUid");
IQueryable <SecurableObject> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet();
geneaologyTracker.AddRange(securableParentUid, filteredSecurableObjectInheritanceInfo);
geneaologyTracker.AddRangeIfNotPreExisting(securableParentUid, securableObjectUids);
}
else
{
geneaologyTracker.AddRange(null, securableObjectUids);
IQueryable <GroupAssociation> groupsAssocationsWithBrokenInheritance = from securableObjectGroupAssocation in dataContext.GroupAssociations
where securableObjectGroupAssocation.SecurableContextId == SecurableContextId && securableObjectGroupAssocation.SecurableObject.BreaksInheritance == true
select securableObjectGroupAssocation;
MultipleOrExpressionFilter <GroupAssociation, Guid> securableObjectInheritanceInfoFilter = new MultipleOrExpressionFilter <GroupAssociation, Guid>(groupsAssocationsWithBrokenInheritance, securableObjectUids, "SecurableParentUid");
IQueryable <GroupAssociation> filteredSecurableObjectInheritanceInfo = securableObjectInheritanceInfoFilter.FilterResultSet();
groupAssociations.AddRange(filteredSecurableObjectInheritanceInfo);
foreach (GroupAssociation securableObjectWithBrokenInheritance in filteredSecurableObjectInheritanceInfo)
{
geneaologyTracker.Add(securableObjectWithBrokenInheritance.SecurableParentUid, securableObjectWithBrokenInheritance.SecurableObjectUid);
}
}
/// Get the group associations for only the securable objects.
IQueryable <GroupAssociation> allAccessibleGroupAssociations;
/// The following needs to be done as Linq doesn't detect the null value in Nullable types and so doesn't generate the correct "IS NULL" SQL.
if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects && geneaologyTracker.HasInheritingObjects)
{
allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations
where (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid) || (securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null)
select securableObject;
}
else if (securableParentUid.HasValue && geneaologyTracker.HasIndependentObjects)
{
allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations
where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == securableParentUid
select securableObject;
}
else /// This means the tracker has only either inheriting objects or domains.
{
allAccessibleGroupAssociations = from securableObject in dataContext.GroupAssociations
where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == null
select securableObject;
}
MultipleOrExpressionFilter <GroupAssociation, Guid> groupAssocationFilter = new MultipleOrExpressionFilter <GroupAssociation, Guid>(allAccessibleGroupAssociations, geneaologyTracker.GetPermissionSources(), "SecurableObjectUid");
IQueryable <GroupAssociation> filteredGroupAssociations = groupAssocationFilter.FilterResultSet();
groupAssociations.AddRange(filteredGroupAssociations);
});
AccessibleObjectsBuilder accessibleObjects = new AccessibleObjectsBuilder();
elevatedSite = GetElevatedSite();
elevatedWeb = GetElevatedWeb(elevatedSite);
foreach (SPRoleAssignment roleAssignment in elevatedWeb.RoleAssignments)
{
SPGroup elevatedGroup = roleAssignment.Member as SPGroup;
if (elevatedGroup != null)
{
SPGroup group = Web.Groups.GetByID(elevatedGroup.ID);
/// Check that we're actually looking at a group, and that this group is on the list of accessible groups, and that this group contains the current user.
if (group != null && group.ContainsCurrentUser)
{
/// Do a check that this group actually has the required right.
foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings)
{
IRole role = GetRole(roleDefinition.Name);
IEnumerable <GroupAssociation> accessibleParentObjects;
if (groupAssociations.GetBySPId(group.ID, out accessibleParentObjects))
{
if (role != null && role.HasRights(requiredRights))
{
IEnumerable <Guid> accessibleSecurableObjects = geneaologyTracker.GetSecurableObjectsByPermissionSources(accessibleParentObjects);
accessibleObjects.AddRange(accessibleSecurableObjects);
}
}
}
}
}
}
return(accessibleObjects.GetAccessibleObjects());
}
finally
{
if (dataContext != null)
{
dataContext.Dispose();
dataContext = null;
}
if (elevatedWeb != null)
{
elevatedWeb.Dispose();
elevatedWeb = null;
}
if (elevatedSite != null)
{
elevatedSite.Dispose();
elevatedSite = null;
}
if (securityDbConnection != null)
{
securityDbConnection.Dispose();
securityDbConnection = null;
}
}
}