private static ICriterion GetPermissionQueryInternal(IUser user, string operation, string securityKeyProperty)
{
string[] operationNames = Strings.GetHierarchicalOperationNames(operation);
DetachedCriteria criteria = DetachedCriteria.For <Permission>("permission")
.CreateAlias("Operation", "op")
.CreateAlias("EntitiesGroup", "entityGroup", JoinType.LeftOuterJoin)
.CreateAlias("entityGroup.Entities", "entityKey", JoinType.LeftOuterJoin)
.SetProjection(Projections.Property("Allow"))
.Add(Restrictions.In("op.Name", operationNames))
.Add(Restrictions.Eq("User", user) ||
Subqueries.PropertyIn("UsersGroup.Id",
SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
.Add(
Property.ForName(securityKeyProperty).EqProperty("permission.EntitySecurityKey") ||
Property.ForName(securityKeyProperty).EqProperty("entityKey.EntitySecurityKey") ||
(
Restrictions.IsNull("permission.EntitySecurityKey") &&
Restrictions.IsNull("permission.EntitiesGroup")
)
)
.SetMaxResults(1)
.AddOrder(Order.Desc("Level"))
.AddOrder(Order.Asc("Allow"));
return(Subqueries.Eq(true, criteria));
}
/// <summary>
/// Gets all permissions for the specified group
/// </summary>
/// <param name="group">The group</param>
/// <returns></returns>
public Permission[] GetPermissionsFor(UsersGroup group)
{
DetachedCriteria criteria = DetachedCriteria.For <Permission>()
.Add(Subqueries.PropertyIn("UsersGroup.Id",
SecurityCriterions.AllGroups(group).SetProjection(Projections.Id())));
return(FindResults(criteria));
}
/// <summary>
/// Gets the permissions for the specified user
/// </summary>
/// <param name="user">The user.</param>
/// <returns></returns>
public Permission[] GetPermissionsFor(IUser user)
{
DetachedCriteria criteria = DetachedCriteria.For <Permission>()
.Add(Expression.Eq("User", user) ||
Subqueries.PropertyIn("UsersGroup.Id",
SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())));
return(FindResults(criteria));
}
/// <summary>
/// Gets the groups the specified entity is associated with
/// </summary>
/// <typeparam name="TEntity">The type of the entity.</typeparam>
/// <param name="entity">The entity.</param>
/// <returns></returns>
public virtual EntitiesGroup[] GetAssociatedEntitiesGroupsFor <TEntity>(TEntity entity) where TEntity : class
{
ICollection <EntitiesGroup> entitiesGroups =
SecurityCriterions.AllGroups(entity)
.GetExecutableCriteria(session)
.AddOrder(Order.Asc("Name"))
.SetCacheable(true)
.List <EntitiesGroup>();
return(entitiesGroups.ToArray());
}
/// <summary>
/// Gets the associated users group for the specified user.
/// </summary>
/// <param name="user">The user.</param>
public virtual UsersGroup[] GetAssociatedUsersGroupFor(IUser user)
{
ICollection <UsersGroup> usersGroups =
SecurityCriterions.AllGroups(user)
.GetExecutableCriteria(session)
.AddOrder(Order.Asc("Name"))
.SetCacheable(true)
.List <UsersGroup>();
return(usersGroups.ToArray());
}
/// <summary>
/// Gets the permissions for the specified user and entity
/// </summary>
/// <typeparam name="TEntity"></typeparam>
/// <param name="user">The user.</param>
/// <param name="entity"></param>
/// <returns></returns>
public Permission[] GetPermissionsFor <TEntity>(IUser user, TEntity entity) where TEntity : class
{
Guid key = Security.ExtractKey(entity);
EntitiesGroup[] entitiesGroups = authorizationRepository.GetAssociatedEntitiesGroupsFor(entity);
DetachedCriteria criteria = DetachedCriteria.For <Permission>()
.Add(Expression.Eq("User", user) ||
Subqueries.PropertyIn("UsersGroup.Id",
SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
.Add(Expression.Eq("EntitySecurityKey", key) || Expression.In("EntitiesGroup", entitiesGroups));
return(FindResults(criteria));
}
/// <summary>
/// Gets the permissions for the specified entity
/// </summary>
/// <param name="user">The user.</param>
/// <param name="operationName">Name of the operation.</param>
/// <returns></returns>
public Permission[] GetGlobalPermissionsFor(IUser user, string operationName)
{
string[] operationNames = Strings.GetHierarchicalOperationNames(operationName);
DetachedCriteria criteria = DetachedCriteria.For <Permission>()
.Add(Expression.Eq("User", user) ||
Subqueries.PropertyIn("UsersGroup.Id",
SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
.Add(Expression.IsNull("EntitiesGroup"))
.Add(Expression.IsNull("EntitySecurityKey"))
.CreateAlias("Operation", "op")
.Add(Expression.In("op.Name", operationNames));
return(FindResults(criteria));
}
/// <summary>
/// Gets the ancestry association of an entity with the named entity group.
/// This allows to track how an entity is associated to a group through
/// their ancestry.
/// </summary>
/// <param name="entity">The entity.</param>
/// <param name="entityGroupName">Name of the entity group.</param>
/// <returns></returns>
public virtual EntitiesGroup[] GetAncestryAssociationOfEntity <TEntity>(TEntity entity, string entityGroupName) where TEntity : class
{
EntitiesGroup desiredGroup = GetEntitiesGroupByName(entityGroupName);
ICollection <EntitiesGroup> directGroups =
SecurityCriterions.DirectEntitiesGroups(entity)
.GetExecutableCriteria(session)
.SetCacheable(true)
.List <EntitiesGroup>();
if (directGroups.Contains(desiredGroup))
{
return(new[] { desiredGroup });
}
// as a nice benefit, this does an eager load of all the groups in the hierarchy
// in an efficient way, so we don't have SELECT N + 1 here, nor do we need
// to load the Entities collection (which may be very large) to check if we are associated
// directly or not
EntitiesGroup[] associatedGroups = GetAssociatedEntitiesGroupsFor(entity);
if (Array.IndexOf(associatedGroups, desiredGroup) == -1)
{
return(new EntitiesGroup[0]);
}
// now we need to find out the path to it
List <EntitiesGroup> shortest = new List <EntitiesGroup>();
foreach (EntitiesGroup entitiesGroup in associatedGroups)
{
List <EntitiesGroup> path = new List <EntitiesGroup>();
EntitiesGroup current = entitiesGroup;
while (current != null && current != desiredGroup)
{
path.Add(current);
current = current.Parent;
}
if (current != null)
{
path.Add(current);
}
// Valid paths are those that are contains the desired group
// and start in one of the groups that are directly associated
// with the user
if (path.Contains(desiredGroup) && directGroups.Contains(path[0]))
{
shortest = Min(shortest, path);
}
}
return(shortest.ToArray());
}
/// <summary>
/// Removes the user from rhino security.
/// This does NOT delete the user itself, merely reset all the
/// information that rhino security knows about it.
/// It also allows it to be removed by external API without violating
/// FK constraints
/// </summary>
/// <param name="user">The user.</param>
public void RemoveUser(IUser user)
{
ICollection <UsersGroup> groups =
SecurityCriterions.DirectUsersGroups((user))
.GetExecutableCriteria(session)
.SetCacheable(true)
.List <UsersGroup>();
foreach (UsersGroup group in groups)
{
group.Users.Remove(user);
}
session.CreateQuery("delete Permission p where p.User = :user")
.SetEntity("user", user)
.ExecuteUpdate();
}
/// <summary>
/// Gets the permissions for the specified operations
/// </summary>
/// <param name="user">The user.</param>
/// <param name="operationNames">Names of the operations.</param>
/// <returns></returns>
public Permission[] GetGlobalPermissionsFor(IUser user, string[] operationNames)
{
if (operationNames == null)
{
throw new ArgumentNullException("operationNames");
}
//string[] allOperationNames = Strings.GetHierarchicalOperationNames(operationNames);
DetachedCriteria criteria = DetachedCriteria.For <Permission>()
.Add(UserRestriction(user) ||
Subqueries.PropertyIn("UsersGroup.Id",
SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
.Add(Restrictions.IsNull("EntitiesGroup"))
.Add(Restrictions.IsNull("EntitySecurityKey"))
.CreateAlias("Operation", "op")
.Add(Restrictions.In("op.Name", operationNames));
return(FindResults(criteria));
}
/// <summary>
/// Gets the permissions for the specified entity
/// </summary>
/// <typeparam name="TEntity">The type of the entity.</typeparam>
/// <param name="user">The user.</param>
/// <param name="entity">The entity.</param>
/// <param name="operationNames">Names of the operations.</param>
/// <returns></returns>
public Permission[] GetPermissionsFor <TEntity>(IUser user, TEntity entity, string[] operationNames) where TEntity : class
{
Guid key = Security.ExtractKey(entity);
string[] allOperationNames = Strings.GetHierarchicalOperationNames(operationNames);
EntitiesGroup[] entitiesGroups = authorizationRepository.GetAssociatedEntitiesGroupsFor(entity);
AbstractCriterion onCriteria =
(Restrictions.Eq("EntitySecurityKey", key) || Restrictions.In("EntitiesGroup", entitiesGroups)) ||
(Restrictions.IsNull("EntitiesGroup") && Restrictions.IsNull("EntitySecurityKey"));
DetachedCriteria criteria = DetachedCriteria.For <Permission>()
.Add(Restrictions.Eq("User", user) ||
Subqueries.PropertyIn("UsersGroup.Id",
SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
.Add(onCriteria)
.CreateAlias("Operation", "op")
.Add(Restrictions.In("op.Name", allOperationNames));
return(FindResults(criteria));
}
