public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is <ICommonPart>())
{
if (OwnerVariationExists(context.Permission) &&
HasOwnership(context.User, context.Content))
{
context.Adjusted = true;
context.Permission = GetOwnerVariation(context.Permission);
}
var typeDefinition = context.Content.ContentItem.TypeDefinition;
// replace permission if a content type specific version exists
if (typeDefinition.Settings.GetModel <ContentTypeSettings>().Securable)
{
var permission = GetContentTypeVariation(context.Permission);
if (permission != null)
{
context.Adjusted = true;
context.Permission = DynamicPermissions.CreateDynamicPermission(permission, typeDefinition);
}
}
}
}
public void Adjust(CheckAccessContext context)
{
if (context.Content.Is <OrderPart>())
{
if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.PublishOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = OrdersPermissions.CreateOrders;
}
else if (context.Permission.Name == Orchard.Core.Contents.Permissions.EditContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.EditOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = OrdersPermissions.ManageOrders;
}
else if (context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = OrdersPermissions.ManageOrders;
}
else if (context.Permission.Name == Orchard.Core.Contents.Permissions.ViewContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.ViewOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = OrdersPermissions.ViewOrders;
}
}
}
private static Permission TryGetOwnerVariation(Permission permission, CheckAccessContext context)
{
if (HasOwnership(context.User, context.Content))
{
if (permission.Name == Core.Contents.Permissions.PublishContent.Name)
{
return(Core.Contents.Permissions.PublishOwnContent);
}
if (permission.Name == Core.Contents.Permissions.EditContent.Name)
{
return(Core.Contents.Permissions.EditOwnContent);
}
if (permission.Name == Core.Contents.Permissions.DeleteContent.Name)
{
return(Core.Contents.Permissions.DeleteOwnContent);
}
if (permission.Name == Core.Contents.Permissions.ViewContent.Name)
{
return(Core.Contents.Permissions.ViewOwnContent);
}
if (permission.Name == Core.Contents.Permissions.PreviewContent.Name)
{
return(Core.Contents.Permissions.PreviewOwnContent);
}
return(null);
}
else
{
return(permission);
}
}
public void Adjust(CheckAccessContext context)
{
Permission permission = context.Permission;
if (context.Content.Is <ICommonPart>())
{
var typeDefinition = context.Content.ContentItem.TypeDefinition;
// adjusting permissions only if the content is not securable
if (!typeDefinition.Settings.GetModel <ContentTypeSettings>().Securable)
{
string stereotype;
if (context.Permission == Core.Contents.Permissions.ViewContent || context.Permission == Core.Contents.Permissions.ViewOwnContent)
{
if (context.Content.Is <WidgetPart>())
{
context.Granted = true;
context.Adjusted = false;
}
else if (context.Content != null &&
((context.Content.ContentItem.TypeDefinition.Settings.TryGetValue("Stereotype", out stereotype) && stereotype == "MenuItem") ||
context.Content.ContentItem.ContentType == "Menu"))
{
context.Granted = true;
context.Adjusted = false;
}
}
}
}
}
public void Adjust(CheckAccessContext context)
{
// when checking permissions for WidgetExPart inside a WidgetContainer
// use the permission to ManageWidgetContainer
// If we haven't yet granted the user permission to do whatever they are trying to, and
// we are testing for one of the "manage" permissions from Orchard.Core.Contents
// (with safety checks to ensure we are checking on a content item):
if (!context.Granted && IsCoreManagePermission(context.Permission) &&
context.Content != null && context.Content.ContentItem != null)
{
// We are only going to worry about widgets that aren't securable, because
// those we assume will have been configured properly. If they haven't, we have
// other levers to handle that precisely anyway.
var typeDefinition = context.Content.ContentItem.TypeDefinition;
if (!typeDefinition.Settings.GetModel <ContentTypeSettings>().Securable)
{
// We are only going to worry about widgets
if (context.Content.ContentItem.Is <WidgetExPart>())
{
// Checking for the ability for a user to manage this widget.
// All this we are doing doesn't apply on the page/controller for a site's widgets
// but only for widgets within a WidgetsContainer.
if (!RequestIsInWidgetsAdmin())
{
context.Granted = false;
context.Adjusted = true;
context.Permission = Permissions.ManageContainerWidgets;
}
}
}
}
}
public void Complete(CheckAccessContext context)
{
if (context.Content.As <WishListListPart>() != null)
{
_wishListsPermissionsService.Complete(context);
}
}
public void Checking(CheckAccessContext context)
{
Permission permission = context.Permission;
if (context.Content.Is <ICommonPart>())
{
var typeDefinition = context.Content.ContentItem.TypeDefinition;
// adjusting permissions only if the content is not securable
if (!typeDefinition.Settings.GetModel <ContentTypeSettings>().Securable)
{
if (context.Content.Is <TermPart>())
{
if (context.Permission == Core.Contents.Permissions.CreateContent)
{
permission = Permissions.CreateTerm;
}
else if (context.Permission == Core.Contents.Permissions.EditContent)
{
permission = Permissions.EditTerm;
}
else if (context.Permission == Core.Contents.Permissions.PublishContent)
{
permission = Permissions.EditTerm;
}
else if (context.Permission == Core.Contents.Permissions.DeleteContent)
{
permission = Permissions.DeleteTerm;
}
}
else if (context.Content.Is <TaxonomyPart>())
{
if (context.Permission == Core.Contents.Permissions.CreateContent)
{
permission = Permissions.CreateTaxonomy;
}
else if (context.Permission == Core.Contents.Permissions.EditContent)
{
permission = Permissions.CreateTaxonomy;
}
else if (context.Permission == Core.Contents.Permissions.PublishContent)
{
permission = Permissions.CreateTaxonomy;
}
else if (context.Permission == Core.Contents.Permissions.DeleteContent)
{
permission = Permissions.ManageTaxonomies;
}
}
if (permission != context.Permission)
{
context.Granted = false; //Force granted to false so next adjust iteration will check against the new permission starting from an unauthorized condition
context.Permission = permission;
context.Adjusted = true;
}
}
}
}
public void Adjust(CheckAccessContext context)
{
Permission permission = context.Permission;
// adjusting permissions only if the content is not securable
if (!context.Granted &&
context.Content.Is <ICommonPart>())
{
var typeDefinition = context.Content.ContentItem.TypeDefinition;
if (!typeDefinition.Settings.GetModel <ContentTypeSettings>().Securable)
{
if (context.Content.Is <TermPart>())
{
if (context.Permission == Core.Contents.Permissions.CreateContent)
{
permission = Permissions.CreateTerm;
}
else if (context.Permission == TryGetOwnerVariation(Core.Contents.Permissions.EditContent, context))
{
permission = Permissions.EditTerm;
}
else if (context.Permission == TryGetOwnerVariation(Core.Contents.Permissions.PublishContent, context))
{
permission = Permissions.EditTerm;
}
else if (context.Permission == TryGetOwnerVariation(Core.Contents.Permissions.DeleteContent, context))
{
permission = Permissions.DeleteTerm;
}
}
else if (context.Content.Is <TaxonomyPart>())
{
if (context.Permission == Core.Contents.Permissions.CreateContent)
{
permission = Permissions.CreateTaxonomy;
}
else if (context.Permission == TryGetOwnerVariation(Core.Contents.Permissions.EditContent, context))
{
permission = Permissions.CreateTaxonomy;
}
else if (context.Permission == TryGetOwnerVariation(Core.Contents.Permissions.PublishContent, context))
{
permission = Permissions.CreateTaxonomy;
}
else if (context.Permission == TryGetOwnerVariation(Core.Contents.Permissions.DeleteContent, context))
{
permission = Permissions.ManageTaxonomies;
}
}
if (permission != context.Permission)
{
context.Permission = permission;
context.Adjusted = true;
}
}
}
}
public void Adjust(CheckAccessContext context)
{
var mediaPart = context.Content.As <MediaPart>();
if (mediaPart != null)
{
context.Granted = _mediaLibraryService.CheckMediaFolderPermission(context.Permission, mediaPart.FolderPath);
}
}
public void Adjust(CheckAccessContext context)
{
if (context.Granted || context.Permission != Permissions.ViewProfiles || context.Content != context.User)
{
return;
}
context.Adjusted = true;
context.Permission = Permissions.ViewOwnProfile;
}
public void Checking(CheckAccessContext context)
{
if (context.User != null && this.userService.IsSkautIsUser(context.User))
{
var userPart = context.User.As <SkautIsUserPart>();
RefreshUserToken(userPart);
AddRoles(userPart);
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Permission.Name == Orchard.Core.Contents.Permissions.EditContent.Name &&
context.Content != null &&
context.Content.ContentItem.ContentType == "CustomForm")
{
context.Adjusted = true;
context.Permission = Permissions.CreateSubmitPermission(context.Content.ContentItem.As <CustomFormPart>().ContentType);
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted)
{
// Are we checking for a "PublishOwn" type permission?
if (context.Permission.Name.StartsWith("PublishOwn_"))
{
// Hmmm...
}
}
}
public void Complete(CheckAccessContext context)
{
//if we granted permission for the contact, we still need to check for the
//ShowContacts permission. This is because if the role for the user has "ViewContent" permission
//it will be able to view everything.
//With ShowContacts we want to restrict that.
if (context.Granted &&
context.Content.Is <CommunicationContactPart>())
{
context.Granted = _authorizer.Authorize(Permissions.ShowContacts);
}
}
public void Complete(CheckAccessContext context)
{
//If we granted permissions for the content, we still need to check for the
//permission specific for questionnaires. Thisd is because if a Rolw has the "ViewContent"
//permission it will be able to view everything even though it does not have the
//permission that is specific to questionnaires
if (context.Granted &&
context.Content.Is <QuestionnairePart>())
{
context.Granted = _authorizer.Authorize(Permissions.SubmitQuestionnaire);
}
}
public void Complete(CheckAccessContext context)
{
if (context.Content != null)
{
var ci = _dataProtectionCheckerService.CheckDataRestricitons(context.Content.ContentItem, context.Permission);
if (ci == null)
{
context.Granted = false;
context.Adjusted = true;
}
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is <CommunicationContactPart>())
{
//If we are trying to view a contact, check for the correct permission
if (context.Permission.Name == Contents.Permissions.ViewContent.Name)
{
context.Adjusted = true;
context.Permission = Permissions.ShowContacts; //will check this permission next
}
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is <QuestionnairePart>())
{
//If we are trying to view a Questionnaire, check for the correct permission
if (context.Permission.Name == Contents.Permissions.ViewContent.Name)
{
context.Adjusted = true;
context.Permission = Permissions.SubmitQuestionnaire; //will check this permission next
}
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is <ICommonPart>())
{
if (OwnerVariationExists(context.Permission) &&
HasOwnership(context.User, context.Content))
{
context.Adjusted = true;
context.Permission = GetOwnerVariation(context.Permission);
}
}
}
public void Adjust(CheckAccessContext context)
{
if (context.Content.Is <CustomerPart>() || context.Content.Is <CustomerAddressPart>())
{
if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.PublishOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.EditOwnCustomerAccount : CustomersPermissions.ManageCustomerAccounts;
}
else if (context.Permission.Name == Orchard.Core.Contents.Permissions.EditContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.EditOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.EditOwnCustomerAccount : CustomersPermissions.ManageCustomerAccounts;
}
else if (context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.DeleteOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.EditOwnCustomerAccount : CustomersPermissions.ManageCustomerAccounts;
}
else if (context.Permission.Name == Orchard.Core.Contents.Permissions.ViewContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.ViewOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = HasOwnership(context.User, context.Content) ? CustomersPermissions.ViewOwnCustomerAccount : CustomersPermissions.ViewCustomerAccounts;
}
}
else if (context.Content.Is <CustomerOrderPart>())
{
if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.PublishOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = HasOwnership(context.User, context.Content) ? OrdersPermissions.CreateOrders : OrdersPermissions.ManageOrders;
}
else if (context.Permission.Name == Orchard.Core.Contents.Permissions.ViewContent.Name || context.Permission.Name == Orchard.Core.Contents.Permissions.ViewOwnContent.Name)
{
context.Granted = false;
context.Adjusted = true;
context.Permission = HasOwnership(context.User, context.Content) ? OrdersPermissions.ViewOwnOrders : OrdersPermissions.ViewOrders;
}
else if (!context.Granted && context.Permission.Name == OrdersPermissions.ViewOrders.Name && HasOwnership(context.User, context.Content))
{
context.Adjusted = true;
context.Permission = OrdersPermissions.ViewOwnOrders;
}
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted && context.Permission.Name == Permissions.ManageMenus.Name && context.Content != null)
{
var menuAsContentItem = context.Content.As <ContentItem>();
if (menuAsContentItem == null || menuAsContentItem.Id <= 0)
{
return;
}
context.Adjusted = true;
context.Permission = DynamicPermissions.CreateMenuPermission(menuAsContentItem, _contentManager);
}
}
public void Adjust(CheckAccessContext context)
{
// If the authorization is already granted, nothing to adjust here
if (context.Granted)
{
return;
}
// If we are testing the ViewProfiles Permission, we may have to adjust for the Own permission
// as long as the content IS the user
if (context.Permission == Permissions.ViewProfiles && context.User != null && context.Content != null && context.Content.As <IUser>()?.Id == context.User.Id)
{
context.Adjusted = true;
context.Permission = Permissions.ViewOwnProfile;
return;
}
// If we are testing the ViewContent Permission, check whether the test comes from the path of
// the SecureFileField controller, for a field that is hosted in a User
if (context.Permission == Orchard.Core.Contents.Permissions.ViewContent)
{
var routeData = _workContextAccessor.GetContext()
.HttpContext.Request.RequestContext.RouteData.Values;
if ("CloudConstruct".Equals(routeData["area"].ToString(), StringComparison.OrdinalIgnoreCase) &&
"SecureFileField".Equals(routeData["controller"].ToString(), StringComparison.OrdinalIgnoreCase) &&
"GetSecureFile".Equals(routeData["action"].ToString(), StringComparison.OrdinalIgnoreCase)
)
{
// The check for authorizations has been invoked in a call to the SecureFileField controller
var userPart = context.Content.As <IUser>();
if (userPart == null)
{
// We only adjust permissions when the content is a user
return;
}
// If the user matches the current user, adjust to the Own permission, otherwise adjust to the
// generic one
if (userPart.Id == context.User.Id)
{
context.Permission = Permissions.ViewOwnProfile;
}
else
{
context.Permission = Permissions.ViewProfiles;
}
context.Adjusted = true;
return;
}
}
// No other case to handle
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is <TerritoryPart>())
{
var typeDefinition = context.Content.ContentItem.TypeDefinition;
//replace permission if there is one specific for the content type
if (typeDefinition.Parts.Any(ctpd => ctpd.PartDefinition.Name == TerritoryPart.PartName) &&
context.Permission == TerritoriesPermissions.ManageTerritories)
{
context.Adjusted = true;
context.Permission = TerritoriesPermissions.GetTerritoryPermission(typeDefinition);
}
}
}
public void Complete(CheckAccessContext context)
{
/*
* context.Permission: the permission we are checking
* context.User: The request's current user
* context.Content: the content item we are trying to access
* context.Granted: set to true if we grant permission; false otherwise
* context.Adjusted: set to true if we changed the value of Granted
*/
if (context.Content.As <WishListListPart>() != null)
{
var owner = context.Content.As <CommonPart>().Owner;
var oldGranted = context.Granted;
context.Granted &= owner == context.User; //wish lists are always private
context.Adjusted = context.Granted != oldGranted;
}
}
public void Complete(CheckAccessContext context)
{
if (context.Content == null)
{
return;
}
var part = context.Content.As <ContentMenuItemPart>();
// if the content item has no right attached, check on the container
if (part == null)
{
return;
}
context.Granted = _authorizationService.TryCheckAccess(context.Permission, context.User, part.Content);
context.Adjusted = true;
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is <ICommonPart>())
{
if (context.Permission.Name == Orchard.Core.Contents.Permissions.PublishContent.Name && context.Content.ContentItem.ContentType == "BlogPost")
{
context.Adjusted = true;
context.Permission = Permissions.PublishBlogPost;
}
else if (OwnerVariationExists(context.Permission) &&
HasOwnership(context.User, context.Content))
{
context.Adjusted = true;
context.Permission = GetOwnerVariation(context.Permission);
}
}
}
public void Adjust(CheckAccessContext context)
{
var mediaPart = context.Content.As <MediaPart>();
if (mediaPart != null)
{
if (_authorizer.Authorize(Permissions.ManageMediaContent))
{
context.Granted = true;
return;
}
if (_authorizer.Authorize(Permissions.ManageOwnMedia))
{
context.Granted = _mediaLibraryService.CanManageMediaFolder(mediaPart.FolderPath);
}
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted &&
context.Content.Is <ICommonPart>())
{
if ((context.Permission.Name == OCore.Contents.Permissions.PublishContent.Name && context.Content.ContentItem.ContentType == "CommunicationAdvertising") || (context.Permission.Name == OCore.Contents.Permissions.PublishOwnContent.Name && context.Content.ContentItem.ContentType == "CommunicationAdvertising"))
{
context.Adjusted = true;
context.Permission = Permissions.ManageCommunicationAdv;
}
else if (OwnerVariationExists(context.Permission) &&
HasOwnership(context.User, context.Content))
{
context.Adjusted = true;
context.Permission = GetOwnerVariation(context.Permission);
}
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted && context.Permission is EncryptedStringFieldEditPermission)
{
var fieldPermission = context.Permission as EncryptedStringFieldEditPermission;
if (HasOwnership(context.User, context.Content))
{
// Own Permission.
context.Permission = _secureFieldService.GetOwnPermission(fieldPermission.Part, fieldPermission.Field);
context.Adjusted = true;
}
else
{
// All Permission.
context.Permission = _secureFieldService.GetAllPermission(fieldPermission.Part, fieldPermission.Field);;
context.Adjusted = true;
}
}
}
public void Adjust(CheckAccessContext context)
{
if (!context.Granted)
{
if (context.Permission is HiddenFieldEditPermission)
{
// permission edit
var fieldPermission = context.Permission as HiddenFieldEditPermission;
if (HasOwnership(context.User, context.Content))
{
// Own Permission.
context.Permission = _hiddenFieldService.GetOwnPermission(fieldPermission.Part, fieldPermission.Field);
context.Adjusted = true;
}
else
{
// All Permission.
context.Permission = _hiddenFieldService.GetAllPermission(fieldPermission.Part, fieldPermission.Field);
context.Adjusted = true;
}
}
else if (context.Permission is HiddenFieldSeePermission)
{
// permission see
var fieldPermission = context.Permission as HiddenFieldSeePermission;
if (HasOwnership(context.User, context.Content))
{
// Own Permission.
context.Permission = _hiddenFieldService.GetSeeOwnPermission(fieldPermission.Part, fieldPermission.Field);
context.Adjusted = true;
}
else
{
// All Permission.
context.Permission = _hiddenFieldService.GetSeeAllPermission(fieldPermission.Part, fieldPermission.Field);
context.Adjusted = true;
}
}
}
}
public bool TryCheckAccess(Permission permission, IUser user, IContent content)
{
var context = new CheckAccessContext { Permission = permission, User = user };
_authorizationServiceEventHandler.Checking(context);
for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter)
{
if (!context.Granted && context.User != null)
{
//if (!String.IsNullOrEmpty(_workContextAccessor.GetContext().CurrentSite.SuperUser) &&
// String.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentSite.SuperUser, StringComparison.Ordinal))
//{
// context.Granted = true;
//}
}
if (!context.Granted)
{
// determine which set of permissions would satisfy the access check
var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray();
// determine what set of roles should be examined by the access check
IEnumerable<string> rolesToExamine;
if (context.User == null)
{
rolesToExamine = AnonymousRole;
}
//else if (context.User.Has<IUserRoles>())
//{
// // the current user is not null, so get his roles and add "Authenticated" to it
// rolesToExamine = context.User.As<IUserRoles>().Roles;
// // when it is a simulated anonymous user in the admin
// if (!rolesToExamine.Contains(AnonymousRole[0]))
// {
// rolesToExamine = rolesToExamine.Concat(AuthenticatedRole);
// }
//}
else
{
// the user is not null and has no specific role, then it's just "Authenticated"
rolesToExamine = AuthenticatedRole;
}
foreach (var role in rolesToExamine)
{
foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role))
{
string possessedName = permissionName;
if (grantingNames.Any(grantingName => String.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase)))
{
context.Granted = true;
}
if (context.Granted)
break;
}
if (context.Granted)
break;
}
}
context.Adjusted = false;
_authorizationServiceEventHandler.Adjust(context);
if (!context.Adjusted)
break;
}
_authorizationServiceEventHandler.Complete(context);
return context.Granted;
}
/// <summary>
/// 尝试检查访问权限。
/// </summary>
/// <param name="permission">需要的许可。</param>
/// <param name="user">用户模型。</param>
/// <returns>如果可以访问则返回true,否则返回false。</returns>
/// <exception cref="ArgumentNullException"><paramref name="permission"/> 为 null。</exception>
public bool TryCheckAccess(Permission permission, IUser user)
{
permission.NotNull("permission");
var context = new CheckAccessContext { Permission = permission, User = user };
foreach (var authorizationServiceEventHandler in _authorizationServiceEventHandlers)
authorizationServiceEventHandler.Checking(context);
//尝试3次授权检查。
for (var adjustmentLimiter = 0; adjustmentLimiter != 3; ++adjustmentLimiter)
{
//未通过认证并且当前用户不等于null。
if (!context.Granted && context.User != null)
{
//如果当前用户是超级用户则通过检查。
if (string.Equals(context.User.UserName, _workContextAccessor.GetContext().CurrentTenant.SuperUser, StringComparison.Ordinal))
context.Granted = true;
}
//未通过认证。
if (!context.Granted)
{
//确定哪组权限将满足访问检查(当前许可、所有者许可、隐含许可)
var grantingNames = PermissionNames(context.Permission, Enumerable.Empty<string>()).Distinct().ToArray();
//确定哪些组角色应该由访问检查检查
IEnumerable<string> rolesToExamine;
//如果没有用户则标记为匿名角色组。
if (context.User == null)
rolesToExamine = AnonymousRole;
else if (context.User is IUserRoles)
{
//当前用户不为空,所以得到他的角色,并添加“已验证”
rolesToExamine = (context.User as IUserRoles).Roles;
//当它是在管理模拟匿名用户
if (!rolesToExamine.Contains(AnonymousRole[0]))
{
rolesToExamine = rolesToExamine.Concat(AuthenticatedRole);
}
}
else
{
//用户不为空,也没有特定的角色,那么它只是“身份验证”
rolesToExamine = AuthenticatedRole;
}
if (rolesToExamine != null)
{
foreach (var role in rolesToExamine.ToArray())
{
foreach (var permissionName in _roleService.GetPermissionsForRoleByName(role))
{
var possessedName = permissionName;
if (grantingNames.Any(grantingName => string.Equals(possessedName, grantingName, StringComparison.OrdinalIgnoreCase)))
{
context.Granted = true;
}
if (context.Granted)
break;
}
if (context.Granted)
break;
}
}
}
context.Adjusted = false;
//进行调整。
foreach (var authorizationServiceEventHandler in _authorizationServiceEventHandlers)
authorizationServiceEventHandler.Adjust(context);
//如果不再需要调整则退出许可检查。
if (!context.Adjusted)
break;
}
//完成授权。
foreach (var authorizationServiceEventHandler in _authorizationServiceEventHandlers)
authorizationServiceEventHandler.Complete(context);
//是否通过授权检查。
return context.Granted;
}
