/// <summary>
/// REVOKE
/// 1. Provided the user trying to revoke someone's access has the raise privilege to do so,
/// we remove the permission from the my_permissions table
/// </summary>
/// <param name="revokeAction">Suggested action to perform (includes the user ATTEMPTING TO REVOKE, the user BEING REVOKED,
/// the table to remove permission on, and the rights for the user (being revoked)</param>
public void Revoke(Domains.GrantAction revokeAction)
{
int userId_grantor = 0, userId_grantee = 0;
string query = string.Empty;
List <string> result = null;
//Get user IDs for the grantor and grantee
userId_grantor = GetUserId(revokeAction.grantor_name);
userId_grantee = GetUserId(revokeAction.grantee_name);
if (userId_grantor == 0 || userId_grantee == 0)
{
return; //User was not found
}
//Check that the user is permitted to grant (implies permission to revoke)
if (revokeAction.operation == Domains.Operation_Type.SELECT)
{
query = string.Format(query_ISALLOWEDTOGRANT_SELECT, userId_grantor, revokeAction.table_name);
}
else
{
query = string.Format(query_ISALLOWEDTOGRANT_INSERT, userId_grantor, revokeAction.table_name);
}
result = GetRecords(query);
if (result.Count == 0 || string.IsNullOrEmpty(result[0]) || (result[0] == "0"))
{
throw new Exception("ERROR: USER NOT PERMITTED TO REVOKE", null); //not in my_permissions
}
query = null;
result = null;
//User is allowed to grant to others on that table
//Proceed to revoking the action
if (revokeAction.operation == Domains.Operation_Type.SELECT)
{
if (revokeAction.grant)
{
query = string.Format(delete_REVOKE, userId_grantee, revokeAction.table_name, 0, 1);
}
else
{
query = string.Format(delete_REVOKE, userId_grantee, revokeAction.table_name, 0, 0);
}
}
else
{
if (revokeAction.grant)
{
query = string.Format(delete_REVOKE, userId_grantee, revokeAction.table_name, 1, 1);
}
else
{
query = string.Format(delete_REVOKE, userId_grantee, revokeAction.table_name, 1, 0);
}
}
//Execute the delete statement
NonQuery(query);
}
/// <summary>
/// GRANT attempts to make an entry in the my_permissions table, if their are rules which say it can be done
/// 1. Check that the USER TRYING TO PERFORM GRANT can infact do so (via my_permissions)
/// 2. Check that the USER BEING GRANTED the action is permitted to (via permitted_list)
/// 3. PERFORMS GRANT
/// If either of those checks fail, we reject the action, first we much check if this is a reportable incident
/// 1. Check that the USER IS FORBIDDEN TO PERFORM GRANT on this table (via forbidden_list)
/// 2. Check that the USER BEING GRANTED is FORBIDDEN TO HAVE THIS PRIVILEGE (via forbidden_list)
/// If forbidden, an exception is throw (and handled on the UI level of the program)
/// otherwise, simply do not perform the action.
/// </summary>
/// <param name="grantAction">Suggested action to perform (includes the user ATTEMPTING TO GRANT, the user BEING GRANTED,
/// the table to give permission on, and the rights for the user (being granted) to pass this on to others</param>
public void Grant(Domains.GrantAction grantAction)
{
//Check if this is allowed and permitted
//IF SO, PERFORM THE GRANT
if (IsGrantPermitted(grantAction))
{
int userId_grantee = 0, operation = 0, grant = 0;
string query = string.Empty;
//Get the ID of the user being granted access
userId_grantee = GetUserId(grantAction.grantee_name);
//Convert value to boolean (int) (select == 0, insert == 1)
if (grantAction.operation == Domains.Operation_Type.INSERT)
{
operation = 1;
}
//Convert grant value to boolean (int)
if (grantAction.grant)
{
grant = 1;
}
//Format query
query = string.Format(insert_GRANT, userId_grantee, grantAction.table_name, operation, grant);
//Check that this isn't already in my_permissions
string check_query = string.Format(query_PERMISSIONEXISTS, userId_grantee, grantAction.table_name, operation, grant);
List <string> result = GetRecords(check_query);
if (result.Count != 0 && !string.IsNullOrEmpty(result[0]) && (result[0] != "0"))
{
throw new Exception("Attempted grant permission already exists or is superseded by a more powerful permission", null);
}
//Add this user/table/action to my_permissions!
NonQuery(query);
return;
}
else if (IsGrantForbidden(grantAction))
{
//Do NOT perform action.
//Format exception message to throw
string exMessage = string.Format("FORBIDDEN ACTION ATTEMPTED!\n[{0}] attempted <{1}, {2}, {3}, {4}>",
grantAction.grantor_name,
grantAction.grantee_name,
grantAction.table_name,
grantAction.operation.ToString(),
grantAction.grant.ToString());
throw new Exception(exMessage, null);
}
else
{
throw new Exception("Sorry, the requested action is not permitted", null);
}
}
/// <summary>
/// ISCONFLICTING
/// Checks that a suggested permission (either permit or forbid) doesn't conflict with an existing entry
/// </summary>
/// <param name="permission"></param>
/// <returns>TRUE if conflict exists. False if this is a completely legal action</returns>
private bool IsConflicting(CS505Project1.Domains.Permission permission)
{
//Get UserID:
int userId = GetUserId(permission.user_name);
//Using a grantAction object because it's the same idea, and Admin has all permissions permitted
Domains.GrantAction grantAction = new Domains.GrantAction()
{
grantor_name = "admin", grantee_name = permission.user_name, table_name = permission.table_name, grant = permission.grant
};
if (permission.write)
{
grantAction.operation = Domains.Operation_Type.INSERT;
}
else
{
grantAction.operation = Domains.Operation_Type.SELECT;
}
//Check if permitting or forbidding an action:
if (permission.type == Domains.Permission_Type.PERMITTED)
{
//Check that this isn't already forbidden:
if (IsGrantForbidden(grantAction))
{
throw new Exception("CONFLICT while attempting to permit action!", null);
return(true); //conflict
}
else
{
return(false);
}
}
else
{
if (IsPermitted(grantAction))
{
throw new Exception("CONFLICT while attempting to forbid action!", null);
return(true); //conflict
}
else
{
return(false);
}
}
}
