public void Operation_Deny_Direct_To_User()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
ISecurityItem operation1 = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation1");
ISecurityItem operation2 = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation2");
ISecurityItem task = engine.Store.AddSecurityItem().AddBagItem(Name, "Task");
task.Children.Add(operation1);
task.Children.Add(operation2);
ISecurityItem hasNoAccessFromUserOperation = engine.Store.AddSecurityItem().AddBagItem(Name, "HasNoAccessFromUserOperation");
ISecurityIdentity user = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user");
engine.Store.AccessAuthorize(user, task);
engine.Store.AccessAuthorize(user, operation1).Deny();
ICheckAccessResult operation1AccessResult = engine.CheckAccess(user, operation1);
ICheckAccessResult operation2AccessResult = engine.CheckAccess(user, operation2);
ICheckAccessResult taskAccessResult = engine.CheckAccess(user, task);
ICheckAccessResult hasNoAccessFromUserOperationAccessResult = engine.CheckAccess(user, hasNoAccessFromUserOperation);
Assert.False(operation1AccessResult.HasAccess());
Assert.True(operation2AccessResult.HasAccess());
Assert.True(taskAccessResult.HasAccess());
Assert.False(hasNoAccessFromUserOperationAccessResult.HasAccess());
}
public void Operation_Access_Operation_Direct_To_User()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
ISecurityItem operation = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation");
ISecurityItem hasNoAccessFromUserOperation = engine.Store.AddSecurityItem().AddBagItem(Name, "HasNoAccessFromUserOperation");
ISecurityIdentity user = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user");
engine.Store.AccessAuthorize(user, operation);
ICheckAccessResult operationAccessResult = engine.CheckAccess(user, operation);
ICheckAccessResult hasNoAccessFromUserOperationAccessResult = engine.CheckAccess(user, hasNoAccessFromUserOperation);
Assert.True(operationAccessResult.HasAccess());
Assert.False(hasNoAccessFromUserOperationAccessResult.HasAccess());
}
public void Operation_Access_To_Group()
{
EngineFactory factory = new EngineFactory();
ISecurityEngine engine = factory.CreateEngine();
ISecurityItem operation = engine.Store.AddSecurityItem().AddBagItem(Name, "Operation");
ISecurityIdentity user1 = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user1");
ISecurityIdentity user2 = engine.Store.AddSecurityIdentity().AddBagItem(Name, "user2");
ISecurityIdentity adminGroup = engine.Store.AddSecurityIdentity().AddBagItem(Name, "adminGroup");
adminGroup.Children.Add(user1);
engine.Store.AccessAuthorize(adminGroup, operation);
ICheckAccessResult user1AccessResult = engine.CheckAccess(user1, operation);
ICheckAccessResult user2AccessResult = engine.CheckAccess(user2, operation);
Assert.True(user1AccessResult.HasAccess());
Assert.False(user2AccessResult.HasAccess());
}
public ICheckAccessResult CheckAccess(ISecurityItem securityItem)
{
ICheckAccessResult checkAccessResult = OnlyCheckAccessSelf(securityItem);
if (checkAccessResult.AccessType == AccessType.Deny)
return checkAccessResult;
IList<ICheckAccessResult> allowedParentCheckAccessResults = new List<ICheckAccessResult>();
foreach (ISecurityIdentity parent in _securityIdentity.Parents)
{
ISecurityIdentityAuthorizer securityIdentityAuthorizer = _securityIdentityAuthorizerFactory.CreateCache(parent);
ICheckAccessResult parentCheckAccessResult = securityIdentityAuthorizer.CheckAccess(securityItem);
if (parentCheckAccessResult.AccessType == AccessType.Deny)
return parentCheckAccessResult;
if (parentCheckAccessResult.AccessType == AccessType.Allow)
allowedParentCheckAccessResults.Add(parentCheckAccessResult);
}
if (checkAccessResult.AccessType == AccessType.Allow)
return checkAccessResult;
if (allowedParentCheckAccessResults.Count>0)
return new CheckAccessResult(AccessType.Allow, allowedParentCheckAccessResults.SelectMany(r => r.AffectedAuthorizations));
return new CheckAccessResult(AccessType.Neutral,Enumerable.Empty<IAccessAuthorization>());
}
public static bool HasAccess(this ICheckAccessResult checkAccessResult)
{
return(checkAccessResult.AccessType == AccessType.Allow);
}
