// TODO: Break in to Supporting Objects, User, Object, and Field Level Security Processing public void ProcessBefore(IParameterCollection inputs, IList<CustomAttributeNamedArgument> customAttributeNamedArguments) { if (_validationContext.EnableValidation) { var parameters = customAttributeNamedArguments.FirstOrDefault(x => x.MemberName == "Parameters").TypedValue.Value as string; if (parameters == null) { parameters = string.Empty; } var parameterList = parameters.Split(new[] {","}, StringSplitOptions.RemoveEmptyEntries); var validationMessages = new List<string>(); var isValid = true; if (parameterList.Length == 0 && inputs.Count > 0) { var flaggedInput = inputs[0]; if (flaggedInput != null) { var response = Validate(flaggedInput); isValid = response.IsValid; validationMessages.AddRange(response.ValidationErrors); } } else { foreach (var parameter in parameterList) { if (!String.IsNullOrWhiteSpace(parameter) && inputs.ContainsParameter(parameter)) { var flaggedInput = inputs[parameter]; if (flaggedInput != null) { var response = Validate(flaggedInput); isValid = isValid && response.IsValid; validationMessages.AddRange(response.ValidationErrors); } } else { throw new ConfigurationErrorsException(string.Format("Incorrect Parameter Specified {0}, Parameter Does Not Exist!", parameter)); } } } if (!isValid) { var validationMessageStringBuilder = new StringBuilder(); foreach (var validationMessage in validationMessages) { validationMessageStringBuilder.Append(validationMessage); validationMessageStringBuilder.Append(" "); } throw new ValidationException(validationMessageStringBuilder.ToString()); } } }
// TODO: Break in to Supporting Objects, User, Object, and Field Level Security Processing public void ProcessBefore(IParameterCollection inputs, IList<CustomAttributeNamedArgument> customAttributeNamedArguments) { var action = customAttributeNamedArguments.FirstOrDefault(x => x.MemberName == "Action").TypedValue.Value as string; if (action == null) { throw new ConfigurationErrorsException("No Security Action Specified for Method!"); } if (_securityContext.EnableUserLevelSecurity) { var response = _securityAuthorizationProvider.CheckUserAuthorization(action); if (!response.IsAuthorized) { throw new SecurityException(response.AuthorizationMessage); } } if (_securityContext.EnableObjectLevelSecurity) { if (action != "Read") { var parameters = customAttributeNamedArguments.FirstOrDefault(x => x.MemberName == "Parameters").TypedValue.Value as string; if (parameters == null) { parameters = string.Empty; } var parameterList = parameters.Split(new[] {","}, StringSplitOptions.RemoveEmptyEntries); foreach (var parameter in parameterList) { if (!String.IsNullOrWhiteSpace(parameter) && inputs.ContainsParameter(parameter)) { var flaggedInput = inputs[parameter]; if (flaggedInput != null && (action == "Update" || action == "Create")) { if (_securityContext.EnableFieldLevelSecurity) { // NOTE: This implementation Makes a Hard Assumption on Mongo // TODO: Decouple from Mongo var flaggedInputType = flaggedInput.GetType(); var originalInput = _objectFactory.Create(flaggedInputType); if (action == "Update") { var flaggedEntity = flaggedInput as IEntity<string>; if (flaggedEntity != null) { originalInput = _genericRepository.GetById(flaggedInput.GetType(), flaggedEntity.Id); } else { throw new SecurityException("Cannot Determine Access!"); } } var response = _securityAuthorizationProvider.CheckObjectAuthorization(flaggedInput, originalInput, action); if (!response.IsAuthorized) { throw new SecurityException(response.AuthorizationMessage); } var flaggedInputPropertyInfoList = flaggedInput.GetType().GetProperties(); var responsePropertyInfoList = response.SecuredObject.GetType().GetProperties(); for (var i = 0; i < flaggedInputPropertyInfoList.Length; i++) { flaggedInputPropertyInfoList[i].SetValue(flaggedInput, responsePropertyInfoList[i].GetValue(response.SecuredObject)); } } else { var response = _securityAuthorizationProvider.CheckObjectAuthorization(flaggedInput, null, action); if (!response.IsAuthorized) { throw new SecurityException(response.AuthorizationMessage); } } } if (action == "Delete") { var response = _securityAuthorizationProvider.CheckObjectAuthorization(flaggedInput, null, action); if (!response.IsAuthorized) { throw new SecurityException(response.AuthorizationMessage); } } } else { throw new ConfigurationErrorsException(string.Format("Incorrect Parameter Specified {0}, Parameter Does Not Exist!", parameter)); } } } } }