public Authorization GetAuthorization(IUserGroup group, ISecurableAction action)
{
var viewAlbumItem = action as ViewAction<AlbumItem>;
if (viewAlbumItem == null || !viewAlbumItem.Target.IsProposedToBeDeleted || !(group is IUser))
return Authorization.Unknown;
return viewAlbumItem.Target.ProposedToBeDeletedBy == group ? Authorization.Unknown : Authorization.Denied;
}
public void AuthorizeTo(ISecurableAction action, IEnumerable<IUserGroup> userGroups)
{
var provider = this.providers.OrderByDescending(p => p.Priority)
.FirstOrDefault(p => p.CanSetPermissions(action));
if (provider == null)
throw new NotSupportedException();
provider.SetPermissions(action, userGroups);
}
public IEnumerable<IUserGroup> GetAuthorizedTo(ISecurableAction action)
{
var authorizedByProviders = (
from provider in this.providers
where provider.CanGetPermissions(action)
from @group in provider.GetPermissions(action)
select @group
).ToSet();
var allGroups = this.userGroupRepository.Query().ToList();
foreach (var group in allGroups) {
var groupAuthorization = GetAuthorization(@group, action, authorizedByProviders);
if (groupAuthorization == Authorization.UndeniablyAllowed) {
yield return group;
continue;
}
var allMembers = ((IUserGroup) group).GetUsers().ToArray();
var authorizedMembers = (
from member in allMembers
let memberAuthorization = GetAuthorization(member, action, authorizedByProviders)
where memberAuthorization == Authorization.UndeniablyAllowed
|| (groupAuthorization != Authorization.Denied && memberAuthorization == Authorization.Allowed)
|| (groupAuthorization == Authorization.Allowed && memberAuthorization != Authorization.Denied)
select member
).ToList();
if (authorizedMembers.Count == 0)
continue;
if (authorizedMembers.Count == allMembers.Length) {
yield return @group;
continue;
}
foreach (var member in authorizedMembers) {
yield return member;
}
}
}
public Authorization GetAuthorization(IUserGroup group, ISecurableAction action)
{
return group.Name == Owners ? Authorization.UndeniablyAllowed : Authorization.Unknown;
}
public Authorization GetAuthorization(IUserGroup group, ISecurableAction action)
{
return action is ViewAction<AlbumItem> ? Authorization.Allowed : Authorization.Unknown;
}
private Authorization GetAuthorization(IUserGroup @group, ISecurableAction action, HashSet<IUserGroup> authorizedByProviders)
{
var authorization = GetAuthorizationAccordingToRules(group, action);
if (authorization == Authorization.Unknown && authorizedByProviders.Contains(@group))
authorization = Authorization.Allowed;
return authorization;
}
public bool IsAuthorized(IUser user, ISecurableAction action)
{
return user == KnownUser.System
|| GetAuthorizedTo(action).Any(g => g.GetUsers().Contains(user));
}
private Authorization GetAuthorizationAccordingToRules(IUserGroup @group, ISecurableAction action)
{
var authorization = Authorization.Unknown;
foreach (var rule in this.rules) {
var result = rule.GetAuthorization(@group, action);
if (result == Authorization.Unknown)
continue;
if (result == Authorization.UndeniablyAllowed)
return result;
if (result == Authorization.Allowed && authorization == Authorization.Unknown)
authorization = result;
if (result == Authorization.Denied)
authorization = result;
}
return authorization;
}
