void OnBeforeDelete(object sender, OnBeforeDeleteEventArgs e) { if (e.SkipSecurity) { return; } // Security is applied during delete traversal stage only (since predicates require relations to be loaded etc, can't work during commit phase) if (e.IsCommitPhase) { return; } var authentication = ApplicationSettings.Container.Resolve <IAuthentication>(); var claims = authentication.GetCurrentUserClaims(); string message = null; SecurityPredicate predicate = null; var permissionLevel = ApplicationSettings.Container.Resolve <IAuthorizations>().CanDelete(e.Entity, claims, out message, out predicate); if (permissionLevel != PermissionLevel.Authorized) { authentication.ThrowAccessDenied(new GOServerException("accessDenied", String.IsNullOrEmpty(message) ? "unauthorized access" : message, new ForbiddenAccessException("forbidden access"))); } // If there is filter defined => we should verify the data accessed complies with the filter if (predicate != null) { e.FilterExpression = predicate.Filter; } }
private void OnBeforeDelete(object sender, OnBeforeDeleteEventArgs e) { // We're effectively disabled during actual deletion if (e.IsCommitPhase) { return; } // If we get here, we're traversing the delete graph. // Traversing means we're looping round doing a depth first cascade through relations, and we add each 'leaf' instance to the ordered list of objects to be deleted // But we're not actually goind any deleting during this phase, so we flag isHandled to block the delete at DataProvider level (means it skips the actual Delete call) e.IsHandled = true; // Initialise Init(e.Parameters); // Get the instance (e.Entity is only used to pass through the PK) var instance = Data.Get(e.Entity as TEntity, parameters: e.Parameters, skipSecurity: true); if (instance == null) { return; } // Ripple the delete through relations / subtypes var settings = new DataProviderDeleteSettings(e); settings.SkipSecurity = true; Ripple(instance, settings, e.Parameters); }