示例#1
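        /// <summary>
        /// Checks whether a session holds the right needed for a permission, either at the
        /// server level (no project name) or on a named project. Returns normally when access
        /// is allowed and throws when it is denied.
        /// </summary>
        /// <remarks>
        /// The project is resolved before any permission is evaluated, so an unknown project and
        /// a denied permission surface as different exception types.
        /// NOTE(review): that difference lets a caller without rights distinguish existing from
        /// missing project names - confirm this is acceptable for the deployment.
        /// </remarks>
        /// <param name="sessionToken">The session to check. Supplied by the caller, so it is untrusted input.</param>
        /// <param name="projectName">The project the permission is for; null or empty selects the server-level check.</param>
        /// <param name="permission">The permission being checked.</param>
        /// <param name="eventType">The event type for audit logging; when it has no value, no audit event is written.</param>
        /// <exception cref="SecurityException">The project was found but has no security configured.</exception>
        /// <exception cref="NoSuchProjectException">The integrator or its project could not be resolved for <paramref name="projectName"/>.</exception>
        /// <exception cref="PermissionDeniedException">The server-level or project-level check refused the permission.</exception>
        /// <exception cref="SessionInvalidException">A session is required, no user name was resolved and the default right is not Allow.</exception>
        private void CheckSecurity(string sessionToken,
            string projectName,
            SecurityPermission permission,
            SecurityEvent? eventType)
        {
            // NASTY HACK: Bypass all security if the session override is being used.
            // The token must be non-empty before it is compared: with a plain equality test a
            // null (or empty) override identifier would match a null (or empty) token and let a
            // caller with no session at all skip every check below.
            // NOTE(review): how SecurityOverride.SessionIdentifier is generated is not visible
            // here. If it is a fixed or guessable value, any client that presents it is fully
            // authorised - confirm it is random per process and never leaves the server.
            if (!string.IsNullOrEmpty(sessionToken) &&
                (sessionToken == SecurityOverride.SessionIdentifier))
            {
                // The bypass writes no audit event, so leave at least a diagnostic trace of it.
                // The token itself is deliberately not logged.
                Log.Debug(string.Format(CultureInfo.CurrentCulture, "Security override used for {0} permission on '{1}'",
                    permission,
                    projectName));
                return;
            }

            // Retrieve the project authorisation
            IProjectAuthorisation authorisation = null;
            bool requiresSession = securityManager.RequiresSession;
            string userName = securityManager.GetUserName(sessionToken);
            string displayName = securityManager.GetDisplayName(sessionToken, null) ?? userName;
            if (!string.IsNullOrEmpty(projectName))
            {
                IProjectIntegrator projectIntegrator = GetIntegrator(projectName);
                if ((projectIntegrator != null) &&
                    (projectIntegrator.Project != null) &&
                    (projectIntegrator.Project.Security != null))
                {
                    // The project has been found and it has security
                    authorisation = projectIntegrator.Project.Security;
                    requiresSession = authorisation.RequiresSession(securityManager);
                    // if "Guest" have some rights, the service must be able to check the
                    // rights for "Guest", but without userName it wont work.
                    // Consequence: a token that resolves to no user is evaluated as the guest
                    // account whenever the project defines one, instead of being rejected.
                    if (string.IsNullOrEmpty(userName))
                    {
                        userName = authorisation.GuestAccountName;
                    }
                }
                else if ((projectIntegrator != null) &&
                    (projectIntegrator.Project != null) &&
                    (projectIntegrator.Project.Security == null))
                {
                    // The project is found, but security is missing - application error.
                    // Failing closed here means a misconfigured project is never left open.
                    string errorMessage = string.Format(CultureInfo.CurrentCulture, "Security not found for project {0}", projectName);
                    Log.Error(errorMessage);
                    if (eventType.HasValue)
                    {
                        securityManager.LogEvent(projectName,
                            userName,
                            eventType.Value,
                            SecurityRight.Deny,
                            errorMessage);
                    }
                    throw new SecurityException(errorMessage);
                }
                else
                {
                    // Couldn't find the requested project
                    // NOTE(review): projectName is caller-supplied and is written to the log and
                    // the audit event unchanged; confirm the sinks neutralise line breaks.
                    string errorMessage = string.Format(CultureInfo.CurrentCulture, "project not found {0}", projectName);
                    Log.Error(errorMessage);
                    if (eventType.HasValue)
                    {
                        securityManager.LogEvent(projectName,
                            userName,
                            eventType.Value,
                            SecurityRight.Deny,
                            errorMessage);
                    }
                    throw new NoSuchProjectException(projectName);
                }
            }

            if (!requiresSession || (userName != null))
            {
                if (string.IsNullOrEmpty(projectName))
                {
                    // Checking server-level security
                    if (!securityManager.CheckServerPermission(userName, permission))
                    {
                        string info = string.Format(CultureInfo.CurrentCulture, "{2} [{0}] has been denied {1} permission at the server",
                            userName, permission, displayName);
                        Log.Warning(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Deny,
                                info);
                        }
                        throw new PermissionDeniedException(permission.ToString());
                    }
                    else
                    {
                        string info = string.Format(CultureInfo.CurrentCulture, "{2} [{0}] has been granted {1} permission at the server",
                            userName, permission, displayName);
                        Log.Debug(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Allow,
                                info);
                        }
                        return;
                    }
                }
                else
                {
                    // Checking project-level security.
                    // authorisation is non-null here: a non-empty project name either set it
                    // above or threw.
                    if (!authorisation.CheckPermission(securityManager,
                        userName,
                        permission,
                        securityManager.GetDefaultRight(permission)))
                    {
                        string info = string.Format(CultureInfo.CurrentCulture, "{3} [{0}] has been denied {1} permission on '{2}'",
                            userName, permission, projectName, displayName);
                        Log.Warning(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Deny,
                                info);
                        }
                        throw new PermissionDeniedException(permission.ToString());
                    }
                    else
                    {
                        Log.Debug(string.Format(CultureInfo.CurrentCulture, "{3} [{0}] has been granted {1} permission on '{2}'",
                            userName,
                            permission,
                            projectName,
                            displayName));
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Allow,
                                null);
                        }
                        return;
                    }
                }
            }
            else
            {
                // A session is required but no user was resolved: the outcome is decided by the
                // default right alone, without consulting the project authorisation.
                SecurityRight defaultRight = securityManager.GetDefaultRight(permission);
                switch (defaultRight)
                {
                    case SecurityRight.Allow:
                        string grantInfo = string.Format(CultureInfo.CurrentCulture, "{3} [{0}] has been granted {1} permission on '{2}'",
                            userName,
                            permission,
                            projectName,
                            displayName);
                        Log.Debug(grantInfo);
                        // Record the anonymous grant in the audit trail like every other allow
                        // path; previously this was the only grant that left no audit event.
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Allow,
                                grantInfo);
                        }
                        return;
                    default:
                        // Tell the user that the session is unknown
                        // NOTE(review): the rejected token is caller-supplied and goes to the log
                        // and the audit event verbatim. A mistyped or expired token is still
                        // credential-like, and embedded line breaks could forge entries -
                        // consider truncating or encoding it before it is written.
                        var info = string.Format(CultureInfo.CurrentCulture, "Session with token '{0}' is not valid", sessionToken);
                        Log.Warning(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                null,
                                eventType.Value,
                                SecurityRight.Deny,
                                info);
                        }
                        throw new SessionInvalidException();
                }
            }
        }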
示例#2
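        /// <summary>
        /// Checks whether a session holds the right needed for a permission, either at the
        /// server level (no project name) or on a named project. Returns when access is allowed
        /// and throws when it is denied.
        /// </summary>
        /// <remarks>
        /// The project is resolved before any permission is evaluated, so an unknown project and
        /// a denied permission surface as different exception types.
        /// NOTE(review): that difference lets a caller without rights distinguish existing from
        /// missing project names - confirm this is acceptable for the deployment.
        /// </remarks>
        /// <param name="sessionToken">The session to check. Supplied by the caller, so it is untrusted input.</param>
        /// <param name="projectName">The project the permission is for; null or empty selects the server-level check.</param>
        /// <param name="permission">The permission being checked.</param>
        /// <param name="eventType">The event type for audit logging; when it has no value, no audit event is written.</param>
        /// <returns>
        /// The display name of the user if the permission is allowed, falling back to the user
        /// name when no display name is available. An empty string is returned when access is
        /// granted by the default right alone (session required, no user resolved). The value
        /// can be null when neither a display name nor a user name was resolved.
        /// </returns>
        /// <exception cref="SecurityException">The project was found but has no security configured.</exception>
        /// <exception cref="NoSuchProjectException">The integrator or its project could not be resolved for <paramref name="projectName"/>.</exception>
        /// <exception cref="PermissionDeniedException">The server-level or project-level check refused the permission.</exception>
        /// <exception cref="SessionInvalidException">A session is required, no user name was resolved and the default right is not Allow.</exception>
        private string CheckSecurity(string sessionToken,
            string projectName,
            SecurityPermission permission,
            SecurityEvent? eventType)
        {
            // Retrieve the project authorisation
            IProjectAuthorisation authorisation = null;
            bool requiresSession = securityManager.RequiresSession;
            string userName = securityManager.GetUserName(sessionToken);
            string displayName = securityManager.GetDisplayName(sessionToken, null) ?? userName;
            if (!string.IsNullOrEmpty(projectName))
            {
                IProjectIntegrator projectIntegrator = GetIntegrator(projectName);
                if ((projectIntegrator != null) &&
                    (projectIntegrator.Project != null) &&
                    (projectIntegrator.Project.Security != null))
                {
                    // The project has been found and it has security
                    authorisation = projectIntegrator.Project.Security;
                    requiresSession = authorisation.RequiresSession(securityManager);
                }
                else if ((projectIntegrator != null) &&
                    (projectIntegrator.Project != null) &&
                    (projectIntegrator.Project.Security == null))
                {
                    // The project is found, but security is missing - application error.
                    // Failing closed here means a misconfigured project is never left open.
                    string errorMessage = string.Format("Security not found for project {0}", projectName);
                    Log.Error(errorMessage);
                    if (eventType.HasValue)
                    {
                        securityManager.LogEvent(projectName,
                            userName,
                            eventType.Value,
                            SecurityRight.Deny,
                            errorMessage);
                    }
                    throw new SecurityException(errorMessage);
                }
                else
                {
                    // Couldn't find the requested project
                    // NOTE(review): projectName is caller-supplied and is written to the log and
                    // the audit event unchanged; confirm the sinks neutralise line breaks.
                    string errorMessage = string.Format("project not found {0}", projectName);
                    Log.Error(errorMessage);
                    if (eventType.HasValue)
                    {
                        securityManager.LogEvent(projectName,
                            userName,
                            eventType.Value,
                            SecurityRight.Deny,
                            errorMessage);
                    }
                    throw new NoSuchProjectException(projectName);
                }
            }

            if (!requiresSession || (userName != null))
            {
                if (string.IsNullOrEmpty(projectName))
                {
                    // Checking server-level security
                    if (!securityManager.CheckServerPermission(userName, permission))
                    {
                        string info = string.Format("{2} [{0}] has been denied {1} permission at the server",
                            userName, permission, displayName);
                        Log.Warning(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Deny,
                                info);
                        }
                        throw new PermissionDeniedException(permission.ToString());
                    }
                    else
                    {
                        string info = string.Format("{2} [{0}] has been granted {1} permission at the server",
                            userName, permission, displayName);
                        Log.Debug(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Allow,
                                info);
                        }
                        return displayName;
                    }
                }
                else
                {
                    // Checking project-level security.
                    // authorisation is non-null here: a non-empty project name either set it
                    // above or threw.
                    if (!authorisation.CheckPermission(securityManager,
                        userName,
                        permission,
                        securityManager.GetDefaultRight(permission)))
                    {
                        string info = string.Format("{3} [{0}] has been denied {1} permission on '{2}'",
                            userName, permission, projectName, displayName);
                        Log.Warning(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Deny,
                                info);
                        }
                        throw new PermissionDeniedException(permission.ToString());
                    }
                    else
                    {
                        Log.Debug(string.Format("{3} [{0}] has been granted {1} permission on '{2}'",
                            userName,
                            permission,
                            projectName,
                            displayName));
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Allow,
                                null);
                        }
                        return displayName;
                    }
                }
            }
            else
            {
                // A session is required but no user was resolved: the outcome is decided by the
                // default right alone, without consulting the project authorisation.
                SecurityRight defaultRight = securityManager.GetDefaultRight(permission);
                switch (defaultRight)
                {
                    case SecurityRight.Allow:
                        string grantInfo = string.Format("{3} [{0}] has been granted {1} permission on '{2}'",
                            userName,
                            permission,
                            projectName,
                            displayName);
                        Log.Debug(grantInfo);
                        // Record the anonymous grant in the audit trail like every other allow
                        // path; previously this was the only grant that left no audit event.
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                userName,
                                eventType.Value,
                                SecurityRight.Allow,
                                grantInfo);
                        }
                        return string.Empty;
                    default:
                        // Tell the user that the session is unknown
                        // NOTE(review): the rejected token is caller-supplied and goes to the log
                        // and the audit event verbatim. A mistyped or expired token is still
                        // credential-like, and embedded line breaks could forge entries -
                        // consider truncating or encoding it before it is written.
                        var info = string.Format("Session with token '{0}' is not valid", sessionToken);
                        Log.Warning(info);
                        if (eventType.HasValue)
                        {
                            securityManager.LogEvent(projectName,
                                null,
                                eventType.Value,
                                SecurityRight.Deny,
                                info);
                        }
                        throw new SessionInvalidException();
                }
            }
        }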