public bool IsAuthorised(Guid?domainUid, Guid rootMapUid, params IRight[] requiredRights) { using (SecurityDBDataContext dataContext = new SecurityDBDataContext(Connection)) { var accessibleGroups = from securableObject in dataContext.GroupAssociations where securableObject.SecurableContextId == SecurableContextId && securableObject.SecurableParentUid == domainUid && securableObject.SecurableObjectUid == rootMapUid && securableObject.Group.GroupSPID != null select securableObject.Group; Dictionary <int, Group> sortedGroups = accessibleGroups.ToDictionary(x => x.GroupSPID.Value); foreach (SPRoleAssignment roleAssignment in Web.RoleAssignments) { SPGroup group = roleAssignment.Member as SPGroup; /// Check that we're actually looking at a group, that this group contains the current user, and that this group is on the list of accessible groups. if (group != null && group.ContainsCurrentUser) { /// Do a check that this group actually has the required right. foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings) { IRole role = null; switch (roleDefinition.Name) { case GlymaSecurityManagerRoleName: /// This user is a Glyma Security Manager, they have access to everything. return(true); case GlymaProjectManagerRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaProjectManagerRole; break; case GlymaMapManagerRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapManagerRole; break; case GlymaMapAuthorRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; break; case GlymaMapReaderRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; case OldGlymaMapAuthorRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; break; case OldGlymaMapReaderRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; default: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; } if (sortedGroups.ContainsKey(group.ID)) { if (role.HasRights(requiredRights)) { return(true); } } } } } return(false); } }
public IEnumerable <Guid> IsAuthorised(Guid?domainUid, IEnumerable <Guid> rootMapUids, params IRight[] requiredRights) { using (SecurityDBDataContext dataContext = new SecurityDBDataContext(Connection)) { List <Guid> authorisedObjects = new List <Guid>(); /// Only get the securable objects for the securable context ID we have access and the domain ID we were provided. var accessibleGroupAssociations = from securableObject in dataContext.GroupAssociations where securableObject.SecurableContextId == SecurableContextId// && securableObject.SecurableParentUid == domainUid && securableObject.Group.GroupSPID != null select securableObject; //foreach (Guid rootMapUid in rootMapUids) //{ // accessibleGroupAssociations = from securableObject in accessibleGroupAssociations // where securableObject.SecurableObjectUid == rootMapUid // select securableObject; //} /// Only get the securable objects for the root map IDs we were supplied with. //var accessibleAndRelevantGroupAssociations = from securableObject in accessibleGroupAssociations // where rootMapUids.Any(x => x == securableObject.SecurableObjectUid) // select securableObject; Dictionary <int, List <Guid> > organisedGroupAssociations = new Dictionary <int, List <Guid> >(); foreach (var groupAssociation in accessibleGroupAssociations) { if (groupAssociation.Group.GroupSPID == null) { continue; } List <Guid> groupAssociations; if (!organisedGroupAssociations.ContainsKey(groupAssociation.Group.GroupSPID.Value)) { groupAssociations = new List <Guid>(); organisedGroupAssociations[groupAssociation.Group.GroupSPID.Value] = groupAssociations; } else { groupAssociations = organisedGroupAssociations[groupAssociation.Group.GroupSPID.Value]; } if (groupAssociation.SecurableObjectUid != null) { groupAssociations.Add(groupAssociation.SecurableObjectUid.Value); } } List <Guid> accessibleObjects = new List <Guid>(); foreach (SPRoleAssignment roleAssignment in Web.RoleAssignments) { SPGroup group = roleAssignment.Member as SPGroup; /// Check that we're actually looking at a group, and that this group is on the list of accessible groups, and that this group contains the current user. if (group != null && group.ContainsCurrentUser) { /// Do a check that this group actually has the required right. foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings) { IRole role = null; switch (roleDefinition.Name) { case GlymaSecurityManagerRoleName: /// This user is a Glyma Security Manager, they have access to everything. return(rootMapUids); case GlymaProjectManagerRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaProjectManagerRole; break; case GlymaMapManagerRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapManagerRole; break; case GlymaMapAuthorRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; break; case GlymaMapReaderRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; case OldGlymaMapAuthorRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; break; case OldGlymaMapReaderRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; default: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; } if (organisedGroupAssociations.ContainsKey(group.ID)) { if (role.HasRights(requiredRights)) { accessibleObjects.AddRange(organisedGroupAssociations[group.ID]); } } } } } return(accessibleObjects.ToArray()); //Dictionary<Guid, SecurityPair> sortedGroups = accessibleGroups.ToDictionary(x => x.SecurableObjectUid.Value); //foreach (SPRoleAssignment roleAssignment in Web.RoleAssignments) //{ // SPGroup group = roleAssignment.Member as SPGroup; // /// Check that we're actually looking at a group, that this group contains the current user, and that this group is on the list of accessible groups. // if (group != null && group.ContainsCurrentUser && sortedGroups.ContainsKey(group.ID)) // { // /// Do a check that this group actually has the required right. // foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings) // { // IRole role = null; // switch (roleDefinition.Name) // { // case GlymaSecurityManagerRoleName: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaSecurityManagerRole; // break; // case GlymaProjectManagerRoleName: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaProjectManagerRole; // break; // case GlymaMapManagerRoleName: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapManagerRole; // break; // case GlymaMapAuthorRoleName: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; // break; // case GlymaMapReaderRoleName: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; // break; // case OldGlymaMapAuthorRoleName: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; // break; // case OldGlymaMapReaderRoleName: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; // break; // default: // role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; // break; // } // if (role.HasRights(requiredRights)) // { // } // } // } //} //return false; } }
public bool IsAuthorised(params IRight[] requiredRights) { /// We need to filter out only the rights for which kind of query is going to be permitted. In this case only the following rights should be allowed. /// 1. All Glyma Security Manager rights as they have unrestricted access to the entire securable context. /// 2. Glyma Project Manager create right as they have unrestricted rights to create new domains. /// 3. The transaction right as this is a requires transaction to do anything other than reading. /// 4. The benign access right as this right doesn't actually have access to do anything and should be given to anyone that has access to the system, even unauthorised people. List <IRight> rightsPermittedForThisQuery = new List <IRight>(); foreach (IRight requiredRight in requiredRights) { if (requiredRight == SPGlymaRightFactory.Instance.SecurableContextManageRight || requiredRight == SPGlymaRightFactory.Instance.RootMapCreateRight || requiredRight == SPGlymaRightFactory.Instance.TransactionRight || requiredRight == SPGlymaRightFactory.Instance.BenignAccessRight) { rightsPermittedForThisQuery.Add(requiredRight); } } IRight[] permittedRights = rightsPermittedForThisQuery.ToArray(); foreach (SPRoleAssignment roleAssignment in Web.RoleAssignments) { SPGroup group = roleAssignment.Member as SPGroup; /// Check that we're actually looking at a group, that this group contains the current user, and that this group is on the list of accessible groups. if (group != null && group.ContainsCurrentUser) { /// Do a check that this group actually has the required right. foreach (SPRoleDefinition roleDefinition in roleAssignment.RoleDefinitionBindings) { IRole role = null; switch (roleDefinition.Name) { case GlymaSecurityManagerRoleName: /// This user is a Glyma Security Manager, they have access to everything. return(true); case GlymaProjectManagerRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaProjectManagerRole; break; case GlymaMapManagerRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapManagerRole; break; case GlymaMapAuthorRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; break; case GlymaMapReaderRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; case OldGlymaMapAuthorRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapAuthorRole; break; case OldGlymaMapReaderRoleName: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; default: role = SPGlymaRoleFactory.GetInstance(SecurableContextId.Value).GlymaMapReaderRole; break; } if (role.HasRights(permittedRights)) { return(true); } } } } return(false); }