public void SetPermission_Unrestricted () { SecurityPermission sp = new SecurityPermission (PermissionState.Unrestricted); PermissionSet ps = new PermissionSet (PermissionState.Unrestricted); Assert.AreEqual (0, ps.Count, "Empty"); Assert.IsTrue (ps.IsUnrestricted (), "State-Unrestricted"); ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer); ZoneIdentityPermission zipr = (ZoneIdentityPermission)ps.SetPermission (zip); Assert.AreEqual (1, ps.Count, "ZoneIdentityPermission"); Assert.AreEqual (SecurityZone.MyComputer, zipr.SecurityZone, "SecurityZone"); #if NET_2_0 // Adding a non unrestricted identity permission now results in // a permission set loosing it's unrestricted status Assert.IsTrue (!ps.IsUnrestricted (), "State-Unrestricted-2"); #else Assert.IsTrue (ps.IsUnrestricted (), "State-Unrestricted-2"); #endif zip = new ZoneIdentityPermission (SecurityZone.Intranet); zipr = (ZoneIdentityPermission)ps.SetPermission (zip); Assert.AreEqual (1, ps.Count, "ZoneIdentityPermission-2"); Assert.AreEqual (SecurityZone.Intranet, zipr.SecurityZone, "SecurityZone-2"); SecurityPermission result = (SecurityPermission)ps.SetPermission (sp); Assert.AreEqual (2, ps.Count, "SecurityPermission"); Assert.AreEqual (SecurityPermissionFlag.AllFlags, result.Flags, "Flags"); Assert.IsTrue (!ps.IsUnrestricted (), "State-None"); sp = new SecurityPermission (SecurityPermissionFlag.ControlAppDomain); result = (SecurityPermission)ps.SetPermission (sp); Assert.AreEqual (2, ps.Count, "SecurityPermission-2"); Assert.AreEqual (SecurityPermissionFlag.ControlAppDomain, result.Flags, "Flags-2"); }
public void Correctly_determines_permissions() { // Execution has to be always granted. Otherwise this code wouldn't run in the first place. var securityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); Assert.IsTrue(securityPermission.IsGranted()); }
public void ReflectionFormatterReadSecurityExceptionPropertiesWithoutPermissionTest() { SecurityPermission denyPermission = new SecurityPermission(SecurityPermissionFlag.ControlPolicy | SecurityPermissionFlag.ControlEvidence); PermissionSet permissions = new PermissionSet(PermissionState.None); permissions.AddPermission(denyPermission); permissions.Deny(); StringBuilder sb = new StringBuilder(); StringWriter writer = new StringWriter(sb); SecurityException exception = null; try { DemandException(denyPermission); } catch (SecurityException e) { exception = e; } MockTextExceptionFormatter formatter = new MockTextExceptionFormatter(writer, exception, Guid.Empty); formatter.Format(); CodeAccessPermission.RevertDeny(); formatter = new MockTextExceptionFormatter(writer, exception, Guid.Empty); formatter.Format(); Assert.AreEqual(exception.Demanded.ToString(), formatter.properties["Demanded"]); }
// static default constructor. This will be called before any of the static members are accessed. static CodeAccessSecurityEngine() { #pragma warning disable 618 AssertPermission = new SecurityPermission(SecurityPermissionFlag.Assertion); #pragma warning restore 618 AssertPermissionToken = PermissionToken.GetToken(AssertPermission); }
static BaseCredentialsPrompt() { lock (_lockObject) { _unmanagedCodePermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); } }
public void RunApp(string FileName, string arg) { SecurityPermission SP = new SecurityPermission(SecurityPermissionFlag.AllFlags); SP.Assert(); //ProcessStartInfo process = new ProcessStartInfo("cmd", "/c " + FileName )); System.Diagnostics.Process process = new System.Diagnostics.Process(); process.StartInfo.WindowStyle = ProcessWindowStyle.Normal; //process.StartInfo.UseShellExecute = false; //process.StartInfo.RedirectStandardOutput = true; //process.StartInfo.RedirectStandardError = true; //process.StartInfo.CreateNoWindow = true; process.StartInfo.FileName = FileName; process.StartInfo.Arguments = arg; process.StartInfo.WorkingDirectory = System.IO.Path.GetDirectoryName(FileName); //Vista or higher check if (System.Environment.OSVersion.Version.Major >= 6) process.StartInfo.Verb = "runas"; try { process.Start(); process.WaitForExit(); process.Close(); } catch (InvalidOperationException) { //e.ExceptionObject.ToString(); } }
public void CanReflectOnSecurityExceptionWithoutPermission() { SecurityPermission denyPermission = new SecurityPermission(SecurityPermissionFlag.ControlPolicy | SecurityPermissionFlag.ControlEvidence); PermissionSet permissions = new PermissionSet(PermissionState.None); permissions.AddPermission(denyPermission); permissions.Deny(); SecurityException exception = null; try { DemandException(denyPermission); } catch (SecurityException e) { exception = e; } ExceptionFormatter formatter = new ExceptionFormatter(); String message = formatter.GetMessage(exception); Match demandedMatch = DemandedEntryRegex.Match(message); Assert.IsNotNull(demandedMatch); Assert.AreEqual(Resources.PropertyAccessFailed, demandedMatch.Groups[1].Value); CodeAccessPermission.RevertDeny(); message = formatter.GetMessage(exception); demandedMatch = DemandedEntryRegex.Match(message); Assert.IsNotNull(demandedMatch); Assert.AreNotEqual(Resources.PropertyAccessFailed, demandedMatch.Groups[1].Value); }
public static void SetAppDomainData() { SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.ControlAppDomain); sp.Assert(); AppDomain.CurrentDomain.SetData("SQLServerCompactEditionUnderWebHosting", true); }
public Clerk(string compensator, string description, CompensatorOptions flags) { SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); permission.Demand(); permission.Assert(); this.Init(compensator, description, flags); }
public override void Install(IDictionary stateSaver) { try { SecurityPermission permission = new SecurityPermission(PermissionState.Unrestricted); permission.Demand(); } catch (SecurityException) { throw new InstallException( "You have insufficient privileges to " + "register a trust relationship. Start Excel " + "and confirm the trust dialog to run the addin."); } Uri deploymentManifestLocation = null; // NodeXLModification // // "deploymentManifestLocation" parameter name changed to // "deploymentLocation" to make it consistent with // ClickOnceInstaller.cs. if (Uri.TryCreate(Context.Parameters["deploymentLocation"], UriKind.RelativeOrAbsolute, out deploymentManifestLocation) == false) { throw new InstallException( "The location of the deployment manifest is missing or invalid."); } AddInSecurityEntry entry = new AddInSecurityEntry( deploymentManifestLocation, RSA_PublicKey); UserInclusionList.Add(entry); stateSaver.Add("entryKey", deploymentManifestLocation); base.Install(stateSaver); }
/// <summary> /// Initializes UnmanagedCodePermission for the <see cref="Credential" /> class. /// </summary> static Credential() { lock (LockObject) { UnmanagedCodePermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); } }
public ClerkMonitor() { SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); permission.Demand(); permission.Assert(); this._monitor = new CrmMonitor(); this._version = 0; }
public Clerk(Type compensator, string description, CompensatorOptions flags) { SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); permission.Demand(); permission.Assert(); this.ValidateCompensator(compensator); string str = "{" + Marshal.GenerateGuidForType(compensator) + "}"; this.Init(str, description, flags); }
internal static void AnimateWindow(Control control, int time, AnimationFlags flags) { try { SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); sp.Demand(); AnimateWindow(new HandleRef(control, control.Handle), time, flags); } catch (SecurityException) { } }
public void Assert() { // We must have the "Assertion" security flag for this to work. SecurityPermission perm; perm = new SecurityPermission(SecurityPermissionFlag.Assertion); perm.Demand(); // Assert this permission. Assert(2); }
internal static PermissionSet _UnsafeGetAssertPermSet() { PermissionSet set = new PermissionSet(PermissionState.None); RegistryPermission perm = new RegistryPermission(PermissionState.Unrestricted); set.AddPermission(perm); EnvironmentPermission permission2 = new EnvironmentPermission(PermissionState.Unrestricted); set.AddPermission(permission2); SecurityPermission permission3 = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); set.AddPermission(permission3); return set; }
internal static void SetTopMost(Control control) { try { System.Security.Permissions.SecurityPermission securityPermission = new System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityPermissionFlag.UnmanagedCode); securityPermission.Demand(); NativeMethods.SetWindowPos(new System.Runtime.InteropServices.HandleRef(control, control.Handle), NativeMethods.HWND_TOPMOST, 0, 0, 0, 0, 19); } catch (System.Security.SecurityException) { } }
internal static void AnimateWindow(Control control, int time, NativeMethods.AnimationFlags flags) { try { System.Security.Permissions.SecurityPermission securityPermission = new System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityPermissionFlag.UnmanagedCode); securityPermission.Demand(); NativeMethods.AnimateWindow(new System.Runtime.InteropServices.HandleRef(control, control.Handle), time, flags); } catch (System.Security.SecurityException) { } }
public void DoWork() { // Note that because DoDangerousThing is public, this // security check does not resolve the violation. // This only checks callers that go through DoWork(). SecurityPermission secPerm = new SecurityPermission( SecurityPermissionFlag.ControlPolicy | SecurityPermissionFlag.ControlEvidence ); secPerm.Demand(); DoDangerousThing(); }
internal static void AnimateWindow(Control control, int time, AnimationFlags flags) { Contract.Requires<ArgumentNullException>(control != null); try { SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); sp.Demand(); AnimateWindow(new HandleRef(control, control.Handle), time, flags); } catch (SecurityException) { } }
[System.Security.SecuritySafeCritical] // auto-generated static RemotingServices() { System.Security.CodeAccessPermission.Assert(true); s_RemotingInfrastructurePermission= new SecurityPermission(SecurityPermissionFlag.Infrastructure); s_MscorlibAssembly = typeof(RemotingServices).Assembly; s_FieldGetterMB = null; s_FieldSetterMB = null; s_bRemoteActivationConfigured = false; s_bRegisteredWellKnownChannels = false; s_bInProcessOfRegisteringWellKnownChannels = false; s_delayLoadChannelLock = new Object(); }
/// <summary> /// Static Constructor is used to set the CanBinarySerialize value only once for the given security policy /// </summary> static Serializer() { SecurityPermission sp = new SecurityPermission(SecurityPermissionFlag.SerializationFormatter); try { sp.Demand(); CanBinarySerialize = true; } catch(SecurityException) { CanBinarySerialize = false; } }
/// <summary> /// Creates a new TRACKMOUSEEVENT struct with default settings /// </summary> public TRACKMOUSEEVENT() { // Marshal.SizeOf() uses SecurityAction.LinkDemand to prevent // it from being called from untrusted code, so make sure we // have permission to call it SecurityPermission permission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); permission.Demand(); this.cbSize = Marshal.SizeOf(typeof(TRACKMOUSEEVENT)); this.dwFlags = 0; this.hwndTrack = IntPtr.Zero; this.dwHoverTime = 100; }
public override void RemoveEventHandler(object target, Delegate handler) { if (Marshal.IsComObject(target)) { // retrieve sourceIid and dispid Guid sourceIid; int dispid; GetDataForComInvocation(_innerEventInfo, out sourceIid, out dispid); // now validate the caller can call into native and redirect to ComEventHelpers.Combine SecurityPermission perm = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); perm.Demand(); System.Runtime.InteropServices.ComEventsHelper.Remove(target, sourceIid, dispid, handler); } else { // we are dealing with a managed object - just add the delegate through relection _innerEventInfo.RemoveEventHandler(target, handler); } }
/// <summary> /// /// </summary> /// <param name="stream"></param> /// <param name="evidence"></param> /// <returns></returns> public static Assembly ReadAssembly(Stream stream, Evidence evidence) { SecurityPermission securityPermission = new SecurityPermission(SecurityPermissionFlag.ControlEvidence); securityPermission.Assert(); int num = (int)stream.Length; byte[] array = new byte[num]; stream.Read(array, 0, num); try { return Assembly.Load(array, null, evidence); } finally { CodeAccessPermission.RevertAssert(); } }
public override void Install(System.Collections.IDictionary stateSaver) { try { SecurityPermission permission = new SecurityPermission(PermissionState.Unrestricted); permission.Demand(); } catch (SecurityException) { throw new InstallException( "You have insufficient privileges to " + "install the add-in into the ClickOnce cache. " + "Please contact your system administrator."); } string deploymentLocation = Context.Parameters["deploymentLocation"]; if (String.IsNullOrEmpty(deploymentLocation)) { throw new InstallException("Deployment location not configured. Setup unable to continue"); } string arguments = String.Format( "/S /I \"{0}\"", deploymentLocation); int exitCode = ExecuteVSTOInstaller(arguments); if (exitCode != 0) { string message = null; switch (exitCode) { case -300: message = String.Format( "The Visual Studio Tools for Office solution was signed by an untrusted publisher and as such cannot be installed automatically. Please use your browser to navigate to {0} in order to install the solution manually. You will be prompted if the solution is trusted for execution.", deploymentLocation); break; default: message = String.Format( "The installation of the ClickOnce solution failed with exit code {0}", exitCode); break; } throw new InstallException(message); } stateSaver.Add("deploymentLocation", deploymentLocation); base.Install(stateSaver); }
internal static Win32Exception CreateSafeWin32Exception(int error) { Win32Exception newException = null; // Need to assert SecurtiyPermission, otherwise Win32Exception // will not be able to get the error message. At this point the right // permissions have already been demanded. SecurityPermission securityPermission = new SecurityPermission(PermissionState.Unrestricted); securityPermission.Assert(); try { if (error == 0) newException = new Win32Exception(); else newException = new Win32Exception(error); } finally { SecurityPermission.RevertAssert(); } return newException; }
internal static PermissionSet _UnsafeGetAssertPermSet() { // SEC_NOTE: All callers should already be guarded by EventLogPermission demand. PermissionSet permissionSet = new PermissionSet(PermissionState.None); // We need RegistryPermission RegistryPermission registryPermission = new RegistryPermission(PermissionState.Unrestricted); permissionSet.AddPermission(registryPermission); // It is not enough to just assert RegistryPermission, for some regkeys // we need to assert EnvironmentPermission too EnvironmentPermission environmentPermission = new EnvironmentPermission(PermissionState.Unrestricted); permissionSet.AddPermission(environmentPermission); // For remote machine registry access UnmanagdCodePermission is required. SecurityPermission securityPermission = new SecurityPermission(SecurityPermissionFlag.UnmanagedCode); permissionSet.AddPermission(securityPermission); return permissionSet; }
static private bool CheckExecution() { if (checkExecution == -1) { checkExecution = (GetGlobalFlags() & CheckExecutionRightsDisabledFlag) != 0 ? 0 : 1; } if (checkExecution == 1) { if (securityPermissionType == null) { securityPermissionType = typeof(System.Security.Permissions.SecurityPermission); executionSecurityPermission = new SecurityPermission(SecurityPermissionFlag.Execution); } DEBUG_OUT("Execution checking ON"); return(true); } else { DEBUG_OUT("Execution checking OFF"); return(false); } }
[System.Security.SecurityCritical] // auto-generated internal virtual String InternalToString() { try { #pragma warning disable 618 SecurityPermission sp= new SecurityPermission(SecurityPermissionFlag.ControlEvidence | SecurityPermissionFlag.ControlPolicy); #pragma warning restore 618 sp.Assert(); } catch { //under normal conditions there should be no exceptions //however if something wrong happens we still can call the usual ToString } // Get the current stack trace string. return ToString(true, true); }
public void SetPermission_None () { PermissionSet ps = new PermissionSet (PermissionState.None); Assert.AreEqual (0, ps.Count, "Empty"); Assert.IsTrue (!ps.IsUnrestricted (), "State-None"); SecurityPermission sp = new SecurityPermission (PermissionState.Unrestricted); SecurityPermission result = (SecurityPermission)ps.SetPermission (sp); Assert.AreEqual (1, ps.Count, "SecurityPermission"); Assert.AreEqual (SecurityPermissionFlag.AllFlags, result.Flags, "Flags"); Assert.IsTrue (!ps.IsUnrestricted (), "State-None-2"); sp = new SecurityPermission (SecurityPermissionFlag.ControlAppDomain); result = (SecurityPermission)ps.SetPermission (sp); Assert.AreEqual (1, ps.Count, "SecurityPermission-2"); Assert.AreEqual (SecurityPermissionFlag.ControlAppDomain, result.Flags, "Flags"); ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer); ZoneIdentityPermission zipr = (ZoneIdentityPermission) ps.SetPermission (zip); Assert.AreEqual (2, ps.Count, "ZoneIdentityPermission"); Assert.AreEqual (SecurityZone.MyComputer, zipr.SecurityZone, "SecurityZone"); zip = new ZoneIdentityPermission (SecurityZone.Intranet); zipr = (ZoneIdentityPermission)ps.SetPermission (zip); Assert.AreEqual (2, ps.Count, "ZoneIdentityPermission"); Assert.AreEqual (SecurityZone.Intranet, zipr.SecurityZone, "SecurityZone"); }
public void RemovePermission_Unrestricted () { PermissionSet ps = new PermissionSet (PermissionState.Unrestricted); Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "Empty"); SecurityPermission sp = new SecurityPermission (SecurityPermissionFlag.Assertion); ps.AddPermission (sp); Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "SecurityPermissionn"); ZoneIdentityPermission zip = new ZoneIdentityPermission (SecurityZone.MyComputer); ps.AddPermission (zip); ZoneIdentityPermission removed = (ZoneIdentityPermission)ps.RemovePermission (typeof (ZoneIdentityPermission)); #if NET_2_0 // identity permissions aren't added to unrestricted permission sets // so they cannot be removed later (hence the null) Assert.IsNull (removed, "ZoneIdentityPermission"); #else Assert.IsNotNull (removed, "ZoneIdentityPermission"); #endif }
public void RemovePermission_None () { PermissionSet ps = new PermissionSet (PermissionState.None); Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "Empty"); SecurityPermission sp = new SecurityPermission (SecurityPermissionFlag.Assertion); ps.AddPermission (sp); SecurityPermission removed = (SecurityPermission) ps.RemovePermission (typeof (SecurityPermission)); Assert.IsNotNull (removed, "SecurityPermission"); Assert.AreEqual (sp.Flags, removed.Flags, "Flags"); Assert.IsNull (ps.RemovePermission (typeof (SecurityPermission)), "Empty-Again"); }
static private PermissionSet ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, out PermissionSet denied, bool checkExecutionPermission) { PermissionSet requested; PermissionSet optional; PermissionSet allowed; Exception savedException = null; // We don't want to recurse back into here as a result of a // stackwalk during resolution. So simply assert full trust (this // implies that custom permissions cannot use any permissions that // don't implement IUnrestrictedPermission. // PermissionSet.s_fullTrust.Assert(); // The requested set is the union of the minimal request and the // optional request. Minimal request defaults to empty, optional // is "AllPossible" (includes any permission that can be defined) // which is symbolized by null. optional = optPset; if (reqdPset == null) { requested = optional; } else { // If optional is null, the requested set becomes null/"AllPossible". requested = optional == null ? null : reqdPset.Union(optional); } // Make sure that the right to execute is requested (if this feature is // enabled). if (requested != null && !requested.IsUnrestricted() && CheckExecution()) { requested.AddPermission(executionSecurityPermission); } if (InitPolicy()) { // If we aren't passed any evidence, just make an empty object // If we are passed evidence, copy it before passing it // to the policy manager. // Note: this is not a deep copy, the pieces of evidence within the // Evidence object can still be altered and affect the originals. if (evidence == null) { evidence = new Evidence(); } else { evidence = evidence.ShallowCopy(); } evidence.AddHost(new PermissionRequestEvidence(reqdPset, optPset, denyPset)); // We need to make sure that no stray exceptions come out of Resolve so // we wrap it in a try block. try { allowed = polmgr.Resolve(evidence, requested); } catch (Exception e) { #if _DEBUG if (debug) { DEBUG_OUT("Exception during resolve"); DEBUG_OUT(e.GetType().FullName); DEBUG_OUT(e.Message); DEBUG_OUT(e.StackTrace); } #endif // If we get a policy exception, we are done are we are going to fail to // load no matter what. if (e is PolicyException) { throw e; } // If we get any other kid of exception, we set the allowed set to the // empty set and continue processing as normal. This allows assemblies // that make no request to be loaded but blocks any assembly that // makes a request from being loaded. This seems like a valid design to // me -- gregfee 6/19/2000 savedException = e; allowed = new PermissionSet(); } } else { denied = null; return(null); } #if _DEBUG if (debug) { DEBUG_OUT("ResolvePolicy:"); IEnumerator enumerator = evidence.GetEnumerator(); DEBUG_OUT("Evidence:"); while (enumerator.MoveNext()) { Object obj = enumerator.Current; if (obj is Site) { DEBUG_OUT(((Site)obj).ToXml().ToString()); } else if (obj is Zone) { DEBUG_OUT(((Zone)obj).ToXml().ToString()); } else if (obj is Url) { DEBUG_OUT(((Url)obj).ToXml().ToString()); } else if (obj is Publisher) { DEBUG_OUT(((Publisher)obj).ToXml().ToString()); } else if (obj is StrongName) { DEBUG_OUT(((StrongName)obj).ToXml().ToString()); } else if (obj is PermissionRequestEvidence) { DEBUG_OUT(((PermissionRequestEvidence)obj).ToXml().ToString()); } } DEBUG_OUT("Required permissions:"); DEBUG_OUT(reqdPset != null ? reqdPset.ToString() : "<null>"); DEBUG_OUT("Optional permissions:"); DEBUG_OUT(optPset != null ? optPset.ToString() : "<null>"); DEBUG_OUT("Denied permissions:"); DEBUG_OUT(denyPset != null ? denyPset.ToString() : "<null>"); DEBUG_OUT("Requested permissions:"); DEBUG_OUT(requested != null ? requested.ToString() : "<null>"); DEBUG_OUT("Granted permissions:"); DEBUG_OUT(allowed != null ? allowed.ToString() : "<null>"); } #endif // Check that we were granted the right to execute. if (!allowed.IsUnrestricted() && checkExecutionPermission && CheckExecution()) { SecurityPermission secPerm = (SecurityPermission)allowed.GetPermission(securityPermissionType); if (secPerm == null || !executionSecurityPermission.IsSubsetOf(secPerm)) { #if _DEBUG DEBUG_OUT("No execute permission"); #endif throw new PolicyException(Environment.GetResourceString("Policy_NoExecutionPermission"), System.__HResults.CORSEC_E_NO_EXEC_PERM, savedException); } } // Check that we were granted at least the minimal set we asked for. Do // this before pruning away any overlap with the refused set so that // users have the flexability of defining minimal permissions that are // only expressable as set differences (e.g. allow access to "C:\" but // disallow "C:\Windows"). if (reqdPset != null && !reqdPset.IsSubsetOf(allowed)) { #if _DEBUG DEBUG_OUT("Didn't get required permissions"); #endif throw new PolicyException(Environment.GetResourceString("Policy_NoRequiredPermission"), System.__HResults.CORSEC_E_MIN_GRANT_FAIL, savedException); } // Remove any granted permissions that are safe subsets of some denied // permission. The remaining denied permissions (if any) are returned // along with the modified grant set for use in checks. if (denyPset != null) { denied = denyPset.Copy(); allowed.MergeDeniedSet(denied); if (denied.IsEmpty()) { denied = null; } } else { denied = null; } #if _DEBUG if (debug) { DEBUG_OUT("Final denied permissions:"); DEBUG_OUT(denied != null ? denied.ToString() : "<null>"); } #endif return(allowed); }