The "PermissionsService" contains the following method:
    /// <summary>
    /// Gets the permissions for the specified entity
    /// </summary>
    /// <param name="user">The user.</param>
    /// <param name="operationName">Name of the operation.</param>
    /// <returns></returns>
    public Permission[] GetPermissionsFor(IUser user, string operationName)
    {
        string[] operationNames =
            Strings.GetHierarchicalOperationNames(operationName);
        DetachedCriteria criteria = DetachedCriteria.For<Permission>()
            .Add(Expression.Eq("User", user)
                 || Subqueries.PropertyIn("UsersGroup.Id",
                        SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
            .CreateAlias("Operation", "op")
            .Add(Expression.In("op.Name", operationNames));

        return FindResults(criteria);
    }

This method returns all permissions for a user for a certain operation. With
"All" I mean also the ones that are defined on entitiesgroups. I have for
example an operation "/Department/List" with the permission "on everything"
set to "allow" and with the permission on group "departments of company x"
set to "deny". Now if the user wants to access
"http://localhost/Department/List", it is not allowed because Rhino.Security
finds a "deny" permission for a certain entitiesgroup. In my opinion it
should not take the permissions on entitiesgroups into account in this
case. It could also be that I have configured it in the wrong way of course.

This fixed it for me:

    /// <summary>
    /// Gets the permissions for the specified entity
    /// </summary>
    /// <param name="user">The user.</param>
    /// <param name="operationName">Name of the operation.</param>
    /// <returns></returns>
    public Permission[] GetPermissionsFor(IUser user, string operationName)
    {
        string[] operationNames =
            Strings.GetHierarchicalOperationNames(operationName);
        DetachedCriteria criteria = DetachedCriteria.For<Permission>()
            .Add(Expression.Eq("User", user)
                 || Subqueries.PropertyIn("UsersGroup.Id",
                        SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
            .Add(Expression.IsNull("EntitiesGroup"))
            .CreateAlias("Operation", "op")
            .Add(Expression.In("op.Name", operationNames));

        return FindResults(criteria);
    }

Bart
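
The scenario from the message above as an in-memory model, added here as an illustration; it is not part of the original post and not Rhino.Security code. The `Perm` record, the `Hierarchy` helper and the "any deny wins" rule are assumptions, and every row is assumed to already match the user or one of the user's groups.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for a Permission row; EntitiesGroup == null means "on everything".
record Perm(string Operation, bool Allow, string? EntitiesGroup);

static class Demo
{
    // Assumed expansion: "/Department/List" -> "/Department/List", "/Department".
    static IEnumerable<string> Hierarchy(string op)
    {
        for (int i = op.Length; i > 0; i = op.LastIndexOf('/', i - 1))
            yield return op.Substring(0, i);
    }

    // Rows considered for an operation-level check. globalOnly mirrors the
    // Expression.IsNull("EntitiesGroup") restriction added in the second listing.
    static List<Perm> Candidates(IEnumerable<Perm> all, string op, bool globalOnly)
    {
        var names = Hierarchy(op).ToHashSet();
        return all.Where(p => names.Contains(p.Operation))
                  .Where(p => !globalOnly || p.EntitiesGroup == null)
                  .ToList();
    }

    // Assumed decision rule: no matching row means denied, and any deny row wins.
    static bool IsAllowed(List<Perm> rows) => rows.Count > 0 && rows.All(p => p.Allow);

    static void Main()
    {
        // Constructed sample data matching the two permissions described in the post.
        var perms = new[]
        {
            new Perm("/Department/List", true, null),
            new Perm("/Department/List", false, "departments of company x"),
        };
        foreach (bool globalOnly in new[] { false, true })
        {
            var rows = Candidates(perms, "/Department/List", globalOnly);
            Console.WriteLine($"globalOnly={globalOnly}: rows={rows.Count}, allowed={IsAllowed(rows)}");
        }
    }
}
```

Without the restriction the group-scoped deny row is returned alongside the global allow and the operation-level check fails; with it only the global row is evaluated. Entity-level checks still need the group-scoped rows, so the filter belongs only on the operation-level path.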
