Yes, so in this case, you are right. What we need to do is to change the name
of the method to GetGlobalPermissionsFor

On Thu, Dec 11, 2008 at 3:33 PM, Bart Reyserhove
<[email protected]> wrote:

> I ask the question: IsAllowed(IUser user, string operation)
> I checked where GetPermissionsFor(IUser user, string operationName) is used
> and it is used in the following two methods:
>
> /// <summary>
> /// Determines whether the specified user is allowed to perform the
> /// specified operation on the entity.
> /// </summary>
> /// <param name="user">The user.</param>
> /// <param name="operation">The operation.</param>
> /// <returns>
> /// <c>true</c> if the specified user is allowed; otherwise, <c>false</c>.
> /// </returns>
> public bool IsAllowed(IUser user, string operation)
> {
>     Permission[] permissions = permissionsService.GetPermissionsFor(user, operation);
>     if (permissions.Length == 0)
>         return false;
>     return permissions[0].Allow;
> }
>
> /// <summary>
> /// Gets the authorization information for the specified user and operation,
> /// allows to easily understand why a given operation was granted / denied.
> /// </summary>
> /// <param name="user">The user.</param>
> /// <param name="operation">The operation.</param>
> /// <returns></returns>
> public AuthorizationInformation GetAuthorizationInformation(IUser user, string operation)
> {
>     AuthorizationInformation info;
>     if (InitializeAuthorizationInfo(operation, out info))
>         return info;
>     Permission[] permissions = permissionsService.GetPermissionsFor(user, operation);
>     AddPermissionDescriptionToAuthorizationInformation<object>(operation, info, user, permissions, null);
>     return info;
> }
>
> Both methods above do not take the entity into account since the entity is
> not passed.
>
> I understand that you have to take the situation into account where the
> permission is directly given on the entity but shouldn't I use 
> IsAllowed<TEntity>(IUser
> user, TEntity entity, string operation) where TEntity : class then?
>
> Bart
>
>
> On Thu, Dec 11, 2008 at 4:56 PM, Ayende Rahien <[email protected]> wrote:
>
>> What question are you asking?
>> Get permissions isn't actually that useful for the user, it is the
>> question that you ask when you want to know if it has a permission to do X
>> on anything. Anything include entities group.
>> The question that you are likely asking is IsAllowed(), and in this case,
>> I think that you are correct, if it is allowed to do this in general, it is
>> allowed to do so.
>> The problem is that I am not sure that your solution is the appropriate
>> one.
>> GetPermissionsFor is used by the Rhino Security infrastructure, and we
>> need to review this to make sure it doesn't break things.
>> For that matter, we also need to handle the case where a permission was
>> given directly on an entity.
>>
>>
>> On Thu, Dec 11, 2008 at 3:18 AM, Bart Reyserhove <
>> [email protected]> wrote:
>>
>>> The "PermissionsService" contains the following method:
>>> /// <summary>
>>> /// Gets the permissions for the specified entity
>>> /// </summary>
>>> /// <param name="user">The user.</param>
>>> /// <param name="operationName">Name of the operation.</param>
>>> /// <returns></returns>
>>> public Permission[] GetPermissionsFor(IUser user, string operationName)
>>> {
>>>     string[] operationNames = Strings.GetHierarchicalOperationNames(operationName);
>>>     DetachedCriteria criteria = DetachedCriteria.For<Permission>()
>>>         .Add(Expression.Eq("User", user)
>>>              || Subqueries.PropertyIn("UsersGroup.Id",
>>>                     SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
>>>         .CreateAlias("Operation", "op")
>>>         .Add(Expression.In("op.Name", operationNames));
>>>
>>>     return FindResults(criteria);
>>> }
>>>
>>> This method returns all permissions for a user for a certain operation.
>>> With "All" I mean also the ones that are defined on entities groups. I have
>>> for example an operation "/Department/List" with the permission "on
>>> everything" set to "allow" and with the permission on group "departments of
>>> company x" set to "deny". Now if the user wants to access
>>> "http://localhost/Department/List", it is not allowed because
>>> Rhino.Security finds a "deny" permission for a certain entities group. In my
>>> opinion it should not take the permissions on entities groups into account
>>> in this case. It could also be that I have configured it in the wrong way of
>>> course.
>>>
>>> This fixed it for me:
>>>
>>> /// <summary>
>>> /// Gets the permissions for the specified entity
>>> /// </summary>
>>> /// <param name="user">The user.</param>
>>> /// <param name="operationName">Name of the operation.</param>
>>> /// <returns></returns>
>>> public Permission[] GetPermissionsFor(IUser user, string operationName)
>>> {
>>>     string[] operationNames = Strings.GetHierarchicalOperationNames(operationName);
>>>     DetachedCriteria criteria = DetachedCriteria.For<Permission>()
>>>         .Add(Expression.Eq("User", user)
>>>              || Subqueries.PropertyIn("UsersGroup.Id",
>>>                     SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
>>>         // added filter: only permissions granted "on everything", i.e. not scoped to an entities group
>>>         .Add(Expression.IsNull("EntitiesGroup"))
>>>         .CreateAlias("Operation", "op")
>>>         .Add(Expression.In("op.Name", operationNames));
>>>
>>>     return FindResults(criteria);
>>> }
>>>
>>> Bart
>>>
>>
>
>
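
The scoping question this thread is about (should a "deny" on an entities group take part in the general IsAllowed(user, operation) answer, and what changes once an entity is passed?) as a small executable model. This is an added example, not Rhino Security code and not Bart's patch: the Permission records, the Authz resolver, the user/entity group data, the default-deny and "any deny wins" precedence are all constructed here for illustration and are assumptions of the model; hierarchical_operation_names only mirrors what the thread says Strings.GetHierarchicalOperationNames is used for, not that helper's actual output.

```python
"""Model of global vs. entities-group-scoped permissions (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def hierarchical_operation_names(operation: str) -> List[str]:
    """'/Department/List' -> ['/Department/List', '/Department'].
    Assumed behaviour, modelled on the thread's use of
    Strings.GetHierarchicalOperationNames; not copied from the project."""
    parts = operation.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]


@dataclass(frozen=True)
class Permission:
    principal: str                        # user name or users-group name
    operation: str                        # may be a parent of the operation asked about
    allow: bool
    entities_group: Optional[str] = None  # None means granted "on everything" (global)


@dataclass
class Authz:
    permissions: List[Permission]
    user_groups: Dict[str, Set[str]]      # user -> users-groups the user belongs to
    entity_groups: Dict[str, Set[str]]    # entities-group -> entity ids it contains

    def _rows_for(self, user: str, operation: str) -> List[Permission]:
        """Every row for the user (or one of his groups) on the operation
        or one of its parents: the unfiltered GetPermissionsFor query."""
        names = set(hierarchical_operation_names(operation))
        principals = {user} | self.user_groups.get(user, set())
        return [p for p in self.permissions
                if p.principal in principals and p.operation in names]

    def global_permissions(self, user: str, operation: str) -> List[Permission]:
        """Bart's IsNull("EntitiesGroup") filter / the GetGlobalPermissionsFor rename."""
        return [p for p in self._rows_for(user, operation) if p.entities_group is None]

    def permissions_for_entity(self, user: str, operation: str, entity_id: str) -> List[Permission]:
        """Global rows plus rows scoped to a group that contains this entity."""
        return [p for p in self._rows_for(user, operation)
                if p.entities_group is None
                or entity_id in self.entity_groups.get(p.entities_group, set())]

    @staticmethod
    def _decide(rows: List[Permission]) -> bool:
        if not rows:
            return False                    # nothing matched: default deny (assumed)
        return all(p.allow for p in rows)   # a deny anywhere in the set wins (assumed)

    def is_allowed(self, user: str, operation: str) -> bool:
        """The general question: only permissions granted on everything count."""
        return self._decide(self.global_permissions(user, operation))

    def is_allowed_on(self, user: str, operation: str, entity_id: str) -> bool:
        """The entity question: group-scoped denies for this entity now apply."""
        return self._decide(self.permissions_for_entity(user, operation, entity_id))

    def is_allowed_unscoped(self, user: str, operation: str) -> bool:
        """The behaviour Bart reports before his fix: group-scoped rows take
        part in the general question, so one group deny blocks the list page."""
        return self._decide(self._rows_for(user, operation))


def demo() -> Dict[str, bool]:
    # Constructed data reproducing the thread's scenario.
    authz = Authz(
        permissions=[
            Permission("bart", "/Department/List", allow=True),            # on everything
            Permission("bart", "/Department/List", allow=False,
                       entities_group="departments of company x"),
        ],
        user_groups={"bart": set()},
        entity_groups={"departments of company x": {"dept-x-sales", "dept-x-hr"}},
    )
    return {
        "list_page_unscoped": authz.is_allowed_unscoped("bart", "/Department/List"),
        "list_page_global": authz.is_allowed("bart", "/Department/List"),
        "company_x_dept": authz.is_allowed_on("bart", "/Department/List", "dept-x-sales"),
        "other_dept": authz.is_allowed_on("bart", "/Department/List", "dept-y-ops"),
    }


if __name__ == "__main__":
    for question, verdict in demo().items():
        print(f"{question}: {'allow' if verdict else 'deny'}")
```

The four verdicts in demo() are the point: filtering to global rows turns the list page from deny into allow, while the same user is still denied on a department inside "departments of company x" and allowed on one outside it. The two questions therefore have different answers for the same user and operation, so a positive general answer must not be cached or reused as the answer for a specific entity; the entity-aware check has to run with the entity.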

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Rhino Tools Dev" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/rhino-tools-dev?hl=en
-~----------~----~----~----~------~----~------~--~---
