All right. I'll make a patch this weekend.

On Thu, Dec 11, 2008 at 10:21 PM, Ayende Rahien <[email protected]> wrote:

> Yes, so in this case, you are right. What we need to do is to change the
> name of the method to GetGlobalPermissionsFor
>
>
> On Thu, Dec 11, 2008 at 3:33 PM, Bart Reyserhove <
> [email protected]> wrote:
>
>> I ask the question: IsAllowed(IUser user, string operation)
>> I checked where GetPermissionsFor(IUser user, string operationName) is
>> used and it is used in the following two methods:
>>
>> /// <summary>
>> /// Determines whether the specified user is allowed to perform the
>> /// specified operation on the entity.
>> /// </summary>
>> /// <param name="user">The user.</param>
>> /// <param name="operation">The operation.</param>
>> /// <returns>
>> /// <c>true</c> if the specified user is allowed; otherwise, <c>false</c>.
>> /// </returns>
>> public bool IsAllowed(IUser user, string operation)
>> {
>>     Permission[] permissions = permissionsService.GetPermissionsFor(user, operation);
>>     if (permissions.Length == 0)
>>         return false;
>>     return permissions[0].Allow;
>> }
>>
>> /// <summary>
>> /// Gets the authorization information for the specified user and operation,
>> /// allows to easily understand why a given operation was granted / denied.
>> /// </summary>
>> /// <param name="user">The user.</param>
>> /// <param name="operation">The operation.</param>
>> /// <returns></returns>
>> public AuthorizationInformation GetAuthorizationInformation(IUser user, string operation)
>> {
>>     AuthorizationInformation info;
>>     if (InitializeAuthorizationInfo(operation, out info))
>>         return info;
>>     Permission[] permissions = permissionsService.GetPermissionsFor(user, operation);
>>     AddPermissionDescriptionToAuthorizationInformation<object>(operation, info, user, permissions, null);
>>     return info;
>> }
>>
>> Both methods above do not take the entity into account since the entity is
>> not passed.
>>
>> I understand that you have to take the situation into account where the
>> permission is directly given on the entity but shouldn't I use
>> IsAllowed<TEntity>(IUser user, TEntity entity, string operation) where TEntity : class then?
>>
>> Bart
>>
>>
>> On Thu, Dec 11, 2008 at 4:56 PM, Ayende Rahien <[email protected]> wrote:
>>
>>> What question are you asking?
>>> Get permissions isn't actually that useful for the user, it is the
>>> question that you ask when you want to know if it has a permission to do X
>>> on anything. Anything includes entities groups.
>>> The question that you are likely asking is IsAllowed(), and in this case,
>>> I think that you are correct, if it is allowed to do this in general, it is
>>> allowed to do so.
>>> The problem is that I am not sure that your solution is the appropriate
>>> one.
>>> GetPermissionsFor is used by the Rhino Security infrastructure, and we
>>> need to review this to make sure it doesn't break things.
>>> For that matter, we also need to handle the case where a permission was
>>> given directly on an entity.
>>>
>>>
>>> On Thu, Dec 11, 2008 at 3:18 AM, Bart Reyserhove <
>>> [email protected]> wrote:
>>>
>>>> The "PermissionsService" contains the following method:
>>>> /// <summary>
>>>> /// Gets the permissions for the specified entity
>>>> /// </summary>
>>>> /// <param name="user">The user.</param>
>>>> /// <param name="operationName">Name of the operation.</param>
>>>> /// <returns></returns>
>>>> public Permission[] GetPermissionsFor(IUser user, string operationName)
>>>> {
>>>>     string[] operationNames = Strings.GetHierarchicalOperationNames(operationName);
>>>>     DetachedCriteria criteria = DetachedCriteria.For<Permission>()
>>>>         .Add(Expression.Eq("User", user)
>>>>              || Subqueries.PropertyIn("UsersGroup.Id",
>>>>                     SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
>>>>         .CreateAlias("Operation", "op")
>>>>         .Add(Expression.In("op.Name", operationNames));
>>>>
>>>>     return FindResults(criteria);
>>>> }
>>>>
>>>> This method returns all permissions for a user for a certain operation.
>>>> With "All" I mean also the ones that are defined on entitiesgroups. I have
>>>> for example an operation "/Department/List" with the permission "on
>>>> everything" set to "allow" and with the permission on group "departments of
>>>> company x" set on "deny". Now if the user wants to access the
>>>> "http://localhost/Department/List" it is not allowed because
>>>> Rhino.Security finds a "deny" permission for a certain entitiesgroup. In my
>>>> opinion it should not take the permissions on entitiesgroups into account
>>>> in this case. It could also be that I have configured it in the wrong way
>>>> of course.
>>>>
>>>> This fixed it for me:
>>>>
>>>> /// <summary>
>>>> /// Gets the permissions for the specified entity
>>>> /// </summary>
>>>> /// <param name="user">The user.</param>
>>>> /// <param name="operationName">Name of the operation.</param>
>>>> /// <returns></returns>
>>>> public Permission[] GetPermissionsFor(IUser user, string operationName)
>>>> {
>>>>     string[] operationNames = Strings.GetHierarchicalOperationNames(operationName);
>>>>     DetachedCriteria criteria = DetachedCriteria.For<Permission>()
>>>>         .Add(Expression.Eq("User", user)
>>>>              || Subqueries.PropertyIn("UsersGroup.Id",
>>>>                     SecurityCriterions.AllGroups(user).SetProjection(Projections.Id())))
>>>>         .Add(Expression.IsNull("EntitiesGroup"))
>>>>         .CreateAlias("Operation", "op")
>>>>         .Add(Expression.In("op.Name", operationNames));
>>>>
>>>>     return FindResults(criteria);
>>>> }
>>>>
>>>> Bart

You received this message because you are subscribed to the Google Groups "Rhino Tools Dev" group. For more options, visit this group at http://groups.google.com/group/rhino-tools-dev?hl=en
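The thread turns on three different questions that the same query was answering: "all permissions on this operation" (the original GetPermissionsFor), "is the user allowed in general" (what Ayende proposes renaming to GetGlobalPermissionsFor), and "is the user allowed on this entity" (Bart's IsAllowed<TEntity>). The following in-memory C# model is an added illustration, not code from the thread or from Rhino Security. It assumes its own Permission shape, that the User/UsersGroup matching of the real query has already been applied, that Strings.GetHierarchicalOperationNames expands "/Department/List" to "/Department/List" and "/Department", and that matches are ordered higher level first with deny before allow so that permissions[0] decides, as the quoted IsAllowed does.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed model for the thread's scenario; these are not Rhino Security's
// types, and user/group matching (the User / UsersGroup criteria in the real
// query) is assumed to have been applied already.
sealed class Permission
{
    public string Operation;      // e.g. "/Department/List"
    public bool Allow;            // false = deny
    public int Level;             // assumed: higher level is considered first
    public string EntitiesGroup;  // null when not scoped to an entities group
    public string EntityKey;      // null when not given directly on one entity
}

static class PermissionQueries
{
    // Assumed to behave like Strings.GetHierarchicalOperationNames:
    // "/Department/List" -> { "/Department/List", "/Department" }.
    public static string[] HierarchicalNames(string operation)
    {
        string[] parts = operation.Trim('/').Split('/');
        return Enumerable.Range(1, parts.Length)
            .Select(n => "/" + string.Join("/", parts.Take(n)))
            .Reverse()
            .ToArray();
    }

    // Assumed resolution order: higher Level first, deny before allow at the
    // same level, so that IsAllowed can look at permissions[0] as the thread's code does.
    static Permission[] Ordered(IEnumerable<Permission> matches) =>
        matches.OrderByDescending(p => p.Level).ThenBy(p => p.Allow).ToArray();

    // The original query: every permission on the operation (or a parent operation),
    // whether global, scoped to an entities group, or given directly on an entity.
    public static Permission[] GetPermissionsFor(IEnumerable<Permission> all, string operation)
    {
        string[] names = HierarchicalNames(operation);
        return Ordered(all.Where(p => names.Contains(p.Operation)));
    }

    // The renamed query from the thread: only permissions with no entity or group
    // scope, i.e. the input for "is the user allowed to do this in general?".
    public static Permission[] GetGlobalPermissionsFor(IEnumerable<Permission> all, string operation)
    {
        string[] names = HierarchicalNames(operation);
        return Ordered(all.Where(p => names.Contains(p.Operation)
                                   && p.EntitiesGroup == null
                                   && p.EntityKey == null));
    }

    // The entity-aware question: global permissions plus those scoped to this
    // entity or to one of the entities groups it belongs to.
    public static Permission[] GetPermissionsFor(IEnumerable<Permission> all, string operation,
                                                 string entityKey, ISet<string> groupsOfEntity)
    {
        string[] names = HierarchicalNames(operation);
        return Ordered(all.Where(p => names.Contains(p.Operation)
            && ((p.EntitiesGroup == null && p.EntityKey == null)
                || p.EntityKey == entityKey
                || (p.EntitiesGroup != null && groupsOfEntity.Contains(p.EntitiesGroup)))));
    }

    // Same decision rule as the IsAllowed method quoted in the thread.
    public static bool IsAllowed(Permission[] permissions) =>
        permissions.Length != 0 && permissions[0].Allow;
}

static class Program
{
    static void Main()
    {
        // Bart's configuration, constructed: "/Department/List" allowed on
        // everything, denied on the entities group "departments of company x".
        Permission[] perms =
        {
            new Permission { Operation = "/Department/List", Allow = true,  Level = 1 },
            new Permission { Operation = "/Department/List", Allow = false, Level = 1,
                             EntitiesGroup = "departments of company x" },
        };
        const string op = "/Department/List";

        // Original behaviour: the group-scoped deny is returned and sorts first,
        // so the general "may the user list departments?" question is refused.
        Console.WriteLine("all permissions:     " +
            PermissionQueries.IsAllowed(PermissionQueries.GetPermissionsFor(perms, op)));

        // Global question: only the unscoped allow is considered.
        Console.WriteLine("global permissions:  " +
            PermissionQueries.IsAllowed(PermissionQueries.GetGlobalPermissionsFor(perms, op)));

        // Entity questions still honour the group deny where it applies.
        var companyX = new HashSet<string> { "departments of company x" };
        Console.WriteLine("department in x:     " +
            PermissionQueries.IsAllowed(PermissionQueries.GetPermissionsFor(perms, op, "dept-7", companyX)));
        Console.WriteLine("department not in x: " +
            PermissionQueries.IsAllowed(PermissionQueries.GetPermissionsFor(perms, op, "dept-9", new HashSet<string>())));
    }
}
```

With the constructed configuration the first call reports false (the group deny wins the general question, which is the behaviour Bart hit), the global query reports true, and the two entity questions report false for a department of company x and true for any other department. The global query deliberately excludes permissions given directly on an entity as well as group-scoped ones, which is the case Ayende says still needs handling; Bart's `IsNull("EntitiesGroup")` filter alone would leave entity-specific permissions in the result, so a real implementation needs to check whichever column Rhino Security uses for the entity key as well (assumed here to be a separate field, as `EntityKey` is in the model).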
