Index: Rhino.Security.Tests/AuthorizationService_Explainations_Fixture.cs =================================================================== --- Rhino.Security.Tests/AuthorizationService_Explainations_Fixture.cs (revision 1750) +++ Rhino.Security.Tests/AuthorizationService_Explainations_Fixture.cs (working copy) @@ -339,7 +339,7 @@ } [Test] - public void ExplainWhyAllowedIfPermissionWasGrantedToUsersGroupAssociatedWithUser() + public void ExplainWhyDeniedIfPermissionWasGrantedToEntitiesGroupButNotToGlobal() { permissionsBuilderService .Allow("/Account/Edit") @@ -351,7 +351,7 @@ AuthorizationInformation information = authorizationService.GetAuthorizationInformation(user, "/Account/Edit"); string expected = - @"Permission (level 1) for operation '/Account/Edit' was granted to group 'Administrators' on 'Important Accounts' ('Ayende' is a member of 'Administrators') + @"Permission for operation '/Account/Edit' was not granted to user 'Ayende' or to the groups 'Ayende' is associated with ('Administrators') "; Assert.AreEqual(expected, information.ToString()); } Index: Rhino.Security.Tests/AuthorizationServiceFixture.cs =================================================================== --- Rhino.Security.Tests/AuthorizationServiceFixture.cs (revision 1750) +++ Rhino.Security.Tests/AuthorizationServiceFixture.cs (working copy) @@ -272,6 +272,29 @@ Assert.IsTrue(isAllowed); } + [Test] + public void WillReturnTrueOnGlobalIfPermissionWasAllowedOnGlobalButDeniedOnEntitiesGroup() + { + permissionsBuilderService + .Allow("/Account/Edit") + .For(user) + .OnEverything() + .DefaultLevel() + .Save(); + UnitOfWork.Current.TransactionalFlush(); + + permissionsBuilderService + .Deny("/Account/Edit") + .For(user) + .On("Important Accounts") + .DefaultLevel() + .Save(); + UnitOfWork.Current.TransactionalFlush(); + + bool IsAllowed = authorizationService.IsAllowed(user, "/Account/Edit"); + Assert.IsTrue(IsAllowed); + } + [Test] public void UseSecondLevelCacheForSecurityQuestions_WillBeUpdatedWhenGoingThroughNHiberante() { Index: Rhino.Security.Tests/PermissionsServiceFixture.cs =================================================================== --- Rhino.Security.Tests/PermissionsServiceFixture.cs (revision 1750) +++ Rhino.Security.Tests/PermissionsServiceFixture.cs (working copy) @@ -139,7 +139,7 @@ .Save(); UnitOfWork.Current.TransactionalFlush(); - Permission[] permissions = permissionService.GetPermissionsFor(user, "/Account/Edit"); + Permission[] permissions = permissionService.GetGlobalPermissionsFor(user, "/Account/Edit"); Assert.AreEqual(1, permissions.Length); } @@ -154,11 +154,26 @@ .Save(); UnitOfWork.Current.TransactionalFlush(); - Permission[] permissions = permissionService.GetPermissionsFor(user, "/Account/Edit"); + Permission[] permissions = permissionService.GetGlobalPermissionsFor(user, "/Account/Edit"); Assert.AreEqual(1, permissions.Length); } [Test] + public void CanGetPermissionsByUserAndOpernationName_WhenPermissionOnEverything() + { + permissionsBuilderService + .Allow("/Account") + .For(user) + .OnEverything() + .DefaultLevel() + .Save(); + UnitOfWork.Current.TransactionalFlush(); + + Permission[] permissions = permissionService.GetGlobalPermissionsFor(user, "/Account/Edit"); + Assert.AreEqual(1, permissions.Length); + } + + [Test] public void CanGetPermissionByUserEntityAndOperation() { permissionsBuilderService Index: Rhino.Security/Interfaces/IPermissionsService.cs =================================================================== --- Rhino.Security/Interfaces/IPermissionsService.cs (revision 1750) +++ Rhino.Security/Interfaces/IPermissionsService.cs (working copy) @@ -30,7 +30,7 @@ /// The user. /// Name of the operation. /// - Permission[] GetPermissionsFor(IUser user, string operationName) ; + Permission[] GetGlobalPermissionsFor(IUser user, string operationName) ; /// /// Gets the permissions for the specified etntity Index: Rhino.Security/Services/AuthorizationService.cs =================================================================== --- Rhino.Security/Services/AuthorizationService.cs (revision 1750) +++ Rhino.Security/Services/AuthorizationService.cs (working copy) @@ -92,7 +92,7 @@ /// public bool IsAllowed(IUser user, string operation) { - Permission[] permissions = permissionsService.GetPermissionsFor(user, operation); + Permission[] permissions = permissionsService.GetGlobalPermissionsFor(user, operation); if (permissions.Length == 0) return false; return permissions[0].Allow; @@ -110,7 +110,7 @@ AuthorizationInformation info; if (InitializeAuthorizationInfo(operation, out info)) return info; - Permission[] permissions = permissionsService.GetPermissionsFor(user, operation); + Permission[] permissions = permissionsService.GetGlobalPermissionsFor(user, operation); AddPermissionDescriptionToAuthorizationInformation(operation, info, user, permissions, null); return info; } Index: Rhino.Security/Services/PermissionsService.cs =================================================================== --- Rhino.Security/Services/PermissionsService.cs (revision 1750) +++ Rhino.Security/Services/PermissionsService.cs (working copy) @@ -55,13 +55,14 @@ /// The user. /// Name of the operation. /// - public Permission[] GetPermissionsFor(IUser user, string operationName) + public Permission[] GetGlobalPermissionsFor(IUser user, string operationName) { string[] operationNames = Strings.GetHierarchicalOperationNames(operationName); DetachedCriteria criteria = DetachedCriteria.For() .Add(Expression.Eq("User", user) || Subqueries.PropertyIn("UsersGroup.Id", SecurityCriterions.AllGroups(user).SetProjection(Projections.Id()))) + .Add(Expression.IsNull("EntitiesGroup")) .CreateAlias("Operation", "op") .Add(Expression.In("op.Name", operationNames));