The only thing we really need it to get a reference to the current session, beyond that, we are more or less home free.The problem isn't actually rhino commons. It is Repository<T>, which I don't much like anymore.
On Sun, Dec 14, 2008 at 8:31 AM, Bart Reyserhove <[email protected]>wrote: > I suppose you want to break it away from IRepository<T> to loose the > dependency on Rhino.Commons. By using Common Service Locator it would than > even be de-coupled from Windsor. > Personally I don't have a problem with the dependency on Rhino.Commons > because I use it ;-). > I do see however that it lowers the entry barrier for other people to start > using Rhino.Security. If it only depends on Nhibernate there will be many > more that can start using it. > > However I do not entirely get how you would support ActiveRecord in such a > scenario? > > On Sat, Dec 13, 2008 at 11:04 PM, Ayende Rahien <[email protected]> wrote: > >> I think we need to make a few more modifications to Rhino Security. Break >> it away from IRepository<T>, for a start, and maybe allow to use it using >> Common Service Locator? >> >> >> On Sat, Dec 13, 2008 at 3:17 PM, Ayende Rahien <[email protected]> wrote: >> >>> Applied with a minor change to make this pass: >>> >>> [Test] >>> public void >>> WillReturnTrueOnGlobalIfPermissionWasAllowedOnGlobalButDeniedOnSpecificEntity() >>> { >>> permissionsBuilderService >>> .Allow("/Account/Edit") >>> .For(user) >>> .OnEverything() >>> .DefaultLevel() >>> .Save(); >>> UnitOfWork.Current.TransactionalFlush(); >>> >>> permissionsBuilderService >>> .Deny("/Account/Edit") >>> .For(user) >>> .On(account) >>> .DefaultLevel() >>> .Save(); >>> UnitOfWork.Current.TransactionalFlush(); >>> >>> bool IsAllowed = authorizationService.IsAllowed(user, >>> "/Account/Edit"); >>> Assert.IsTrue(IsAllowed); >>> >>> } >>> >>> On Sat, Dec 13, 2008 at 5:14 PM, Bart Reyserhove < >>> [email protected]> wrote: >>> >>>> Patch attached. >>>> I also added two new tests and changed the expectation of the one >>>> discussed earlier in this thread. >>>> >>>> Bart >>>> >>>> >>>> On Fri, Dec 12, 2008 at 11:59 PM, Ayende Rahien <[email protected]>wrote: >>>> >>>>> I think that this is a test that should be expected to fail after this >>>>> change. >>>>> >>>>> >>>>> On Fri, Dec 12, 2008 at 11:30 PM, Bart Reyserhove < >>>>> [email protected]> wrote: >>>>> >>>>>> So I changed this method: >>>>>> /// <summary> >>>>>> /// Gets the permissions for the specified etntity >>>>>> /// </summary> >>>>>> /// <param name="user">The user.</param> >>>>>> /// <param name="operationName">Name of the operation.</param> >>>>>> /// <returns></returns> >>>>>> public Permission[] GetPermissionsFor(IUser user, string >>>>>> operationName) >>>>>> { >>>>>> string[] operationNames = Strings.GetHierarchicalOperationNames( >>>>>> operationName); >>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>> .Add(Expression.Eq("User", user) >>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>> SecurityCriterions.AllGroups( >>>>>> user).SetProjection(Projections.Id()))) >>>>>> .CreateAlias("Operation", "op") >>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>> >>>>>> return FindResults(criteria); >>>>>> } >>>>>> >>>>>> into: >>>>>> >>>>>> /// <summary> >>>>>> /// Gets the global permissions without taking groups into account >>>>>> /// </summary> >>>>>> /// <param name="user">The user.</param> >>>>>> /// <param name="operationName">Name of the operation.</param> >>>>>> /// <returns></returns> >>>>>> public Permission[] GetGlobalPermissionsFor(IUser user, string >>>>>> operationName) >>>>>> { >>>>>> string[] operationNames = >>>>>> Strings.GetHierarchicalOperationNames(operationName); >>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>> .Add(Expression.Eq("User", user) >>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>> >>>>>> SecurityCriterions.AllGroups(user).SetProjection(Projections.Id()))) >>>>>> .Add(Expression.IsNull("EntitiesGroup")) >>>>>> .CreateAlias("Operation", "op") >>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>> >>>>>> return FindResults(criteria); >>>>>> } >>>>>> >>>>>> I added a test for it and I ran all tests. Two tests are failing now, >>>>>> but it is actually only one case since it is tested for NHibernate and >>>>>> ActiveRecord. >>>>>> >>>>>> The failing test: >>>>>> >>>>>> [Test] >>>>>> public void >>>>>> ExplainWhyAllowedIfPermissionWasGrantedToUsersGroupAssociatedWithUser() >>>>>> { >>>>>> permissionsBuilderService >>>>>> .Allow("/Account/Edit") >>>>>> .For("Administrators") >>>>>> .On("Important Accounts") >>>>>> .DefaultLevel() >>>>>> .Save(); >>>>>> UnitOfWork.Current.TransactionalFlush(); >>>>>> AuthorizationInformation information = >>>>>> authorizationService.GetAuthorizationInformation(user, >>>>>> "/Account/Edit"); >>>>>> string expected = >>>>>> @"Permission (level 1) for operation '/Account/Edit' >>>>>> was granted to group 'Administrators' on 'Important Accounts' ('Ayende' >>>>>> is a >>>>>> member of 'Administrators') >>>>>> "; >>>>>> Assert.AreEqual(expected, information.ToString()); >>>>>> } >>>>>> >>>>>> Knowing the change this is quite logic, because in this test the >>>>>> permission is only granted to a group and checked globally. Functionally >>>>>> seen you could discuss about this. Permission was only granted to the >>>>>> "Important accounts" and the question is "OnEverything". So one could >>>>>> argue >>>>>> that it is correct that the permission is not granted, but of course this >>>>>> could lead to breaking changes... >>>>>> >>>>>> What's your opinion? >>>>>> >>>>>> Bart >>>>>> >>>>>> >>>>>> On Fri, Dec 12, 2008 at 8:27 AM, Bart Reyserhove < >>>>>> [email protected]> wrote: >>>>>> >>>>>>> All right. I'll make a patch this weekend. >>>>>>> >>>>>>> >>>>>>> On Thu, Dec 11, 2008 at 10:21 PM, Ayende Rahien >>>>>>> <[email protected]>wrote: >>>>>>> >>>>>>>> Yes, so in this case, you are right.What we need to do is to change >>>>>>>> the name of the method to GetGlobalPermissionsFor >>>>>>>> >>>>>>>> >>>>>>>> On Thu, Dec 11, 2008 at 3:33 PM, Bart Reyserhove < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> I ask the question: IsAllowed(IUser user, string operation) >>>>>>>>> I checked where GetPermissionsFor(IUser user, string operationName) >>>>>>>>> is used and it is used in the following two methods: >>>>>>>>> >>>>>>>>> /// <summary> >>>>>>>>> /// Determines whether the specified user is allowed to perform the >>>>>>>>> /// specified operation on the entity. >>>>>>>>> /// </summary> >>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>> /// <param name="operation">The operation.</param> >>>>>>>>> /// <returns> >>>>>>>>> /// <c>true</c> if the specified user is allowed; otherwise, >>>>>>>>> <c>false</c>. >>>>>>>>> /// </returns> >>>>>>>>> public bool IsAllowed(IUser user, string operation) >>>>>>>>> { >>>>>>>>> Permission[] permissions = >>>>>>>>> permissionsService.GetPermissionsFor(user, operation); >>>>>>>>> if (permissions.Length == 0) >>>>>>>>> return false; >>>>>>>>> return permissions[0].Allow; >>>>>>>>> } >>>>>>>>> >>>>>>>>> /// <summary> >>>>>>>>> /// Gets the authorization information for the specified user and >>>>>>>>> operation, >>>>>>>>> /// allows to easily understand why a given operation was granted >>>>>>>>> / denied. >>>>>>>>> /// </summary> >>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>> /// <param name="operation">The operation.</param> >>>>>>>>> /// <returns></returns> >>>>>>>>> public AuthorizationInformation GetAuthorizationInformation(IUser >>>>>>>>> user, string operation) >>>>>>>>> { >>>>>>>>> AuthorizationInformation info; >>>>>>>>> if (InitializeAuthorizationInfo(operation, out info)) >>>>>>>>> return info; >>>>>>>>> Permission[] permissions = >>>>>>>>> permissionsService.GetPermissionsFor(user, operation); >>>>>>>>> AddPermissionDescriptionToAuthorizationInformation<object>(operation, >>>>>>>>> info, user, permissions, null); >>>>>>>>> return info; >>>>>>>>> } >>>>>>>>> >>>>>>>>> Both methods above do not take the entity into accoutn since the >>>>>>>>> entity is not passed. >>>>>>>>> >>>>>>>>> I understand that you have to take the situation into account where >>>>>>>>> the permission is directly given on the entity but shouldn't I use >>>>>>>>> IsAllowed<TEntity>(IUser >>>>>>>>> user, TEntity entity, string operation) where TEntity : class >>>>>>>>> then? >>>>>>>>> >>>>>>>>> Bart >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Dec 11, 2008 at 4:56 PM, Ayende Rahien >>>>>>>>> <[email protected]>wrote: >>>>>>>>> >>>>>>>>>> What question are you asking? >>>>>>>>>> Get permissions isn't actually that useful for the user, it is the >>>>>>>>>> question that you ask when you want to know if it has a permission >>>>>>>>>> to do X >>>>>>>>>> on anything. Anything include entities group. >>>>>>>>>> The question that you are likely asking is IsAllowed(), and in >>>>>>>>>> this case, I think that you are correct, if it is allowed to do this >>>>>>>>>> in >>>>>>>>>> general, it is allowed to do so. >>>>>>>>>> The problem is that I am not sure that your solution is the >>>>>>>>>> appropriate one. >>>>>>>>>> GetPermissionsFor is used by the Rhino Security infrastructure, >>>>>>>>>> and we need to review this to make sure it doesn't break things. >>>>>>>>>> For that matter, we also need to handle the case where a >>>>>>>>>> permission was given directly on an entity. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Thu, Dec 11, 2008 at 3:18 AM, Bart Reyserhove < >>>>>>>>>> [email protected]> wrote: >>>>>>>>>> >>>>>>>>>>> The "PermissionsService" contains the following method: >>>>>>>>>>> /// <summary> >>>>>>>>>>> /// Gets the permissions for the specified etntity >>>>>>>>>>> /// </summary> >>>>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>>>> /// <param name="operationName">Name of the operation.</param> >>>>>>>>>>> /// <returns></returns> >>>>>>>>>>> public Permission[] GetPermissionsFor(IUser user, string >>>>>>>>>>> operationName) >>>>>>>>>>> { >>>>>>>>>>> string[] operationNames = >>>>>>>>>>> Strings.GetHierarchicalOperationNames(operationName); >>>>>>>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>>>>>>> .Add(Expression.Eq("User", user) >>>>>>>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> SecurityCriterions.AllGroups(user).SetProjection(Projections.Id()))) >>>>>>>>>>> >>>>>>>>>>> .CreateAlias("Operation", "op") >>>>>>>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>>>>>>> >>>>>>>>>>> return FindResults(criteria); >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> This method returns all permissions for a user for a certain >>>>>>>>>>> operation. With "All" I mean also the ones that are defined on >>>>>>>>>>> entitiesgroups. I have for example an operation "/Department/List" >>>>>>>>>>> with the >>>>>>>>>>> permission "on everything" set to "allow" and with the permission >>>>>>>>>>> on group >>>>>>>>>>> "departments of company x" set on "deny". Now if the user wants to >>>>>>>>>>> access >>>>>>>>>>> the "http://localhost/Department/List"; it is not allowed because >>>>>>>>>>> Rhino.Security finds a "deny" permission for a certain >>>>>>>>>>> entitiesgroup. In my >>>>>>>>>>> opinion it should not take the permissions on entititiesgroups into >>>>>>>>>>> account >>>>>>>>>>> in this case. It could also be that I have configured it in the >>>>>>>>>>> wrong way of >>>>>>>>>>> course. >>>>>>>>>>> >>>>>>>>>>> This fixed it for me: >>>>>>>>>>> >>>>>>>>>>> /// <summary> >>>>>>>>>>> /// Gets the permissions for the specified etntity >>>>>>>>>>> /// </summary> >>>>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>>>> /// <param name="operationName">Name of the operation.</param> >>>>>>>>>>> /// <returns></returns> >>>>>>>>>>> public Permission[] GetPermissionsFor(IUser user, string >>>>>>>>>>> operationName) >>>>>>>>>>> { >>>>>>>>>>> string[] operationNames = >>>>>>>>>>> Strings.GetHierarchicalOperationNames(operationName); >>>>>>>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>>>>>>> .Add(Expression.Eq("User", user) >>>>>>>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> SecurityCriterions.AllGroups(user).SetProjection(Projections.Id()))) >>>>>>>>>>> .Add(Expression.IsNull("EntitiesGroup")) >>>>>>>>>>> .CreateAlias("Operation", "op") >>>>>>>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>>>>>>> >>>>>>>>>>> return FindResults(criteria); >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> Bart >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >> >> >> > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Rhino Tools Dev" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rhino-tools-dev?hl=en -~----------~----~----~----~------~----~------~--~---
