Just standard NH operations.I think that Reposiotry<T> has gotten to big, that is all
On Mon, Dec 15, 2008 at 8:59 AM, Bart Reyserhove <[email protected]>wrote: > What direction are you heading than if you do not like Repository<T> > anymore. Linq? > > > On Sun, Dec 14, 2008 at 7:30 PM, Ayende Rahien <[email protected]> wrote: > >> The only thing we really need it to get a reference to the current >> session, beyond that, we are more or less home free. The problem isn't >> actually rhino commons. It is Repository<T>, which I don't much like >> anymore. >> >> >> On Sun, Dec 14, 2008 at 8:31 AM, Bart Reyserhove < >> [email protected]> wrote: >> >>> I suppose you want to break it away from IRepository<T> to loose the >>> dependency on Rhino.Commons. By using Common Service Locator it would than >>> even be de-coupled from Windsor. >>> Personally I don't have a problem with the dependency on Rhino.Commons >>> because I use it ;-). >>> I do see however that it lowers the entry barrier for other people to >>> start using Rhino.Security. If it only depends on Nhibernate there will be >>> many more that can start using it. >>> >>> However I do not entirely get how you would support ActiveRecord in such >>> a scenario? >>> >>> On Sat, Dec 13, 2008 at 11:04 PM, Ayende Rahien <[email protected]>wrote: >>> >>>> I think we need to make a few more modifications to Rhino Security. Break >>>> it away from IRepository<T>, for a start, and maybe allow to use it using >>>> Common Service Locator? >>>> >>>> >>>> On Sat, Dec 13, 2008 at 3:17 PM, Ayende Rahien <[email protected]>wrote: >>>> >>>>> Applied with a minor change to make this pass: >>>>> >>>>> [Test] >>>>> public void >>>>> WillReturnTrueOnGlobalIfPermissionWasAllowedOnGlobalButDeniedOnSpecificEntity() >>>>> { >>>>> permissionsBuilderService >>>>> .Allow("/Account/Edit") >>>>> .For(user) >>>>> .OnEverything() >>>>> .DefaultLevel() >>>>> .Save(); >>>>> UnitOfWork.Current.TransactionalFlush(); >>>>> >>>>> permissionsBuilderService >>>>> .Deny("/Account/Edit") >>>>> .For(user) >>>>> .On(account) >>>>> .DefaultLevel() >>>>> .Save(); >>>>> UnitOfWork.Current.TransactionalFlush(); >>>>> >>>>> bool IsAllowed = authorizationService.IsAllowed(user, >>>>> "/Account/Edit"); >>>>> Assert.IsTrue(IsAllowed); >>>>> >>>>> } >>>>> >>>>> On Sat, Dec 13, 2008 at 5:14 PM, Bart Reyserhove < >>>>> [email protected]> wrote: >>>>> >>>>>> Patch attached. >>>>>> I also added two new tests and changed the expectation of the one >>>>>> discussed earlier in this thread. >>>>>> >>>>>> Bart >>>>>> >>>>>> >>>>>> On Fri, Dec 12, 2008 at 11:59 PM, Ayende Rahien <[email protected]>wrote: >>>>>> >>>>>>> I think that this is a test that should be expected to fail after >>>>>>> this change. >>>>>>> >>>>>>> >>>>>>> On Fri, Dec 12, 2008 at 11:30 PM, Bart Reyserhove < >>>>>>> [email protected]> wrote: >>>>>>> >>>>>>>> So I changed this method: >>>>>>>> /// <summary> >>>>>>>> /// Gets the permissions for the specified etntity >>>>>>>> /// </summary> >>>>>>>> /// <param name="user">The user.</param> >>>>>>>> /// <param name="operationName">Name of the operation.</param> >>>>>>>> /// <returns></returns> >>>>>>>> public Permission[] GetPermissionsFor(IUser user, string >>>>>>>> operationName) >>>>>>>> { >>>>>>>> string[] operationNames = Strings.GetHierarchicalOperationNames( >>>>>>>> operationName); >>>>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>>>> .Add(Expression.Eq("User", user) >>>>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>>>> SecurityCriterions.AllGroups( >>>>>>>> user).SetProjection(Projections.Id()))) >>>>>>>> .CreateAlias("Operation", "op") >>>>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>>>> >>>>>>>> return FindResults(criteria); >>>>>>>> } >>>>>>>> >>>>>>>> into: >>>>>>>> >>>>>>>> /// <summary> >>>>>>>> /// Gets the global permissions without taking groups into account >>>>>>>> /// </summary> >>>>>>>> /// <param name="user">The user.</param> >>>>>>>> /// <param name="operationName">Name of the operation.</param> >>>>>>>> /// <returns></returns> >>>>>>>> public Permission[] GetGlobalPermissionsFor(IUser user, string >>>>>>>> operationName) >>>>>>>> { >>>>>>>> string[] operationNames = >>>>>>>> Strings.GetHierarchicalOperationNames(operationName); >>>>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>>>> .Add(Expression.Eq("User", user) >>>>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>>>> >>>>>>>> SecurityCriterions.AllGroups(user).SetProjection(Projections.Id()))) >>>>>>>> .Add(Expression.IsNull("EntitiesGroup")) >>>>>>>> .CreateAlias("Operation", "op") >>>>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>>>> >>>>>>>> return FindResults(criteria); >>>>>>>> } >>>>>>>> >>>>>>>> I added a test for it and I ran all tests. Two tests are failing >>>>>>>> now, but it is actually only one case since it is tested for >>>>>>>> NHibernate and >>>>>>>> ActiveRecord. >>>>>>>> >>>>>>>> The failing test: >>>>>>>> >>>>>>>> [Test] >>>>>>>> public void >>>>>>>> ExplainWhyAllowedIfPermissionWasGrantedToUsersGroupAssociatedWithUser() >>>>>>>> { >>>>>>>> permissionsBuilderService >>>>>>>> .Allow("/Account/Edit") >>>>>>>> .For("Administrators") >>>>>>>> .On("Important Accounts") >>>>>>>> .DefaultLevel() >>>>>>>> .Save(); >>>>>>>> UnitOfWork.Current.TransactionalFlush(); >>>>>>>> AuthorizationInformation information = >>>>>>>> >>>>>>>> authorizationService.GetAuthorizationInformation(user, >>>>>>>> "/Account/Edit"); >>>>>>>> string expected = >>>>>>>> @"Permission (level 1) for operation '/Account/Edit' >>>>>>>> was granted to group 'Administrators' on 'Important Accounts' >>>>>>>> ('Ayende' is a >>>>>>>> member of 'Administrators') >>>>>>>> "; >>>>>>>> Assert.AreEqual(expected, information.ToString()); >>>>>>>> } >>>>>>>> >>>>>>>> Knowing the change this is quite logic, because in this test the >>>>>>>> permission is only granted to a group and checked globally. >>>>>>>> Functionally >>>>>>>> seen you could discuss about this. Permission was only granted to >>>>>>>> the "Important accounts" and the question is "OnEverything". So one >>>>>>>> could >>>>>>>> argue that it is correct that the permission is not granted, but of >>>>>>>> course >>>>>>>> this could lead to breaking changes... >>>>>>>> >>>>>>>> What's your opinion? >>>>>>>> >>>>>>>> Bart >>>>>>>> >>>>>>>> >>>>>>>> On Fri, Dec 12, 2008 at 8:27 AM, Bart Reyserhove < >>>>>>>> [email protected]> wrote: >>>>>>>> >>>>>>>>> All right. I'll make a patch this weekend. >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Dec 11, 2008 at 10:21 PM, Ayende Rahien <[email protected] >>>>>>>>> > wrote: >>>>>>>>> >>>>>>>>>> Yes, so in this case, you are right.What we need to do is to >>>>>>>>>> change the name of the method to GetGlobalPermissionsFor >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Thu, Dec 11, 2008 at 3:33 PM, Bart Reyserhove < >>>>>>>>>> [email protected]> wrote: >>>>>>>>>> >>>>>>>>>>> I ask the question: IsAllowed(IUser user, string operation) >>>>>>>>>>> I checked where GetPermissionsFor(IUser user, string >>>>>>>>>>> operationName) is used and it is used in the following two methods: >>>>>>>>>>> >>>>>>>>>>> /// <summary> >>>>>>>>>>> /// Determines whether the specified user is allowed to perform >>>>>>>>>>> the >>>>>>>>>>> /// specified operation on the entity. >>>>>>>>>>> /// </summary> >>>>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>>>> /// <param name="operation">The operation.</param> >>>>>>>>>>> /// <returns> >>>>>>>>>>> /// <c>true</c> if the specified user is allowed; otherwise, >>>>>>>>>>> <c>false</c>. >>>>>>>>>>> /// </returns> >>>>>>>>>>> public bool IsAllowed(IUser user, string operation) >>>>>>>>>>> { >>>>>>>>>>> Permission[] permissions = >>>>>>>>>>> permissionsService.GetPermissionsFor(user, operation); >>>>>>>>>>> if (permissions.Length == 0) >>>>>>>>>>> return false; >>>>>>>>>>> return permissions[0].Allow; >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> /// <summary> >>>>>>>>>>> /// Gets the authorization information for the specified user and >>>>>>>>>>> operation, >>>>>>>>>>> /// allows to easily understand why a given operation was >>>>>>>>>>> granted / denied. >>>>>>>>>>> /// </summary> >>>>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>>>> /// <param name="operation">The operation.</param> >>>>>>>>>>> /// <returns></returns> >>>>>>>>>>> public AuthorizationInformation GetAuthorizationInformation(IUser >>>>>>>>>>> user, string operation) >>>>>>>>>>> { >>>>>>>>>>> AuthorizationInformation info; >>>>>>>>>>> if (InitializeAuthorizationInfo(operation, out info)) >>>>>>>>>>> return info; >>>>>>>>>>> Permission[] permissions = >>>>>>>>>>> permissionsService.GetPermissionsFor(user, operation); >>>>>>>>>>> >>>>>>>>>>> AddPermissionDescriptionToAuthorizationInformation<object>(operation, >>>>>>>>>>> info, user, permissions, null); >>>>>>>>>>> return info; >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> Both methods above do not take the entity into accoutn since the >>>>>>>>>>> entity is not passed. >>>>>>>>>>> >>>>>>>>>>> I understand that you have to take the situation into account >>>>>>>>>>> where the permission is directly given on the entity but shouldn't >>>>>>>>>>> I use IsAllowed<TEntity>(IUser >>>>>>>>>>> user, TEntity entity, string operation) where TEntity : class >>>>>>>>>>> then? >>>>>>>>>>> >>>>>>>>>>> Bart >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Thu, Dec 11, 2008 at 4:56 PM, Ayende Rahien < >>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>> >>>>>>>>>>>> What question are you asking? >>>>>>>>>>>> Get permissions isn't actually that useful for the user, it is >>>>>>>>>>>> the question that you ask when you want to know if it has a >>>>>>>>>>>> permission to do >>>>>>>>>>>> X on anything. Anything include entities group. >>>>>>>>>>>> The question that you are likely asking is IsAllowed(), and in >>>>>>>>>>>> this case, I think that you are correct, if it is allowed to do >>>>>>>>>>>> this in >>>>>>>>>>>> general, it is allowed to do so. >>>>>>>>>>>> The problem is that I am not sure that your solution is the >>>>>>>>>>>> appropriate one. >>>>>>>>>>>> GetPermissionsFor is used by the Rhino Security infrastructure, >>>>>>>>>>>> and we need to review this to make sure it doesn't break things. >>>>>>>>>>>> For that matter, we also need to handle the case where a >>>>>>>>>>>> permission was given directly on an entity. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Thu, Dec 11, 2008 at 3:18 AM, Bart Reyserhove < >>>>>>>>>>>> [email protected]> wrote: >>>>>>>>>>>> >>>>>>>>>>>>> The "PermissionsService" contains the following method: >>>>>>>>>>>>> /// <summary> >>>>>>>>>>>>> /// Gets the permissions for the specified etntity >>>>>>>>>>>>> /// </summary> >>>>>>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>>>>>> /// <param name="operationName">Name of the >>>>>>>>>>>>> operation.</param> >>>>>>>>>>>>> /// <returns></returns> >>>>>>>>>>>>> public Permission[] GetPermissionsFor(IUser user, string >>>>>>>>>>>>> operationName) >>>>>>>>>>>>> { >>>>>>>>>>>>> string[] operationNames = >>>>>>>>>>>>> Strings.GetHierarchicalOperationNames(operationName); >>>>>>>>>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>>>>>>>>> .Add(Expression.Eq("User", user) >>>>>>>>>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> SecurityCriterions.AllGroups(user).SetProjection(Projections.Id()))) >>>>>>>>>>>>> >>>>>>>>>>>>> .CreateAlias("Operation", "op") >>>>>>>>>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>>>>>>>>> >>>>>>>>>>>>> return FindResults(criteria); >>>>>>>>>>>>> } >>>>>>>>>>>>> >>>>>>>>>>>>> This method returns all permissions for a user for a certain >>>>>>>>>>>>> operation. With "All" I mean also the ones that are defined on >>>>>>>>>>>>> entitiesgroups. I have for example an operation >>>>>>>>>>>>> "/Department/List" with the >>>>>>>>>>>>> permission "on everything" set to "allow" and with the permission >>>>>>>>>>>>> on group >>>>>>>>>>>>> "departments of company x" set on "deny". Now if the user wants >>>>>>>>>>>>> to access >>>>>>>>>>>>> the "http://localhost/Department/List"; it is not allowed >>>>>>>>>>>>> because Rhino.Security finds a "deny" permission for a certain >>>>>>>>>>>>> entitiesgroup. In my opinion it should not take the permissions on >>>>>>>>>>>>> entititiesgroups into account in this case. It could also be that >>>>>>>>>>>>> I have >>>>>>>>>>>>> configured it in the wrong way of course. >>>>>>>>>>>>> >>>>>>>>>>>>> This fixed it for me: >>>>>>>>>>>>> >>>>>>>>>>>>> /// <summary> >>>>>>>>>>>>> /// Gets the permissions for the specified etntity >>>>>>>>>>>>> /// </summary> >>>>>>>>>>>>> /// <param name="user">The user.</param> >>>>>>>>>>>>> /// <param name="operationName">Name of the >>>>>>>>>>>>> operation.</param> >>>>>>>>>>>>> /// <returns></returns> >>>>>>>>>>>>> public Permission[] GetPermissionsFor(IUser user, string >>>>>>>>>>>>> operationName) >>>>>>>>>>>>> { >>>>>>>>>>>>> string[] operationNames = >>>>>>>>>>>>> Strings.GetHierarchicalOperationNames(operationName); >>>>>>>>>>>>> DetachedCriteria criteria = DetachedCriteria.For<Permission>() >>>>>>>>>>>>> .Add(Expression.Eq("User", user) >>>>>>>>>>>>> || Subqueries.PropertyIn("UsersGroup.Id", >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> SecurityCriterions.AllGroups(user).SetProjection(Projections.Id()))) >>>>>>>>>>>>> .Add(Expression.IsNull("EntitiesGroup")) >>>>>>>>>>>>> .CreateAlias("Operation", "op") >>>>>>>>>>>>> .Add(Expression.In("op.Name", operationNames)); >>>>>>>>>>>>> >>>>>>>>>>>>> return FindResults(criteria); >>>>>>>>>>>>> } >>>>>>>>>>>>> >>>>>>>>>>>>> Bart >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> >>>>> >>>> >>>> >>>> >>> >>> >>> >> >> >> > > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Rhino Tools Dev" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rhino-tools-dev?hl=en -~----------~----~----~----~------~----~------~--~---
