StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
text
Body
copied!<p>Given the above information we can write some simple tooling, in my case I am working with a content management system so my ACL's are about page access. </p> <p>First I define what my ACL entries look like ...</p> <pre><code>using System; namespace Core.Objects.CMS { /// <summary> /// Represents a record on an access control list /// </summary> public class PageACLEntry { /// <summary> /// Gets or sets the access control entry id. /// </summary> /// <value> /// The access control entry id. /// </value> public int PageACLEntryId { get; set; } /// <summary> /// Gets or sets the page id. /// </summary> /// <value> /// The page id. /// </value> public int PageId { get; set; } /// <summary> /// Gets or sets the name of the role. /// </summary> /// <value> /// The name of the role. /// </value> public string RoleName { get; set; } /// <summary> /// Gets or sets the read. /// </summary> /// <value> /// The read. /// </value> public bool? Read { get; set; } /// <summary> /// Gets or sets the content of the update. /// </summary> /// <value> /// The content of the update. /// </value> public bool? UpdateContent { get; set; } /// <summary> /// Gets or sets the update meta. /// </summary> /// <value> /// The update meta. /// </value> public bool? UpdateMeta { get; set; } /// <summary> /// Gets or sets the delete. /// </summary> /// <value> /// The delete. /// </value> public bool? Delete { get; set; } /// <summary> /// Gets or sets the full control. /// </summary> /// <value> /// The full control. /// </value> public bool? FullControl { get; set; } } } </code></pre> <p>Then I create a helper class to handle the evaluations ...</p> <pre><code>using System.Collections.Generic; using System.Security.Principal; using Core.Objects.CMS; namespace Core.Utilities { /// <summary> /// Tools for permission calculation /// </summary> public static class PermissionHelper { /// <summary> /// Calculates the page permissions the given user has on the given page. /// </summary> /// <param name="page">The page.</param> /// <param name="user">The user.</param> /// <returns>the effective permissions</returns> private static PageACLEntry CalculatePagePermissions(Page page, IPrincipal user) { PageACLEntry result = new PageACLEntry(); // start with acl for the current page List<PageACLEntry> acl = new List<PageACLEntry>(page.AclRules); // append all the way up the tree until parent == null acl = AppendTreePermissions(acl, page, user); // reverse the list so we evaluate root first then work up to here acl.Reverse(); // because of the order in which these are applied the most local rules overrule the less local // the wider the scope the less it applies acl.ForEach(ace => { // only apply rules that apply to roles that our current user is in if (user.IsInRole(ace.RoleName)) { result.Read = Eval(result.Read, ace.Read); result.Delete = Eval(result.Delete, ace.Delete); result.UpdateMeta = Eval(result.UpdateMeta, ace.UpdateMeta); result.UpdateContent = Eval(result.UpdateContent, ace.UpdateContent); result.FullControl = Eval(result.FullControl, ace.FullControl); } }); return result; } /// <summary> /// Evaluates the specified permission level. /// </summary> /// <param name="target">The target.</param> /// <param name="suggestion">The suggestion.</param> /// <returns>evaluation result</returns> private static bool? Eval(bool? target, bool? suggestion) { bool? result = null; switch (target) { case false: result = false; break; case true: result = true; break; case null: break; } return result; } /// <summary> /// Appends the tree acl from the tree root up to this point. /// </summary> /// <param name="acl">The acl.</param> /// <param name="page">The page.</param> /// <param name="user">The user.</param> /// <returns>the complete acl</returns> private static List<PageACLEntry> AppendTreePermissions(List<PageACLEntry> acl, Page page, IPrincipal user) { Page currentPage = page.Parent; while (currentPage != null) { acl.AddRange(currentPage.AclRules); currentPage = page.Parent; } return acl; } /// <summary> /// Determines if the current User can read the given page. /// Unless an explicit deny rule is in place the default is to make everything read only. /// </summary> /// <param name="page">The page.</param> /// <param name="user">The user.</param> /// <returns> /// access right indication as bool /// </returns> public static bool UserCanRead(Page page, IPrincipal user) { PageACLEntry permissions = CalculatePagePermissions(page, user); if (permissions.Read != false) { return true; } return false; } /// <summary> /// Determines if the current User can delete the given page. /// </summary> /// <param name="page">The page.</param> /// <param name="user">The user.</param> /// <returns> /// access right indication as bool /// </returns> public static bool UserCanDelete(Page page, IPrincipal user) { PageACLEntry permissions = CalculatePagePermissions(page, user); if (permissions.FullControl == true || permissions.Delete == true) { return true; } return false; } /// <summary> /// Determines if the current User can update the given page. /// </summary> /// <param name="page">The page.</param> /// <param name="user">The user.</param> /// <returns> /// access right indication as bool /// </returns> public static bool UserCanUpdate(Page page, IPrincipal user) { PageACLEntry permissions = CalculatePagePermissions(page, user); if (permissions.FullControl == true || permissions.UpdateMeta == true) { return true; } return false; } public static bool UserCanUpdateContent(Page page, IPrincipal user) { PageACLEntry permissions = CalculatePagePermissions(page, user); if (permissions.FullControl == true || permissions.UpdateContent == true) { return true; } return false; } /// <summary> /// Determines if the current User can append children to the given page. /// </summary> /// <param name="page">The page.</param> /// <param name="user">The user.</param> /// <returns> /// access right indication as bool /// </returns> public static bool UserCanAddChildTo(Page page, IPrincipal user) { PageACLEntry permissions = CalculatePagePermissions(page, user); if (permissions.FullControl == true || permissions.UpdateMeta == true) { return true; } return false; } } } </code></pre> <p>This now gives me all the control I simply pass that a page and an IPrincipal object and I get back an ACLEntry that represents the level of access. </p> <p>I decided to further abstract away my security implementation by making the Calculation method private and only the CanX methods public.</p> <p>So now it's as simple as </p> <pre><code>bool result = PermissionsHelper.UserCanRead(page, user); </code></pre> <p>It seems like theres a lot of code but if you take out the formatting and comments (to meet coding standards) there's actually very little code, and if you copy this in in to a class file in Visual Studio it's actually very easy to follow and maintain.</p> <p>You may also note, not once do I pass in a repository or service class to get data, that's because I use this to build objects that are written using code first EF modelling an i'm using lazy loading, so your implementation might require a bit more than page.parent.AClEntries to go crawling up the tree. </p> <p>Oh just in case you need it here's my page class ...</p> <pre><code>using System.Collections.Generic; using System.ComponentModel.DataAnnotations; namespace Core.Objects.CMS { /// <summary> /// Represents a managed CMS page /// </summary> [Table("Pages")] public class Page { /// <summary> /// Gets or sets the page id. /// </summary> /// <value> /// The page id. /// </value> public int PageId { get; set; } /// <summary> /// Gets or sets the version. /// </summary> /// <value> /// The version. /// </value> public int Version { get; set; } /// <summary> /// Gets or sets the title. /// </summary> /// <value> /// The title. /// </value> public string Title { get; set; } /// <summary> /// Gets or sets the template. /// </summary> /// <value> /// The template. /// </value> public string Template { get; set; } /// <summary> /// Gets or sets the path. /// </summary> /// <value> /// The path. /// </value> public string Path { get; set; } /// <summary> /// Gets or sets the parent. /// </summary> /// <value> /// The parent. /// </value> public virtual Page Parent { get; set; } /// <summary> /// Gets or sets the children. /// </summary> /// <value> /// The children. /// </value> public virtual List<Page> Children { get; set; } /// <summary> /// Gets or sets the content. /// </summary> /// <value> /// The content. /// </value> public virtual List<PageContent> Content { get; set; } /// <summary> /// Gets or sets the component stacks. /// </summary> /// <value> /// The component stacks. /// </value> public virtual List<Stack> ComponentStacks { get; set; } /// <summary> /// Gets or sets the acl rules. /// </summary> /// <value> /// The acl rules. /// </value> public virtual List<PageACLEntry> AclRules { get; set; } } } </code></pre> <p>Very simple poco ... using the power of EF to do all my on demand SQL crawling. The one down side ... i doubt it's particularly efficient if you have a page deeply nested in a tree. </p> <p>I'm still open to suggestions on improving this but this felt like the cleanest way to implement a managable solution at the time. Now i have total visibility of the problem I can look to make those efficiency gains.</p> <p>But at least you have a point of reference right :)</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload