Permission-based authorization utilizing Policies

2019-08-27 17:14:41 -04:00
parent f037898c6e
commit 3ce7f1a227
54 changed files with 1104 additions and 388 deletions
--- a/Oqtane.Client/Services/Interfaces/IUserService.cs
+++ b/Oqtane.Client/Services/Interfaces/IUserService.cs
@ -21,7 +21,5 @@ namespace Oqtane.Services
        Task<User> LoginUserAsync(User User, bool SetCookie, bool IsPersistent);

        Task LogoutUserAsync();
-
-        bool IsAuthorized(User User, string AccessControlList);
    }
 }
--- a/Oqtane.Client/Services/UserService.cs
+++ b/Oqtane.Client/Services/UserService.cs
@ -67,78 +67,5 @@ namespace Oqtane.Services
            // best practices recommend post is preferrable to get for logout
            await http.PostJsonAsync(apiurl + "/logout", null); 
        }
-
-        // ACLs are stored in the format "!rolename1;![userid1];rolename2;rolename3;[userid2];[userid3]" where "!" designates Deny permissions
-        public bool IsAuthorized(User User, string AccessControlList)
-        {
-            bool isAllowed = false;
-
-            if (User != null)
-            {
-                // super user always has full access
-                isAllowed = User.IsSuperUser;
-            }
-
-            if (!isAllowed)
-            {
-                if (AccessControlList != null)
-                {
-                    foreach (string permission in AccessControlList.Split(new[] { ';' }))
-                    {
-                        bool? allowed = VerifyPermission(User, permission);
-                        if (allowed.HasValue)
-                        {
-                            isAllowed = allowed.Value;
-                            break;
-                        }
-                    }
-                }
-            }
-            return isAllowed;
-        }
-
-        private bool? VerifyPermission(User user, string permission)
-        {
-            bool? allowed = null;
-            //permissions strings are encoded with deny permissions at the beginning and grant permissions at the end for optimal performance
-            if (!String.IsNullOrEmpty(permission))
-            {
-                // deny permission
-                if (permission.StartsWith("!"))
-                {
-                    string denyRole = permission.Replace("!", "");
-                    if (denyRole == Constants.AllUsersRole || IsAllowed(user, denyRole))
-                    {
-                        allowed = false;
-                    }
-                }
-                else // grant permission
-                {
-                    if (permission == Constants.AllUsersRole || IsAllowed(user, permission))
-                    {
-                        allowed = true;
-                    }
-                }
-            }
-            return allowed;
-        }
-
-        private bool IsAllowed(User user, string permission)
-        {
-            if (user != null)
-            {
-                if ("[" + user.UserId + "]" == permission)
-                {
-                    return true;
-                }
-
-                var roles = user.Roles;
-                if (roles != null)
-                {
-                    return roles.IndexOf(";" + permission + ";") != -1;
-                }
-            }
-            return false;
-        }
    }
 }