Permission-based authorization utilizing Policies
This commit is contained in:
Shaun Walker
103
Oqtane.Shared/Security/UserSecurity.cs
Normal file
103
Oqtane.Shared/Security/UserSecurity.cs
Normal file
@ -0,0 +1,103 @@
|
||||
using System;
|
||||
using Oqtane.Models;
|
||||
using Oqtane.Shared;
|
||||
|
||||
namespace Oqtane.Security
|
||||
{
|
||||
public class UserSecurity
|
||||
{
|
||||
// permission collections are stored in format {permissionname1:permissions}{permissionname2:permissions}...
|
||||
public static string GetPermissions(string PermissionName, string Permissions)
|
||||
{
|
||||
string permissions = "";
|
||||
foreach(string permission in Permissions.Split(new char[] { '{' }, StringSplitOptions.RemoveEmptyEntries))
|
||||
{
|
||||
if (permission.StartsWith(PermissionName + ":"))
|
||||
{
|
||||
permissions = permission.Replace(PermissionName + ":", "").Replace("}", "");
|
||||
break;
|
||||
}
|
||||
}
|
||||
return permissions;
|
||||
}
|
||||
|
||||
public static string SetPermissions(string PermissionName, string Permissions)
|
||||
{
|
||||
return "{" + PermissionName + ":" + Permissions + "}";
|
||||
}
|
||||
|
||||
// permissions are stored in the format "!rolename1;![userid1];rolename2;rolename3;[userid2];[userid3]" where "!" designates Deny permissions
|
||||
public static bool IsAuthorized(User User, string PermissionName, string Permissions)
|
||||
{
|
||||
Permissions = GetPermissions(PermissionName, Permissions);
|
||||
if (User == null)
|
||||
{
|
||||
return IsAuthorized(-1, "", Permissions); // user is not authenticated but may have access to resource
|
||||
}
|
||||
else
|
||||
{
|
||||
return IsAuthorized(User.UserId, User.Roles, Permissions);
|
||||
}
|
||||
}
|
||||
|
||||
private static bool IsAuthorized(int UserId, string Roles, string Permissions)
|
||||
{
|
||||
bool IsAuthorized = false;
|
||||
|
||||
if (Permissions != null)
|
||||
{
|
||||
foreach (string permission in Permissions.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
|
||||
{
|
||||
bool? allowed = VerifyPermission(UserId, Roles, permission);
|
||||
if (allowed.HasValue)
|
||||
{
|
||||
IsAuthorized = allowed.Value;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return IsAuthorized;
|
||||
}
|
||||
|
||||
private static bool? VerifyPermission(int UserId, string Roles, string Permission)
|
||||
{
|
||||
bool? allowed = null;
|
||||
//permissions strings are encoded with deny permissions at the beginning and grant permissions at the end for optimal performance
|
||||
if (!String.IsNullOrEmpty(Permission))
|
||||
{
|
||||
// deny permission
|
||||
if (Permission.StartsWith("!"))
|
||||
{
|
||||
string denyRole = Permission.Replace("!", "");
|
||||
if (denyRole == Constants.AllUsersRole || IsAllowed(UserId, Roles, denyRole))
|
||||
{
|
||||
allowed = false;
|
||||
}
|
||||
}
|
||||
else // grant permission
|
||||
{
|
||||
if (Permission == Constants.AllUsersRole || IsAllowed(UserId, Roles, Permission))
|
||||
{
|
||||
allowed = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return allowed;
|
||||
}
|
||||
|
||||
private static bool IsAllowed(int UserId, string Roles, string Permission)
|
||||
{
|
||||
if ("[" + UserId + "]" == Permission)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
if (Roles != null)
|
||||
{
|
||||
return Roles.IndexOf(";" + Permission + ";") != -1;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user