104 lines
3.6 KiB
C#
104 lines
3.6 KiB
C#
using System;
|
|
using Oqtane.Models;
|
|
using Oqtane.Shared;
|
|
|
|
namespace Oqtane.Security
|
|
{
|
|
public class UserSecurity
|
|
{
|
|
// permission collections are stored in format {permissionname1:permissions}{permissionname2:permissions}...
|
|
public static string GetPermissions(string PermissionName, string Permissions)
|
|
{
|
|
string permissions = "";
|
|
foreach(string permission in Permissions.Split(new char[] { '{' }, StringSplitOptions.RemoveEmptyEntries))
|
|
{
|
|
if (permission.StartsWith(PermissionName + ":"))
|
|
{
|
|
permissions = permission.Replace(PermissionName + ":", "").Replace("}", "");
|
|
break;
|
|
}
|
|
}
|
|
return permissions;
|
|
}
|
|
|
|
public static string SetPermissions(string PermissionName, string Permissions)
|
|
{
|
|
return "{" + PermissionName + ":" + Permissions + "}";
|
|
}
|
|
|
|
// permissions are stored in the format "!rolename1;![userid1];rolename2;rolename3;[userid2];[userid3]" where "!" designates Deny permissions
|
|
public static bool IsAuthorized(User User, string PermissionName, string Permissions)
|
|
{
|
|
Permissions = GetPermissions(PermissionName, Permissions);
|
|
if (User == null)
|
|
{
|
|
return IsAuthorized(-1, "", Permissions); // user is not authenticated but may have access to resource
|
|
}
|
|
else
|
|
{
|
|
return IsAuthorized(User.UserId, User.Roles, Permissions);
|
|
}
|
|
}
|
|
|
|
private static bool IsAuthorized(int UserId, string Roles, string Permissions)
|
|
{
|
|
bool IsAuthorized = false;
|
|
|
|
if (Permissions != null)
|
|
{
|
|
foreach (string permission in Permissions.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
|
|
{
|
|
bool? allowed = VerifyPermission(UserId, Roles, permission);
|
|
if (allowed.HasValue)
|
|
{
|
|
IsAuthorized = allowed.Value;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
return IsAuthorized;
|
|
}
|
|
|
|
private static bool? VerifyPermission(int UserId, string Roles, string Permission)
|
|
{
|
|
bool? allowed = null;
|
|
//permissions strings are encoded with deny permissions at the beginning and grant permissions at the end for optimal performance
|
|
if (!String.IsNullOrEmpty(Permission))
|
|
{
|
|
// deny permission
|
|
if (Permission.StartsWith("!"))
|
|
{
|
|
string denyRole = Permission.Replace("!", "");
|
|
if (denyRole == Constants.AllUsersRole || IsAllowed(UserId, Roles, denyRole))
|
|
{
|
|
allowed = false;
|
|
}
|
|
}
|
|
else // grant permission
|
|
{
|
|
if (Permission == Constants.AllUsersRole || IsAllowed(UserId, Roles, Permission))
|
|
{
|
|
allowed = true;
|
|
}
|
|
}
|
|
}
|
|
return allowed;
|
|
}
|
|
|
|
private static bool IsAllowed(int UserId, string Roles, string Permission)
|
|
{
|
|
if ("[" + UserId + "]" == Permission)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
if (Roles != null)
|
|
{
|
|
return Roles.IndexOf(";" + Permission + ";") != -1;
|
|
}
|
|
return false;
|
|
}
|
|
}
|
|
}
|