coreframework edited this page Sep 7, 2011 · 6 revisions

Basic permissions structure

The Core.Framework.Permissions project contains the auxiliary classes and interfaces needed for permissions to work correctly. It is divided into three sections: Models, Contracts and Helpers.

The Contracts section contains the IPermissionCommonService interface with the main permission methods:

  • IsAllowed: checks whether a given action is allowed for a user.
  • GetAccess: returns the whole list of operations of an IPermissible object, with a value for each operation saying whether it is allowed.
  • SetupDefaultRolePermissions: applies the default operation permissions for the pre-defined roles (User, Owner and Guest).

The Models section contains the basic permission classes:

  • ICorePrincipal: the current user.
  • IPermissible: an object must implement this interface to support permissions. Interface members:
 *   PermissionTitle: the title of the permissible resource (needed for display in the Control Panel).
 *   Operations: the collection of operations (IPermissionOperation items).
  • IPermissionOperation: contains the properties describing a single operation:
 *    Key: the operation key (used to store the value in the database).
 *    Title: the operation title.
 *    PermissionArea: defines where the operation applies. There are 4 areas in the system: Portal, Applications, Control Panel, Content.
 *    Operation level: defines the scope at which the operation can be applied. Possible values:
   *  Object: the operation belongs to a specific object (e.g. a specified page or widget instance).
   *  Type: the operation belongs to the whole object type (e.g. all pages or all widgets).
   *  ObjectType: the operation belongs to both an object and its object type (e.g. permission to view all pages and permission to view a particular page).
  • PermissionOperationLevel: the enum holding the operation levels listed above (Object, Type, ObjectType).

The Helpers section contains the helper classes:

  • OperationsHelper: contains the GetOperations method, documented as follows:

    /// <summary>
    /// Convert Enum to collection of IPermissibleOperation members.
    /// </summary>
    /// <typeparam name="T">The type of the enum.</typeparam>
  • PermissionsHelper: contains a helper method that builds the EntityType name from an object type:

    public static String GetEntityType(Type entityType)
    {
        return String.Format("{0}.{1}", entityType.Namespace, entityType.Name);
    }

PermissionsAttribute: specifies the permissions required to execute an action. Parameters: Operation (the operation key) and EntityType (the resource type).

     [Permissions((int)BaseEntityOperations.Manage, typeof(Role))]
     public partial class RoleController : Controller
     {
     }

OperationDescriptionAttribute: specifies the options of an operation (area, level, default access per role):

    [OperationDescription(PermissionArea.Applications, PermissionOperationLevel.ObjectType, GuestDefaultAcess = true, OwnerDefaultAcess = true, UserDefaultAccess = true)]
    View = 1
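The following added example (not Core.Framework code) shows the two ideas above working together: a reflection-based GetOperations in the style of the page's OperationsHelper, and a Guest default mask in the spirit of SetupDefaultRolePermissions. The attribute's constructor and properties, the two enums and the returned tuple shape are assumptions taken from how they are used on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
// Added example (not Core.Framework code): a reflection-based GetOperations like the page's
// OperationsHelper, plus a Guest default mask in the spirit of SetupDefaultRolePermissions.
// Attribute constructor/properties and the two enums are assumed from their usage on the page.
public enum PermissionArea { Portal, Applications, ControlPanel, Content }
public enum PermissionOperationLevel { Object, Type, ObjectType }
[AttributeUsage(AttributeTargets.Field)]
public sealed class OperationDescriptionAttribute : Attribute
{
    public PermissionArea Area { get; }
    public PermissionOperationLevel Level { get; }
    public bool GuestDefaultAcess { get; set; }   // spelled as on this page
    public bool OwnerDefaultAcess { get; set; }
    public bool UserDefaultAccess { get; set; }
    public OperationDescriptionAttribute(PermissionArea area, PermissionOperationLevel level)
    { Area = area; Level = level; }
}

public enum PageOperations
{
    [OperationDescription(PermissionArea.Applications, PermissionOperationLevel.Object,
        GuestDefaultAcess = true, OwnerDefaultAcess = true, UserDefaultAccess = true)]
    View = 1,
    [OperationDescription(PermissionArea.Applications, PermissionOperationLevel.Object, OwnerDefaultAcess = true)]
    Update = 4,
    [OperationDescription(PermissionArea.Portal, PermissionOperationLevel.Type)]
    AddNewPages = 16
}

public static class OperationsHelper
{
    // Only enum members carrying an OperationDescription become operations, so an
    // undescribed value can never turn into a grantable permission.
    public static IEnumerable<(int Key, string Title, OperationDescriptionAttribute Desc)> GetOperations<TEnum>()
        where TEnum : struct, Enum
    {
        foreach (FieldInfo f in typeof(TEnum).GetFields(BindingFlags.Public | BindingFlags.Static))
        {
            var desc = f.GetCustomAttribute<OperationDescriptionAttribute>();
            if (desc != null) yield return (Convert.ToInt32(f.GetValue(null)), f.Name, desc);
        }
    }
    // OR of every key whose description grants Guest by default: the Permissions-column value the Guest role would get.
    public static int GuestDefaultMask<TEnum>() where TEnum : struct, Enum =>
        GetOperations<TEnum>().Where(o => o.Desc.GuestDefaultAcess).Aggregate(0, (m, o) => m | o.Key);
}
```

With the enum above, GuestDefaultMask&lt;PageOperations&gt;() yields only the View bit, since Update and AddNewPages do not set GuestDefaultAcess.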

Permissions database structure

Permissions are stored in the following database tables.

  • EntityTypes table: stores all permissible objects; new permissible objects are added automatically on the Application_Start event. Table fields: Id (unique identifier), Title (namespace plus class name of the permissible class, e.g. Core.Web.NHibernate.Models.Page).

  • Permissions table:

    • Id - unique identifier
    • EntityId - the entity id (when the permission applies to an object such as a particular page, this is the pageId)
    • RoleId - the role Id
    • Permissions - the OR of all allowed actions (operations) of the current entity type (e.g. View | Manage | AddToPage | Permissions)
    • EntityTypeId - the resource type to check (entity types are stored in the EntityTypes table)

A simple check of whether an operation is permitted:

    if ((permissions & operationKey) == operationKey) { /* has permission */ }

Allow access to an action:

    permissions = permissions | operationKey;

Deny access to an action:

    permissions = permissions & (~operationKey);
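The three expressions above, applied to a Permissions-column value, as an added example that is not part of the original page. It uses the PageOperations keys this page defines (View = 1, Delete = 2, Update = 4, Permissions = 8, AddNewPages = 16); the sample role row is constructed.

```csharp
using System;

// Added example, not Core.Framework code: the check / allow / deny expressions from the page,
// applied to a Permissions-column value using this page's PageOperations keys.
[Flags]
public enum PageOperations { View = 1, Delete = 2, Update = 4, Permissions = 8, AddNewPages = 16 }

public static class PermissionBits
{
    // Every bit of operationKey must be present: a combined key such as View | Update
    // only passes when both operations are allowed, not when just one of them is.
    public static bool IsAllowed(int permissions, PageOperations operationKey)
    {
        int key = (int)operationKey;
        return (permissions & key) == key;
    }

    public static int Allow(int permissions, PageOperations operationKey) => permissions | (int)operationKey;

    // Clears only the named bits; every other operation in the row is left untouched.
    public static int Deny(int permissions, PageOperations operationKey) => permissions & ~(int)operationKey;

    // Renders a stored value the way the page describes the Permissions column ("View | Manage | ...").
    public static string Describe(int permissions) =>
        permissions == 0 ? "(none)" : ((PageOperations)permissions).ToString().Replace(", ", " | ");

    public static void Main()
    {
        // Constructed sample: a User-role row for the Page entity type that currently allows View only.
        int userRolePermissions = (int)PageOperations.View;
        Console.WriteLine($"{Describe(userRolePermissions)}: Update allowed = {IsAllowed(userRolePermissions, PageOperations.Update)}");

        // Grant Update, then revoke View; the Update bit survives the revocation.
        userRolePermissions = Allow(userRolePermissions, PageOperations.Update);
        Console.WriteLine($"{Describe(userRolePermissions)} (stored value {userRolePermissions})");
        userRolePermissions = Deny(userRolePermissions, PageOperations.View);
        Console.WriteLine($"{Describe(userRolePermissions)} (stored value {userRolePermissions})");

        // A combined key requires all of its bits, so this check fails once View has been revoked.
        Console.WriteLine(IsAllowed(userRolePermissions, PageOperations.View | PageOperations.Update));
    }
}
```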

How to apply permissions to a class?

Each class in the system can provide various operations (actions) that can be restricted by role.

To register a new class that implements permissions, follow the instructions below:

  1. Add the attribute [Export(typeof(IPermissible))] to the class to register it as an IPermissible resource.

  2. Implement the IPermissible interface, including all of its properties and methods.

    /// <summary>
    /// Defines page permission operations
    /// </summary>
    public enum PageOperations
    {
     /// <summary>
     /// Operation to define who can view the page.
     /// </summary>
     [OperationDescription(PermissionArea.Applications, PermissionOperationLevel.Object, GuestDefaultAcess = true, OwnerDefaultAcess = true, UserDefaultAccess = true)]
     View = 1,
     /// <summary>
     /// Operation to define who can delete the page.
     /// </summary>
     [OperationDescription(PermissionArea.Applications, PermissionOperationLevel.Object, OwnerDefaultAcess = true)]
     Delete = 2,
    
     /// <summary>
     /// Operation to define who can update the page.
     /// </summary>
     [OperationDescription(PermissionArea.Applications, PermissionOperationLevel.Object, OwnerDefaultAcess = true)]
     Update = 4,
    
     /// <summary>
     /// Operation to define who can manage the page permissions.
     /// </summary>
     [OperationDescription(PermissionArea.Applications, PermissionOperationLevel.Object, OwnerDefaultAcess = true)]
     Permissions = 8,
    
     /// <summary>
     /// Operation to define who can add new pages.
     /// </summary>
     [OperationDescription(PermissionArea.Portal, PermissionOperationLevel.Type)]
     AddNewPages = 16
    }

    [Export(typeof(IPermissible))]
    public class Page : Entity, IPermissible
    {
     public Page()
     {
         PermissionTitle = "Pages";
         Operations = OperationsHelper.GetOperations<PageOperations>();
     }

     #region IPermissible Members
    
     /// <summary>
     /// Gets or sets the permission title.
     /// </summary>
     /// <value>The permission title.</value>
     public virtual string PermissionTitle
     { get; set; }
    
     /// <summary>
     /// Gets or sets the object permission operations.
     /// </summary>
     /// <value>The object permission operations.</value>
     public virtual IEnumerable<IPermissionOperation> Operations
     { get; set; }
    
     #endregion
    }

  3. Check access to the object using the service methods.

    // Resolve the permission service (the generic argument is the interface described above).
    permissionService = ServiceLocator.Current.GetInstance<IPermissionCommonService>();

    // Check if the user has permission to update a specific page:
    //   (Int32)PageOperations.Update    - operation code to check
    //   this.CorePrincipal()            - current user
    //   typeof(Page), pageId            - resource type and the id of the page instance
    //   isPageOwner                     - whether the current user owns the page (determined by the caller)
    //   PermissionOperationLevel.Object - operation level
    bool isUpdatePageAllowed = permissionService.IsAllowed((Int32)PageOperations.Update, this.CorePrincipal(), typeof(Page), pageId, isPageOwner, PermissionOperationLevel.Object);

Permissions setup

If your registered permissible object includes operations with the "Type" or "ObjectType" operation level, you can define permissions for roles in the Control Panel (Control Panel -> Users -> Roles -> Permissions).

The operations form is shown below:

[Image: permissions]

Operations with the "Object" or "ObjectType" level belong to a specific object. For example, you can define permissions for a particular page or widget. The permissions form for a page is shown below:

[Image: page permissions]
