RavenDB-4117

ravendb · Dec 27, 2015 · 4cfc3d3 · 4cfc3d3
1 parent abced5d
commit 4cfc3d3
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/Bundles/Raven.Bundles.Authorization/AuthorizationDecisions.cs b/Bundles/Raven.Bundles.Authorization/AuthorizationDecisions.cs
@@ -174,14 +174,26 @@ private static IEnumerable<string> GetHierarchicalNames(IEnumerable<string> name
 
         private static bool OperationMatches(string op1, string op2)
         {
-            return op2.StartsWith(op1, StringComparison.InvariantCultureIgnoreCase);
+            return IsHierarchicPrefix(op2,op1);
         }
 
         private static bool TagsMatch(IEnumerable<string> permissionTags, IEnumerable<string> documentTags)
         {
-            return permissionTags.All(p => documentTags.Any(d => d.StartsWith(p, StringComparison.InvariantCultureIgnoreCase)));
+            return permissionTags.All(p => documentTags.Any(d => IsHierarchicPrefix(d,p)));
         }
 
+        private static bool IsHierarchicPrefix(string fullPath,string prefix)
+        {
+            if (!fullPath.StartsWith(prefix, StringComparison.InvariantCultureIgnoreCase))
+                return false;
+            //strings are equal
+            if (fullPath.Length == prefix.Length)
+                return true;
+            //strings are hierarchic to one another
+            if (fullPath[prefix.Length] == '/')
+                return true;
+            return false;
+        }
         private T GetDocumentAsEntity<T>(string documentId) where T : class
         {
             var document = database.Documents.Get(documentId, null);

diff --git a/Raven.Tests.Bundles/Authorization/CanHandleAuthQuestions.cs b/Raven.Tests.Bundles/Authorization/CanHandleAuthQuestions.cs
@@ -607,5 +607,44 @@ public void WhenThereIsNoAuthorizationWillAllow()
             var isAllowed = authorizationDecisions.IsAllowed(userId, operation, company.Id, jsonDocument.Metadata, null);
             Assert.True(isAllowed);
         }
+        [Fact]
+        public void WhenGivingUserPermissionForTagStartingWithSameNameAndTaggingDocumentWillFail()
+        {
+            var company = new Company
+            {
+                Name = "Hibernating Rhinos"
+            };
+            using (var s = store.OpenSession(DatabaseName))
+            {
+                s.Store(new client::Raven.Bundles.Authorization.Model.AuthorizationUser
+                {
+                    Id = userId,
+                    Name = "Ayende Rahien",
+                    Permissions =
+            {
+              new client::Raven.Bundles.Authorization.Model.OperationPermission
+              {
+                Allow = true,
+                Operation = operation,
+                Tags = { "Companies/Imp" }
+              }
+            }
+                });
+
+                s.Store(company);
+
+                client::Raven.Client.Authorization.AuthorizationClientExtensions.SetAuthorizationFor(s, company, new client::Raven.Bundles.Authorization.Model.DocumentAuthorization
+                {
+                    Tags = { "Companies/Important" }
+                });
+
+                s.SaveChanges();
+            }
+
+            var jsonDocument = Database.Documents.Get(company.Id, null);
+            var isAllowed = authorizationDecisions.IsAllowed(userId, operation, company.Id, jsonDocument.Metadata, null);
+            Assert.False(isAllowed);
+        }
+
     }
 }