
source: branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs @ 15508

Last change on this file since 15508 was 15508, checked in by jzenisek, 6 years ago

#2839 finalized permission checks in AddTask and revised implementation of ResourcePermission methods

File size: 4.8 KB
1#region License Information
2/* HeuristicLab
3 * Copyright (C) 2002-2016 Heuristic and Evolutionary Algorithms Laboratory (HEAL)
4 *
5 * This file is part of HeuristicLab.
6 *
7 * HeuristicLab is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * HeuristicLab is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with HeuristicLab. If not, see <http://www.gnu.org/licenses/>.
19 */
20#endregion
21
22using System;
23using System.Security;
24using HeuristicLab.Services.Access;
25using HeuristicLab.Services.Hive.DataAccess;
26using HeuristicLab.Services.Hive.DataAccess.Interfaces;
27using DA = HeuristicLab.Services.Hive.DataAccess;
28using DT = HeuristicLab.Services.Hive.DataTransfer;
29using System.Collections.Generic;
30using System.Linq;
31
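namespace HeuristicLab.Services.Hive {
  /// <summary>
  /// Authorization checks for the Hive service. Every check either returns normally or throws
  /// a <see cref="SecurityException"/> carrying one generic message, so a caller cannot tell
  /// "entity does not exist" apart from "access denied" (the checks fail closed).
  /// </summary>
  public class AuthorizationManager : IAuthorizationManager {

    private const string NOT_AUTHORIZED = "Current user is not authorized to access the requested resource";

    // Collaborators are resolved through the service locator on every access; the manager
    // itself keeps no state between calls. All methods below go through these properties
    // rather than touching ServiceLocator.Instance directly.
    private IPersistenceManager PersistenceManager {
      get { return ServiceLocator.Instance.PersistenceManager; }
    }

    private IUserManager UserManager {
      get { return ServiceLocator.Instance.UserManager; }
    }

    private IRoleVerifier RoleVerifier {
      get { return ServiceLocator.Instance.RoleVerifier; }
    }

    /// <summary>
    /// Ensures that <paramref name="userId"/> is the currently authenticated user.
    /// </summary>
    /// <param name="userId">Id of the user the caller claims to act as.</param>
    /// <exception cref="SecurityException">The id does not match the current user.</exception>
    public void Authorize(Guid userId) {
      if (userId != UserManager.CurrentUserId)
        throw new SecurityException(NOT_AUTHORIZED);
    }

    /// <summary>
    /// Ensures that the current user holds <paramref name="requiredPermission"/> on the job that
    /// owns task <paramref name="taskId"/>. Users in the <c>HiveRoles.Slave</c> role skip the
    /// check entirely, because slaves have to be able to access every task.
    /// </summary>
    /// <param name="taskId">Id of the task to check.</param>
    /// <param name="requiredPermission">Permission the caller needs on the owning job.</param>
    /// <exception cref="SecurityException">The task does not exist or the job permission is insufficient.</exception>
    public void AuthorizeForTask(Guid taskId, DT.Permission requiredPermission) {
      if (RoleVerifier.IsInRole(HiveRoles.Slave)) return; // slave-users can access all tasks
      var pm = PersistenceManager;
      var taskDao = pm.TaskDao;
      pm.UseTransaction(() => {
        var task = taskDao.GetById(taskId);
        // fail closed: an unknown task is reported exactly like a forbidden one
        if (task == null) throw new SecurityException(NOT_AUTHORIZED);
        AuthorizeJob(pm, task.JobId, requiredPermission);
      });
    }

    /// <summary>
    /// Ensures that the current user holds <paramref name="requiredPermission"/> on job
    /// <paramref name="jobId"/>.
    /// </summary>
    /// <param name="jobId">Id of the job to check.</param>
    /// <param name="requiredPermission">Permission the caller needs on the job.</param>
    /// <exception cref="SecurityException">The job does not exist or the permission is insufficient.</exception>
    public void AuthorizeForJob(Guid jobId, DT.Permission requiredPermission) {
      var pm = PersistenceManager;
      pm.UseTransaction(() => {
        AuthorizeJob(pm, jobId, requiredPermission);
      });
    }

    /// <summary>
    /// Ensures that the current user may administer resource <paramref name="resourceId"/>:
    /// the user must own the resource or be a Hive administrator.
    /// </summary>
    /// <param name="resourceId">Id of the resource to check.</param>
    /// <exception cref="SecurityException">The resource does not exist, or the user is neither its owner nor an administrator.</exception>
    public void AuthorizeForResourceAdministration(Guid resourceId) {
      var pm = PersistenceManager;
      var resourceDao = pm.ResourceDao;
      pm.UseTransaction(() => {
        var resource = resourceDao.GetById(resourceId);
        // fail closed: an unknown resource is reported exactly like a forbidden one
        if (resource == null) throw new SecurityException(NOT_AUTHORIZED);
        bool isOwner = resource.OwnerUserId == UserManager.CurrentUserId;
        if (!isOwner && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
          throw new SecurityException(NOT_AUTHORIZED);
        }
      });
    }

    /// <summary>
    /// Ensures that the current user may administer project <paramref name="projectId"/>:
    /// the user must own the project itself or one of the projects the DAO reports for this
    /// child id (presumably its ancestors – confirm against <c>GetProjectsByChildId</c>),
    /// or be a Hive administrator.
    /// </summary>
    /// <param name="projectId">Id of the project to check.</param>
    /// <exception cref="SecurityException">The project does not exist, or the user owns none of the projects in the chain and is not an administrator.</exception>
    public void AuthorizeForProjectAdministration(Guid projectId) {
      var pm = PersistenceManager;
      var projectDao = pm.ProjectDao;
      pm.UseTransaction(() => {
        var project = projectDao.GetById(projectId);
        // fail closed: an unknown project is reported exactly like a forbidden one
        if (project == null) throw new SecurityException(NOT_AUTHORIZED);

        var projectTree = new List<Project>() { project };
        projectTree.AddRange(projectDao.GetProjectsByChildId(projectId));
        var currentUserId = UserManager.CurrentUserId;
        bool ownsAnyInTree = projectTree.Any(x => x.OwnerUserId == currentUserId);
        if (!ownsAnyInTree && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
          throw new SecurityException(NOT_AUTHORIZED);
        }
      });
    }

    /// <summary>
    /// Resolves the effective permission of <paramref name="userId"/> on job <paramref name="jobId"/>:
    /// the owner always has <c>Full</c>; otherwise the explicit job permission entry is used;
    /// a missing job or missing entry yields <c>NotAllowed</c>.
    /// </summary>
    /// <param name="pm">Persistence manager whose transaction the caller has already opened.</param>
    /// <param name="jobId">Id of the job.</param>
    /// <param name="userId">Id of the user whose permission is looked up.</param>
    /// <returns>The effective <see cref="DA.Permission"/>, never null.</returns>
    private DA.Permission GetPermissionForJob(IPersistenceManager pm, Guid jobId, Guid userId) {
      var jobDao = pm.JobDao;
      var jobPermissionDao = pm.JobPermissionDao;
      var job = jobDao.GetById(jobId);
      if (job == null) return DA.Permission.NotAllowed;
      if (job.OwnerUserId == userId) return DA.Permission.Full;
      var jobPermission = jobPermissionDao.GetByJobAndUserId(jobId, userId);
      if (jobPermission == null) return DA.Permission.NotAllowed;
      return jobPermission.Permission;
    }

    /// <summary>
    /// Throws unless the current user's effective permission on <paramref name="jobId"/>
    /// satisfies <paramref name="requiredPermission"/>. Must be called inside a transaction
    /// on <paramref name="pm"/>.
    /// </summary>
    /// <param name="pm">Persistence manager whose transaction the caller has already opened.</param>
    /// <param name="jobId">Id of the job.</param>
    /// <param name="requiredPermission">Permission the caller needs on the job.</param>
    /// <exception cref="SecurityException">The effective permission is insufficient.</exception>
    private void AuthorizeJob(IPersistenceManager pm, Guid jobId, DT.Permission requiredPermission) {
      var requiredPermissionEntity = requiredPermission.ToEntity();
      DA.Permission permission = GetPermissionForJob(pm, jobId, UserManager.CurrentUserId);
      // NotAllowed never passes. A Full requirement is satisfied only by Full; any other
      // requirement is satisfied by whatever non-NotAllowed permission the user holds.
      bool denied = permission == DA.Permission.NotAllowed
          || (requiredPermissionEntity == DA.Permission.Full && permission != DA.Permission.Full);
      if (denied) {
        throw new SecurityException(NOT_AUTHORIZED);
      }
    }
  }
}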