Programming Security: Permissions

April 24, 2009

This article is part of the documentation preview for the Programming Security section of the Developer manual. You can view the temporary TOC here

In Sitefinity, permission classes work this way:

  • Initialize
  • Request to do an operation

You might wonder how a permission to do an operation is requested. This is done using rights. Rights in Sitefinity are bit fields. As a common practice, we define a class with public static properties that emulate the behaviour of an enumeration (so that in code you do not have to cast to an integer). Most modules use CrudRights.

When you implement a Permission class, you derive from Telerik.Security.Permissions.ApplicationPermission. This base class provides the core functionality; all you need to do is provide a set of constructors and override its CheckDemand() method.

ApplicationPermission's public constructors

Since most of the code will be in constructors, it makes sense to know what ApplicationPermission's constructors are:

  • ApplicationPermission()
    Initializes a new instance of the ApplicationPermission class and sets the permission state to PermissionState.None.
  • ApplicationPermission(PermissionState state)
    Initializes a new instance of the ApplicationPermission class and sets the permission state.
  • ApplicationPermission(ISecured securedObject, int requestRights)
    Initializes a new instance of the ApplicationPermission class with the specified secured object and the access rights to test against the current user's roles.
  • ApplicationPermission(int grant, int deny)
    Initializes a new instance of the ApplicationPermission class with the specified granted and denied permissions.

Sample implementation

Here is how the Permission class is implemented in the sample pluggable Contacts module:

public class GlobalPermission : ApplicationPermission
{
    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified provider name.
    /// </summary>
    /// <param name="providerName">The name of the provider for which the permissions will be checked.</param>
    public GlobalPermission(string providerName)
        : this(new GlobalPermissions(providerName))
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class with
    ///     the specified secured object.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    public GlobalPermission(GlobalPermissions secObj)
        : base(secObj, 0)
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified provider name and rights.
    /// </summary>
    /// <param name="providerName">The name of the provider for which the permissions will be checked.</param>
    /// <param name="requestedRights">The requested rights to check permissions for.</param>
    public GlobalPermission(string providerName, int requestedRights)
        : this(new GlobalPermissions(providerName), requestedRights)
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified secured object and rights.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    /// <param name="requestedRights">The requested rights to check permissions for.</param>
    public GlobalPermission(GlobalPermissions secObj, int requestedRights)
        : base(secObj, requestedRights)
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified secured object and contact.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    /// <param name="contact"><see cref="IContact"/> object.</param>
    public GlobalPermission(GlobalPermissions secObj, IContact contact)
        : base(secObj, 0)
    {
        this.contact = contact;
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified secured object, rights and contact.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    /// <param name="requestedRights">The requested rights to check permissions for.</param>
    /// <param name="contact"><see cref="IContact"/> object.</param>
    public GlobalPermission(GlobalPermissions secObj, int requestedRights, IContact contact)
        : base(secObj, requestedRights)
    {
        this.contact = contact;
    }

    /// <summary>
    /// Checks whether the current user has been granted the requested permissions.
    /// </summary>
    /// <returns>true if the user has the permissions; otherwise false.</returns>
    public override bool CheckDemand()
    {
        // Unrestricted (administrator) users bypass the persisted grant/deny check.
        if (SecurityManager.IsCurrentUserUnrestricted())
            return true;

        return base.CheckDemand();
    }

    private IContact contact;
}

The code is clear and speaks for itself. Every constructor ultimately calls a base (ApplicationPermission) constructor, either directly or through another GlobalPermission constructor.

 

What determines whether a permission is granted is the CheckDemand() override. In this sample, if the current user is unrestricted (part of the special administrators role), he/she is granted permission. Otherwise, the persisted value is returned. If you want to check against specific rights, inspect the Grant and Deny properties, which contain the bitwise OR'ed combination of requested rights.

One might wonder: why don't we override CheckDemand(int rights) instead? Here is how that overload is implemented in the base class, ApplicationPermission:

public virtual bool CheckDemand(int rights)
{
    this.grant = rights;
    return this.CheckDemand();
}

The overload only stores the requested rights and then delegates to the parameterless CheckDemand(), so overriding CheckDemand() covers both entry points.
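The following is an added, self-contained example (not Sitefinity's or Telerik's code) that ties together the two points above: a CrudRights-style rights class built from static properties, and a CheckDemand(int rights) overload that stores the rights and delegates to the parameterless CheckDemand(), so a single override in the derived class is reached through both. ContactRights, DemoApplicationPermission, DemoGlobalPermission and the deny-wins evaluation rule are all assumptions made for the demonstration, not the framework's real classes or policy.

```csharp
// Constructed stand-in for a CrudRights-style rights class: static properties emulating an enum, so callers OR them without casting.
public static class ContactRights
{
    public static int Create { get { return 1; } }
    public static int Read   { get { return 2; } }
    public static int Update { get { return 4; } }
    public static int Delete { get { return 8; } }
}

// Minimal stand-in for ApplicationPermission (assumed shape, not Telerik's class).
public class DemoApplicationPermission
{
    private readonly int grant, deny; // persisted grant/deny masks (constructed input)
    private int request;              // rights asked for by the last CheckDemand(int) call
    public DemoApplicationPermission(int grant, int deny) { this.grant = grant; this.deny = deny; }
    public int Grant { get { return grant; } }
    public int Deny { get { return deny; } }
    // Same shape as the base-class overload quoted in the article: store, then delegate, so one override covers both entry points.
    public virtual bool CheckDemand(int rights) { request = rights; return CheckDemand(); }
    // Assumed evaluation policy: any denied bit fails; every requested bit must be granted.
    public virtual bool CheckDemand()
    {
        if ((request & deny) != 0) return false;
        return (request & grant) == request;
    }
}

public class DemoGlobalPermission : DemoApplicationPermission
{
    private readonly bool unrestricted; // stands in for SecurityManager.IsCurrentUserUnrestricted()
    public DemoGlobalPermission(int grant, int deny, bool unrestricted) : base(grant, deny) { this.unrestricted = unrestricted; }
    public override bool CheckDemand()
    {
        if (unrestricted) return true; // unrestricted users bypass the persisted masks
        return base.CheckDemand();
    }
}

public static class Program
{
    public static void Main()
    {
        // Editor: granted Read|Update, explicitly denied Delete. Admin: unrestricted user.
        var editor = new DemoGlobalPermission(ContactRights.Read | ContactRights.Update, ContactRights.Delete, false);
        var admin = new DemoGlobalPermission(0, ContactRights.Delete, true);
        System.Console.WriteLine(editor.CheckDemand(ContactRights.Read | ContactRights.Update));
        System.Console.WriteLine(editor.CheckDemand(ContactRights.Read | ContactRights.Delete)); // Delete is in the deny mask
        System.Console.WriteLine(admin.CheckDemand(ContactRights.Delete)); // reached through the override; deny mask skipped
    }
}
```

Each call goes through the int overload, yet the derived override is what decides the result, which is why overriding the parameterless method is sufficient.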
The Progress Guys