
Programming Security: Permissions

by Dilyan Rusev

This article is part of the documentation preview for the Programming Security section of the Developer manual. You can view the temporary TOC here

In Sitefinity, permission classes work this way:

  • Initialize
  • Request to do an operation

You might wonder how we request permission to do an operation. This is done using rights. Rights in Sitefinity are bit fields. As a common practice, we define a class with public static properties that emulate an enumeration (so that in code you never have to convert an enum to an integer). Most modules use CrudRights.

When you implement a permission class, you inherit from Telerik.Security.Permissions.ApplicationPermission. This class provides the basic functionality; all you need to do is provide a set of constructors and override its CheckDemand() method.

ApplicationPermission's public constructors

Since most of the code will be in constructors, it makes sense to know what ApplicationPermission's constructors are:

  • ApplicationPermission()
    Initializes a new instance of the ApplicationPermission class and sets the permission state to PermissionState.None.
  • ApplicationPermission(PermissionState state)
    Initializes a new instance of the ApplicationPermission class and sets the permission state.
  • ApplicationPermission(ISecured securedObject, int requestRights)
    Initializes a new instance of the ApplicationPermission class with the specified secured object and the access rights to test against the current user's roles.
  • ApplicationPermission(int grant, int deny)
    Initializes a new instance of the ApplicationPermission class with the specified granted and denied permissions.

Sample implementation

Here is how the Permission class is implemented in the sample pluggable Contacts module:


using Telerik.Security.Permissions;

public class GlobalPermission : ApplicationPermission
{
    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified provider name.
    /// </summary>
    /// <param name="providerName">The name of the provider for which the permissions will be checked.</param>
    public GlobalPermission(string providerName)
        : this(new GlobalPermissions(providerName))
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class with
    ///     the specified secured object.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    public GlobalPermission(GlobalPermissions secObj)
        : base(secObj, 0)
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified provider name and rights.
    /// </summary>
    /// <param name="providerName">The name of the provider for which the permissions will be checked.</param>
    /// <param name="requestedRights">The requested rights to check permissions for.</param>
    public GlobalPermission(string providerName, int requestedRights)
        : this(new GlobalPermissions(providerName), requestedRights)
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified secured object and rights.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    /// <param name="requestedRights">The requested rights to check permissions for.</param>
    public GlobalPermission(GlobalPermissions secObj, int requestedRights)
        : base(secObj, requestedRights)
    {
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified secured object and contact.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    /// <param name="contact"><see cref="IContact"/> object.</param>
    public GlobalPermission(GlobalPermissions secObj, IContact contact)
        : base(secObj, 0)
    {
        this.contact = contact;
    }

    /// <summary>
    ///     Initializes a new instance of the <see cref="GlobalPermission"/> class for the
    ///     specified secured object, rights and contact.
    /// </summary>
    /// <param name="secObj"><see cref="GlobalPermissions"/> secured object.</param>
    /// <param name="requestedRights">The requested rights to check permissions for.</param>
    /// <param name="contact"><see cref="IContact"/> object.</param>
    public GlobalPermission(GlobalPermissions secObj, int requestedRights, IContact contact)
        : base(secObj, requestedRights)
    {
        this.contact = contact;
    }

    /// <summary>
    /// Checks if the current user has been granted the requested permissions.
    /// </summary>
    /// <returns>true if the user has the permissions; otherwise false.</returns>
    public override bool CheckDemand()
    {
        // Unrestricted users (the special administrators role) are always granted.
        if (SecurityManager.IsCurrentUserUnrestricted())
            return true;

        // Otherwise fall back to the persisted grant/deny values held by the base class.
        return base.CheckDemand();
    }

    // Set by the two contact-aware constructors; the sample shown here does not read it.
    private IContact contact;
}
The code is straightforward: every constructor ends up calling a base (ApplicationPermission) constructor with the secured object and the requested rights (0 when no specific rights are requested). The private contact field only stores the IContact passed to the last two constructors; the sample shown here does not read it.


What determines whether a permission is granted or not is the CheckDemand() override. In this sample, if the current user is unrestricted (part of the special administrators role), he/she is granted permission. Otherwise, the persisted value is returned by the base implementation. If you want to check against specific rights, inspect the Grant and Deny properties, which contain the bitwise OR'ed combination of the requested rights.

One might wonder: why don't we override CheckDemand(int rights) instead? Here is how that method is implemented in the base class, ApplicationPermission:

public virtual bool CheckDemand(int rights)
{
    this.grant = rights;
    return this.CheckDemand();
}

It simply stores the requested rights and delegates to the parameterless CheckDemand(), so overriding the latter covers both call paths.
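To make the two rules above concrete (rights as OR'ed bit fields, and a CheckDemand that honours the Grant bits and a Deny set), here is an added, self-contained C# illustration of the pattern. It is not Sitefinity's code: ContactRights, ContactsPermission and the per-role rights tables are hypothetical stand-ins, and the real ApplicationPermission base class is not referenced.

```csharp
using System.Collections.Generic;

// Hypothetical stand-in for Sitefinity's CrudRights: bit-field rights exposed as
// static properties, so call sites never have to cast an enum to int.
public static class ContactRights
{
    public static int View   { get { return 1 << 0; } }
    public static int Modify { get { return 1 << 1; } }
    public static int Delete { get { return 1 << 2; } }
}

// Minimal model of the ApplicationPermission pattern (not Telerik's class). Grant holds
// the bitwise OR of the requested rights; CheckDemand(int) stores the request and
// delegates to CheckDemand(), as the base-class method shown above does.
public class ContactsPermission
{
    // Constructed sample of persisted per-role rights; a deny bit overrides a grant bit.
    private static readonly Dictionary<string, int> GrantedByRole = new Dictionary<string, int>
        { { "Editors", ContactRights.View | ContactRights.Modify }, { "Readers", ContactRights.View } };
    private static readonly Dictionary<string, int> DeniedByRole = new Dictionary<string, int>
        { { "Readers", ContactRights.Delete } };

    private readonly string role;
    private readonly bool unrestricted;   // true for the special administrators role

    public ContactsPermission(string role, bool unrestricted, int requestedRights)
    {
        this.role = role;
        this.unrestricted = unrestricted;
        this.Grant = requestedRights;
    }

    public int Grant { get; private set; }

    public virtual bool CheckDemand(int rights)
    {
        this.Grant = rights;
        return this.CheckDemand();
    }

    public virtual bool CheckDemand()
    {
        if (unrestricted) return true;             // unrestricted users skip the bit check
        int granted, denied;
        GrantedByRole.TryGetValue(role, out granted);
        DeniedByRole.TryGetValue(role, out denied);
        if ((denied & Grant) != 0) return false;   // any denied bit in the request wins
        return (granted & Grant) == Grant;         // every requested bit must be granted
    }
}
```

With these tables a Readers user passes CheckDemand(ContactRights.View), fails CheckDemand(ContactRights.Delete) because the deny bit wins, and fails CheckDemand(ContactRights.View | ContactRights.Modify) because Modify was never granted.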

1 comment

  1. Ivan Pelovski Jul 21, 2009
    Hi there,
    Please revise this article. The author referred two times to the CheckDemand method and both times he misspelled it (CheckPermission and OnDemand). And one more thing: "The code is clear and speaks for itself." didn't help me understand why there is a "private IContact contact;" field and where it is used.
    Best regards,
    Ivan
