PermissionChecker should check for multitenancy side.

7 years ago · 6bf2cb94d4
4 changed files with 44 additions and 4 deletions
--- a/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/Permissions/PermissionChecker.cs
+++ b/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/Permissions/PermissionChecker.cs
@ -4,8 +4,10 @@ using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
+using System.Security.Principal;
 using System.Threading.Tasks;
 using Volo.Abp.DependencyInjection;
+using Volo.Abp.MultiTenancy;
 using Volo.Abp.Security.Claims;

 namespace Volo.Abp.Authorization.Permissions
@ -18,6 +20,8 @@ namespace Volo.Abp.Authorization.Permissions

        protected ICurrentPrincipalAccessor PrincipalAccessor { get; }

+        protected ICurrentTenant CurrentTenant { get; }
+
        protected PermissionOptions Options { get; }

        private readonly Lazy<List<IPermissionValueProvider>> _lazyProviders;
@ -26,10 +30,12 @@ namespace Volo.Abp.Authorization.Permissions
            IOptions<PermissionOptions> options,
            IServiceProvider serviceProvider,
            ICurrentPrincipalAccessor principalAccessor,
-            IPermissionDefinitionManager permissionDefinitionManager)
+            IPermissionDefinitionManager permissionDefinitionManager, 
+            ICurrentTenant currentTenant)
        {
            PrincipalAccessor = principalAccessor;
            PermissionDefinitionManager = permissionDefinitionManager;
+            CurrentTenant = currentTenant;
            Options = options.Value;

            _lazyProviders = new Lazy<List<IPermissionValueProvider>>(
@ -50,9 +56,17 @@ namespace Volo.Abp.Authorization.Permissions
        {
            Check.NotNull(name, nameof(name));

-            var isGranted = false;
-
            var permission = PermissionDefinitionManager.Get(name);
+
+            var multiTenancySide = claimsPrincipal?.GetMultiTenancySide()
+                                   ?? CurrentTenant.GetMultiTenancySide();
+
+            if (!permission.MultiTenancySide.HasFlag(multiTenancySide))
+            {
+                return false;
+            }
+
+            var isGranted = false;
            var context = new PermissionValueCheckContext(permission, claimsPrincipal);
            foreach (var provider in ValueProviders)
            {
--- a/modules/permission-management/test/Volo.Abp.PermissionManagement.TestBase/Volo/Abp/PermissionManagement/PermissionTestDataBuilder.cs
+++ b/modules/permission-management/test/Volo.Abp.PermissionManagement.TestBase/Volo/Abp/PermissionManagement/PermissionTestDataBuilder.cs
@ -29,6 +29,15 @@ namespace Volo.Abp.PermissionManagement
                    User1Id.ToString()
                )
            );
+
+            _permissionGrantRepository.Insert(
+                new PermissionGrant(
+                    _guidGenerator.Create(),
+                    "MyPermission3",
+                    UserPermissionValueProvider.ProviderName,
+                    User1Id.ToString()
+                )
+            );
        }
    }
 }
--- a/modules/permission-management/test/Volo.Abp.PermissionManagement.TestBase/Volo/Abp/PermissionManagement/TestPermissionDefinitionProvider.cs
+++ b/modules/permission-management/test/Volo.Abp.PermissionManagement.TestBase/Volo/Abp/PermissionManagement/TestPermissionDefinitionProvider.cs
@ -1,4 +1,5 @@
 using Volo.Abp.Authorization.Permissions;
+using Volo.Abp.MultiTenancy;

 namespace Volo.Abp.PermissionManagement
 {
@ -12,6 +13,8 @@ namespace Volo.Abp.PermissionManagement

            var myPermission2 = testGroup.AddPermission("MyPermission2");
            myPermission2.AddChild("MyPermission2.ChildPermission1");
+
+            testGroup.AddPermission("MyPermission3", multiTenancySide: MultiTenancySides.Host);
        }
    }
 }
--- a/modules/permission-management/test/Volo.Abp.PermissionManagement.Tests/Volo/Abp/PermissionManagement/PermissionChecker_User_Tests.cs
+++ b/modules/permission-management/test/Volo.Abp.PermissionManagement.Tests/Volo/Abp/PermissionManagement/PermissionChecker_User_Tests.cs
@ -44,7 +44,16 @@ namespace Volo.Abp.PermissionManagement
            )).ShouldBeFalse();
        }

-        private static ClaimsPrincipal CreatePrincipal(Guid? userId)
+        [Fact]
+        public async Task Should_Not_Allow_Host_Permission_To_Tenant_User_Even_Granted_Before()
+        {
+            (await _permissionChecker.IsGrantedAsync(
+                CreatePrincipal(PermissionTestDataBuilder.User1Id, Guid.NewGuid()),
+                "MyPermission3"
+            )).ShouldBeFalse();
+        }
+
+        private static ClaimsPrincipal CreatePrincipal(Guid? userId, Guid? tenantId = null)
        {
            var claimsIdentity = new ClaimsIdentity();

@ -53,6 +62,11 @@ namespace Volo.Abp.PermissionManagement
                claimsIdentity.AddClaim(new Claim(AbpClaimTypes.UserId, userId.ToString()));
            }

+            if (tenantId != null)
+            {
+                claimsIdentity.AddClaim(new Claim(AbpClaimTypes.TenantId, tenantId.ToString()));
+            }
+
            return new ClaimsPrincipal(claimsIdentity);
        }
    }