Donovan R

Reputation: 378

RavenDB Authorization Bundle proper use of SecureFor

I am attempting to use RavenDB's authorization bundle to limit the results of a query (on WorkItems) by the permissions that have been explicitly set on WorkItem documents.

For example:

I have a user [email protected] with a userId of /users/1 and a WorkItem that has the following permissions set in the Meta-Data:

"Raven-Document-Authorization": {
  "Tags": [],
  "Permissions": [
    {
      "Operation": "/Operations/WorkItem/Search",
      "User": "users/1",
      "Role": null,
      "Allow": true,
      "Priority": 1
    }
  ]
}

I would then expect the following code to limit a query (from Bob's perspective) to this one WorkItem, because that is all he has permission to.

using (var session = documentStore.OpenSession())
{
    session.SecureFor("raven/authorization/users/1", "/Operations/WorkItem/Search");

    var workItemsQuery = from wi in session.Query<WorkItem>()
                         select wi;

    var debts = workItemsQuery.ToList();

    // do something with the work items
}

I based my code on the following example from RavenDB's documentation (Context & User section): http://ravendb.net/docs/2.5/server/extending/bundles/authorization-bundle-design

What I am getting instead is WorkItems that have no explicit permissions set. This is very puzzling to me because if I run the following code:

using (var session = mDocumentStore.OpenSession())
{
    var answer = session.Advanced.IsOperationAllowedOnDocument(userId, operation, securableId);
    var allowed = answer.IsAllowed;
}

allowed is true.

One additional item of note: I am attempting to ignore or simply not use the authorization bundle's concept of role, and I wonder if this is having some unintended effect.

It is very possible that I am misunderstanding their example. Could anyone shed any light on this subject for me? Thanks in advance.

Also, I wondered if the issue I am encountering was related to this StackOverflow question: RavenDB: Raven Query not returning correct count with document authorization, but their issue seems to be with the count and not necessarily the actual results.

Upvotes: 4

Views: 340

Answers (1)

Donovan R

Reputation: 378

Just to tidy up this question, I will provide an answer to what was causing my problem. The issue was related to the use of the "raven/authorization/users/1" syntax. When I changed the search command to simply use "users/1", it worked correctly.

Upvotes: 1
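A guarded version of the secured query, as an added example that is not part of the original question or answer: it passes the user's document id exactly as it appears in the permission's "User" field, refuses a principal id that does not resolve to a stored document, and re-checks every returned document with the same `IsOperationAllowedOnDocument` call used in the question. The `WorkItem` class with an `Id` property, the `SecuredWorkItemSearch` helper, and the assumption that users are stored under the id used in the permissions are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Raven.Client;
using Raven.Client.Authorization; // SecureFor, IsOperationAllowedOnDocument

// Hypothetical stand-in for the asker's document type; only Id is assumed.
public class WorkItem { public string Id { get; set; } }

public static class SecuredWorkItemSearch
{
    const string SearchOperation = "/Operations/WorkItem/Search";

    // userId must be the user's document id exactly as written in the
    // "User" field of the permission metadata, e.g. "users/1".
    public static List<WorkItem> SearchAs(IDocumentStore store, string userId)
    {
        // Fail closed on a principal id that does not resolve to a stored
        // document (assumption: users are stored under that same id).
        if (store.DatabaseCommands.Get(userId) == null)
            throw new ArgumentException(
                "No user document with id '" + userId + "'", "userId");

        using (var session = store.OpenSession())
        {
            session.SecureFor(userId, SearchOperation);
            var items = session.Query<WorkItem>().ToList();

            // Second check per document, so a filtering mistake surfaces as
            // an error instead of as extra rows handed to the caller.
            foreach (var item in items)
            {
                var answer = session.Advanced.IsOperationAllowedOnDocument(
                    userId, SearchOperation, item.Id);
                if (!answer.IsAllowed)
                    throw new InvalidOperationException(
                        "Query returned " + item.Id + ", which " + userId +
                        " is not allowed to access via " + SearchOperation);
            }
            return items;
        }
    }
}
```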
