I am trying to use the RavenDB authorization pool to restrict the query results (on WorkItems) to the permissions explicitly set on WorkItem documents.
For instance:
I have a user bob@bob.com with the userId users/1 and a WorkItem, which has the following permissions set in the metadata:

    "Raven-Document-Authorization": {
      "Tags": [],
      "Permissions": [
        {
          "Operation": "/Operations/WorkItem/Search",
          "User": "users/1",
          "Role": null,
          "Allow": true,
          "Priority": 1
        }
      ]
    }

Then I would expect the following code to limit the request (from Bob's point of view) to this one WorkItem, because that's all it has permission for.

    using (var session = documentStore.OpenSession())
    {
        // Scope this session to the given user and operation
        session.SecureFor("raven/authorization/users/1", "/Operations/WorkItem/Search");

        var workItemsQuery = from wi in session.Query<WorkItem>() select wi;
        var debts = workItemsQuery.ToList();
    }

I based my code on the following example from the RavenDB documentation ("Context and User" section): http://ravendb.net/docs/2.5/server/extending/bundles/authorization-bundle-design
Instead, I get WorkItems that do not have explicit permissions. This is very puzzling to me, because if I run the following code:

    using (var session = mDocumentStore.OpenSession())
    {
        var answer = session.Advanced.IsOperationAllowedOnDocument(userId, operation, securableId);
        var allowed = answer.IsAllowed;
    }

permissible.
One more point of note: I am trying to ignore or simply not use the concept of authorization roles, and I am wondering if this has any unintended effect.
It is very possible that I misunderstand their example; can someone shed some light on this subject for me? Thanks in advance.
Also, I was wondering if there was a problem that I am facing with this question. StackOverflow: RavenDB: Raven Query does not return the correct score with document authorization, but their problem seems to be with the score and not necessarily the actual results.
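
An added diagnostic sketch, not part of the original post and not RavenDB's own code: it reads `Raven-Document-Authorization` metadata in the format shown above and reports, per document, whether a permission names exactly the user ID string passed to `SecureFor`. The sample documents and their IDs are constructed, and matching on `Operation` and `User` is plain string equality, which is an assumption and not the bundle's evaluation logic.

```python
AUTH_KEY = "Raven-Document-Authorization"  # metadata key shown in the post
SEARCH = "/Operations/WorkItem/Search"     # operation name shown in the post


def classify(metadata, user_id, operation):
    """Describe what a document's authorization metadata says for user_id."""
    auth = metadata.get(AUTH_KEY)
    if auth is None:
        return "no-authorization-metadata"
    # Assumption: exact string equality on Operation, not the bundle's matching.
    perms = [p for p in auth.get("Permissions", [])
             if p.get("Operation") == operation]
    exact = [p for p in perms if p.get("User") == user_id]
    if exact:
        verdicts = {bool(p.get("Allow")) for p in exact}
        if len(verdicts) > 1:
            return "conflicting"
        return "explicit-allow" if verdicts.pop() else "explicit-deny"
    for p in perms:
        user = p.get("User")
        # Same trailing ID under a different prefix, e.g. "users/1" versus
        # "raven/authorization/users/1": the two strings are not equal.
        if user and (user_id.endswith("/" + user) or user.endswith("/" + user_id)):
            return "user-id-mismatch"
    return "no-matching-permission"


def audit(documents, user_id, operation):
    """Map each document ID to its classification."""
    return {doc_id: classify(meta, user_id, operation)
            for doc_id, meta in documents.items()}


def permission(user, allow):
    """Build a permission entry shaped like the one in the post."""
    return {"Operation": SEARCH, "User": user, "Role": None,
            "Allow": allow, "Priority": 1}


# Constructed sample documents; only workitems/1 mirrors the post's metadata.
DOCUMENTS = {
    "workitems/1": {AUTH_KEY: {"Tags": [], "Permissions": [permission("users/1", True)]}},
    "workitems/2": {},
    "workitems/3": {AUTH_KEY: {"Tags": [], "Permissions": [permission("users/2", True)]}},
    "workitems/4": {AUTH_KEY: {"Tags": [], "Permissions": [
        permission("raven/authorization/users/1", False)]}},
}

if __name__ == "__main__":
    for uid in ("raven/authorization/users/1", "users/1"):
        print(uid, audit(DOCUMENTS, uid, SEARCH))
```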