Class AccessControlList
AccessControlList is used to restrict access to various items.
Implements
Inherited Members
Namespace: EPiServer.Security
Assembly: EPiServer.dll
Version: 11.20.7Syntax
public class AccessControlList : IEnumerable<KeyValuePair<string, AccessControlEntry>>, IEnumerable, IReadOnly<AccessControlList>, IEditableSecurityDescriptor, IReadOnly, ISecurityDescriptor, IXmlSerializable, IModifiedTrackable, IEquatable<AccessControlList>Remarks
ACL holds the Access Control List for a PageData object. Since PageData has the attribute Property which is a PropertyDataCollection, ACL effectively controls access to the Web page. Keep in mind that the Access Control List applies to all of the PageData object and its attributes. It is not possible to have different access permissions for different properties.
The Access Control List is comprised of an Access Control Entry, ACE, array and is accessed by calling the method ACL.ToRawACEArray.
Examples
The code example below demonstrates the usage of AccessControlList, RawACE and AccessControlEntry.
The example below sets up access rights on a "personal" start page. Administrators gets full access,
the creator gets everything except for administer and any other user/group that
has at least read access on the team start page gets read access rights.
The argument "page" is the page to update the access rights on.
private void SetAccessRights(PageData page)
{
PageData teamStart = Locate.ContentRepository().Get<PageData>(page.ParentLink);
AccessControlList aclClone = page.ACL.CreateWritableClone();
aclClone.IsInherited = false;
aclClone.ClearEntries();
foreach (RawACE ace in teamStart.ACL.ToRawACEArray())
{
if ((ace.Access & AccessLevel.Read) == AccessLevel.Read && ace.Name != PrincipalInfo.Current.Name && ace.Name != "Administrators")
{
aclClone.Add(new AccessControlEntry(ace.Name, AccessLevel.Read, ace.AutomaticEntryType));
}
}
aclClone.Add(new AccessControlEntry("Administrators", AccessLevel.FullAccess, SecurityEntityType.Role));
aclClone.Add(new AccessControlEntry(PrincipalInfo.Current.Name, AccessLevel.FullAccess & ~AccessLevel.Administer, SecurityEntityType.User));
aclClone.Save(SecuritySaveType.Replace);
} The following code example demonstrates the usage of <strong>ToRawACEArray</strong> to enumerate the
Access Control Entries. The example enumerates the <strong>EPiServer.Security.RawAce</strong> objects,
which together form the Access Control List and check if one of them is the Create permission.
foreach (EPiServer.Security.RawACE Ace in CurrentPage.ACL.ToRawACEArray())
{
if ((Ace.Access & EPiServer.Security.AccessLevel.Create) ==
EPiServer.Security.AccessLevel.Create)
{
// Do Something
}
} The following code example demonstrates the usage of <strong>QueryDistinctAccess</strong> to check specific
access for the current user.
if (CurrentPage.ACL.QueryDistinctAccess(EPiServer.Security.AccessLevel.Create))
{
// Checks whether the currently logged-on user has
// Create permission for the current page.
}Constructors
AccessControlList()
Initializes a new instance of the AccessControlList class without any entries.
Declaration
public AccessControlList()AccessControlList(AccessControlList)
Initializes a new instance of the AccessControlList class that has the same entries as the provided list.
Declaration
public AccessControlList(AccessControlList accessControlList)Parameters
| Type | Name | Description |
|---|---|---|
| AccessControlList | accessControlList | The list whose entries should be replicated in the new instance. |
AccessControlList(RawACE[])
Initializes a new instance of the AccessControlList class with values from the provided RawACE array.
Declaration
public AccessControlList(RawACE[] accessControlEntries)Parameters
| Type | Name | Description |
|---|---|---|
| RawACE[] | accessControlEntries | The array of entries to populate the instance with. |
Properties
AccessLevelValues
Gets a list of all the distinct AccessLevel available.
Declaration
public static IEnumerable<AccessLevel> AccessLevelValues { get; }Property Value
| Type | Description |
|---|---|
| System.Collections.Generic.IEnumerable<AccessLevel> |
ChangedBy
Gets or sets what last changed the access control list. This property is only intended for internal use.
Declaration
public AccessControlChangedBy ChangedBy { get; set; }Property Value
| Type | Description |
|---|---|
| AccessControlChangedBy |
Count
Gets the number of AccessControlEntry in the current instance.
Declaration
public int Count { get; }Property Value
| Type | Description |
|---|---|
| System.Int32 |
Remarks
This property does not take inherited entries into account.
Creator
Gets or sets the creator of the object that the ACL is attached to.
Declaration
public virtual string Creator { get; set; }Property Value
| Type | Description |
|---|---|
| System.String |
Remarks
This is used to determine special access rights for the virtual 'CreatorRole'.
Entries
Gets all the access control entries in this security descriptor instance.
Declaration
public virtual IEnumerable<AccessControlEntry> Entries { get; }Property Value
| Type | Description |
|---|---|
| System.Collections.Generic.IEnumerable<AccessControlEntry> |
Remarks
If this descriptor is inherited and the parent implements the IEditableSecurityDescriptor interface, the inherited entries will be returned.
InheritedSecurityDescriptor
Gets the parent security descriptor this instance would inherit should it be set to inherited.
Declaration
protected ISecurityDescriptor InheritedSecurityDescriptor { get; }Property Value
| Type | Description |
|---|---|
| ISecurityDescriptor |
IsInherited
Gets or sets a value that indicates if this ACL is inherited from a parent.
Declaration
public virtual bool IsInherited { get; set; }Property Value
| Type | Description |
|---|---|
| System.Boolean |
IsModified
Gets a value indicating whether this instance has been modified after loading.
Declaration
public bool IsModified { get; protected set; }Property Value
| Type | Description |
|---|---|
| System.Boolean |
|
IsReadOnly
Gets or sets a value indicating whether the current instance is read only.
Declaration
public bool IsReadOnly { get; protected set; }Property Value
| Type | Description |
|---|---|
| System.Boolean |
|
Item[String]
Gets or sets the AccessControlEntry with the specified security entity name.
Declaration
public virtual AccessControlEntry this[string securityEntityName] { get; set; }Parameters
| Type | Name | Description |
|---|---|---|
| System.String | securityEntityName | The name of the security entity entry. |
Property Value
| Type | Description |
|---|---|
| AccessControlEntry | An AccessControlEntry instance. |
Remarks
AccessControlList does not accept null as name and will overwrite any previously added elements with the same name.
Exceptions
| Type | Condition |
|---|---|
| System.ArgumentException | Thrown if trying to add an entry with a different name that the one provided. |
Keys
Gets the ACL keys.
Declaration
public ICollection Keys { get; }Property Value
| Type | Description |
|---|---|
| System.Collections.ICollection |
Remarks
This property does not take inherited entries into account.
SupportsInheritance
Returns true if the access control class supports inherited ACLs
Declaration
public virtual bool SupportsInheritance { get; }Property Value
| Type | Description |
|---|---|
| System.Boolean |
Methods
Add(AccessControlEntry)
Adds an entry to the access control list. If an entry with the same name already exists, an exception will be thrown.
Declaration
public virtual void Add(AccessControlEntry accessControlEntry)Parameters
| Type | Name | Description |
|---|---|---|
| AccessControlEntry | accessControlEntry | The AccessControlEntry to add |
AddEntry(AccessControlEntry)
Adds the provided access control entry to this security descriptor instance.
Declaration
public virtual void AddEntry(AccessControlEntry accessControlEntry)Parameters
| Type | Name | Description |
|---|---|---|
| AccessControlEntry | accessControlEntry | The access control entry to add. |
Clear()
Clears the Creator property an all entries from this security descriptor instance.
Declaration
public virtual void Clear()ClearEntries()
Clears all entries from this security descriptor instance.
Declaration
public virtual void ClearEntries()Contains(String)
Determines if the list contains an entry with the specified security entity name.
Declaration
public virtual bool Contains(string securityEntityName)Parameters
| Type | Name | Description |
|---|---|---|
| System.String | securityEntityName | The name of the security entity entry. |
Returns
| Type | Description |
|---|---|
| System.Boolean |
|
Contains(String, AccessLevel, SecurityEntityType)
Determines if the list contains an entry with the specified name, access level and security entity type.
Declaration
public virtual bool Contains(string securityEntityName, AccessLevel access, SecurityEntityType entityType)Parameters
| Type | Name | Description |
|---|---|---|
| System.String | securityEntityName | The name of the security entity entry. |
| AccessLevel | access | The access level. |
| SecurityEntityType | entityType | The security entity type. |
Returns
| Type | Description |
|---|---|
| System.Boolean |
|
Copy()
Creates a copy of the current instance.
Declaration
public virtual AccessControlList Copy()Returns
| Type | Description |
|---|---|
| AccessControlList | A new AccessControlList instance. |
CreateWritableClone()
Creates a writable clone of the current AccessControlList instance.
Declaration
public AccessControlList CreateWritableClone()Returns
| Type | Description |
|---|---|
| AccessControlList | A writable copy of the current instance. |
EntriesEquals(AccessControlList)
Determines whether the specified AccessControlList has the same entries as the current instance.
Declaration
public virtual bool EntriesEquals(AccessControlList other)Parameters
| Type | Name | Description |
|---|---|---|
| AccessControlList | other | The ACL to compare entries with. |
Returns
| Type | Description |
|---|---|
| System.Boolean |
|
Equals(AccessControlList)
Indicates whether the current AccessControlList instance is equal to another AccessControlList instance.
Declaration
public virtual bool Equals(AccessControlList other)Parameters
| Type | Name | Description |
|---|---|---|
| AccessControlList | other | An AccessControlList to compare with this instance. |
Returns
| Type | Description |
|---|---|
| System.Boolean | true if the current instance is equal to the |
GetAccessLevel(IPrincipal)
Retreives the access level for the specified principal.
Declaration
public AccessLevel GetAccessLevel(IPrincipal principal)Parameters
| Type | Name | Description |
|---|---|---|
| System.Security.Principal.IPrincipal | principal | The principal get access rights for. |
Returns
| Type | Description |
|---|---|
| AccessLevel | The access level that the specified principal has. |
Remarks
Use this method when you want to get the union of all access types granted to this principal. This is most likely only used for display purposes in the user interface. Code that checks access and performs different actions depending on the type of access granted should use the HasAccess method, since it does what you want and has the potential for being much faster.
If the current ISecurityDescriptor is inherited, this method checks the inherited access rights.
GetEnumerator()
Returns an enumerator that iterates through all entries in the collection.
Declaration
public IEnumerator<KeyValuePair<string, AccessControlEntry>> GetEnumerator()Returns
| Type | Description |
|---|---|
| System.Collections.Generic.IEnumerator<System.Collections.Generic.KeyValuePair<System.String, AccessControlEntry>> | A System.Collections.Generic.IEnumerator<T> that can be used to iterate through all entries in the collection. |
Remarks
This method will not return any inherited entries.
GetParentSecurityDescriptor()
Retrieves the security descriptor that this instance would inherited should it be set to inherited.
Declaration
protected virtual ISecurityDescriptor GetParentSecurityDescriptor()Returns
| Type | Description |
|---|---|
| ISecurityDescriptor | The security descriptor that the current instance can inherit from. |
Remarks
Implementors of this method should have their own caching in place, this method may be called a lot and does not store the results in a local variable.
HasAccess(IPrincipal, AccessLevel)
Determines whether the specified principal has the requested access.
Declaration
public bool HasAccess(IPrincipal principal, AccessLevel access)Parameters
| Type | Name | Description |
|---|---|---|
| System.Security.Principal.IPrincipal | principal | The principal to authorize. |
| AccessLevel | access | The requested access level. |
Returns
| Type | Description |
|---|---|
| System.Boolean |
|
Remarks
Note that the access level is a bitmask, i.e. we simply check that all specified access types are granted to the principal.
If the current ISecurityDescriptor is inherited, this method will check the inherited access rights.
LocalizationKey(AccessLevel)
Returns a string that can be used as a key when requesting a localized representation of the access level.
Declaration
public static string LocalizationKey(AccessLevel accessLevel)Parameters
| Type | Name | Description |
|---|---|---|
| AccessLevel | accessLevel | The access level to translate. |
Returns
| Type | Description |
|---|---|
| System.String |
MakeReadOnly()
Locks current instance for changes.
Declaration
public void MakeReadOnly()QueryAccess()
Determines the access level that the current user has for this instance.
Declaration
public AccessLevel QueryAccess()Returns
| Type | Description |
|---|---|
| AccessLevel | The AccessLevel that the current user has. |
QueryAccess(AccessLevel)
Determines the access level that the current user has for this instance limited to the maximum access level provided.
Declaration
public AccessLevel QueryAccess(AccessLevel maxAccess)Parameters
| Type | Name | Description |
|---|---|---|
| AccessLevel | maxAccess | The maximum access required to check. |
Returns
| Type | Description |
|---|---|
| AccessLevel | The AccessLevel that the principal has, at most the maximum access provided. |
QueryAccess(IPrincipal)
Determines the access level that the provided principal has for this instance.
Declaration
public AccessLevel QueryAccess(IPrincipal principal)Parameters
| Type | Name | Description |
|---|---|---|
| System.Security.Principal.IPrincipal | principal | The principal. |
Returns
| Type | Description |
|---|---|
| AccessLevel | The AccessLevel that the provided principal has. |
QueryAccess(IPrincipal, AccessLevel)
Determines the access level that the provided principal has been given.
Declaration
public virtual AccessLevel QueryAccess(IPrincipal principal, AccessLevel maxAccess)Parameters
| Type | Name | Description |
|---|---|---|
| System.Security.Principal.IPrincipal | principal | The principal whose access should be queried. |
| AccessLevel | maxAccess | The maximum access required to check. |
Returns
| Type | Description |
|---|---|
| AccessLevel | The AccessLevel that the principal has, at most the maximum access provided. |
QueryDistinctAccess(AccessLevel)
Verifies that the specific access levels are set for the current user.
Declaration
public bool QueryDistinctAccess(AccessLevel access)Parameters
| Type | Name | Description |
|---|---|---|
| AccessLevel | access | The requested access level |
Returns
| Type | Description |
|---|---|
| System.Boolean | True if the combined access level of all entries that apply to the current user in this ACL has at least the requested access level |
Remarks
This is the fastet way to query for access, and is thus the preferred mechanism.
QueryDistinctAccess(IPrincipal, AccessLevel)
Verify that the specific access levels are set for the specified principal.
Declaration
public bool QueryDistinctAccess(IPrincipal principal, AccessLevel access)Parameters
| Type | Name | Description |
|---|---|---|
| System.Security.Principal.IPrincipal | principal | The principal for the user to check access against. |
| AccessLevel | access | The requested access level |
Returns
| Type | Description |
|---|---|
| System.Boolean | True if the combined access level of all entries that apply to the given principal in this ACL has at least the requested access level |
Remarks
This is the fastet way to query for access, and is thus the preferred mechanism.
ReadXml(XmlReader)
Implementation of IXmlSerializable.ReadXml. Generates an object from its XML representation.
Declaration
protected virtual void ReadXml(XmlReader reader)Parameters
| Type | Name | Description |
|---|---|---|
| System.Xml.XmlReader | reader | The System.Xml.XmlReader stream from which the object is deserialized. |
Remove(String)
Removes the specified security entity from this list.
Declaration
public virtual bool Remove(string securityEntityName)Parameters
| Type | Name | Description |
|---|---|---|
| System.String | securityEntityName | The name of the security entity to remove. |
Returns
| Type | Description |
|---|---|
| System.Boolean | True if an entry with the provided name was found and removed;if no entry with that name was found false is returned. |
RemoveEntry(AccessControlEntry)
Removes the provided access control entry from this security descriptor instance.
Declaration
public virtual void RemoveEntry(AccessControlEntry accessControlEntry)Parameters
| Type | Name | Description |
|---|---|---|
| AccessControlEntry | accessControlEntry | The access control entry to remove. |
ResetModified()
Resets the modified flag on all the data contained on the instance.
Declaration
public void ResetModified()Save()
Saves this instance.
Declaration
[Obsolete("Use IContentSecurityRepository to save changes to ACL")]
public virtual void Save()Save(SecuritySaveType)
Saves the specified type.
Declaration
[Obsolete("Use IContentSecurityRepository to save changes to ACL")]
public virtual void Save(SecuritySaveType type)Parameters
| Type | Name | Description |
|---|---|---|
| SecuritySaveType | type | The type. |
ThrowIfInherited()
Throws an System.InvalidOperationException if current instance is set as inherited.
Declaration
protected void ThrowIfInherited()ThrowIfReadOnly()
Throws an exception if the current instance is set to read-only.
Declaration
protected void ThrowIfReadOnly()ToRawACEArray()
Creates an array of RawACE objects that represents all entries in the Access Control List.
Declaration
public RawACE[] ToRawACEArray()Returns
| Type | Description |
|---|---|
| RawACE[] | An array of RawACE objects. |
Remarks
See AccessControlList for code example.
WriteXml(XmlWriter)
Implementation of IXmlSerializable.WriteXml. Converts an object into its XML representation.
Declaration
protected virtual void WriteXml(XmlWriter writer)Parameters
| Type | Name | Description |
|---|---|---|
| System.Xml.XmlWriter | writer | The System.Xml.XmlWriter stream to which the object is serialized. |
Explicit Interface Implementations
IReadOnly.CreateWritableClone()
Creates writable clone of this object.
Declaration
object IReadOnly.CreateWritableClone()Returns
| Type | Description |
|---|---|
| System.Object | Writable clone object. |
IEnumerable.GetEnumerator()
Declaration
IEnumerator IEnumerable.GetEnumerator()Returns
| Type | Description |
|---|---|
| System.Collections.IEnumerator |
