- Users, Roles and Permissions are now hooked up together via an implementation of IAuthorizationService based on Roles. IAuthorizationService.CheckAccess is the API for module developers to check for custom permissions and the default implementation relies on the roles a user belongs to.

- Administrator is a special user that by default has all permissions.
- A non-logged or anonymous user by default doesn't have any permissions.
- Adding GetRoleByName to IRoleService.

--HG--
extra : convert_revision : svn%3A5ff7c347-ad56-4c35-b696-ccb81de16e03/trunk%4039999

src/Orchard.Web/Packages/Orchard.Roles/Models/UserRolesModel.cs

@@ -2,7 +2,7 @@ using System.Collections.Generic;
 using Orchard.Models;
 
 namespace Orchard.Roles.Models.NoRecord {
-    public interface IUserRoles {
+    public interface IUserRoles : IModel {
         IList<string> Roles { get; }
     }
 

src/Orchard.Web/Packages/Orchard.Roles/Services/RoleService.cs

@@ -10,6 +10,7 @@ namespace Orchard.Roles.Services {
     public interface IRoleService : IDependency {
         IEnumerable<RoleRecord> GetRoles();
         RoleRecord GetRole(int id);
+        RoleRecord GetRoleByName(string name);
         void CreateRole(string roleName);
         void CreatePermissionForRole(string roleName, string permissionName);
         void UpdateRole(int id, string roleName, IEnumerable<string> rolePermissions);
@@ -45,6 +46,10 @@ namespace Orchard.Roles.Services {
             return _roleRepository.Get(id);
         }
 
+        public RoleRecord GetRoleByName(string name) {
+            return _roleRepository.Get(x => x.Name == name);
+        }
+
         public void CreateRole(string roleName) {
             _roleRepository.Create(new RoleRecord { Name = roleName });
         }
@@ -57,7 +62,7 @@ namespace Orchard.Roles.Services {
                                                                       PackageName = GetPackageName(permissionName)
                                                                   });
             }
-            RoleRecord roleRecord = _roleRepository.Get(x => x.Name == roleName);
+            RoleRecord roleRecord = GetRoleByName(roleName);
             PermissionRecord permissionRecord = _permissionRepository.Get(x => x.Name == permissionName);
             roleRecord.RolesPermissions.Add(new RolesPermissions { Permission = permissionRecord, Role = roleRecord });
         }

src/Orchard.Web/Packages/Orchard.Roles/Services/RolesBasedAuthorizationService.cs

@@ -1,4 +1,8 @@
-using Orchard.Logging;
+using System;
+using System.Collections.Generic;
+using Orchard.Logging;
+using Orchard.Roles.Models;
+using Orchard.Roles.Models.NoRecord;
 using Orchard.Security;
 using Orchard.Security.Permissions;
 
@@ -16,10 +20,25 @@ namespace Orchard.Roles.Services {
         #region Implementation of IAuthorizationService
 
         public bool CheckAccess(IUser user, Permission permission) {
-            //TODO: Get roles for user
-            //TODO: Get permissions for Roles of the IUser from the role service
-            //TODO: Return false if current user doesn't have the permission
-            return true;
+            if (user == null) {
+                return false;
+            }
+
+            if (String.Equals(user.UserName, "Administrator", StringComparison.OrdinalIgnoreCase)) {
+                return true;
+            }
+
+            IEnumerable<string> rolesForUser = user.As<IUserRoles>().Roles;
+            foreach (var role in rolesForUser) {
+                RoleRecord roleRecord = _roleService.GetRoleByName(role);
+                foreach (var permissionName in _roleService.GetPermissionsForRole(roleRecord.Id)) {
+                    if (String.Equals(permissionName, permission.Name, StringComparison.OrdinalIgnoreCase)) {
+                        return true;
+                    }
+                }
+            }
+
+            return false;
         }
 
         #endregion