From 05071ce3b351a4b9a99f3ed1fd901855a1d68d48 Mon Sep 17 00:00:00 2001
From: Dan Smith <sonomofo@gmail.com>
Date: Fri, 24 Sep 2010 08:54:01 -0400
Subject: [PATCH 1/4] Fix for orphaned EntityReference when entity is detached
 from all EntitiesGroups

---
 .../AuthorizationRepositoryFixture.cs         | 48 +++++++++++++++++++
 .../Services/AuthorizationRepository.cs       |  9 ++++
 2 files changed, 57 insertions(+)

diff --git a/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs b/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs
index 41c2dcb..83374d6 100644
--- a/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs
+++ b/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs
@@ -5,6 +5,7 @@
 namespace Rhino.Security.Tests
 {
     using System;
+    using NHibernate.Criterion;
 
     public class AuthorizationRepositoryFixture : DatabaseFixture
     {
@@ -806,5 +807,52 @@ public void RemovingUserWillAlsoRemoveAssociatedPermissions()
             session.Delete(user);
 
         }
+
+		  [Fact]
+		  public void DetachingEntityFromGroupDoesNotOrphanEntityReference() {
+			  // Create new account and associate it with two groups
+			  Account account = new Account() { Name = "JohnDoe" };
+			  session.Save(account);
+
+			  authorizationRepository.AssociateEntityWith<Account>(account, "Important Accounts");
+			  authorizationRepository.CreateEntitiesGroup("Very Important Accounts");
+			  authorizationRepository.AssociateEntityWith<Account>(account, "Very Important Accounts");
+			  session.Flush();
+
+			  Guid key = Security.ExtractKey(account);
+
+			  // Confirm EntityReference for the new account exists.
+			  EntityReference reference = session.CreateCriteria<EntityReference>()
+					.Add(Restrictions.Eq("EntitySecurityKey", key))
+					.SetCacheable(true)
+					.UniqueResult<EntityReference>();
+
+			  Assert.True(reference != null);
+
+			  // Detach the account from one group and check if its 
+			  // EntityReference still exists.
+			  authorizationRepository.DetachEntityFromGroup<Account>(account, "Important Accounts");
+			  session.Flush();
+
+			  reference = session.CreateCriteria<EntityReference>()
+					.Add(Restrictions.Eq("EntitySecurityKey", key))
+					.SetCacheable(true)
+					.UniqueResult<EntityReference>();
+
+			  Assert.True(reference != null);
+
+
+			  // Detach the account from the other group and check
+			  // if its EntityReference was removed.
+			  authorizationRepository.DetachEntityFromGroup<Account>(account, "Important Accounts");
+			  session.Flush();
+
+			  reference = session.CreateCriteria<EntityReference>()
+					.Add(Restrictions.Eq("EntitySecurityKey", key))
+					.SetCacheable(true)
+					.UniqueResult<EntityReference>();
+
+			  Assert.True(reference == null);
+		  }
     }
 }
\ No newline at end of file
diff --git a/Rhino.Security/Services/AuthorizationRepository.cs b/Rhino.Security/Services/AuthorizationRepository.cs
index b37f484..26459b7 100644
--- a/Rhino.Security/Services/AuthorizationRepository.cs
+++ b/Rhino.Security/Services/AuthorizationRepository.cs
@@ -501,6 +501,7 @@ public void DetachEntityFromGroup<TEntity>(TEntity entity, string entitiesGroupN
 
 			EntityReference reference = GetOrCreateEntityReference<TEntity>(key);
 			entitiesGroup.Entities.Remove(reference);
+			RemoveOrphanedEntityReference<TEntity>(entity, reference);
 		}
 
 
@@ -588,5 +589,13 @@ private EntityType GetOrCreateEntityType<TEntity>()
 			}
 			return entityType;
 		}
+
+		private void RemoveOrphanedEntityReference<TEntity>(TEntity entity, EntityReference reference) where TEntity : class 
+		{
+			EntitiesGroup[] entitiesGroups = this.GetAssociatedEntitiesGroupsFor<TEntity>(entity);
+			if (entitiesGroups.Length <= 1) {
+				session.Delete(reference);
+			}
+		}
 	}
 }

From 360108b9d198e9215ef7dbd08e6eb15ba37c932a Mon Sep 17 00:00:00 2001
From: Dan Smith <sonomofo@gmail.com>
Date: Tue, 28 Sep 2010 10:20:48 -0400
Subject: [PATCH 2/4] Undo previous fix; removed the
 RemoveOrphanedEntityReference method from AuthorizationRepository

- Will use event listener to fix bug
---
 .../AuthorizationRepositoryFixture.cs         | 48 -------------------
 .../Services/AuthorizationRepository.cs       |  9 ----
 2 files changed, 57 deletions(-)

diff --git a/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs b/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs
index 83374d6..41c2dcb 100644
--- a/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs
+++ b/Rhino.Security.Tests/AuthorizationRepositoryFixture.cs
@@ -5,7 +5,6 @@
 namespace Rhino.Security.Tests
 {
     using System;
-    using NHibernate.Criterion;
 
     public class AuthorizationRepositoryFixture : DatabaseFixture
     {
@@ -807,52 +806,5 @@ public void RemovingUserWillAlsoRemoveAssociatedPermissions()
             session.Delete(user);
 
         }
-
-		  [Fact]
-		  public void DetachingEntityFromGroupDoesNotOrphanEntityReference() {
-			  // Create new account and associate it with two groups
-			  Account account = new Account() { Name = "JohnDoe" };
-			  session.Save(account);
-
-			  authorizationRepository.AssociateEntityWith<Account>(account, "Important Accounts");
-			  authorizationRepository.CreateEntitiesGroup("Very Important Accounts");
-			  authorizationRepository.AssociateEntityWith<Account>(account, "Very Important Accounts");
-			  session.Flush();
-
-			  Guid key = Security.ExtractKey(account);
-
-			  // Confirm EntityReference for the new account exists.
-			  EntityReference reference = session.CreateCriteria<EntityReference>()
-					.Add(Restrictions.Eq("EntitySecurityKey", key))
-					.SetCacheable(true)
-					.UniqueResult<EntityReference>();
-
-			  Assert.True(reference != null);
-
-			  // Detach the account from one group and check if its 
-			  // EntityReference still exists.
-			  authorizationRepository.DetachEntityFromGroup<Account>(account, "Important Accounts");
-			  session.Flush();
-
-			  reference = session.CreateCriteria<EntityReference>()
-					.Add(Restrictions.Eq("EntitySecurityKey", key))
-					.SetCacheable(true)
-					.UniqueResult<EntityReference>();
-
-			  Assert.True(reference != null);
-
-
-			  // Detach the account from the other group and check
-			  // if its EntityReference was removed.
-			  authorizationRepository.DetachEntityFromGroup<Account>(account, "Important Accounts");
-			  session.Flush();
-
-			  reference = session.CreateCriteria<EntityReference>()
-					.Add(Restrictions.Eq("EntitySecurityKey", key))
-					.SetCacheable(true)
-					.UniqueResult<EntityReference>();
-
-			  Assert.True(reference == null);
-		  }
     }
 }
\ No newline at end of file
diff --git a/Rhino.Security/Services/AuthorizationRepository.cs b/Rhino.Security/Services/AuthorizationRepository.cs
index 26459b7..b37f484 100644
--- a/Rhino.Security/Services/AuthorizationRepository.cs
+++ b/Rhino.Security/Services/AuthorizationRepository.cs
@@ -501,7 +501,6 @@ public void DetachEntityFromGroup<TEntity>(TEntity entity, string entitiesGroupN
 
 			EntityReference reference = GetOrCreateEntityReference<TEntity>(key);
 			entitiesGroup.Entities.Remove(reference);
-			RemoveOrphanedEntityReference<TEntity>(entity, reference);
 		}
 
 
@@ -589,13 +588,5 @@ private EntityType GetOrCreateEntityType<TEntity>()
 			}
 			return entityType;
 		}
-
-		private void RemoveOrphanedEntityReference<TEntity>(TEntity entity, EntityReference reference) where TEntity : class 
-		{
-			EntitiesGroup[] entitiesGroups = this.GetAssociatedEntitiesGroupsFor<TEntity>(entity);
-			if (entitiesGroups.Length <= 1) {
-				session.Delete(reference);
-			}
-		}
 	}
 }

From e8ac66754dfc7fdfb9985e25143325e377f51351 Mon Sep 17 00:00:00 2001
From: Dan Smith <sonomofo@gmail.com>
Date: Tue, 28 Sep 2010 10:33:29 -0400
Subject: [PATCH 3/4] Event listener to delete security information when an
 entity is deleted from the system.

---
 .../DeleteEntityEventListenerFixture.cs       | 39 +++++++++++++
 .../Rhino.Security.Tests-vs2008.csproj        |  1 +
 Rhino.Security/DeleteEntityEventListener.cs   | 47 +++++++++++++++
 Rhino.Security/Rhino.Security-vs2008.csproj   |  1 +
 Rhino.Security/Security.cs                    | 57 +++++++++++++++----
 5 files changed, 133 insertions(+), 12 deletions(-)
 create mode 100644 Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs
 create mode 100644 Rhino.Security/DeleteEntityEventListener.cs

diff --git a/Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs b/Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs
new file mode 100644
index 0000000..d9f1144
--- /dev/null
+++ b/Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs
@@ -0,0 +1,39 @@
+namespace Rhino.Security.Tests
+{
+	using System;
+	using NHibernate.Criterion;
+	using Rhino.Security.Model;
+	using Xunit;
+
+	public class DeleteEntityEventListenerFixture : DatabaseFixture
+	{
+		[Fact]
+		public void DoesDeletingEntityRemoveEntityReferences() {
+			var account = new Account() { Name = "Bob" };
+			session.Save(account);
+			authorizationRepository.AssociateEntityWith(account, "Important Accounts");
+			session.Flush();
+
+			Guid securityKey = Security.ExtractKey(account);
+
+			// Confirm EntityReference for the new account exists.
+			EntityReference reference = session.CreateCriteria<EntityReference>()
+				 .Add(Restrictions.Eq("EntitySecurityKey", securityKey))
+				 .SetCacheable(true)
+				 .UniqueResult<EntityReference>();
+
+			Assert.NotNull(reference);
+
+			// Delete account and confirm EntityReference was removed
+			session.Delete(account);
+			session.Flush();
+
+			reference = session.CreateCriteria<EntityReference>()
+				 .Add(Restrictions.Eq("EntitySecurityKey", securityKey))
+				 .SetCacheable(true)
+				 .UniqueResult<EntityReference>();
+
+			Assert.Null(reference);
+		}
+	}
+}
diff --git a/Rhino.Security.Tests/Rhino.Security.Tests-vs2008.csproj b/Rhino.Security.Tests/Rhino.Security.Tests-vs2008.csproj
index 6b276e4..0ca58de 100644
--- a/Rhino.Security.Tests/Rhino.Security.Tests-vs2008.csproj
+++ b/Rhino.Security.Tests/Rhino.Security.Tests-vs2008.csproj
@@ -91,6 +91,7 @@
     <Compile Include="AuthorizationService_Queries_Fixture.cs" />
     <Compile Include="PermissionsServiceFixture.cs" />
     <Compile Include="DatabaseFixture.cs" />
+    <Compile Include="DeleteEntityEventListenerFixture.cs" />
     <Compile Include="ScenariosFixture.cs" />
     <Compile Include="SecrityInfoFixture.cs" />
     <Compile Include="SillyContainer.cs" />
diff --git a/Rhino.Security/DeleteEntityEventListener.cs b/Rhino.Security/DeleteEntityEventListener.cs
new file mode 100644
index 0000000..5b056aa
--- /dev/null
+++ b/Rhino.Security/DeleteEntityEventListener.cs
@@ -0,0 +1,47 @@
+namespace Rhino.Security
+{
+	using System;
+	using NHibernate.Event;
+	using Microsoft.Practices.ServiceLocation;
+	using Rhino.Security.Interfaces;
+	using System.Collections.Generic;
+	using Rhino.Security.Model;
+	using Rhino.Security.Services;
+	using NHibernate.Criterion;
+
+	/// <summary>
+	/// Litenens for when a secured entity is deleted from the system and deletes 
+	/// associated security data.
+	/// </summary>
+	[Serializable]
+	public class DeleteEntityEventListener : IPreDeleteEventListener
+	{
+		#region IPreDeleteEventListener Members
+
+		/// <summary>
+		/// Handles PreDelete event to delete an entity's associated security data.
+		/// </summary>
+		/// <param name="deleteEvent">Event object containing the delete operation information.</param>
+		/// <returns>False, indicating the delete operation should not be vetoed.</returns>
+		public bool OnPreDelete(PreDeleteEvent deleteEvent) {
+			var securityKey = Security.ExtractKey(deleteEvent.Entity);
+
+			if (!Guid.Empty.Equals(securityKey)) {
+				EntityReference reference = deleteEvent.Session.CreateCriteria<EntityReference>()
+					 .Add(Restrictions.Eq("EntitySecurityKey", securityKey))
+					 .SetCacheable(true)
+					 .UniqueResult<EntityReference>();
+
+				if (reference != null) {
+					var childSession = deleteEvent.Session.GetSession(NHibernate.EntityMode.Poco);
+					childSession.Delete(reference);
+					childSession.Flush();
+				}
+			}
+
+			return false;
+		}
+
+		#endregion
+	}
+}
diff --git a/Rhino.Security/Rhino.Security-vs2008.csproj b/Rhino.Security/Rhino.Security-vs2008.csproj
index 153bffc..8f1a76e 100644
--- a/Rhino.Security/Rhino.Security-vs2008.csproj
+++ b/Rhino.Security/Rhino.Security-vs2008.csproj
@@ -161,6 +161,7 @@
   </ItemGroup>
   <ItemGroup>
     <Compile Include="Impl\JetBrains.Annotations.cs" />
+    <Compile Include="DeleteEntityEventListener.cs" />
   </ItemGroup>
   <Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
diff --git a/Rhino.Security/Security.cs b/Rhino.Security/Security.cs
index 6247b8f..cb2c270 100644
--- a/Rhino.Security/Security.cs
+++ b/Rhino.Security/Security.cs
@@ -4,7 +4,7 @@
 using log4net;
 using Microsoft.Practices.ServiceLocation;
 using NHibernate.Cfg;
-using NHibernate.UserTypes;
+using NHibernate.Event;
 using Rhino.Security.Impl;
 using Rhino.Security.Impl.MappingRewriting;
 using Rhino.Security.Interfaces;
@@ -33,11 +33,43 @@ public class Security
 		public static Guid ExtractKey<TEntity>(TEntity entity)
 			where TEntity : class
 		{
-			Guard.Against<ArgumentNullException>(entity == null, "Entity cannot be null");
+			Guard.Against<ArgumentNullException>(entity == null, "entity");
 			var extractor = ServiceLocator.Current.GetInstance<IEntityInformationExtractor<TEntity>>();
 			return extractor.GetSecurityKeyFor(entity);
 		}
 
+		/// <summary>
+		/// Extracts the key from the specified entity using the given object.
+		/// </summary>
+		/// <param name="entity">The entity.</param>
+		/// <returns>If no IEntityInformationExtractor{TEntity} class is registered in the IoC container
+		/// for the entity's runtime type this returns an empty Guid, otherwise the security
+		/// key of the given entity.</returns>
+		/// <remarks>It is recommended to use the ExtractKey{TEntity}(TEntity) method if possible 
+		/// as this code uses reflection to extract the entity security key.</remarks>
+		internal static Guid ExtractKey(object entity) {
+			Guard.Against<ArgumentNullException>(entity == null, "entity");
+			Type[] entityType = { entity.GetType() };
+			Guard.Against<ArgumentException>(!entityType[0].IsClass, "Entity must be a class object");
+
+			Type extractorType = typeof(IEntityInformationExtractor<>);
+			Type genericExtractor = extractorType.MakeGenericType(entityType);
+			object extractor = null;
+
+			try {
+				extractor = ServiceLocator.Current.GetInstance(genericExtractor);
+			}
+			catch (ActivationException) {
+				// If no IEntityInformationExtractor is registered then the entity isn't 
+				// secured by Rhino.Security. Ignore the error and return an empty Guid.
+				return Guid.Empty;
+			}
+
+			object key = genericExtractor.InvokeMember("GetSecurityKeyFor", BindingFlags.InvokeMethod, null, extractor, new object[] { entity });
+			
+			return (Guid)key;
+		}
+
 		/// <summary>
 		/// Gets a human readable description for the specified entity
 		/// </summary>
@@ -74,15 +106,16 @@ internal static string GetSecurityKeyPropertyInternal<TEntity>()
             return ServiceLocator.Current.GetInstance<IEntityInformationExtractor<TEntity>>().SecurityKeyPropertyName;
 		}
 
-        ///<summary>
-        /// Setup NHibernate to include Rhino Security configuration
-        ///</summary>
-        public static void Configure<TUserType>(Configuration cfg, SecurityTableStructure securityTableStructure)
-             where TUserType : IUser
-        {
-            cfg.AddAssembly(typeof (IUser).Assembly);
-            new SchemaChanger(cfg, securityTableStructure).Change();
-            new UserMapper(cfg, typeof(TUserType)).Map();
-        }
+		///<summary>
+		/// Setup NHibernate to include Rhino Security configuration
+		///</summary>
+		public static void Configure<TUserType>(Configuration cfg, SecurityTableStructure securityTableStructure)
+			where TUserType : IUser 
+		{
+			cfg.AddAssembly(typeof (IUser).Assembly);
+			new SchemaChanger(cfg, securityTableStructure).Change();
+			new UserMapper(cfg, typeof(TUserType)).Map();
+			cfg.SetListener(ListenerType.PreDelete, new DeleteEntityEventListener());
+		}
 	}
 }
\ No newline at end of file

From 771d74a087785da5ac30c5376779aaa4216f566a Mon Sep 17 00:00:00 2001
From: Dan Smith <sonomofo@gmail.com>
Date: Mon, 25 Oct 2010 14:42:34 -0400
Subject: [PATCH 4/4] Added code to DeleteEntryEventListener to also delete
 Permissions and EntitiyGroup associations.

Signed-off-by: Dan Smith <sonomofo@gmail.com>
---
 .../DeleteEntityEventListenerFixture.cs       | 22 ++++++++++-
 Rhino.Security/DeleteEntityEventListener.cs   | 38 +++++++++++++++----
 2 files changed, 51 insertions(+), 9 deletions(-)

diff --git a/Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs b/Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs
index d9f1144..a3c3697 100644
--- a/Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs
+++ b/Rhino.Security.Tests/DeleteEntityEventListenerFixture.cs
@@ -24,16 +24,36 @@ public void DoesDeletingEntityRemoveEntityReferences() {
 
 			Assert.NotNull(reference);
 
-			// Delete account and confirm EntityReference was removed
+			// Create a permission for the entity
+			this.permissionsBuilderService.Allow("/Account/Edit").For(this.user).On(account).DefaultLevel().Save();
+
+			// Confirm the permissison for the entity exists
+			Permission permission = session.CreateCriteria<Permission>()
+				.Add(Restrictions.Eq("EntitySecurityKey", securityKey))
+				.SetCacheable(true)
+				.UniqueResult<Permission>();
+
+			Assert.NotNull(permission);
+
+			// Delete account 
 			session.Delete(account);
 			session.Flush();
 
+			// Confirm EntityReference was removed
 			reference = session.CreateCriteria<EntityReference>()
 				 .Add(Restrictions.Eq("EntitySecurityKey", securityKey))
 				 .SetCacheable(true)
 				 .UniqueResult<EntityReference>();
 
 			Assert.Null(reference);
+
+			// Confirm the permissison for the entity was removed
+			permission = session.CreateCriteria<Permission>()
+				.Add(Restrictions.Eq("EntitySecurityKey", securityKey))
+				.SetCacheable(true)
+				.UniqueResult<Permission>();
+
+			Assert.Null(permission);
 		}
 	}
 }
diff --git a/Rhino.Security/DeleteEntityEventListener.cs b/Rhino.Security/DeleteEntityEventListener.cs
index 5b056aa..9f3306c 100644
--- a/Rhino.Security/DeleteEntityEventListener.cs
+++ b/Rhino.Security/DeleteEntityEventListener.cs
@@ -1,13 +1,10 @@
 namespace Rhino.Security
 {
 	using System;
-	using NHibernate.Event;
-	using Microsoft.Practices.ServiceLocation;
-	using Rhino.Security.Interfaces;
 	using System.Collections.Generic;
-	using Rhino.Security.Model;
-	using Rhino.Security.Services;
 	using NHibernate.Criterion;
+	using NHibernate.Event;
+	using Rhino.Security.Model;
 
 	/// <summary>
 	/// Litenens for when a secured entity is deleted from the system and deletes 
@@ -27,14 +24,39 @@ public bool OnPreDelete(PreDeleteEvent deleteEvent) {
 			var securityKey = Security.ExtractKey(deleteEvent.Entity);
 
 			if (!Guid.Empty.Equals(securityKey)) {
-				EntityReference reference = deleteEvent.Session.CreateCriteria<EntityReference>()
+				EntityReference entityReference = deleteEvent.Session.CreateCriteria<EntityReference>()
 					 .Add(Restrictions.Eq("EntitySecurityKey", securityKey))
 					 .SetCacheable(true)
 					 .UniqueResult<EntityReference>();
 
-				if (reference != null) {
+				if (entityReference != null) {
 					var childSession = deleteEvent.Session.GetSession(NHibernate.EntityMode.Poco);
-					childSession.Delete(reference);
+
+					childSession.Delete(entityReference);
+
+					//Also remove EntityReferencesToEntitiesGroups and Permissions that reference this entity
+
+					//Get list of EntitiesGroups that have the entity as a member
+					IEnumerable<EntitiesGroup> entitiesGroups = childSession.CreateCriteria<EntitiesGroup>()
+						.CreateCriteria("Entities")
+						.Add(Restrictions.Eq("EntitySecurityKey", securityKey))
+						.SetCacheable(true)
+						.List<EntitiesGroup>();
+
+					foreach (EntitiesGroup group in entitiesGroups) {
+						group.Entities.Remove(entityReference);
+					}
+
+					////Get list of Permissions that references the entity
+					IEnumerable<Permission> permissions = childSession.CreateCriteria<Permission>()
+						.Add(Restrictions.Eq("EntitySecurityKey", securityKey))
+						.SetCacheable(true)
+						.List<Permission>();
+
+					foreach (Permission permission in permissions) {
+						childSession.Delete(permission);
+					}
+
 					childSession.Flush();
 				}
 			}