prs/prs.desktop/Panels/Security/Global/GlobalTokenGrid.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Input;
using System.Windows.Media.Imaging;
using InABox.Clients;
using InABox.Core;
using InABox.DynamicGrid;
using InABox.WPF;
using javax.sql.rowset;

namespace PRSDesktop;

public class GlobalTokenGrid : DynamicGrid<SecurityDescriptor>
{
    private List<SecurityDescriptor>? _descriptors;
    private static readonly BitmapImage defaultdisabled = PRSDesktop.Resources.disabled.Fade(0.25F).AsBitmapImage();
    private static readonly BitmapImage defaulttick = PRSDesktop.Resources.tick.Fade(0.25F).AsBitmapImage();
    private static readonly BitmapImage disabled = PRSDesktop.Resources.disabled.AsBitmapImage();

    private static readonly BitmapImage tick = PRSDesktop.Resources.tick.AsBitmapImage();

    public GlobalTokenGrid()
    {
        GroupNames = new Dictionary<Guid, string>();
        UserNames = new Dictionary<Guid, string>();
        UserGroups = new Dictionary<Guid, Guid>();
        GroupID = Guid.Empty;

        Items = new List<SecurityTokenItem>();

        HiddenColumns.Add(x => x.Descriptor);
        HiddenColumns.Add(x => x.Default);

        HeaderHeight = 125;
    }

    protected override void DoReconfigure(DynamicGridOptions options)
    {
        base.DoReconfigure(options);
        options.FilterRows = true;
    }

    public Dictionary<Guid, string> GroupNames { get; }
    public Dictionary<Guid, string> UserNames { get; }
    public Dictionary<Guid, Guid> UserGroups { get; }

    public List<SecurityTokenItem> Items { get; }

    public Guid GroupID { get; set; }

    private const string ENABLED_TOKENS = "Enabled";
    private const string DISABLED_TOKENS = "Disabled";
    private const string OVERRIDDEN_TOKENS = "Overridden";
    private const string DEFAULT_TOKENS = "Default";

    private static readonly string[] ENABLED_FILTERS = new[] { ENABLED_TOKENS, DISABLED_TOKENS };
    private static readonly string[] OVERRIDDEN_FILTERS = new[] { OVERRIDDEN_TOKENS, DEFAULT_TOKENS };
    private static readonly string[] ALL_FILTERS = new[] { ENABLED_TOKENS, DISABLED_TOKENS, OVERRIDDEN_TOKENS, DEFAULT_TOKENS }; 

    protected override DynamicGridColumns LoadColumns()
    {

        var columns = new DynamicGridColumns<SecurityDescriptor>();
        columns.Add(x => x.Group, width: 150, alignment: Alignment.MiddleCenter);
        columns.Add(x => x.Description, width: 0, alignment: Alignment.MiddleLeft);
        columns.Add(x => x.Category, width: 200, alignment: Alignment.MiddleCenter);

        ActionColumns.Clear();

        if (GroupID == Guid.Empty)
        {
            ActionColumns.Add(
                new DynamicImageColumn(
                    GlobalImage, 
                    r => r != null 
                        ? GlobalAction(new CoreRow[] { r }, TokenAction.Toggle)
                        : CreateGlobalMenu()
                )
                {
                    HeaderText = "Default",
                    GetFilter = () => new FuncCheckBoxDynamicGridColumnFilter(GlobalFilter, AllFilterData)
                });
            
            foreach (var groupid in GroupNames.Keys)
                ActionColumns.Add(
                    new DynamicImageColumn(
                        r => GroupImage(r, groupid),
                        r => r != null 
                            ? GroupAction(new CoreRow[] { r }, groupid, TokenAction.Toggle)
                            : CreateGroupMenu(groupid)
                    )
                    {
                        HeaderText = GroupNames[groupid],
                        GetFilter = () => new FuncCheckBoxDynamicGridColumnFilter((row, pred) => GroupFilter(row, pred, groupid), AllFilterData)
                    }
                );
        }
        else
        {
            ActionColumns.Add(
                new DynamicImageColumn(
                    r => GroupImage(r, GroupID),
                    r => r != null 
                        ? GroupAction(new CoreRow[] { r }, GroupID, TokenAction.Toggle)
                        : CreateGroupMenu(GroupID)
                )
                {
                    HeaderText = GroupNames[GroupID],
                    GetFilter = () => new FuncCheckBoxDynamicGridColumnFilter((row, pred) => GroupFilter(row, pred, GroupID), AllFilterData)
                }
            );

            foreach (var userid in UserNames.Keys)
                if (UserGroups[userid] == GroupID)
                    ActionColumns.Add(
                        new DynamicImageColumn(
                            r => UserImage(r, GroupID, userid),
                            r => r != null 
                                ? UserAction(new CoreRow[] { r }, GroupID, userid, TokenAction.Toggle)
                                : CreateUserMenu(GroupID, userid)
                        )
                        {
                            HeaderText = UserNames[userid],
                            GetFilter = () => new FuncCheckBoxDynamicGridColumnFilter((row, pred) => UserFilter(row, pred, GroupID, userid), AllFilterData)
                        }
                    );
        }

        return columns;
    }

    private static bool MatchFilter(Predicate<object?> filter, string[] test)
    {
        return test.All(x => filter(x));
    }

    private IEnumerable<Tuple<string, object?>> AllFilterData()
    {
        return ALL_FILTERS.Select(x => new Tuple<string, object?>(x, x));
    }
    
    private bool GlobalFilter(CoreRow row, Predicate<object?> filter)
    {
        if (MatchFilter(filter, ALL_FILTERS))
            return true;

        var descriptor = row.Get<SecurityDescriptor, String>(c => c.Descriptor);
        var globaldefault = row.Get<SecurityDescriptor, bool>(c => c.Default);
        
        if (!MatchFilter(filter, ENABLED_FILTERS))
        {
            bool isenabled = GetGlobalOrDefault(descriptor, globaldefault);
            var check = (filter(ENABLED_TOKENS) && isenabled) || (filter(DISABLED_TOKENS) && !isenabled);
            if (!check)
                return false;
        }

        if (!MatchFilter(filter, OVERRIDDEN_FILTERS))
        {
            bool isoverridden = Items.Any(x => String.Equals(x.Descriptor, descriptor) && (x.Type == SecurityTokenType.Global));
            var check = (filter(OVERRIDDEN_TOKENS) && isoverridden) || (filter(DEFAULT_TOKENS) && !isoverridden);
            if (!check)
                return false;
        }
        
        return true;
    }

    private bool GroupFilter(CoreRow row, Predicate<object?> filter, Guid groupid)
    {
        if (MatchFilter(filter, ALL_FILTERS))
            return true;

        string descriptor = row.Get<SecurityDescriptor, String>(c => c.Descriptor);
        bool globaldefault = row.Get<SecurityDescriptor, bool>(c => c.Default);
        
        if (!MatchFilter(filter, ENABLED_FILTERS))
        {
            bool isenabled = GetGroupOrDefault(descriptor, groupid, globaldefault);
            var check = (filter(ENABLED_TOKENS) && isenabled) || (filter(DISABLED_TOKENS) && !isenabled);
            if (!check)
                return false;
        }

        if (!MatchFilter(filter, OVERRIDDEN_FILTERS))
        {
            bool isoverridden = Items.Any(x => String.Equals(x.Descriptor, descriptor) && (x.Type == SecurityTokenType.Group) && x.ID == groupid);
            var check = (filter(OVERRIDDEN_TOKENS) && isoverridden) || (filter(DEFAULT_TOKENS) && !isoverridden);
            if (!check)
                return false;
        }
        
        return true;
    }

    private bool UserFilter(CoreRow row, Predicate<object?> filter, Guid groupid, Guid userid)
    {
        if (MatchFilter(filter, ALL_FILTERS))
            return true;

        var descriptor = row.Get<SecurityDescriptor, string>(c => c.Descriptor);
        var globaldefault = row.Get<SecurityDescriptor, bool>(c => c.Default);
        
        if (!MatchFilter(filter, ENABLED_FILTERS))
        {
            bool isenabled = GetUserOrDefault(descriptor, userid, groupid, globaldefault);
            var check = (filter(ENABLED_TOKENS) && isenabled) || (filter(DISABLED_TOKENS) && !isenabled);
            if (!check)
                return false;
        }

        if (!MatchFilter(filter, OVERRIDDEN_FILTERS))
        {
            bool isoverridden = Items.Any(x => string.Equals(x.Descriptor, descriptor) && (x.Type == SecurityTokenType.User) && x.ID == userid);
            var check = (filter(OVERRIDDEN_TOKENS) && isoverridden) || (filter(DEFAULT_TOKENS) && !isoverridden);
            if (!check)
                return false;
        }
        
        return true;
    }

    public override SecurityDescriptor LoadItem(CoreRow row)
    {
        if(_descriptors is null)
        {
            throw new Exception("LoadItem() called before Reload()");
        }
        return _descriptors[row.Index];
    }

    private CoreTable? _table = null;
    
    protected override void Reload(
    	Filters<SecurityDescriptor> criteria, Columns<SecurityDescriptor> columns, ref SortOrder<SecurityDescriptor>? sort,
    	CancellationToken token, Action<CoreTable?, Exception?> action)
    {

        if (_table == null)
        {
            Progress.ShowModal("Scanning Tokens..", (progress) =>
            {
                _table = new CoreTable();
                _table.LoadColumns(columns);

                if (_descriptors == null)
                {
                    _descriptors = new List<SecurityDescriptor>();
                    var list = Security.Descriptors.Where(x => x.Visible).ToArray();
                    foreach (var descriptor in list)
                    {
                        progress.Report($"Loading Tokens ({(double)(_descriptors.Count+1) * 100.0D / (double)list.Length:F2}% complete)");
                        var _descriptor = new SecurityDescriptor
                        {
                            Category = descriptor.Category,
                            Group = descriptor.Type,
                            Descriptor = descriptor.Code,
                            Description = descriptor.Description,
                            Default = descriptor.Value,
                            IsGlobal = descriptor.HasScope(SecurityDescriptorScope.Global),
                            IsGroup = descriptor.HasScope(SecurityDescriptorScope.Group),
                            IsUser = descriptor.HasScope(SecurityDescriptorScope.User)
                        };

                        _descriptors.Add(_descriptor);
                        _table.LoadRow(_descriptor);
                    }
                }
                
            });
        }

        action.Invoke(_table, null);
    }

    private bool GetGlobalOrDefault(string code, bool globaldefault)
    {
        var global = Items.FirstOrDefault(x => x.Type.Equals(SecurityTokenType.Global) && string.Equals(x.Descriptor, code));
        if (global != null)
            return global.Enabled;
        return globaldefault;
    }

    private bool GetGroupOrDefault(string code, Guid groupid, bool globaldefault)
    {
        var group = Items.FirstOrDefault(
            x => string.Equals(x.Descriptor, code) && x.Type.Equals(SecurityTokenType.Group) && Equals(x.ID, groupid));
        if (group != null)
            return group.Enabled;
        return GetGlobalOrDefault(code, globaldefault);
    }

    private bool GetUserOrDefault(string code, Guid userid, Guid groupid, bool globaldefault)
    {
        var user = Items.FirstOrDefault(x => string.Equals(x.Descriptor, code) && x.Type.Equals(SecurityTokenType.User) && Equals(x.ID, userid));
        if (user != null)
            return user.Enabled;
        return GetGroupOrDefault(code, groupid, globaldefault);
    }



    private BitmapImage? GlobalImage(CoreRow? row)
    {
        if (row == null)
            return null;
        var code = row.Get<SecurityDescriptor, string>(c => c.Descriptor);
        var item = Items.FirstOrDefault(x => string.Equals(x.Descriptor, code) && x.Type.Equals(SecurityTokenType.Global));
        if (item != null)
            return item.Enabled ? tick : disabled;
        return row.Get<SecurityDescriptor, bool>(c => c.Default) ? defaulttick : defaultdisabled;
    }

    private BitmapImage? GroupImage(CoreRow? row, Guid groupid)
    {
        if (row == null)
            return null;
        var code = row.Get<SecurityDescriptor, string>(c => c.Descriptor);
        var group = Items.FirstOrDefault(
            x => string.Equals(x.Descriptor, code) && x.Type.Equals(SecurityTokenType.Group) && Equals(x.ID, groupid));
        if (group != null)
            return group.Enabled ? tick : disabled;
        return GetGlobalOrDefault(code, row.Get<SecurityDescriptor, bool>(c => c.Default))
            ? defaulttick
            : defaultdisabled;
    }

    private BitmapImage? UserImage(CoreRow? row, Guid groupid, Guid userid)
    {
        if (row == null)
            return null;
        var code = row.Get<SecurityDescriptor, string>(c => c.Descriptor);
        var user = Items.FirstOrDefault(x => string.Equals(x.Descriptor, code) && x.Type.Equals(SecurityTokenType.User) && Equals(x.ID, userid));
        if (user != null)
            return user.Enabled ? tick : disabled;
        return GetGroupOrDefault(code, groupid, row.Get<SecurityDescriptor, bool>(c => c.Default))
            ? defaulttick
            : defaultdisabled;
    }

    private void ResetGlobals(IEnumerable<string> codes)
    {
        var globals = Items.Where(x => codes.Contains(x.Descriptor) && x.Type.Equals(SecurityTokenType.Global));
        if (!globals.Any())
            return;
        var globalupdates = globals.Select(x => new GlobalSecurityToken { ID = x.RecordID }).ToArray();
        new Client<GlobalSecurityToken>().Delete(globalupdates, "", (o, e) => { });
        Items.RemoveAll(x => globals.Contains(x));
    }

    private void ResetGroups(Guid groupid, IEnumerable<string> codes)
    {
        var groups = groupid == Guid.Empty
            ? Items.Where(x => codes.Contains(x.Descriptor) && x.Type.Equals(SecurityTokenType.Group))
            : Items.Where(x => codes.Contains(x.Descriptor) && x.Type.Equals(SecurityTokenType.Group) && Equals(groupid, x.ID));
        var groupupdates = groups.Select(x => new SecurityToken { ID = x.RecordID }).ToArray();
        new Client<SecurityToken>().Delete(groupupdates, "", (o, e) => { });
        Items.RemoveAll(x => groups.Contains(x));
    }

    private void ResetUsers(Guid groupid, IEnumerable<string> codes)
    {
        var users = groupid == Guid.Empty
            ? Items.Where(x => codes.Contains(x.Descriptor) && x.Type.Equals(SecurityTokenType.User))
            : Items.Where(x => codes.Contains(x.Descriptor) && x.Type.Equals(SecurityTokenType.User) && UserGroups[x.ID].Equals(groupid));
        var userupdates = users.Select(x => new UserSecurityToken { ID = x.RecordID }).ToArray();
        new Client<UserSecurityToken>().Delete(userupdates, "", (o, e) => { });
        Items.RemoveAll(x => users.Contains(x));
    }

    private void ResetUser(Guid userid, IEnumerable<string> codes)
    {
        var users = Items.Where(x => codes.Contains(x.Descriptor) && x.Type.Equals(SecurityTokenType.User) && Equals(userid, x.ID));
        var userupdates = users.Select(x => new UserSecurityToken { ID = x.RecordID }).ToArray();
        new Client<UserSecurityToken>().Delete(userupdates, "", (o, e) => { });
        Items.RemoveAll(x => users.Contains(x));
    }
    
    
    private enum TokenAction
    {
        Enable,
        Disable,
        Toggle,
        Reset
    }

    private readonly Dictionary<TokenAction, Tuple<String,String>> _tokennames = new()
    {
        { TokenAction.Enable, new("Enable", "Enabling") },
        { TokenAction.Disable, new("Disable", "Enabling")  },
        { TokenAction.Toggle, new("Toggle", "Enabling") },
        { TokenAction.Reset, new("Reset", "Enabling") },
    };        
    
    private bool CreateGlobalMenu()
    {
        var menu = new ContextMenu();
        menu.Items.Add(new MenuItem() { Header = "Enable All Tokens", Command = new Command((o) => GlobalAction(GetVisibleRows(), TokenAction.Enable)) });
        menu.Items.Add(new MenuItem() { Header = "Disable All Tokens", Command = new Command((o) => GlobalAction(GetVisibleRows(), TokenAction.Disable)) });
        menu.Items.Add(new Separator());
        menu.Items.Add(new MenuItem() { Header = "Reset All Tokens", Command = new Command((o) => GlobalAction(GetVisibleRows(), TokenAction.Reset)) });
        menu.IsOpen = true;
        return false;
    }
    
    private bool CreateGroupMenu(Guid groupid)
    {
        var menu = new ContextMenu();
        menu.Items.Add(new MenuItem() { Header = "Enable All Tokens", Command = new Command((o) => GroupAction(GetVisibleRows(), groupid, TokenAction.Enable)) });
        menu.Items.Add(new MenuItem() { Header = "Disable All Tokens", Command = new Command((o) => GroupAction(GetVisibleRows(), groupid, TokenAction.Disable)) });
        menu.Items.Add(new Separator());
        menu.Items.Add(new MenuItem() { Header = "Reset All Tokens", Command = new Command((o) => GroupAction(GetVisibleRows(), groupid, TokenAction.Reset)) });
        menu.IsOpen = true;
        return false;
    }
    
    private bool CreateUserMenu(Guid groupid, Guid userid)
    {
        var menu = new ContextMenu();
        menu.Items.Add(new MenuItem() { Header = "Enable All Tokens", Command = new Command((o) => UserAction(GetVisibleRows(), groupid, userid, TokenAction.Enable)) });
        menu.Items.Add(new MenuItem() { Header = "Disable All Tokens", Command = new Command((o) => UserAction(GetVisibleRows(), groupid, userid, TokenAction.Disable)) });
        menu.Items.Add(new Separator());
        menu.Items.Add(new MenuItem() { Header = "Reset All Tokens", Command = new Command((o) => UserAction(GetVisibleRows(), groupid, userid, TokenAction.Reset)) });
        menu.IsOpen = true;
        return false;
    }

    private bool GlobalAction(IList<CoreRow> rows, TokenAction action)
    {
        
        if (!rows.Any())
            return false;
        
        var descriptors = rows.Select(r =>r.Get<SecurityDescriptor, string>(c => c.Descriptor)).ToArray();
        var resetchildren = Items.Where(x => descriptors.Contains(x.Descriptor) && !x.Type.Equals(SecurityTokenType.Global)).Any();
        if (resetchildren)
        {
            var confirm = MessageBox.Show($"{_tokennames[action].Item1} Group and User Tokens as well?", $"{_tokennames[action].Item1} All",
                MessageBoxButton.YesNoCancel);
            if (confirm == MessageBoxResult.Cancel)
                return false;
            resetchildren = confirm == MessageBoxResult.Yes;
        }
        
        var resetusers = new List<string>();
        var resetgroups = new List<string>();
        var resetglobals = new List<string>();
        var updates = new List<GlobalSecurityToken>();
        
        Progress.ShowModal($"{_tokennames[action].Item2} Tokens", (progress) =>
        {


            int i = 1;
            foreach (var row in rows)
            {
                progress.Report($"{_tokennames[action].Item2} Tokens ({(double)(i) * 100.0D / (double)rows.Count:F2}% complete)");
                i++;
                
                string descriptor = row.Get<SecurityToken, String>(c => c.Descriptor);
                bool defaultvalue = row.Get<SecurityDescriptor, bool>(c => c.Default);
                bool desiredvalue = action switch
                {
                    TokenAction.Enable => true,
                    TokenAction.Disable => false,
                    TokenAction.Reset => defaultvalue,
                    _ => !GetGlobalOrDefault(descriptor, defaultvalue)
                };
                var currentvalue = GetGlobalOrDefault(descriptor, row.Get<SecurityDescriptor, bool>(c => c.Default));

                if (currentvalue != defaultvalue)
                    resetglobals.Add(descriptor);
                
                if (resetchildren)
                {
                    resetgroups.Add(descriptor);
                    resetusers.Add(descriptor);
                }
                
                if (desiredvalue != defaultvalue)
                {
                    // ResetGlobals(new[] { descriptor });
                    //
                    // if (resetchildren)
                    // {
                    //     ResetGroups(Guid.Empty, new[] { descriptor });
                    //     ResetUsers(Guid.Empty, new[] { descriptor });
                    // }

                    if (currentvalue == defaultvalue)
                    {
                        var token = new GlobalSecurityToken
                        {
                            Descriptor = descriptor,
                            Enabled = !currentvalue
                        };
                        updates.Add(token);
                        // new Client<GlobalSecurityToken>().Save(token, "");
                        // var item = new SecurityTokenItem
                        // {
                        //     Type = SecurityTokenType.Global,
                        //     Descriptor = descriptor,
                        //     ID = Guid.Empty,
                        //     RecordID = token.ID,
                        //     Enabled = token.Enabled
                        // };
                        // Items.Add(item);

                    }
                }
            }
            
            progress.Report("Clearing Old Tokens...");
            if (resetusers.Any())
                ResetUsers(Guid.Empty,resetusers);
            if (resetgroups.Any())
                ResetGroups(Guid.Empty, resetgroups);
            if (resetglobals.Any())
                ResetGlobals(resetglobals);
            progress.Report("Creating new Tokens...");
            if (updates.Any())
            {
                new Client<GlobalSecurityToken>().Save(updates, "");
                Items.AddRange(updates.Select(x => new SecurityTokenItem()
                {
                    Type = SecurityTokenType.Global,
                    Descriptor = x.Descriptor,
                    ID = Guid.Empty,
                    RecordID = x.ID,
                    Enabled = x.Enabled
                }));
            }


        });

        Refresh(false, true);
        return false;
    }

    
    private bool GroupAction(IList<CoreRow> rows, Guid groupid, TokenAction action)
    {
        
        if (!rows.Any())
            return false;

        
        var descriptors = rows.Select(r =>r.Get<SecurityDescriptor, string>(c => c.Descriptor)).ToArray();
        var resetchildren = Items.Where(x => descriptors.Contains(x.Descriptor) && x.Type.Equals(SecurityTokenType.User) && UserGroups[x.ID].Equals(groupid)).Any();
        
        if (resetchildren)
        {
            var confirm = MessageBox.Show($"{_tokennames[action].Item1} User Tokens as well?", $"{_tokennames[action].Item1} All",
                MessageBoxButton.YesNoCancel);
            if (confirm == MessageBoxResult.Cancel)
                return false;
            resetchildren = confirm == MessageBoxResult.Yes;
        }
        
        var resetusers = new List<string>();
        var resetgroups = new List<string>();
        var updates = new List<SecurityToken>();
        
        Progress.ShowModal($"{_tokennames[action].Item2} Tokens", (progress) =>
        {
            int i = 1;
            foreach (var row in rows)
            {
                
                progress.Report($"{_tokennames[action].Item2} Tokens ({(double)(i) * 100.0D / (double)rows.Count:F2}% complete)");
                i++;
                
                string descriptor = row.Get<SecurityDescriptor, String>(c => c.Descriptor);
                bool globaldefault = row.Get<SecurityDescriptor, bool>(c => c.Default);
                bool defaultvalue = GetGlobalOrDefault(descriptor, globaldefault);
                var currentvalue = GetGroupOrDefault(descriptor, groupid, globaldefault);
                
                bool desiredvalue = action switch
                {
                    TokenAction.Enable => true,
                    TokenAction.Disable => false,
                    TokenAction.Reset => GetGlobalOrDefault(descriptor, defaultvalue),
                    _ => !GetGroupOrDefault(descriptor, groupid, defaultvalue)
                };
                
                if (currentvalue != defaultvalue)
                    resetgroups.Add(descriptor);
                if (resetchildren)
                    resetusers.Add(descriptor);
                
                if (desiredvalue != defaultvalue)
                { 
                    var token = new SecurityToken
                    {
                        Descriptor = descriptor,
                        Enabled = desiredvalue
                    };
                    token.Group.ID = groupid;
                    updates.Add(token);
                }
            }
            
            progress.Report("Clearing Old Tokens...");
            if (resetusers.Any())
                ResetUsers(groupid,resetusers);
            if (resetgroups.Any())
                ResetGroups(groupid, resetgroups);
            progress.Report("Creating new Tokens...");
            if (updates.Any())
            {
                new Client<SecurityToken>().Save(updates, "");
                Items.AddRange(updates.Select(x => new SecurityTokenItem()
                {
                    Type = SecurityTokenType.Group,
                    Descriptor = x.Descriptor,
                    ID = groupid,
                    RecordID = x.ID,
                    Enabled = x.Enabled
                }));
            }
            
        });
        Refresh(false, true);
        return false;
    }

    private bool UserAction(IList<CoreRow> rows, Guid groupid, Guid userid, TokenAction action)
    {
        if (!rows.Any())
            return false;

        Progress.ShowModal($"{_tokennames[action].Item2} Tokens", (progress) =>
        {
            var resets = new List<string>();
            var updates = new List<UserSecurityToken>();

            int i = 1;
            foreach (var row in rows)
            {

                progress.Report($"{_tokennames[action].Item2} Tokens ({(double)(i) * 100.0D / (double)rows.Count:F2}% complete)");
                i++;
                
                var descriptor = row.Get<SecurityDescriptor, string>(c => c.Descriptor);
                bool globaldefault = row.Get<SecurityDescriptor, bool>(c => c.Default);
                bool defaultvalue = GetGroupOrDefault(descriptor, groupid, globaldefault);
                var currentvalue = GetUserOrDefault(descriptor, userid, groupid, defaultvalue);

                bool desiredvalue = action switch
                {
                    TokenAction.Enable => true,
                    TokenAction.Disable => false,
                    TokenAction.Toggle => !currentvalue,
                    _ => GetGroupOrDefault(descriptor, groupid, globaldefault)
                };

                if (currentvalue != defaultvalue)
                    resets.Add(descriptor);

                if (desiredvalue != defaultvalue)
                {
                    var token = new UserSecurityToken
                    {
                        Descriptor = descriptor,
                        Enabled = desiredvalue
                    };
                    token.User.ID = userid;
                    updates.Add(token);
                }

            }

            progress.Report("Clearing Old Tokens...");
            if (resets.Any())
                ResetUser(userid, resets);
            progress.Report("Creating new Tokens...");
            if (updates.Any())
            {
                new Client<UserSecurityToken>().Save(updates, "");
                Items.AddRange(updates.Select(x => new SecurityTokenItem()
                {
                    Type = SecurityTokenType.User,
                    Descriptor = x.Descriptor,
                    ID = userid,
                    RecordID = x.ID,
                    Enabled = x.Enabled
                }));
            }

        });

        Refresh(false, true); 
        return false;
    }

    public override void DeleteItems(params CoreRow[] row)
    {
        // Not required or implemented
    }

    public override void SaveItem(SecurityDescriptor item)
    {
        // Not required or implemented
    }
}