2019-05-16 22:57:26 +00:00
parent 8fe776a3ac
commit 73c4fdd93e
7 changed files with 19 additions and 17 deletions
--- a/server/AyaNova/ControllerHelpers/Authorized.cs
+++ b/server/AyaNova/ControllerHelpers/Authorized.cs
@@ -6,6 +6,8 @@ using AyaNova.Biz;
 namespace AyaNova.Api.ControllerHelpers
 {

+    //AUTHORIZATION ROLES: NOTE - this is only 'stage1' of generally checking rights, individual objects can also have business rules that affect access exactly as these roles do
+    //Most objects won't need more than this but some specialized ones will have further checks depending on biz rules

    internal static class Authorized
    {
@@ -104,13 +106,13 @@ namespace AyaNova.Api.ControllerHelpers
        /// </summary>
        /// <param name="HttpContextItems"></param>
        /// <param name="objectType"></param>
-       
+
        /// <returns></returns>
        internal static bool HasModifyRole(IDictionary<object, object> HttpContextItems, AyaType objectType)
        {
            AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems);
-            
-            return HasModifyRole(currentUserRoles,  objectType);
+
+            return HasModifyRole(currentUserRoles, objectType);
        }


@@ -157,7 +159,7 @@ namespace AyaNova.Api.ControllerHelpers
            if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change))
                return true;

-            
+
            return false;
        }

--- a/server/AyaNova/Controllers/AttachmentController.cs
+++ b/server/AyaNova/Controllers/AttachmentController.cs
@@ -195,7 +195,7 @@ namespace AyaNova.Api.Controllers
                    // else
                    // {
                        // User needs modify rights to the object type in question
-                        if (!Authorized.IsAuthorizedToModify(HttpContext.Items, attachToObject.ObjectType, attachToObjectOwnerId))
+                        if (!Authorized.HasModifyRole(HttpContext.Items, attachToObject.ObjectType))
                        {
                            //delete temp files
                            DeleteTempFileUploadDueToBadRequest(uploadFormData);
@@ -293,7 +293,7 @@ namespace AyaNova.Api.Controllers

            long UserId = UserIdFromContext.Id(HttpContext.Items);

-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, dbObj.AttachToObjectType, dbObj.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, dbObj.AttachToObjectType))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
--- a/server/AyaNova/Controllers/DataFilterController.cs
+++ b/server/AyaNova/Controllers/DataFilterController.cs
@@ -127,7 +127,7 @@ namespace AyaNova.Api.Controllers
            if (o == null)
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));

-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
                return StatusCode(403, new ApiNotAuthorizedResponse());

            try
@@ -206,7 +206,7 @@ namespace AyaNova.Api.Controllers
            if (o == null)
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));

-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
                return StatusCode(403, new ApiNotAuthorizedResponse());

            if (!biz.Delete(o))
--- a/server/AyaNova/Controllers/FormCustomController.cs
+++ b/server/AyaNova/Controllers/FormCustomController.cs
@@ -200,7 +200,7 @@ namespace AyaNova.Api.Controllers
            if (o == null)
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));

-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
                return StatusCode(403, new ApiNotAuthorizedResponse());

            try
--- a/server/AyaNova/Controllers/LocaleController.cs
+++ b/server/AyaNova/Controllers/LocaleController.cs
@@ -233,7 +233,7 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oDbParent.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.Locale))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
@@ -299,7 +299,7 @@ namespace AyaNova.Api.Controllers
            }


-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oFromDb.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.Locale))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
@@ -367,7 +367,7 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, AyaType.Locale, dbObj.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.Locale))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
--- a/server/AyaNova/Controllers/UserController.cs
+++ b/server/AyaNova/Controllers/UserController.cs
@@ -214,7 +214,7 @@ namespace AyaNova.Api.Controllers
            //Instantiate the business object handler       
            UserBiz biz = UserBiz.GetBiz(ct, HttpContext);

-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
@@ -278,7 +278,7 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
@@ -392,7 +392,7 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, dbObj.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
--- a/server/AyaNova/Controllers/UserOptionsController.cs
+++ b/server/AyaNova/Controllers/UserOptionsController.cs
@@ -120,7 +120,7 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

-            if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
+            if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }
@@ -189,7 +189,7 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

-            if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
+            if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
            {
                return StatusCode(403, new ApiNotAuthorizedResponse());
            }