From 73c4fdd93e072148b7c223c2cbb3da2c7f03d520 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Thu, 16 May 2019 22:57:26 +0000
Subject: [PATCH]
---
 server/AyaNova/ControllerHelpers/Authorized.cs | 10 ++++++----
 server/AyaNova/Controllers/AttachmentController.cs | 4 ++--
 server/AyaNova/Controllers/DataFilterController.cs | 4 ++--
 server/AyaNova/Controllers/FormCustomController.cs | 2 +-
 server/AyaNova/Controllers/LocaleController.cs | 6 +++---
 server/AyaNova/Controllers/UserController.cs | 6 +++---
 server/AyaNova/Controllers/UserOptionsController.cs | 4 ++--
 7 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/server/AyaNova/ControllerHelpers/Authorized.cs b/server/AyaNova/ControllerHelpers/Authorized.cs
index ea5e0428..73224a59 100644
--- a/server/AyaNova/ControllerHelpers/Authorized.cs
+++ b/server/AyaNova/ControllerHelpers/Authorized.cs
@@ -6,6 +6,8 @@ using AyaNova.Biz; namespace AyaNova.Api.ControllerHelpers {
+ //AUTHORIZATION ROLES: NOTE - this is only 'stage1' of generally checking rights, individual objects can also have business rules that affect access exactly as these roles do
+ //Most objects won't need more than this but some specialized ones will have further checks depending on biz rules
 internal static class Authorized {
@@ -104,13 +106,13 @@ namespace AyaNova.Api.ControllerHelpers /// /// /// - + /// internal static bool HasModifyRole(IDictionary HttpContextItems, AyaType objectType) { AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems); - - return HasModifyRole(currentUserRoles, objectType); + + return HasModifyRole(currentUserRoles, objectType); }
@@ -157,7 +159,7 @@ namespace AyaNova.Api.ControllerHelpers if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change)) return true; - + return false; }
diff --git a/server/AyaNova/Controllers/AttachmentController.cs b/server/AyaNova/Controllers/AttachmentController.cs
index 8c0a99e1..3316bda3 100644
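Review bot: The new class comment says individual objects can add business rules on top of these roles, but neither `HasModifyRole` overload visible in the `@@ -104` hunk nor the `Change`-flag check in the `@@ -157` hunk consults record ownership, and this same commit removes the owner id from most controller call sites, so the comment should state plainly what the helper does not cover. I would add `// HasModifyRole/HasDeleteRole check type-level roles only; record ownership is NOT considered here and must be enforced by the biz object where it matters.` directly above the class declaration. The XML doc on `HasModifyRole` renders as bare `///` lines in this view, so I cannot tell whether the summary/param/returns text is filled in; worth confirming the added `///` line is not an empty tag. The `Authorized` class continues outside these hunks.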
--- a/server/AyaNova/Controllers/AttachmentController.cs
+++ b/server/AyaNova/Controllers/AttachmentController.cs
@@ -195,7 +195,7 @@ namespace AyaNova.Api.Controllers // else // { // User needs modify rights to the object type in question
- if (!Authorized.IsAuthorizedToModify(HttpContext.Items, attachToObject.ObjectType, attachToObjectOwnerId))
+ if (!Authorized.HasModifyRole(HttpContext.Items, attachToObject.ObjectType))
 { //delete temp files DeleteTempFileUploadDueToBadRequest(uploadFormData);
@@ -293,7 +293,7 @@ namespace AyaNova.Api.Controllers long UserId = UserIdFromContext.Id(HttpContext.Items);
- if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, dbObj.AttachToObjectType, dbObj.OwnerId))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, dbObj.AttachToObjectType))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
diff --git a/server/AyaNova/Controllers/DataFilterController.cs b/server/AyaNova/Controllers/DataFilterController.cs
index efb3c29d..f549bdc9 100644
--- a/server/AyaNova/Controllers/DataFilterController.cs
+++ b/server/AyaNova/Controllers/DataFilterController.cs
@@ -127,7 +127,7 @@ namespace AyaNova.Api.Controllers if (o == null) return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
- if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+ if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
 return StatusCode(403, new ApiNotAuthorizedResponse()); try
@@ -206,7 +206,7 @@ namespace AyaNova.Api.Controllers if (o == null) return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
- if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, o.OwnerId))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
 return StatusCode(403, new ApiNotAuthorizedResponse()); if (!biz.Delete(o))
diff --git a/server/AyaNova/Controllers/FormCustomController.cs b/server/AyaNova/Controllers/FormCustomController.cs
index e7c0eb63..fd02dd3d 100644
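Review bot: Dropping `attachToObjectOwnerId` from the modify check (and `dbObj.OwnerId` from the delete check in the `@@ -293` hunk) removes record ownership from the authorization decision at the controller boundary; the replacement `HasModifyRole`/`HasDeleteRole` shown in this commit's Authorized.cs hunk evaluates only the type-level role flags, so a caller holding the Change role for the type can now modify or delete attachments it does not own unless the biz layer re-checks ownership. The same substitution is made in the DataFilterController, FormCustomController, LocaleController and UserController hunks. The commit has no message and the only stated rationale is the new 'stage1' class comment, so whether the biz objects actually enforce ownership for these types cannot be confirmed from the diff; if they do, a one-line comment at each site, `// role check only here; ownership is enforced by the biz object`, would make that dependency visible, and if they do not, the owner id argument should be kept. A test asserting that a non-owner holding the Change role receives 403 from each of these endpoints would pin the intended behaviour either way. The enclosing action methods start and end outside these hunks.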
--- a/server/AyaNova/Controllers/FormCustomController.cs
+++ b/server/AyaNova/Controllers/FormCustomController.cs
@@ -200,7 +200,7 @@ namespace AyaNova.Api.Controllers if (o == null) return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
- if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+ if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
 return StatusCode(403, new ApiNotAuthorizedResponse()); try
diff --git a/server/AyaNova/Controllers/LocaleController.cs b/server/AyaNova/Controllers/LocaleController.cs
index fd42293d..43f3306e 100644
--- a/server/AyaNova/Controllers/LocaleController.cs
+++ b/server/AyaNova/Controllers/LocaleController.cs
@@ -233,7 +233,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); }
- if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oDbParent.OwnerId))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.Locale))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
@@ -299,7 +299,7 @@ namespace AyaNova.Api.Controllers }
- if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oFromDb.OwnerId))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.Locale))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
@@ -367,7 +367,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); }
- if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, AyaType.Locale, dbObj.OwnerId))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.Locale))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
diff --git a/server/AyaNova/Controllers/UserController.cs b/server/AyaNova/Controllers/UserController.cs
index f181e8fa..b25194bc 100644
--- a/server/AyaNova/Controllers/UserController.cs
+++ b/server/AyaNova/Controllers/UserController.cs
@@ -214,7 +214,7 @@ namespace AyaNova.Api.Controllers //Instantiate the business object handler UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
- if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+ if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
@@ -278,7 +278,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); }
- if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+ if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
@@ -392,7 +392,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); }
- if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, dbObj.OwnerId))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
diff --git a/server/AyaNova/Controllers/UserOptionsController.cs b/server/AyaNova/Controllers/UserOptionsController.cs
index af539122..46f8b66a 100644
--- a/server/AyaNova/Controllers/UserOptionsController.cs
+++ b/server/AyaNova/Controllers/UserOptionsController.cs
@@ -120,7 +120,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); }
- if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
+ if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }
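Review bot: The replacement call in the UserOptionsController `@@ -120` hunk still passes three arguments, `Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions, o.OwnerId)`, while the `HasModifyRole` shown in this commit's Authorized.cs hunk takes only `(IDictionary HttpContextItems, AyaType objectType)`; unless a three-parameter overload exists outside the diff this will not compile, and the same call appears in the `@@ -189` hunk on the next line. If no such overload exists, the line should read `if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions))`, matching the other controllers in this commit. If an owner-aware overload does exist, a short comment explaining why UserOptions keeps the ownership argument when every other controller here drops it would save the next reader from assuming a leftover. The enclosing action methods start and end outside these hunks.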
@@ -189,7 +189,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); }
- if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
+ if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
 { return StatusCode(403, new ApiNotAuthorizedResponse()); }