server/AyaNova/ControllerHelpers/Authorized.cs

@@ -6,6 +6,8 @@ using AyaNova.Biz;
 namespace AyaNova.Api.ControllerHelpers
 {
 
+    //AUTHORIZATION ROLES: NOTE - this is only 'stage1' of generally checking rights, individual objects can also have business rules that affect access exactly as these roles do
+    //Most objects won't need more than this but some specialized ones will have further checks depending on biz rules
 
     internal static class Authorized
     {
@@ -104,13 +106,13 @@ namespace AyaNova.Api.ControllerHelpers
         /// </summary>
         /// <param name="HttpContextItems"></param>
         /// <param name="objectType"></param>
-       
+
         /// <returns></returns>
         internal static bool HasModifyRole(IDictionary<object, object> HttpContextItems, AyaType objectType)
         {
             AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems);
-            
+
-            return HasModifyRole(currentUserRoles,  objectType);
+            return HasModifyRole(currentUserRoles, objectType);
         }
 
 
@@ -157,7 +159,7 @@ namespace AyaNova.Api.ControllerHelpers
             if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change))
                 return true;
 
-            
+
             return false;
         }
 

server/AyaNova/Controllers/AttachmentController.cs

@@ -195,7 +195,7 @@ namespace AyaNova.Api.Controllers
                     // else
                     // {
                         // User needs modify rights to the object type in question
-                        if (!Authorized.IsAuthorizedToModify(HttpContext.Items, attachToObject.ObjectType, attachToObjectOwnerId))
+                        if (!Authorized.HasModifyRole(HttpContext.Items, attachToObject.ObjectType))
                         {
                             //delete temp files
                             DeleteTempFileUploadDueToBadRequest(uploadFormData);
@@ -293,7 +293,7 @@ namespace AyaNova.Api.Controllers
 
             long UserId = UserIdFromContext.Id(HttpContext.Items);
 
-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, dbObj.AttachToObjectType, dbObj.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, dbObj.AttachToObjectType))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }

server/AyaNova/Controllers/DataFilterController.cs

@@ -127,7 +127,7 @@ namespace AyaNova.Api.Controllers
             if (o == null)
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
 
-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
 
             try
@@ -206,7 +206,7 @@ namespace AyaNova.Api.Controllers
             if (o == null)
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
 
-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
 
             if (!biz.Delete(o))

server/AyaNova/Controllers/FormCustomController.cs

@@ -200,7 +200,7 @@ namespace AyaNova.Api.Controllers
             if (o == null)
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
 
-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
 
             try

server/AyaNova/Controllers/LocaleController.cs

@@ -233,7 +233,7 @@ namespace AyaNova.Api.Controllers
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             }
 
-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oDbParent.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.Locale))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }
@@ -299,7 +299,7 @@ namespace AyaNova.Api.Controllers
             }
 
 
-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oFromDb.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.Locale))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }
@@ -367,7 +367,7 @@ namespace AyaNova.Api.Controllers
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             }
 
-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, AyaType.Locale, dbObj.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.Locale))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }

server/AyaNova/Controllers/UserController.cs

@@ -214,7 +214,7 @@ namespace AyaNova.Api.Controllers
             //Instantiate the business object handler       
             UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
 
-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }
@@ -278,7 +278,7 @@ namespace AyaNova.Api.Controllers
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             }
 
-            if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
+            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }
@@ -392,7 +392,7 @@ namespace AyaNova.Api.Controllers
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             }
 
-            if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, dbObj.OwnerId))
+            if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }

server/AyaNova/Controllers/UserOptionsController.cs

@@ -120,7 +120,7 @@ namespace AyaNova.Api.Controllers
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             }
 
-            if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
+            if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }
@@ -189,7 +189,7 @@ namespace AyaNova.Api.Controllers
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             }
 
-            if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
+            if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions, o.OwnerId))
             {
                 return StatusCode(403, new ApiNotAuthorizedResponse());
             }