admin/raven
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Browse Source
This commit is contained in:
John Cardinal
2019-05-16 22:28:28 +00:00
parent acc40671a0
commit 8fe776a3ac
21 changed files with 137 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
devdocs/specs/core-roles.txt
View File

@@ -5,17 +5,18 @@ From case https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/1809
RAVEN will replace security rights system of v7 with a role based system instead
I'm using an int flags enum which means a maximum of 32 possible roles unless I bump it up to a long but don't really want to as this number will be thrown around the api a lot
TODO: Fill this out as I code.
ROLES set general accessibility to change or delete or read objects, however Business rules may further restrict on top of that.
**DELETE RIGHTS***
If you can modify an object you can delete an object
If you can modify an object you can delete an object unless business rules say otherwise
**LIMITED ROLES / BUSINESS RULES LIMITATIONS **
(formerly self owned)
In some cases business rules may further restrict what a user can do.
For example a SubContractorLimited has the change right to a workorder, but in fact the workorder itself has business rules that limit that drastically down to almost nothing but a single area entry in labor
**OWNER LIMITED ROLES**
Limited roles in some cases can create an object but can only edit or delete objects they created
?? STILL BEING PLANNED OUT SEE BELOW AT BOTTOM ??
## ROLES

15
devdocs/todo.txt
View File

@@ -6,9 +6,20 @@ Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOiIxNTQ3NTgwMzg2IiwiZXhwIjoi
## IMMEDIATE ITEMS
Do I need ownerId for anything if it's not being used anymore for rules??
- Get rid of it in all rights stuff first, then widget then the rest and rename for the below specific things to UserId instead
- DataFilter uses it for a different purpose in that there are public and private filters
- After removing everywhere else maybe if this is the only holdout rename the field to userID or something?
- Semantically makes more sense
- Also helps so we can have no remnants of ownerId anywhere to make it easier to see what's been fixed / changed.
- EventLog uses it to log people's changes so an eventlog entry might be owned by Jim but it refers to an action Jim made on another object such as edit it maybe
- Could be renamed to UserId as well
- Event object uses it see eventlog above
- FormCustom uses it much like DataFilter does, could also be renamed to UserId and semantically be better
EDIT OWN PLANNING FIRST
- Now all in core-roles.txt
OwnerID is put on httpcontext in startup.cs, will it still be necessary?
Clean up owner ID and rules now that it's deprecated
Fix tests until they run properly
NOT THIS: QB TLS STUFF, SERVER UPDATES, MAIL SERVER CONFIG CHECK AND UPDATE
AFTER THAT FIGURE OUT SELF OWNED RIGHTS / SUBCONTRACTOR

49
server/AyaNova/ControllerHelpers/Authorized.cs
View File

@@ -43,10 +43,10 @@ namespace AyaNova.Api.ControllerHelpers
/// <param name="HttpContextItems"></param>
/// <param name="objectType"></param>
/// <returns></returns>
internal static bool IsAuthorizedToReadFullRecord(IDictionary<object, object> HttpContextItems, AyaType objectType)
internal static bool HasReadFullRole(IDictionary<object, object> HttpContextItems, AyaType objectType)
{
AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems);
return IsAuthorizedToReadFullRecord(currentUserRoles, objectType);
return HasReadFullRole(currentUserRoles, objectType);
}
/// <summary>
@@ -55,7 +55,7 @@ namespace AyaNova.Api.ControllerHelpers
/// <param name="currentUserRoles"></param>
/// <param name="objectType"></param>
/// <returns></returns>
internal static bool IsAuthorizedToReadFullRecord(AuthorizationRoles currentUserRoles, AyaType objectType)
internal static bool HasReadFullRole(AuthorizationRoles currentUserRoles, AyaType objectType)
{
//NOTE: this assumes that if you can change you can read
if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change))
@@ -75,10 +75,10 @@ namespace AyaNova.Api.ControllerHelpers
/// <param name="HttpContextItems"></param>
/// <param name="objectType"></param>
/// <returns></returns>
internal static bool IsAuthorizedToCreate(IDictionary<object, object> HttpContextItems, AyaType objectType)
internal static bool HasCreateRole(IDictionary<object, object> HttpContextItems, AyaType objectType)
{
AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems);
return IsAuthorizedToCreate(currentUserRoles, objectType);
return HasCreateRole(currentUserRoles, objectType);
}
/// <summary>
@@ -87,14 +87,11 @@ namespace AyaNova.Api.ControllerHelpers
/// <param name="currentUserRoles"></param>
/// <param name="objectType"></param>
/// <returns></returns>
internal static bool IsAuthorizedToCreate(AuthorizationRoles currentUserRoles, AyaType objectType)
internal static bool HasCreateRole(AuthorizationRoles currentUserRoles, AyaType objectType)
{
if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change))
return true;
if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).EditOwn))
return true;
return false;
}
@@ -107,13 +104,13 @@ namespace AyaNova.Api.ControllerHelpers
/// </summary>
/// <param name="HttpContextItems"></param>
/// <param name="objectType"></param>
/// <param name="ownerId"></param>
/// <returns></returns>
internal static bool IsAuthorizedToModify(IDictionary<object, object> HttpContextItems, AyaType objectType, long ownerId = -1)
internal static bool HasModifyRole(IDictionary<object, object> HttpContextItems, AyaType objectType)
{
AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems);
long currentUserId = UserIdFromContext.Id(HttpContextItems);
return IsAuthorizedToModify(currentUserRoles, currentUserId, objectType, ownerId);
return HasModifyRole(currentUserRoles, objectType);
}
@@ -121,19 +118,12 @@ namespace AyaNova.Api.ControllerHelpers
/// MODIFY
/// </summary>
/// <param name="currentUserRoles"></param>
/// <param name="currentUserId"></param>
/// <param name="objectType"></param>
/// <param name="ownerId"></param>
/// <returns></returns>
internal static bool IsAuthorizedToModify(AuthorizationRoles currentUserRoles, long currentUserId, AyaType objectType, long ownerId = -1)
internal static bool HasModifyRole(AuthorizationRoles currentUserRoles, AyaType objectType)
{
if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change))
return true;
if (ownerId != -1)
if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).EditOwn) && ownerId == currentUserId)
return true;
return false;
}
@@ -145,34 +135,29 @@ namespace AyaNova.Api.ControllerHelpers
/// </summary>
/// <param name="HttpContextItems"></param>
/// <param name="objectType"></param>
/// <param name="ownerId"></param>
/// <returns></returns>
//For now just going to treat as a modify, but for maximum flexibility keeping this as a separate method in case we change our minds in future
internal static bool IsAuthorizedToDelete(IDictionary<object, object> HttpContextItems, AyaType objectType, long ownerId = 1)
internal static bool HasDeleteRole(IDictionary<object, object> HttpContextItems, AyaType objectType)
{
AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems);
long currentUserId = UserIdFromContext.Id(HttpContextItems);
return IsAuthorizedToDelete(currentUserRoles, currentUserId, objectType, ownerId);
return HasDeleteRole(currentUserRoles, objectType);
}
/// <summary>
/// DELETE
/// </summary>
/// <param name="currentUserRoles"></param>
/// <param name="currentUserId"></param>
/// <param name="objectType"></param>
/// <param name="ownerId"></param>
/// <param name="currentUserRoles"></param>
/// <param name="objectType"></param>
/// <returns></returns>
//For now just going to treat as a modify, but for maximum flexibility keeping this as a separate method in case we change our minds in future
internal static bool IsAuthorizedToDelete(AuthorizationRoles currentUserRoles, long currentUserId, AyaType objectType, long ownerId = 1)
internal static bool HasDeleteRole(AuthorizationRoles currentUserRoles, AyaType objectType)
{
if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change))
return true;
if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).EditOwn) && ownerId == currentUserId)
return true;
return false;
}

20
server/AyaNova/Controllers/AttachmentController.cs
View File

@@ -186,14 +186,14 @@ namespace AyaNova.Api.Controllers
if (!badRequest)
{
//check if object exists
long attachToObjectOwnerId = attachToObject.OwnerId(ct);
if (attachToObjectOwnerId == -1)
{
badRequest = true;
errorMessage = "Invalid attach object";
}
else
{
// long attachToObjectOwnerId = attachToObject.OwnerId(ct);
// if (attachToObjectOwnerId == -1)
// {
// badRequest = true;
// errorMessage = "Invalid attach object";
// }
// else
// {
// User needs modify rights to the object type in question
if (!Authorized.IsAuthorizedToModify(HttpContext.Items, attachToObject.ObjectType, attachToObjectOwnerId))
{
@@ -202,7 +202,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(403, new ApiNotAuthorizedResponse());
}
}
//}
}
@@ -369,7 +369,7 @@ namespace AyaNova.Api.Controllers
}
//is this allowed?
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, dbObj.AttachToObjectType))
if (!Authorized.HasReadFullRole(HttpContext.Items, dbObj.AttachToObjectType))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

6
server/AyaNova/Controllers/DataFilterController.cs
View File

@@ -61,7 +61,7 @@ namespace AyaNova.Api.Controllers
//Instantiate the business object handler
DataFilterBiz biz = DataFilterBiz.GetBiz(ct, HttpContext);
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -71,7 +71,7 @@ namespace AyaNova.Api.Controllers
if (o == null)
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
return Ok(ApiOkResponse.Response(o, !Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType)));
return Ok(ApiOkResponse.Response(o, !Authorized.HasModifyRole(HttpContext.Items, biz.BizType)));
}
@@ -164,7 +164,7 @@ namespace AyaNova.Api.Controllers
DataFilterBiz biz = DataFilterBiz.GetBiz(ct, HttpContext);
//If a user has change roles, or editOwnRoles then they can create, true is passed for isOwner since they are creating so by definition the owner
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType))
if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)

4
server/AyaNova/Controllers/EventLogController.cs
View File

@@ -61,7 +61,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, opt.AyType))
if (!Authorized.HasReadFullRole(HttpContext.Items, opt.AyType))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -97,7 +97,7 @@ namespace AyaNova.Api.Controllers
long UserId = UserIdFromContext.Id(HttpContext.Items);
//If not authorized to read a user and also not the current user asking for their own log then NO LOG FOR YOU!
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.User) && opt.AyId != UserId)
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.User) && opt.AyId != UserId)
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

12
server/AyaNova/Controllers/FormCustomController.cs
View File

@@ -66,7 +66,7 @@ namespace AyaNova.Api.Controllers
FormCustomBiz biz = FormCustomBiz.GetBiz(ct, HttpContext);
//Just have to be authenticated for this one
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -87,7 +87,7 @@ namespace AyaNova.Api.Controllers
}
}
return Ok(ApiOkResponse.Response(o, !Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType)));
return Ok(ApiOkResponse.Response(o, !Authorized.HasModifyRole(HttpContext.Items, biz.BizType)));
}
@@ -109,7 +109,7 @@ namespace AyaNova.Api.Controllers
if (serverState.IsClosed)
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.FormCustom))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.FormCustom))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -140,7 +140,7 @@ namespace AyaNova.Api.Controllers
if (serverState.IsClosed)
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.FormCustom))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.FormCustom))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -164,7 +164,7 @@ namespace AyaNova.Api.Controllers
if (serverState.IsClosed)
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.FormCustom))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.FormCustom))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -236,7 +236,7 @@ namespace AyaNova.Api.Controllers
FormCustomBiz biz = FormCustomBiz.GetBiz(ct, HttpContext);
//check rights
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType))
if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)

8
server/AyaNova/Controllers/ImportAyaNova7Controller.cs
View File

@@ -71,7 +71,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.AyaNova7Import))
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.AyaNova7Import))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -164,7 +164,7 @@ namespace AyaNova.Api.Controllers
}
if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, AyaType.AyaNova7Import))
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.AyaNova7Import))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -192,7 +192,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.AyaNova7Import))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.AyaNova7Import))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -245,7 +245,7 @@ namespace AyaNova.Api.Controllers
// #endif
//Create, in that they are creating new data in AyaNova
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.AyaNova7Import))
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.AyaNova7Import))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

4
server/AyaNova/Controllers/JobOperationsController.cs
View File

@@ -63,7 +63,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.JobOperations))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.JobOperations))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -102,7 +102,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.JobOperations))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.JobOperations))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

6
server/AyaNova/Controllers/LicenseController.cs
View File

@@ -60,7 +60,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.License))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.License))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -92,7 +92,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.License))
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.License))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -155,7 +155,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.License))
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.License))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

4
server/AyaNova/Controllers/LogFilesController.cs
View File

@@ -60,7 +60,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.LogFile))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.LogFile))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -107,7 +107,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.LogFile))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.LogFile))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

4
server/AyaNova/Controllers/MetricsController.cs
View File

@@ -60,7 +60,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Metrics))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.Metrics))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -90,7 +90,7 @@ namespace AyaNova.Api.Controllers
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
}
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Metrics))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.Metrics))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

2
server/AyaNova/Controllers/ServerStateController.cs
View File

@@ -68,7 +68,7 @@ namespace AyaNova.Api.Controllers
[Authorize]
public ActionResult PostServerState([FromBody] ServerStateModel state)
{
if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.ServerState))
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.ServerState))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

10
server/AyaNova/Controllers/UserController.cs
View File

@@ -65,7 +65,7 @@ namespace AyaNova.Api.Controllers
//Instantiate the business object handler
UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -83,7 +83,7 @@ namespace AyaNova.Api.Controllers
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
}
return Ok(ApiOkResponse.Response(o, !Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType)));
return Ok(ApiOkResponse.Response(o, !Authorized.HasModifyRole(HttpContext.Items, biz.BizType)));
}
@@ -105,7 +105,7 @@ namespace AyaNova.Api.Controllers
//Instantiate the business object handler
UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
return Ok(new
@@ -135,7 +135,7 @@ namespace AyaNova.Api.Controllers
//Instantiate the business object handler
UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -328,7 +328,7 @@ namespace AyaNova.Api.Controllers
UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
//If a user has change roles, or editOwnRoles then they can create, true is passed for isOwner since they are creating so by definition the owner
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType))
if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}

4
server/AyaNova/Controllers/UserOptionsController.cs
View File

@@ -68,7 +68,7 @@ namespace AyaNova.Api.Controllers
var UserId = UserIdFromContext.Id(HttpContext.Items);
//Different than normal here: a user is *always* allowed to retrieve their own user options object
if (id != UserId && !Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.UserOptions))
if (id != UserId && !Authorized.HasReadFullRole(HttpContext.Items, AyaType.UserOptions))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
@@ -83,7 +83,7 @@ namespace AyaNova.Api.Controllers
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
}
return Ok(ApiOkResponse.Response(o, !Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType)));
return Ok(ApiOkResponse.Response(o, !Authorized.HasModifyRole(HttpContext.Items, biz.BizType)));
}

22
server/AyaNova/Controllers/WidgetController.cs
View File

@@ -64,7 +64,8 @@ namespace AyaNova.Api.Controllers
//Instantiate the business object handler
WidgetBiz biz = WidgetBiz.GetBiz(ct, HttpContext);
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
//NOTE: This is the first check and often the only check but in some cases with some objects this will also need to check biz object rules
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -74,7 +75,10 @@ namespace AyaNova.Api.Controllers
if (o == null)
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
return Ok(ApiOkResponse.Response(o, !Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType)));
// NOTE: HERE would be the second check of biz rules before returning the object
// in cases where there is also a business rule to affect retrieval on top of basic rights
return Ok(ApiOkResponse.Response(o, !Authorized.HasModifyRole(HttpContext.Items, biz.BizType)));
}
@@ -95,7 +99,7 @@ namespace AyaNova.Api.Controllers
//Instantiate the business object handler
WidgetBiz biz = WidgetBiz.GetBiz(ct, HttpContext);
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
return Ok(new
@@ -121,7 +125,7 @@ namespace AyaNova.Api.Controllers
//Instantiate the business object handler
WidgetBiz biz = WidgetBiz.GetBiz(ct, HttpContext);
if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType))
if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -185,7 +189,7 @@ namespace AyaNova.Api.Controllers
if (o == null)
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
try
@@ -234,7 +238,7 @@ namespace AyaNova.Api.Controllers
if (o == null)
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId))
if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
try
@@ -272,7 +276,7 @@ namespace AyaNova.Api.Controllers
WidgetBiz biz = WidgetBiz.GetBiz(ct, HttpContext);
//If a user has change roles, or editOwnRoles then they can create, true is passed for isOwner since they are creating so by definition the owner
if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType))
if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
@@ -315,7 +319,7 @@ namespace AyaNova.Api.Controllers
if (o == null)
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, o.OwnerId))
if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!biz.Delete(o))
@@ -360,7 +364,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.JobOperations))
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.JobOperations))
return StatusCode(403, new ApiNotAuthorizedResponse());
//Create the job here

64
server/AyaNova/biz/AyaObjectOwnerId.cs
View File

@@ -1,48 +1,48 @@
using AyaNova.Models;
using AyaNova.Biz;
// using AyaNova.Models;
// using AyaNova.Biz;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Metadata;
using System.Reflection;
using System;
// using Microsoft.EntityFrameworkCore;
// using Microsoft.EntityFrameworkCore.Metadata;
// using System.Reflection;
// using System;
namespace AyaNova.Biz
{
// namespace AyaNova.Biz
// {
/// <summary>
/// Returns owner Id if the object exists or 0 if exists but there is no owner ID property or -1 if the object doesn't exist
/// </summary>
internal static class AyaObjectOwnerId
{
internal static long Get(AyaTypeId o, AyContext ct)
{
if (o.IsEmpty) return -1;
// /// <summary>
// /// Returns owner Id if the object exists or 0 if exists but there is no owner ID property or -1 if the object doesn't exist
// /// </summary>
// internal static class AyaObjectOwnerId
// {
// internal static long Get(AyaTypeId o, AyContext ct)
// {
// if (o.IsEmpty) return -1;
//Get the type of the model of AyaObject
Type t = Type.GetType("AyaNova.Models." + o.ObjectType.ToString());
// //Get the type of the model of AyaObject
// Type t = Type.GetType("AyaNova.Models." + o.ObjectType.ToString());
//Run a find query on the db context based on the model's type
object record = ct.Find(t, o.ObjectId);
if (record == null)
{
return -1;
}
// //Run a find query on the db context based on the model's type
// object record = ct.Find(t, o.ObjectId);
// if (record == null)
// {
// return -1;
// }
PropertyInfo ownerIdPropertyInfo = record.GetType().GetProperty("OwnerId");
// PropertyInfo ownerIdPropertyInfo = record.GetType().GetProperty("OwnerId");
if (ownerIdPropertyInfo == null)
return 0;//object exists and it doesn't have an ownerID property
// if (ownerIdPropertyInfo == null)
// return 0;//object exists and it doesn't have an ownerID property
long ret = (long)ownerIdPropertyInfo.GetValue(record, null);
// long ret = (long)ownerIdPropertyInfo.GetValue(record, null);
return ret;
// return ret;
}
// }
}
// }
}//eons
// }//eons

18
server/AyaNova/biz/AyaTypeId.cs
View File

@@ -71,15 +71,15 @@ namespace AyaNova.Biz
}
}
/// <summary>
/// Get the ownerId for the object in question
/// </summary>
/// <param name="ct">db context</param>
/// <returns>0 if object doesn't have an owner Id, the owner Id or -1 if the object doesn't exist in the db</returns>
public long OwnerId(AyContext ct)
{
return AyaObjectOwnerId.Get(this, ct);
}
// /// <summary>
// /// Get the ownerId for the object in question
// /// </summary>
// /// <param name="ct">db context</param>
// /// <returns>0 if object doesn't have an owner Id, the owner Id or -1 if the object doesn't exist in the db</returns>
// public long OwnerId(AyContext ct)
// {
// return AyaObjectOwnerId.Get(this, ct);
// }
/// <summary>

3
server/AyaNova/biz/BizRoleSet.cs
View File

@@ -6,8 +6,7 @@ namespace AyaNova.Biz
/// </summary>
public class BizRoleSet
{
public AuthorizationRoles Change { get; set; }
public AuthorizationRoles EditOwn { get; set; }
public AuthorizationRoles Change { get; set; }
public AuthorizationRoles ReadFullRecord { get; set; }
}//eoc

14
server/AyaNova/biz/BizRoles.cs
View File

@@ -36,8 +36,7 @@ namespace AyaNova.Biz
//
roles.Add(AyaType.User, new BizRoleSet()
{
Change = AuthorizationRoles.BizAdminFull,
EditOwn = AuthorizationRoles.NoRole,//no one can make a user but a bizadminfull
Change = AuthorizationRoles.BizAdminFull,
ReadFullRecord = AuthorizationRoles.BizAdminLimited
});
@@ -48,7 +47,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.UserOptions, new BizRoleSet()
{
Change = AuthorizationRoles.BizAdminFull,
EditOwn = AuthorizationRoles.NoRole,//no one can make a user but a bizadminfull
ReadFullRecord = AuthorizationRoles.BizAdminLimited
});
@@ -60,7 +58,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.Widget, new BizRoleSet()
{
Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.InventoryFull,
EditOwn = AuthorizationRoles.TechFull,
ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.InventoryLimited
});
@@ -70,7 +67,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.ServerState, new BizRoleSet()
{
Change = AuthorizationRoles.OpsAdminFull,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.AnyRole
});
@@ -81,7 +77,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.License, new BizRoleSet()
{
Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.OpsAdminFull,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.OpsAdminLimited
});
@@ -91,7 +86,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.LogFile, new BizRoleSet()
{
Change = AuthorizationRoles.NoRole,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.OpsAdminFull | AuthorizationRoles.OpsAdminLimited
});
@@ -105,7 +99,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.JobOperations, new BizRoleSet()
{
Change = AuthorizationRoles.OpsAdminFull,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.OpsAdminLimited | AuthorizationRoles.BizAdminFull | AuthorizationRoles.BizAdminLimited
});
@@ -115,7 +108,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.AyaNova7Import, new BizRoleSet()
{
Change = AuthorizationRoles.OpsAdminFull,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.NoRole
});
@@ -126,7 +118,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.Metrics, new BizRoleSet()
{
Change = AuthorizationRoles.NoRole,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.OpsAdminFull | AuthorizationRoles.OpsAdminLimited
});
@@ -137,7 +128,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.Locale, new BizRoleSet()
{
Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.OpsAdminFull,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.AnyRole
});
@@ -148,7 +138,6 @@ namespace AyaNova.Biz
roles.Add(AyaType.DataFilter, new BizRoleSet()
{
Change = AuthorizationRoles.BizAdminFull,
EditOwn = AuthorizationRoles.AnyRole,
ReadFullRecord = AuthorizationRoles.AnyRole
});
@@ -159,7 +148,6 @@ namespace AyaNova.Biz
{
//Only BizAdminFull can modify forms
Change = AuthorizationRoles.BizAdminFull,
EditOwn = AuthorizationRoles.NoRole,
ReadFullRecord = AuthorizationRoles.AnyRole
});

2
server/AyaNova/biz/Search.cs
View File

@@ -313,7 +313,7 @@ namespace AyaNova.Biz
List<AyaTypeId> CanReadMatchingObjects = new List<AyaTypeId>();
foreach (AyaTypeId t in MatchingObjects)
{
if (AyaNova.Api.ControllerHelpers.Authorized.IsAuthorizedToReadFullRecord(currentUserRoles, t.ObjectType))
if (AyaNova.Api.ControllerHelpers.Authorized.HasReadFullRole(currentUserRoles, t.ObjectType))
{
CanReadMatchingObjects.Add(t);
}