From a5f9759a7c17829c256de99fc85f941991a69fad Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Tue, 4 Sep 2018 19:07:42 +0000
Subject: [PATCH]
---
 .../AyaNova/ControllerHelpers/Authorized.cs | 6 ++--
 .../Controllers/AttachmentController.cs | 2 +-
 .../AyaNova/Controllers/EventLogController.cs | 4 +--
 .../Controllers/ImportAyaNova7Controller.cs | 2 +-
 .../Controllers/JobOperationsController.cs | 4 +--
 .../AyaNova/Controllers/LicenseController.cs | 2 +-
 .../AyaNova/Controllers/LogFilesController.cs | 4 +--
 .../AyaNova/Controllers/MetricsController.cs | 4 +--
 server/AyaNova/Controllers/TagController.cs | 4 +--
 .../AyaNova/Controllers/TagMapController.cs | 8 ++---
 server/AyaNova/Controllers/UserController.cs | 4 +--
 .../AyaNova/Controllers/WidgetController.cs | 8 ++---
 server/AyaNova/biz/BizRoleSet.cs | 2 +-
 server/AyaNova/biz/BizRoles.cs | 31 +++++++++----------
 test/raven-integration/Widget/WidgetRights.cs | 2 +-
 15 files changed, 43 insertions(+), 44 deletions(-)
diff --git a/server/AyaNova/ControllerHelpers/Authorized.cs b/server/AyaNova/ControllerHelpers/Authorized.cs
index 798ce7b1..14108cef 100644
--- a/server/AyaNova/ControllerHelpers/Authorized.cs
+++ b/server/AyaNova/ControllerHelpers/Authorized.cs
@@ -27,12 +27,12 @@ namespace AyaNova.Api.ControllerHelpers
 ///
- /// READ / GENERAL ACCESS
+ /// READ FULL RECORD (not just name and id)
 ///
 ///
 ///
- internal static bool IsAuthorizedToRead(IDictionary HttpContextItems, AyaType objectType)
+ internal static bool IsAuthorizedToReadFullRecord(IDictionary HttpContextItems, AyaType objectType)
 {
 AuthorizationRoles currentUserRoles = UserRolesFromContext.Roles(HttpContextItems);
@@ -40,7 +40,7 @@ namespace AyaNova.Api.ControllerHelpers
 if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Change))
 return true;
- if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).Read))
+ if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).ReadFullRecord))
 return true;
 return false;
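Review bot: The renamed check on the `+ if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).ReadFullRecord))` line still grants only on Change or ReadFullRecord, so a role that appears in a set's EditOwn alone is denied full-record reads; in this same patch BizRoles.cs narrows one set's ReadFullRecord from AnyRole to BizAdminLimited | InventoryLimited while keeping `EditOwn = AuthorizationRoles.TechFull`, so TechFull can create records it can no longer read back in full unless an ownership path outside this diff covers it. If that is intended, say so in the new XML summary; otherwise add `if (currentUserRoles.HasAnyFlags(BizRoles.GetRoleSet(objectType).EditOwn)) return true;` beside the Change check and leave the owner comparison to the caller. The summary `READ FULL RECORD (not just name and id)` should also state that Change implies ReadFullRecord, since the BizRoles sets now rely on that by omitting Change roles from ReadFullRecord. IsAuthorizedToReadFullRecord starts in the previous hunk and its closing brace lies outside this one.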
diff --git a/server/AyaNova/Controllers/AttachmentController.cs b/server/AyaNova/Controllers/AttachmentController.cs
index 2be62cc1..1c6a1fb8 100644
--- a/server/AyaNova/Controllers/AttachmentController.cs
+++ b/server/AyaNova/Controllers/AttachmentController.cs
@@ -369,7 +369,7 @@ namespace AyaNova.Api.Controllers
 }
 //is this allowed?
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, dbObj.AttachToObjectType))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, dbObj.AttachToObjectType))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/EventLogController.cs b/server/AyaNova/Controllers/EventLogController.cs
index fab9f960..59496292 100644
--- a/server/AyaNova/Controllers/EventLogController.cs
+++ b/server/AyaNova/Controllers/EventLogController.cs
@@ -61,7 +61,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, opt.AyType))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, opt.AyType))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -97,7 +97,7 @@ namespace AyaNova.Api.Controllers
 long UserId = UserIdFromContext.Id(HttpContext.Items);
 //If not authorized to read a user and also not the current user asking for their own log then NO LOG FOR YOU!
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.User) && opt.AyId != UserId)
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.User) && opt.AyId != UserId)
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/ImportAyaNova7Controller.cs b/server/AyaNova/Controllers/ImportAyaNova7Controller.cs
index f8caf17c..bb54b262 100644
--- a/server/AyaNova/Controllers/ImportAyaNova7Controller.cs
+++ b/server/AyaNova/Controllers/ImportAyaNova7Controller.cs
@@ -197,7 +197,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.AyaNova7Import))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.AyaNova7Import))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/JobOperationsController.cs b/server/AyaNova/Controllers/JobOperationsController.cs
index 61546829..1b171098 100644
--- a/server/AyaNova/Controllers/JobOperationsController.cs
+++ b/server/AyaNova/Controllers/JobOperationsController.cs
@@ -63,7 +63,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.JobOperations))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.JobOperations))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -102,7 +102,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.JobOperations))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.JobOperations))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/LicenseController.cs b/server/AyaNova/Controllers/LicenseController.cs
index 6d05e206..420d8736 100644
--- a/server/AyaNova/Controllers/LicenseController.cs
+++ b/server/AyaNova/Controllers/LicenseController.cs
@@ -60,7 +60,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.License))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.License))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/LogFilesController.cs b/server/AyaNova/Controllers/LogFilesController.cs
index 43a1ba16..eec13b0c 100644
--- a/server/AyaNova/Controllers/LogFilesController.cs
+++ b/server/AyaNova/Controllers/LogFilesController.cs
@@ -60,7 +60,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.LogFile))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.LogFile))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -107,7 +107,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.LogFile))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.LogFile))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/MetricsController.cs b/server/AyaNova/Controllers/MetricsController.cs
index 12045c76..01e9346a 100644
--- a/server/AyaNova/Controllers/MetricsController.cs
+++ b/server/AyaNova/Controllers/MetricsController.cs
@@ -60,7 +60,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Metrics))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Metrics))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -91,7 +91,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Metrics))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Metrics))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/TagController.cs b/server/AyaNova/Controllers/TagController.cs
index 804f5799..a904d02c 100644
--- a/server/AyaNova/Controllers/TagController.cs
+++ b/server/AyaNova/Controllers/TagController.cs
@@ -59,7 +59,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Tag))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Tag))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -107,7 +107,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Tag))//Note: anyone can read a tag, but that might change in future so keeping this code in
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Tag))//Note: anyone can read a tag, but that might change in future so keeping this code in
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/TagMapController.cs b/server/AyaNova/Controllers/TagMapController.cs
index dbd44040..e242082b 100644
--- a/server/AyaNova/Controllers/TagMapController.cs
+++ b/server/AyaNova/Controllers/TagMapController.cs
@@ -57,7 +57,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.TagMap))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.TagMap))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -78,7 +78,7 @@ namespace AyaNova.Api.Controllers
 }
 //Check rights to parent tagged object
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, o.TagToObjectType))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, o.TagToObjectType))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -216,7 +216,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Tag))//Note: anyone can read a tag, but that might change in future so keeping this code in
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Tag))//Note: anyone can read a tag, but that might change in future so keeping this code in
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -228,7 +228,7 @@ namespace AyaNova.Api.Controllers
 //Check rights to parent tagged object
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, inObj.ObjectType))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, inObj.ObjectType))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/UserController.cs b/server/AyaNova/Controllers/UserController.cs
index 69a04e83..05a83e5c 100644
--- a/server/AyaNova/Controllers/UserController.cs
+++ b/server/AyaNova/Controllers/UserController.cs
@@ -62,7 +62,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.User))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.User))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -107,7 +107,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.User))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.User))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/Controllers/WidgetController.cs b/server/AyaNova/Controllers/WidgetController.cs
index 1976a2f7..afe19226 100644
--- a/server/AyaNova/Controllers/WidgetController.cs
+++ b/server/AyaNova/Controllers/WidgetController.cs
@@ -65,7 +65,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Widget))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Widget))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -108,7 +108,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Widget))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Widget))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -437,7 +437,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Widget))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Widget))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
@@ -457,7 +457,7 @@ namespace AyaNova.Api.Controllers
 return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason));
 }
- if (!Authorized.IsAuthorizedToRead(HttpContext.Items, AyaType.Widget))
+ if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Widget))
 {
 return StatusCode(401, new ApiNotAuthorizedResponse());
 }
diff --git a/server/AyaNova/biz/BizRoleSet.cs b/server/AyaNova/biz/BizRoleSet.cs
index 985131ec..401511ba 100644
--- a/server/AyaNova/biz/BizRoleSet.cs
+++ b/server/AyaNova/biz/BizRoleSet.cs
@@ -8,7 +8,7 @@ namespace AyaNova.Biz
 {
 public AuthorizationRoles Change { get; set; }
 public AuthorizationRoles EditOwn { get; set; }
- public AuthorizationRoles Read { get; set; }
+ public AuthorizationRoles ReadFullRecord { get; set; }
 }//eoc
diff --git a/server/AyaNova/biz/BizRoles.cs b/server/AyaNova/biz/BizRoles.cs
index 1bf7075a..704e079f 100644
--- a/server/AyaNova/biz/BizRoles.cs
+++ b/server/AyaNova/biz/BizRoles.cs
@@ -22,8 +22,8 @@ namespace AyaNova.Biz
 //HOW THIS WORKS / WHATS EXPECTED
 //CHANGE = CREATE, RETRIEVE, UPDATE, DELETE - Full rights
 //EDITOWN = special subset of CHANGE: You can create and if it's one you created then you have rights to edit it or delete, but you can't edit ones others have created
- //READ = You can read *all* the fields of the record, but can't modify it.
- //PICKLIST NOTE: this does not control getting a list of names for selection which is role independent because it's required for so much indirectly
+ //READ = You can read *all* the fields of the record, but can't modify it. Change is automatically checked for so only add different roles from change
+ //PICKLIST NOTE: this does not control getting a list of names for selection which is role independent because it's required for so much indirectly
 //DELETE = There is no specific delete right for now though it's checked for by routes in Authorized.cs in case we want to add it in future as a separate right from create.
 #region All roles initialization
@@ -35,7 +35,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.BizAdminFull,
 EditOwn = AuthorizationRoles.NoRole,//no one can make a user but a bizadminfull
- Read = AuthorizationRoles.BizAdminFull | AuthorizationRoles.BizAdminLimited
+ ReadFullRecord = AuthorizationRoles.BizAdminLimited
 });
 ////////////////////////////////////////////////////////////
@@ -45,7 +45,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.InventoryFull,
 EditOwn = AuthorizationRoles.TechFull,
- Read = AuthorizationRoles.AnyRole
+ ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.InventoryLimited
 });
 ////////////////////////////////////////////////////////////
@@ -55,7 +55,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.OpsAdminFull,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.AnyRole
+ ReadFullRecord = AuthorizationRoles.AnyRole
 });
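Review bot: The legend line `+ //READ = You can read *all* the fields of the record, but can't modify it. Change is automatically checked for so only add different roles from change` still uses the old name while the property this patch renames is ReadFullRecord, and it does not say that EditOwn is not consulted for reads, which is the one non-obvious rule in the new Authorized.IsAuthorizedToReadFullRecord. I would rewrite it as `//READFULLRECORD = You can read *all* the fields of the record (not just name and id), but can't modify it. Change roles are implied and need not be listed here; EditOwn roles are NOT implied and must be listed if they should read full records.` The `- //PICKLIST NOTE` / `+ //PICKLIST NOTE` pair appears to differ only in whitespace, which is noise in a permissions change and worth dropping from the commit. The `#region` this legend heads continues past the hunk.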
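Review bot: The line `+ ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.InventoryLimited` in the -45 hunk narrows this set from AnyRole while `EditOwn = AuthorizationRoles.TechFull` stays, and Authorized.IsAuthorizedToReadFullRecord in this same patch grants only on Change and ReadFullRecord, so TechFull can create and edit records of this type but is refused a full read of them by every controller that now calls that helper, unless an ownership-aware path outside this diff handles it. If TechFull is meant to see the full record, add it here, `ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.InventoryLimited | AuthorizationRoles.TechFull`; if only its own records, the helper needs an EditOwn branch plus an owner check in the caller. The AyaType this set is registered under is outside the hunk, so a role-rights integration test for it, in the style of the Widget one this patch touches, would pin the intended matrix for both the allowed and the newly denied roles.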
@@ -66,7 +66,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.OpsAdminFull,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.OpsAdminLimited
+ ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.OpsAdminLimited
 });
 ////////////////////////////////////////////////////////////
@@ -76,7 +76,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.NoRole,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.OpsAdminFull | AuthorizationRoles.OpsAdminLimited
+ ReadFullRecord = AuthorizationRoles.OpsAdminFull | AuthorizationRoles.OpsAdminLimited
 });
 ////////////////////////////////////////////////////////////
@@ -86,7 +86,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.DispatchFull | AuthorizationRoles.InventoryFull | AuthorizationRoles.TechFull | AuthorizationRoles.AccountingFull,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.AnyRole
+ ReadFullRecord = AuthorizationRoles.AnyRole
 });
 ////////////////////////////////////////////////////////////
@@ -96,30 +96,29 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.AnyRole,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.AnyRole
+ ReadFullRecord = AuthorizationRoles.AnyRole
 });
 ////////////////////////////////////////////////////////////
- //OPERATIONS
+ //OPERATIONS / JOBS
 //Only opsfull can change operations
 //ops and biz admin can view operations
 roles.Add(AyaType.JobOperations, new BizRoleSet()
 {
 Change = AuthorizationRoles.OpsAdminFull,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.OpsAdminLimited | AuthorizationRoles.BizAdminFull | AuthorizationRoles.BizAdminLimited
+ ReadFullRecord = AuthorizationRoles.OpsAdminLimited | AuthorizationRoles.BizAdminFull | AuthorizationRoles.BizAdminLimited
 });
 ////////////////////////////////////////////////////////////
 //AyaNova7Import
- //Only opsfull can change operations
- //opsfull can view operations
+ //Only opsfull can change operations and view
 roles.Add(AyaType.AyaNova7Import, new BizRoleSet()
 {
 Change = AuthorizationRoles.OpsAdminFull,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.OpsAdminFull
+ ReadFullRecord = AuthorizationRoles.NoRole
 });
@@ -130,7 +129,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.NoRole,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.OpsAdminFull | AuthorizationRoles.OpsAdminLimited
+ ReadFullRecord = AuthorizationRoles.OpsAdminFull | AuthorizationRoles.OpsAdminLimited
 });
@@ -141,7 +140,7 @@ namespace AyaNova.Biz
 {
 Change = AuthorizationRoles.BizAdminFull | AuthorizationRoles.OpsAdminFull,
 EditOwn = AuthorizationRoles.NoRole,
- Read = AuthorizationRoles.AnyRole
+ ReadFullRecord = AuthorizationRoles.AnyRole
 });
diff --git a/test/raven-integration/Widget/WidgetRights.cs b/test/raven-integration/Widget/WidgetRights.cs
index 124c7392..9c2a927f 100644
--- a/test/raven-integration/Widget/WidgetRights.cs
+++ b/test/raven-integration/Widget/WidgetRights.cs
@@ -28,7 +28,7 @@ namespace raven_integration
 [Fact]
 public async void ServerShouldNotAllowReadUnauthorizedAccess()
 {
- ApiResponse a = await Util.GetAsync("Widget/list", await Util.GetTokenAsync( "OpsAdminFull"));
+ ApiResponse a = await Util.GetAsync("Widget/listwidgets", await Util.GetTokenAsync( "OpsAdminFull"));
 //2004 unauthorized
 Util.ValidateErrorCodeResponse(a, 2004, 401);
 }