From f25706b02e22a0f9d2af0c650b2ba77d94cbc7e3 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Mon, 7 Dec 2020 16:19:47 +0000
Subject: [PATCH]

---
 server/AyaNova/Controllers/UserController.cs | 68 +++++++++++++-------
 1 file changed, 43 insertions(+), 25 deletions(-)

diff --git a/server/AyaNova/Controllers/UserController.cs b/server/AyaNova/Controllers/UserController.cs
index 2ba4003d..df004085 100644
--- a/server/AyaNova/Controllers/UserController.cs
+++ b/server/AyaNova/Controllers/UserController.cs
@@ -61,23 +61,30 @@ namespace AyaNova.Api.Controllers
             //Instantiate the business object handler
             UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
-            if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
-            {
+
+            //Also used for Contacts (customer type user or ho type user)
+            //by users with no User right so further biz rule required depending on usertype
+            //this is just phase 1
+            bool AllowedOutsideUser = Authorized.HasReadFullRole(HttpContext.Items, AyaType.Customer);
+            bool AllowedInsideUser = Authorized.HasReadFullRole(HttpContext.Items, AyaType.User);
+
+            if (!AllowedOutsideUser && !AllowedInsideUser)
                 return StatusCode(403, new ApiNotAuthorizedResponse());
-            }
             if (!ModelState.IsValid)
-            {
                 return BadRequest(new ApiErrorResponse(ModelState));
-            }
-
-
-
             var o = await biz.GetAsync(id);
             if (o == null)
-            {
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
-            }
+
+            bool IsOutsideUser = (o.UserType == UserType.Customer || o.UserType == UserType.HeadOffice);
+
+            if (IsOutsideUser && !AllowedOutsideUser)
+                return StatusCode(403, new ApiNotAuthorizedResponse());
+
+            if (!IsOutsideUser && !AllowedInsideUser)
+                return StatusCode(403, new ApiNotAuthorizedResponse());
             return Ok(ApiOkResponse.Response(o));
         }
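Review bot: The post-fetch gate folds HeadOffice contacts into the Customer read right (`bool IsOutsideUser = (o.UserType == UserType.Customer || o.UserType == UserType.HeadOffice);`), whereas the HeadOffice list endpoint later in this same file is documented as requiring rights to the HeadOffice object; if HeadOffice has its own AyaType, the read gate here should presumably derive from it too rather than from `AyaType.Customer` alone. Because the 403 is now issued only after `biz.GetAsync(id)`, a caller holding just one of the two rights can tell an existing user of the other type (403) from a nonexistent id (404); returning `NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND))` in the two type-mismatch branches would remove that enumeration signal. The three new locals are PascalCase (`AllowedOutsideUser`, `AllowedInsideUser`, `IsOutsideUser`), while C# convention is camelCase for locals, e.g. `bool isOutsideUser = ...`. The enclosing method starts before this hunk.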
@@ -97,8 +104,13 @@ namespace AyaNova.Api.Controllers if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); UserBiz biz = UserBiz.GetBiz(ct, HttpContext); - if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType)) + + //Also used for Contacts (customer type user or ho type user) + //by users with no User right so further biz rule required depending on usertype + //this is just phase 1 + if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User) && !Authorized.HasModifyRole(HttpContext.Items, AyaType.Customer)) return StatusCode(403, new ApiNotAuthorizedResponse()); + var o = await biz.PutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token if (o == null) { @@ -126,27 +138,21 @@ namespace AyaNova.Api.Controllers //Instantiate the business object handler UserBiz biz = UserBiz.GetBiz(ct, HttpContext); - //If a user has change roles - if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType)) - { + //Also used for Contacts (customer type user or ho type user) + //by users with no User right so further biz rule required depending on usertype + //this is just phase 1 + if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.User) && !Authorized.HasCreateRole(HttpContext.Items, AyaType.Customer)) return StatusCode(403, new ApiNotAuthorizedResponse()); - } if (!ModelState.IsValid) - { return BadRequest(new ApiErrorResponse(ModelState)); - } - //Create and validate dtUser o = await biz.CreateAsync(inObj); if (o == null) - { - //error return return BadRequest(new ApiErrorResponse(biz.Errors)); - } else { 
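Review bot: The widened check `if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User) && !Authorized.HasModifyRole(HttpContext.Items, AyaType.Customer))` lets a caller holding only the Customer modify right reach `biz.PutAsync(updatedObject)` for any user, including inside (non-contact) users, unless UserBiz enforces the per-usertype rule internally, which is not visible here; the Get hunk in this commit adds that second-stage check, but this Put hunk, the Create hunk at -126 below, and the Duplicate and Delete hunks at -170 and -195 do not, so the comment's "further biz rule required" currently describes an authorization gap rather than a deferred refinement. For Put and Create the type to check should come from the stored record rather than from the request's `updatedObject.UserType` / `inObj.UserType`, and a request that would move a user across the inside/outside boundary should require both rights; for Duplicate and Delete only an id is available, so the record would have to be loaded before the biz call. A per-type check mirroring the Get hunk, `bool isOutsideUser = o.UserType == UserType.Customer || o.UserType == UserType.HeadOffice;` followed by the two 403 branches, placed before the biz call in each of these four methods, would close it. The enclosing methods start outside each hunk.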
@@ -170,8 +176,14 @@ namespace AyaNova.Api.Controllers if (!serverState.IsOpen) return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason)); UserBiz biz = UserBiz.GetBiz(ct, HttpContext); - if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType)) + + + //Also used for Contacts (customer type user or ho type user) + //by users with no User right so further biz rule required depending on usertype + //this is just phase 1 + if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.User) && !Authorized.HasCreateRole(HttpContext.Items, AyaType.Customer)) return StatusCode(403, new ApiNotAuthorizedResponse()); + if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); User o = await biz.DuplicateAsync(id); @@ -195,8 +207,14 @@ namespace AyaNova.Api.Controllers if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); UserBiz biz = UserBiz.GetBiz(ct, HttpContext); - if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType)) + + //Also used for Contacts (customer type user or ho type user) + //by users with no User right so further biz rule required depending on usertype + //this is just phase 1 + if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.User) && !Authorized.HasDeleteRole(HttpContext.Items, AyaType.Customer)) return StatusCode(403, new ApiNotAuthorizedResponse()); + + if (!await biz.DeleteAsync(id)) return BadRequest(new ApiErrorResponse(biz.Errors)); return NoContent(); @@ -295,7 +313,7 @@ namespace AyaNova.Api.Controllers return Ok(ApiOkResponse.Response(ret)); } - /// + /// /// Get list of HeadOffice Contact Users /// (Rights to HeadOffice object required) /// @@ -347,7 +365,7 @@ namespace AyaNova.Api.Controllers return Ok(ApiOkResponse.Response(u.UserType != UserType.Customer && u.UserType != UserType.HeadOffice)); } - + //------------