        /// <summary>
        /// Extends the base PATCH validation with authorization checks for the privileged user flags
        /// and rejects any attempt to rewrite the immutable Uuid.
        /// </summary>
        /// <param name="delta">The incoming PATCH delta for the user.</param>
        /// <param name="entity">The persisted user the delta is applied to.</param>
        /// <returns>
        /// The base validation error when there is one; otherwise Forbidden when the caller lacks the
        /// global permission required for a stakeholder-access or global-admin change, BadRequest when
        /// the Uuid is changed, or none when the patch is acceptable.
        /// </returns>
        protected override Maybe<IHttpActionResult> ValidatePatch(Delta<User> delta, User entity)
        {
            var outcome = base.ValidatePatch(delta, entity);
            if (!outcome.IsNone)
            {
                // Base validation already produced an error; the privileged-flag checks are skipped.
                return outcome;
            }

            var touched = delta.GetChangedPropertyNames().ToHashSet();

            // Changing stakeholder access requires the StakeHolderAccess global permission.
            if (AttemptToChangeStakeHolderAccess(delta, entity, touched)
                && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.StakeHolderAccess)))
            {
                outcome = Forbidden();
            }

            // Changing the global-admin flag requires the GlobalAdmin global permission.
            if (AttemptToChangeGlobalAdminFlag(delta, entity, touched)
                && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.GlobalAdmin)))
            {
                outcome = Forbidden();
            }

            // The Uuid is immutable. This check runs last and takes precedence over a pending Forbidden result.
            if (AttemptToChangeUuid(delta, entity, touched))
            {
                return BadRequest("Uuid cannot be changed");
            }

            return outcome;
        }
        /// <summary>
        /// PATCH handler for users that gates the privileged fields before delegating to the base implementation.
        /// </summary>
        /// <param name="id">Id of the user to patch.</param>
        /// <param name="organizationId">Organization the patch is issued for; passed through unchanged to the base handler.</param>
        /// <param name="obj">Raw JSON body; its keys are matched case-insensitively against the UserDTO source members.</param>
        /// <returns>
        /// NotFound when no user has the given id, BadRequest when the Uuid is changed, Forbidden when the caller
        /// lacks the global permission for a global-admin promotion or a stakeholder-access change, otherwise the
        /// result of the base PATCH.
        /// </returns>
        public override HttpResponseMessage Patch(int id, int organizationId, JObject obj)
        {
            var target = Repository.AsQueryable().ById(id);
            if (target == null)
            {
                return NotFound();
            }

            // Only property maps with a source member can be matched against a JSON key.
            var mappedMembers = Mapper.ConfigurationProvider
                .FindTypeMapFor<UserDTO, User>()
                .PropertyMaps
                .Where(m => m.SourceMember != null)
                .ToList();

            foreach (var pair in obj)
            {
                // NOTE(review): this key matching decides which fields are gated below. It must agree with the
                // matching base.Patch applies to the same body, otherwise a key recognised only by the base
                // handler would bypass these checks — confirm against the base implementation.
                var member = mappedMembers.SingleOrDefault(m => m.SourceMember.Name.Equals(pair.Key, StringComparison.InvariantCultureIgnoreCase));
                if (member == null)
                {
                    continue; // keys without a property map are not gated here
                }

                var token = pair.Value;

                switch (member.DestinationName)
                {
                    case nameof(Core.DomainModel.User.Uuid):
                        // A missing value and a differing value both count as an attempt to change the Uuid.
                        if (token?.Value<Guid>() != target.Uuid)
                        {
                            return BadRequest($"{nameof(Core.DomainModel.User.Uuid)}cannot be updated");
                        }
                        break;

                    case nameof(Core.DomainModel.User.IsGlobalAdmin):
                        // Only promotion to global admin (value true) is gated; false or missing passes through.
                        // NOTE(review): revoking the flag from a global admin is therefore not permission-checked here — confirm intended.
                        if ((token?.Value<bool>()).GetValueOrDefault()
                            && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.GlobalAdmin)))
                        {
                            return Forbidden();
                        }
                        break;

                    case nameof(Core.DomainModel.User.HasStakeHolderAccess):
                        // Any change of stakeholder access (grant or revoke) requires the global permission.
                        if (target.HasStakeHolderAccess != (token?.Value<bool>()).GetValueOrDefault()
                            && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.StakeHolderAccess)))
                        {
                            return Forbidden();
                        }
                        break;
                }
            }

            return base.Patch(id, organizationId, obj);
        }
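        /// <summary>
        /// OData action that creates a user, optionally sending a creation mail.
        /// </summary>
        /// <param name="parameters">
        /// Action parameters: "user" (the <see cref="User"/> to create), "organizationId" (int, defaults to 0)
        /// and "sendMailOnCreation" (bool, defaults to false).
        /// </param>
        /// <returns>
        /// BadRequest carrying the model state when the input is invalid, no user was supplied, the email is already
        /// in use, or the caller lacks the global permission for a requested privileged flag; otherwise Created with
        /// the stored user.
        /// </returns>
        public IHttpActionResult Create(ODataActionParameters parameters)
        {
            if (!ModelState.IsValid)
            {
                return BadRequest(ModelState);
            }

            object rawUser;
            var user = parameters.TryGetValue("user", out rawUser) ? rawUser as User : null;

            // A missing or mistyped "user" parameter previously flowed through as null into the service;
            // reject it as a client error instead.
            if (user == null)
            {
                ModelState.AddModelError("user", "A user must be supplied.");
                return BadRequest(ModelState);
            }

            Validate(user); // this will set the ModelState if not valid - it doesn't http://stackoverflow.com/questions/39484185/model-validation-in-odatacontroller

            // Optional parameters fall back to their defaults; the unboxing casts mirror the declared OData parameter types.
            object rawOrganizationId;
            var organizationId = parameters.TryGetValue("organizationId", out rawOrganizationId) ? (int)rawOrganizationId : 0;

            object rawSendMail;
            var sendMailOnCreation = parameters.TryGetValue("sendMailOnCreation", out rawSendMail) && (bool)rawSendMail;

            if (user.Email != null && EmailExists(user.Email))
            {
                ModelState.AddModelError(nameof(user.Email), "Email is already in use.");
            }

            // Only a caller holding the GlobalAdmin permission may create another global admin.
            if (user.IsGlobalAdmin == true
                && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.GlobalAdmin)))
            {
                ModelState.AddModelError(nameof(user.IsGlobalAdmin), "You don't have permission to create a global admin user.");
            }

            // Only a caller holding the StakeHolderAccess permission may grant stakeholder access.
            if (user.HasStakeHolderAccess == true
                && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.StakeHolderAccess)))
            {
                ModelState.AddModelError(nameof(user.HasStakeHolderAccess), "You don't have permission to issue stakeholder access.");
            }

            // All validation and permission errors are collected before a single BadRequest is returned.
            if (!ModelState.IsValid)
            {
                return BadRequest(ModelState);
            }

            // NOTE(review): whether the caller may create users in organizationId is not checked in this action;
            // presumably _userService.AddUser enforces it — verify.
            var createdUser = _userService.AddUser(user, sendMailOnCreation, organizationId);

            return Created(createdUser);
        }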