/// <summary>
        /// Maps an EF Role record from the db into a RoleDetails
        /// object. If the db record is null then null is returned.
        /// </summary>
        /// <param name="dbRole">Role record from the database.</param>
        public RoleDetails Map(Role dbRole)
        {
            // A missing database record maps to a missing result.
            if (dbRole == null)
            {
                return null;
            }

            // Both role flags are derived purely from the stored role code.
            var mapped = new RoleDetails()
            {
                IsAnonymousRole = dbRole.RoleCode == AnonymousRole.AnonymousRoleCode,
                IsSuperAdministrator = dbRole.RoleCode == SuperAdminRole.SuperAdminRoleCode,
                RoleId = dbRole.RoleId,
                RoleCode = dbRole.RoleCode,
                Title = dbRole.Title
            };

            // NOTE(review): the lookup result is dereferenced below without a null
            // check; confirm GetByCode throws (rather than returns null) for a user
            // area code that is not registered.
            var areaDefinition = _userAreaRepository.GetByCode(dbRole.UserAreaCode);

            mapped.UserArea = new UserAreaMicroSummary()
            {
                UserAreaCode = dbRole.UserAreaCode,
                Name = areaDefinition.Name
            };

            if (mapped.IsSuperAdministrator)
            {
                // The super administrator role receives every permission the
                // repository knows about; its stored RolePermissions rows are not read.
                mapped.Permissions = _permissionRepository.GetAll().ToArray();
                return mapped;
            }

            var resolved = new List<IPermission>(dbRole.RolePermissions.Count);

            foreach (var link in dbRole.RolePermissions)
            {
                var stored = link.Permission;
                var definition = _permissionRepository.GetByCode(stored.PermissionCode, stored.EntityDefinitionCode);

                // A stored permission the repository cannot resolve is left out
                // of the role, so it grants nothing.
                if (definition == null)
                {
                    continue;
                }

                resolved.Add(definition);
            }

            mapped.Permissions = resolved.ToArray();
            return mapped;
        }
        /// <summary>
        /// Runs the authorization rules that guard an operation on
        /// <paramref name="user"/>, throwing when the executing user is not
        /// allowed to proceed. Returns normally when every rule passes.
        /// </summary>
        /// <param name="user">The user record being acted on.</param>
        /// <param name="executionContext">Context carrying the executing user's identity.</param>
        /// <param name="executorRole">Role of the executing user.</param>
        /// <exception cref="NotPermittedException">
        /// Thrown directly when the target is the system account, is the executing
        /// user, or is a super administrator while the executor is not.
        /// </exception>
        private void ValidateCustomPermissions(User user, IExecutionContext executionContext, RoleDetails executorRole)
        {
            // NOTE(review): the messages in this method describe a delete, but the
            // permissions enforced below are the *update* permissions. Confirm that
            // is intentional and that no dedicated delete permission should be required.

            // Checked before the permission enforcement, so this refusal does not
            // depend on what the caller is permitted to do.
            if (user.IsSystemAccount)
            {
                throw new NotPermittedException("You cannot delete the system account.");
            }

            var executor = executionContext.UserContext;
            var targetIsAdminAreaUser = user.UserAreaCode == CofoundryAdminUserArea.AreaCode;

            // The permission required depends on which user area the target belongs to.
            if (targetIsAdminAreaUser)
            {
                _permissionValidationService.EnforcePermission(new CofoundryUserUpdatePermission(), executor);
            }
            else
            {
                _permissionValidationService.EnforcePermission(new NonCofoundryUserUpdatePermission(), executor);
            }

            // Self-service removal is refused on this code path.
            if (user.UserId == executor.UserId)
            {
                throw new NotPermittedException("You cannot delete your own user account via this api.");
            }

            // Privilege boundary: a super administrator target requires a super
            // administrator executor.
            var targetIsSuperAdmin = user.Role.RoleCode == SuperAdminRole.SuperAdminRoleCode;
            if (targetIsSuperAdmin && !executorRole.IsSuperAdministrator)
            {
                throw new NotPermittedException("Only Super Administrator users can delete other users with the Super Administrator role");
            }
        }
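        /// <summary>
        /// Prevents an executor who is not a super administrator from moving a
        /// user out of the Super Administrator role.
        /// </summary>
        /// <param name="oldRoleId">Id of the role the user holds before the change; no check is made when this is null.</param>
        /// <param name="newUserRole">Role being assigned; no check is made here when it is the Super Administrator role.</param>
        /// <param name="executorRole">Role of the user performing the change.</param>
        /// <exception cref="NotPermittedException">
        /// Thrown when the previous role is the Super Administrator role and the
        /// executor is not a super administrator.
        /// </exception>
        /// <exception cref="System.InvalidOperationException">
        /// Thrown when <paramref name="oldRoleId"/> does not resolve to a role record.
        /// </exception>
        private async Task ValidateDeAssignmentAsync(int? oldRoleId, Role newUserRole, RoleDetails executorRole)
        {
            // Nothing to verify when there is no previous role, when the executor
            // is a super administrator, or when the new role is still the Super
            // Administrator role.
            if (!oldRoleId.HasValue
                || executorRole.IsSuperAdministrator
                || newUserRole.RoleCode == SuperAdminRole.SuperAdminRoleCode)
            {
                return;
            }

            var oldRole = await QueryRole(oldRoleId.Value).SingleOrDefaultAsync();

            // SingleOrDefaultAsync yields null when no row matches. The original
            // dereferenced that result directly; fail closed with an explicit error
            // so the authorization check can never be skipped for an unknown role.
            if (oldRole == null)
            {
                throw new System.InvalidOperationException("The role currently assigned to the user could not be found.");
            }

            if (oldRole.RoleCode == SuperAdminRole.SuperAdminRoleCode)
            {
                throw new NotPermittedException("Only Super Administrator users can de-assign the Super Administrator role");
            }
        }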