private bool canUpdate(string resource)
{
switch (resource)
{
case Resource.SHIFT:
{
if (user_position == Position.STUDENT)
{
return(true);
}
return(false);
}
case Resource.MEMBERSHIP:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
var activityCode = membershipToConsider.ACT_CDE;
var membershipService = new MembershipService(new UnitOfWork());
//var is_membershipLeader = membershipService.GetLeaderMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
//if (is_membershipLeader)
// return true; // Activity Leaders can update memberships of people in their activity.
//var is_membershipAdvisor = membershipService.GetAdvisorMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
//if (is_membershipAdvisor)
// return true; // Activity Advisors can update memberships of people in their activity.
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true); // Activity Advisors can update memberships of people in their activity.
}
var is_membershipOwner = membershipToConsider.ID_NUM.ToString() == user_id;
if (is_membershipOwner)
{
// Restrict what a regular owner can edit.
var originalMembership = membershipService.GetSpecificMembership(membershipToConsider.MEMBERSHIP_ID);
// If they are not trying to change their participation level, then it is ok
if (originalMembership.PART_CDE == membershipToConsider.PART_CDE)
{
return(true);
}
}
return(false);
}
case Resource.MEMBERSHIP_REQUEST:
{
// Once a request is sent, no one should be able to edit its contents.
// If a mistake is made in creating the original request, the user can always delete it and make a new one.
return(false);
}
case Resource.MEMBERSHIP_PRIVACY:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var membershipService = new MembershipService(new UnitOfWork());
var membershipID = (int)context.ActionArguments["id"];
var membershipToConsider = membershipService.GetSpecificMembership(membershipID);
var is_membershipOwner = membershipToConsider.ID_NUM.ToString() == user_id;
if (is_membershipOwner)
{
return(true);
}
var activityCode = membershipToConsider.ACT_CDE;
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.STUDENT:
return(false); // No one should be able to update a student through this API
case Resource.HOUSING:
{
// The housing admins can update the application information (i.e. probation, offcampus program, etc.)
// If the user is a student, then the user must be on an application and be an editor to update the application
HousingService housingService = new HousingService(new UnitOfWork());
if (housingService.CheckIfHousingAdmin(user_id))
{
return(true);
}
else if (user_position == Position.STUDENT)
{
string sess_cde = Helpers.GetCurrentSession().SessionCode;
int? applicationID = housingService.GetApplicationID(user_name, sess_cde);
int requestedApplicationID = (int)context.ActionArguments["applicationID"];
if (applicationID.HasValue && applicationID == requestedApplicationID)
{
string editorUsername = housingService.GetEditorUsername(applicationID.Value);
if (editorUsername.ToLower() == user_name.ToLower())
{
return(true);
}
return(false);
}
return(false);
}
return(false);
}
case Resource.ADVISOR:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var membershipService = new MembershipService(new UnitOfWork());
var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
var activityCode = membershipToConsider.ACT_CDE;
var is_advisor = membershipService.GetAdvisorMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (is_advisor)
{
return(true); // Activity Advisors can update memberships of people in their activity.
}
return(false);
}
case Resource.PROFILE:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var username = (string)context.ActionArguments["username"];
var isSelf = username.Equals(user_name);
return(isSelf);
}
case Resource.ACTIVITY_INFO:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var activityCode = (string)context.ActionArguments["id"];
var membershipService = new MembershipService(new UnitOfWork());
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.ACTIVITY_STATUS:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var activityCode = (string)context.ActionArguments["id"];
var sessionCode = (string)context.ActionArguments["sess_cde"];
var unitOfWork = new UnitOfWork();
var membershipService = new MembershipService(unitOfWork);
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
var activityService = new ActivityService(unitOfWork);
// If an activity is currently open, then a group admin has the ability to close it
if (activityService.IsOpen(activityCode, sessionCode))
{
return(true);
}
}
// If an activity is currently closed, only super admin has permission to edit its closed/open status
return(false);
}
case Resource.NEWS:
var newsID = context.ActionArguments["newsID"];
var newsService = new NewsService(new UnitOfWork());
var newsItem = newsService.Get((int)newsID);
// only unapproved posts may be updated
var approved = newsItem.Accepted;
if (approved == null || approved == true)
{
return(false);
}
// can update if user is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
// can update if user is news item author
string newsAuthor = newsItem.ADUN;
if (user_name == newsAuthor)
{
return(true);
}
return(false);
default: return(false);
}
}