Ejemplo n.º 1
        /// <summary>
        /// Decides whether the current user may update the given methodology version.
        /// The requirement is marked as succeeded only when the version is neither approved nor
        /// publicly accessible and the user holds the global update claim, owns the owning
        /// publication, or is an editor/approver on that publication's latest release.
        /// </summary>
        /// <param name="context">Authorization context carrying the current user.</param>
        /// <param name="requirement">The requirement to mark as succeeded when access is granted.</param>
        /// <param name="methodologyVersion">The methodology version the user wants to update.</param>
        /// <remarks>
        /// Denial is expressed by returning without calling <c>Succeed</c>; this handler never calls
        /// <c>context.Fail()</c>. NOTE(review): if another handler is registered for the same
        /// requirement, it could still succeed it for an approved or public version - confirm
        /// against the handler registrations.
        /// </remarks>
        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                             UpdateSpecificMethodologyRequirement requirement,
                                                             MethodologyVersion methodologyVersion)
        {
            // Hard stops, evaluated before any grant: an Approved Methodology must first be unapproved
            // (if permissions allow) before it can be updated, and a publicly accessible one cannot be
            // updated at all. The short-circuit keeps the repository lookup off the approved path.
            if (methodologyVersion.Approved
                || await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
            {
                return;
            }

            // A global Claim that allows updating any Methodology grants access without role lookups.
            if (SecurityUtils.HasClaim(context.User, UpdateAllMethodologies))
            {
                context.Succeed(requirement);
                return;
            }

            var owningPublication =
                await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
            var userId = context.User.GetUserId();

            // Either role on the owning Publication is sufficient: Publication Owner, or Editor
            // (Contributor, Lead) / Approver of its latest (Live or non-Live) Release. The release
            // role is only queried when the user is not a Publication Owner.
            var mayUpdate =
                await _userPublicationRoleRepository.IsUserPublicationOwner(userId, owningPublication.Id)
                || await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease(
                    userId,
                    owningPublication.Id);

            if (mayUpdate)
            {
                context.Succeed(requirement);
            }
        }
Ejemplo n.º 2
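        /// <summary>
        /// Decides whether the current user may view the given methodology version.
        /// The requirement is marked as succeeded when the user holds the global access claim, owns
        /// the owning publication, is an editor/approver on that publication's latest release, or is
        /// a pre-release viewer of an approved methodology while a using publication's latest release
        /// is inside its pre-release window.
        /// </summary>
        /// <param name="context">Authorization context carrying the current user.</param>
        /// <param name="requirement">The requirement to mark as succeeded when access is granted.</param>
        /// <param name="methodologyVersion">The methodology version the user wants to view.</param>
        /// <remarks>
        /// Denial is expressed by returning without calling <c>Succeed</c>; this handler never calls
        /// <c>context.Fail()</c>, so it cannot veto a grant made by another handler.
        /// </remarks>
        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                             ViewSpecificMethodologyRequirement requirement,
                                                             MethodologyVersion methodologyVersion)
        {
            // If the user has a global Claim that allows them to access any Methodology, allow it.
            if (SecurityUtils.HasClaim(context.User, SecurityClaimTypes.AccessAllMethodologies))
            {
                context.Succeed(requirement);
                return;
            }

            var owningPublication =
                await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
            var userId = context.User.GetUserId();

            // If the user is a Publication Owner of the Publication that owns this Methodology, they can view it.
            if (await _userPublicationRoleRepository.IsUserPublicationOwner(userId, owningPublication.Id))
            {
                context.Succeed(requirement);
                return;
            }

            // If the user is an Editor (Contributor, Lead) or an Approver of the latest (Live or non-Live) Release
            // of the owning Publication of this Methodology, they can view it.
            if (await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease(
                    userId,
                    owningPublication.Id))
            {
                context.Succeed(requirement);

                // Access is already granted: stop here like the other grant branches, so the
                // pre-release lookups below cannot run (or throw) after a decision has been made.
                return;
            }

            // If the user is a PrereleaseViewer of the latest non-Live, Approved Release of any Publication
            // using this Methodology, and the methodology is approved, and the latest release under that publication
            // is within the prerelease time window, they can view it
            if (!methodologyVersion.Approved)
            {
                return;
            }

            var publicationIds = await _methodologyRepository
                                 .GetAllPublicationIds(methodologyVersion.MethodologyId);

            foreach (var publicationId in publicationIds)
            {
                if (!await _userReleaseRoleRepository.IsUserPrereleaseViewerOnLatestPreReleaseRelease(
                        userId,
                        publicationId))
                {
                    continue;
                }

                var publication = await _contentDbContext.Publications
                                  .Include(p => p.Releases)
                                  .SingleAsync(p => p.Id == publicationId);

                // The window is evaluated against the server's UTC clock at the time of the check,
                // so holding the PrereleaseViewer role alone is not enough outside the window.
                var latestRelease = publication.LatestRelease();
                if (latestRelease != null &&
                    _preReleaseService
                    .GetPreReleaseWindowStatus(latestRelease, DateTime.UtcNow)
                    .Access == PreReleaseAccess.Within)
                {
                    context.Succeed(requirement);
                    break;
                }
            }
        }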