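        /// <summary>
        /// Adds a NIST 800-30 risk to the project step identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Project step id; the risk is attached to this step's project.</param>
        /// <param name="projectId">Project id used for the access check and the redirect back to the list.</param>
        /// <param name="risk">Model-bound risk; Project, SquareType and AssessmentType are assigned here, not bound.</param>
        /// <param name="likelihoodId">Id of the likelihood <c>RiskLevel</c>; a missing or unknown id becomes a model error.</param>
        /// <param name="impactId">Id of the <c>Impact</c>; a missing or unknown id becomes a model error.</param>
        /// <param name="magnitudeId">Id of the magnitude <c>RiskLevel</c>; a missing or unknown id becomes a model error.</param>
        /// <returns>Redirect to the step index on success, the edit view with validation errors otherwise,
        /// or the no-access error page when the caller may not edit the project.</returns>
        public ActionResult Add(int id, int projectId, Risk risk, string likelihoodId, int impactId, string magnitudeId)
        {
            // validate access
            if (!_projectService.HasAccess(projectId, CurrentUserId))
            {
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }

            // remove modelstate validation for the navigation properties that are set server-side below
            ModelState.Remove("risk.Project");
            ModelState.Remove("risk.SquareType");
            ModelState.Remove("risk.AssessmentType");

            // load all the objects
            var projectStep = Db.ProjectSteps.Include("Project").Include("Project.SecurityAssessmentType")
                                             .Include("Project.PrivacyAssessmentType").Include("Step")
                                             .Include("Step.SquareType").Where(a => a.Id == id).Single();

            // The access check above is keyed on projectId, but the risk is attached to the step's
            // project. Refuse a step id that belongs to a project other than the one that was checked.
            if (projectStep.Project.Id != projectId)
            {
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }

            var likelihood = Db.RiskLevels.Where(a => a.Id == likelihoodId).SingleOrDefault();
            var impact = Db.Impacts.Where(a => a.Id == impactId).SingleOrDefault();
            var magnitude = Db.RiskLevels.Where(a => a.Id == magnitudeId).SingleOrDefault();

            // unknown ids are validation errors, not exceptions
            if (likelihood == null) ModelState.AddModelError("Likelihood", "Likelihood is required.");
            if (impact == null) ModelState.AddModelError("Impact", "Impact is required.");
            if (magnitude == null) ModelState.AddModelError("Magnitude", "Magnitude is required.");

            // Assign the server-side navigation properties before the validity check: the view model
            // factory used on the failure path dereferences risk.Project, so it must be set either way.
            risk.Project = projectStep.Project;
            risk.SquareType = projectStep.Step.SquareType;
            risk.AssessmentType = projectStep.Step.SquareType.Name == SquareTypes.Security
                ? projectStep.Project.SecurityAssessmentType
                : projectStep.Project.PrivacyAssessmentType;

            if (ModelState.IsValid)
            {
                // all three lookups are non-null here (a missing one added a model error above)
                risk.Likelihood = likelihood;
                risk.Impact = impact;
                risk.Magnitude = magnitude;
                risk.RiskLevel = CalculateRiskLevel(likelihood, magnitude);

                Db.Risks.Add(risk);
                Db.SaveChanges();

                Message = string.Format(Messages.Saved, "Risk");
                return this.RedirectToAction(a => a.Index(id, projectId));
            }

            var viewModel = NIST800_30EditViewModel.Create(Db, _projectService, id, projectId, CurrentUserId, risk);
            return View(viewModel);
        }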
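        /// <summary>
        /// Adds a PRAUC risk to the project step identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Project step id; the step must belong to <paramref name="projectId"/>.</param>
        /// <param name="projectId">Project the risk is added to; used for the access check.</param>
        /// <param name="risk">Model-bound risk; Name, Project, SquareType and AssessmentType are assigned here, not bound.</param>
        /// <param name="likelihoodId">Id of the likelihood <c>RiskLevel</c>; a missing or unknown id becomes a model error.</param>
        /// <param name="damageId">Id of the damage <c>RiskLevel</c>; a missing or unknown id becomes a model error.</param>
        /// <returns>Redirect to the step index on success, the edit view with validation errors otherwise,
        /// or the no-access error page when the caller may not edit the project.</returns>
        public ActionResult Add(int id, int projectId, Risk risk, string likelihoodId, string damageId)
        {
            // clear the modelstate errors for the properties assigned server-side below
            ModelState.Remove("risk.Name");
            ModelState.Remove("risk.Project");
            ModelState.Remove("risk.SquareType");
            ModelState.Remove("risk.AssessmentType");

            if (!_projectService.HasAccess(projectId, CurrentUserId))
            {
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }

            try
            {
                var project = Db.Projects.Include("SecurityAssessmentType").Include("PrivacyAssessmentType").Where(a => a.Id == projectId).Single();
                var projectStep = Db.ProjectSteps.Include("Project").Include("Step").Include("Step.SquareType").Where(a => a.Id == id).Single();

                // The access check is keyed on projectId; refuse a step id that belongs to another project.
                if (projectStep.Project.Id != project.Id)
                {
                    return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
                }

                // Unknown level ids are reported as validation errors instead of letting Single() throw.
                var likelihood = Db.RiskLevels.Where(a => a.Id == likelihoodId).SingleOrDefault();
                var damage = Db.RiskLevels.Where(a => a.Id == damageId).SingleOrDefault();
                if (likelihood == null) ModelState.AddModelError("Likelihood", "Likelihood is required.");
                if (damage == null) ModelState.AddModelError("Damage", "Damage is required.");

                // Set before the validity check so the failure-path view model (which reads Risk.Project) has a project.
                risk.Project = project;
                risk.SquareType = projectStep.Step.SquareType;
                risk.AssessmentType = projectStep.Step.SquareType.Name == SquareTypes.Security
                    ? project.SecurityAssessmentType
                    : project.PrivacyAssessmentType;
                risk.Likelihood = likelihood;
                risk.Damage = damage;
                risk.Name = "Created using PRAUC controller";

                if (ModelState.IsValid)
                {
                    // both levels are non-null here (a missing one added a model error above)
                    risk.RiskLevel = CalculateRiskLevel(likelihood, damage, risk.Cost);
                    Db.Risks.Add(risk);
                    Db.SaveChanges();
                    Message = string.Format(Messages.Saved, "Risk");
                    return this.RedirectToAction(a => a.Index(id, projectId));
                }

                var viewModel = PRAUCEditViewModel.Create(Db, _projectService, id, projectId, CurrentUserId, risk);
                return View(viewModel);
            }
            catch (SecurityException)
            {
                // presumably raised by the project service lookups in the view model factory; treat like a failed access check
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }
        }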
        /// <summary>
        /// Builds the view model for the risk-recommendation view.
        /// </summary>
        /// <param name="projectStepId">Step the view belongs to.</param>
        /// <param name="risk">Risk the recommendation is for; must not be null.</param>
        /// <param name="riskRecommendation">Existing recommendation, or null to start from a blank one.</param>
        /// <returns>A populated <see cref="RiskRecommendationViewModel"/>.</returns>
        public static RiskRecommendationViewModel Create(int projectStepId, Risk risk, RiskRecommendation riskRecommendation = null)
        {
            Check.Require(risk != null, "risk is required.");

            var recommendation = riskRecommendation ?? new RiskRecommendation();

            return new RiskRecommendationViewModel
            {
                ProjectStepId = projectStepId,
                Risk = risk,
                RiskRecommendation = recommendation
            };
        }
        /// <summary>
        /// Builds the view model for the PRAUC risk add/edit view.
        /// </summary>
        /// <param name="db">Context used to read the ordered list of risk levels.</param>
        /// <param name="projectService">Resolves the project and step for <paramref name="userId"/>.</param>
        /// <param name="projectStepId">Step the view belongs to.</param>
        /// <param name="projectId">Project the risk must belong to.</param>
        /// <param name="userId">Current user, passed to the project service lookups.</param>
        /// <param name="risk">Existing risk, or null to start from a blank <see cref="Risk"/>.</param>
        /// <returns>A populated <see cref="PRAUCEditViewModel"/>.</returns>
        public static PRAUCEditViewModel Create(SquareContext db, IProjectService projectService, int projectStepId, int projectId, string userId, Risk risk = null)
        {
            // same evaluation order as the object initializer: step, project, then levels
            var step = projectService.GetProjectStep(projectStepId, userId);
            var project = projectService.GetProject(projectId, userId);
            var orderedLevels = db.RiskLevels.OrderBy(a => a.Order).ToList();

            var viewModel = new PRAUCEditViewModel
            {
                ProjectStep = step,
                Project = project,
                RiskLevels = orderedLevels,
                Risk = risk ?? new Risk()
            };

            // NOTE(review): this dereferences Risk.Project, so a risk with no project (including the blank
            // Risk used when risk is null, unless its constructor assigns one) fails here — confirm intended.
            Check.Ensure(viewModel.Risk.Project.Id == viewModel.Project.Id, "Risk does not belong to the intended project.");

            return viewModel;
        }
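        /// <summary>
        /// Creates a generic risk for the project step identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Project step id; its square type selects the risk's assessment type.</param>
        /// <param name="projectId">Project the risk is created in; the step must belong to it.</param>
        /// <param name="risk">Model-bound risk; only Name, Source and Vulnerability are used.</param>
        /// <param name="riskLevelId">Id of the <c>RiskLevel</c> to assign.</param>
        /// <returns>Redirect to the step index on success, the create view with validation errors otherwise,
        /// or the no-access error page when the caller may not edit the project.</returns>
        public ActionResult Create(int id, int projectId, Risk risk, string riskLevelId)
        {
            // The Add/Edit actions gate on HasAccess and CreateRisk itself does not check the caller,
            // so the check has to happen here.
            if (!_projectService.HasAccess(projectId, CurrentUserId))
            {
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }

            // NOTE(review): kept as-is — when the posted level id is unknown this drops the RiskLevel
            // model-state entry, and CreateRisk's Single() then throws; confirm the intended handling.
            if (!Db.RiskLevels.Any(a=>a.Id == riskLevelId)) ModelState.Remove("risk.RiskLevel");
            // navigation properties are assigned by the service, not bound from the form
            ModelState.Remove("risk.Project");
            ModelState.Remove("risk.SquareType");
            ModelState.Remove("risk.AssessmentType");

            if (ModelState.IsValid)
            {
                var step = Db.ProjectSteps.Include("Project").Include("Step").Include("Step.SquareType").Where(a => a.Id == id).Single();

                // the access check is keyed on projectId; refuse a step that belongs to another project
                if (step.Project.Id != projectId)
                {
                    return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
                }

                _projectService.CreateRisk(projectId, step.Step.SquareType.Id, CurrentUserId, risk.Name, risk.Source, risk.Vulnerability, riskLevelId);
                Message = "Risk created.";
                return this.RedirectToAction(a => a.Index(id, projectId));
            }

            var viewModel = GenericRiskViewModel.Create(_projectService, projectId, id, CurrentUserId, risk);
            return View(viewModel);
        }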
        /// <summary>
        /// Builds the view model for the NIST 800-30 risk add/edit view.
        /// </summary>
        /// <param name="db">Context used to read the ordered risk levels and the impacts; must not be null.</param>
        /// <param name="projectService">Resolves the project and step for <paramref name="userId"/>.</param>
        /// <param name="projectStepId">Step the view belongs to.</param>
        /// <param name="projectId">Project the risk must belong to.</param>
        /// <param name="userId">Current user, passed to the project service lookups.</param>
        /// <param name="risk">Existing risk, or null to start from a blank <see cref="Risk"/>.</param>
        /// <returns>A populated <see cref="NIST800_30EditViewModel"/>; RiskLevelColor is the risk level's
        /// color when a risk with a level was given, otherwise empty.</returns>
        public static NIST800_30EditViewModel Create(SquareContext db, IProjectService projectService, int projectStepId, int projectId, string userId, Risk risk = null)
        {
            Check.Require(db != null, "db is required.");

            // same evaluation order as the object initializer: step, project, levels, impacts
            var step = projectService.GetProjectStep(projectStepId, userId);
            var project = projectService.GetProject(projectId, userId);
            var orderedLevels = db.RiskLevels.OrderBy(a=>a.Order).ToList();
            var impacts = db.Impacts.ToList();

            // color only when a risk with a level was supplied (the level's Color is used verbatim)
            var levelColor = (risk != null && risk.RiskLevel != null) ? risk.RiskLevel.Color : string.Empty;

            var viewModel = new NIST800_30EditViewModel
            {
                ProjectStep = step,
                Project = project,
                RiskLevels = orderedLevels,
                Impacts = impacts,
                Risk = risk ?? new Risk(),
                RiskLevelColor = levelColor
            };

            // NOTE(review): dereferences Risk.Project; a risk with no project (including the blank Risk
            // used when risk is null, unless its constructor assigns one) fails here — confirm intended.
            Check.Ensure(viewModel.Risk.Project.Id == viewModel.Project.Id, "Risk does not belong to the intended project.");

            return viewModel;
        }
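        /// <summary>
        /// Applies the posted Name, Source, Vulnerability and risk level to an existing generic risk.
        /// </summary>
        /// <param name="id">Id of the risk being edited.</param>
        /// <param name="projectStepId">Step to return to after saving.</param>
        /// <param name="risk">Model-bound risk carrying the edited values; its navigation properties are not bound.</param>
        /// <param name="riskLevelId">Id of the <c>RiskLevel</c> to assign.</param>
        /// <returns>Redirect to the step index on success, the edit view otherwise, or the no-access
        /// error page when the caller may not edit the risk's project.</returns>
        public ActionResult Edit(int id, int projectStepId, Risk risk, string riskLevelId)
        {
            if (!Db.RiskLevels.Any(a => a.Id == riskLevelId)) ModelState.Remove("risk.RiskLevel");
            // navigation properties come from the stored risk, not the form
            ModelState.Remove("risk.Project");
            ModelState.Remove("risk.SquareType");
            ModelState.Remove("risk.AssessmentType");

            var riskToEdit = Db.Risks.Include("SquareType").Include("AssessmentType").Include("Project").Include("RiskLevel").Where(a => a.Id == id).Single();

            // The project is taken from the stored risk: the posted model's Project is not bound (removed above),
            // so reading risk.Project.Id — as the view-model call previously did — dereferences null.
            var projectId = riskToEdit.Project.Id;

            // id is client-supplied; the other risk actions gate on HasAccess, so do the same for the risk's project
            if (!_projectService.HasAccess(projectId, CurrentUserId))
            {
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }

            if (ModelState.IsValid)
            {
                riskToEdit.Name = risk.Name;
                riskToEdit.Source = risk.Source;
                riskToEdit.Vulnerability = risk.Vulnerability;
                // single lookup (the original queried the level twice); Single() throws if the id is unknown
                riskToEdit.RiskLevel = Db.RiskLevels.Where(a => a.Id == riskLevelId).Single();

                Db.SaveChanges();

                return this.RedirectToAction(a => a.Index(projectStepId, projectId));
            }

            // failure path re-displays the stored risk, as before
            var viewModel = GenericRiskViewModel.Create(_projectService, projectId, projectStepId, CurrentUserId, riskToEdit);
            return View(viewModel);
        }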
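        /// <summary>
        /// Builds the view model for the generic risk create/edit views.
        /// </summary>
        /// <param name="projectService">Service used by <c>SetProjectInfo</c> to resolve the project and step.</param>
        /// <param name="projectId">Project the risk belongs to.</param>
        /// <param name="projectStepId">Step the view belongs to.</param>
        /// <param name="userId">Current user, passed through to <c>SetProjectInfo</c>.</param>
        /// <param name="risk">Existing risk, or null to start from a blank <see cref="Risk"/>.</param>
        /// <returns>A populated <see cref="GenericRiskViewModel"/> with all risk levels loaded.</returns>
        public static GenericRiskViewModel Create(IProjectService projectService, int projectId, int projectStepId, string userId, Risk risk = null)
        {
            // The context is created here, so it is disposed here (it was previously never disposed).
            // ToList() materializes the levels before the context goes away.
            using (var context = new SquareContext())
            {
                var viewModel = new GenericRiskViewModel() {Risk = risk ?? new Risk(), RiskLevels = context.RiskLevels.ToList()};
                viewModel.SetProjectInfo(projectService, projectId, projectStepId, userId);

                return viewModel;
            }
        }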
        /// <summary>
        /// Creates a risk for a project and persists it using a fresh <see cref="SquareContext"/>.
        /// </summary>
        /// <param name="id">Project Id</param>
        /// <param name="squareTypeId">Square type whose name selects the project's security or privacy assessment type.</param>
        /// <param name="userId">Current user; not read by this method (no access check is made here).</param>
        /// <param name="name">Risk name.</param>
        /// <param name="source">Risk source.</param>
        /// <param name="vulnerability">Vulnerability text.</param>
        /// <param name="riskLevelId">Id of the <c>RiskLevel</c> to assign; an unknown id makes <c>Single()</c> throw.</param>
        public void CreateRisk(int id, int squareTypeId, string userId, string name, string source, string vulnerability, string riskLevelId)
        {
            using (var db = new SquareContext())
            {
                var project = db.Projects.Include("SecurityAssessmentType").Include("PrivacyAssessmentType").Where(a => a.Id == id).Single();
                var level = db.RiskLevels.Where(a => a.Id == riskLevelId).Single();
                var type = db.SquareTypes.Where(a => a.Id == squareTypeId).Single();

                var newRisk = new Risk
                {
                    Name = name,
                    Source = source,
                    Vulnerability = vulnerability,
                    Project = project,
                    RiskLevel = level,
                    SquareType = type
                };

                // Only the Security and Privacy square types get an assessment type; any other leaves it unset.
                if (type.Name == SquareTypes.Security)
                {
                    newRisk.AssessmentType = project.SecurityAssessmentType;
                }
                else if (type.Name == SquareTypes.Privacy)
                {
                    newRisk.AssessmentType = project.PrivacyAssessmentType;
                }

                db.Risks.Add(newRisk);
                db.SaveChanges();
            }
        }
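        /// <summary>
        /// Applies the posted Description, Cost, likelihood and damage to an existing PRAUC risk.
        /// </summary>
        /// <param name="id">Project step id, used for the redirect back to the list.</param>
        /// <param name="projectId">Project the risk must belong to; used for the access check.</param>
        /// <param name="riskId">Id of the risk being edited.</param>
        /// <param name="risk">Model-bound risk carrying the edited values; Name and navigation properties are not bound.</param>
        /// <param name="likelihoodId">Id of the likelihood <c>RiskLevel</c>; a missing or unknown id becomes a model error.</param>
        /// <param name="damageId">Id of the damage <c>RiskLevel</c>; a missing or unknown id becomes a model error.</param>
        /// <returns>Redirect to the step index on success, the edit view with validation errors otherwise,
        /// or the no-access error page when the caller may not edit the project.</returns>
        public ActionResult Edit(int id, int projectId, int riskId, Risk risk, string likelihoodId, string damageId)
        {
            // clear the modelstate errors for properties that are not taken from the form
            ModelState.Remove("risk.Name");
            ModelState.Remove("risk.Project");
            ModelState.Remove("risk.SquareType");
            ModelState.Remove("risk.AssessmentType");

            // The Add action gates on HasAccess; Edit previously made no access check at all.
            if (!_projectService.HasAccess(projectId, CurrentUserId))
            {
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }

            try
            {
                // load objects
                var origRisk = Db.Risks.Include("Project").Include("Likelihood").Include("Damage").Where(a => a.Id == riskId).Single();

                // riskId is client-supplied; refuse a risk that belongs to a project other than the one checked above
                if (origRisk.Project.Id != projectId)
                {
                    return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
                }

                // unknown level ids are validation errors rather than an unhandled exception from Single()
                var likelihood = Db.RiskLevels.Where(a => a.Id == likelihoodId).SingleOrDefault();
                var damage = Db.RiskLevels.Where(a => a.Id == damageId).SingleOrDefault();
                if (likelihood == null) ModelState.AddModelError("Likelihood", "Likelihood is required.");
                if (damage == null) ModelState.AddModelError("Damage", "Damage is required.");

                // copy in the values that were altered (before validation, so a failed post re-displays them)
                origRisk.Description = risk.Description;
                origRisk.Cost = risk.Cost;
                origRisk.Likelihood = likelihood;
                origRisk.Damage = damage;

                // valid go ahead and save
                if (ModelState.IsValid)
                {
                    // both levels are non-null here (a missing one added a model error above)
                    origRisk.RiskLevel = CalculateRiskLevel(likelihood, damage, risk.Cost);
                    Db.SaveChanges();
                    Message = string.Format(Messages.Saved, "Risk");
                    return this.RedirectToAction(a => a.Index(id, projectId));
                }

                // failed, go back to the view
                var viewModel = PRAUCEditViewModel.Create(Db, _projectService, id, projectId, CurrentUserId, origRisk);
                return View(viewModel);
            }
            catch (SecurityException)
            {
                // presumably raised by the project service lookups in the view model factory; treat like a failed access check
                return this.RedirectToAction<ErrorController>(a => a.NoAccessToStep());
            }
        }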