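        /// <summary>
        /// Removes the pictogram identified by <paramref name="resourceIdDTO"/> from the
        /// resource list of the user identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Id of the user whose resource list is modified.</param>
        /// <param name="resourceIdDTO">Request body carrying the id of the pictogram to remove.</param>
        /// <returns>
        /// The updated user on success; otherwise an <see cref="ErrorResponse{T}"/> carrying
        /// MissingProperties, UserNotFound, ResourceNotFound, NotAuthorized or UserDoesNotOwnResource.
        /// </returns>
        public async Task <Response <GirafUserDTO> > DeleteResource(string id, [FromBody] ResourceIdDTO resourceIdDTO)
        {
            // Validate the request body before touching the database, so a malformed call
            // does not cost a user lookup (same order as AddUserResource).
            if (resourceIdDTO == null)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.MissingProperties, "resourceIdDTO"));
            }

            // Load the target user together with the resource relationships (and their
            // pictograms) so that user.Resources below reflects what is persisted.
            var user = await _giraf._context.Users
                           .Include(r => r.Resources)
                           .ThenInclude(dr => dr.Pictogram)
                           .FirstOrDefaultAsync(u => u.Id == id);

            if (user == null)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.UserNotFound));
            }

            // Fetch the pictogram and make sure it exists.
            var resource = await _giraf._context.Pictograms
                           .FirstOrDefaultAsync(f => f.Id == resourceIdDTO.Id);

            if (resource == null)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.ResourceNotFound));
            }

            // Authorization: the caller needs access to the *target user*. The check is
            // edit-OR-read, so read access currently suffices for this destructive operation.
            // NOTE(review): confirm that is intended. AddUserResource additionally verifies
            // that the caller owns the pictogram (CheckPrivateOwnership); this endpoint does not.
            var caller = await _giraf._userManager.GetUserAsync(HttpContext.User);
            if (!(await _authentication.HasEditOrReadUserAccess(caller, user)))
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.NotAuthorized));
            }

            // The relationship row is what ties the user to the pictogram; without it the
            // user does not own the resource and there is nothing to delete.
            var relationship = await _giraf._context.UserResources
                               .FirstOrDefaultAsync(ur => ur.PictogramKey == resource.Id && ur.OtherKey == user.Id);

            if (relationship == null)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.UserDoesNotOwnResource));
            }

            // Remove the relationship both from the in-memory user and from the database,
            // so the returned DTO and the persisted state agree.
            user.Resources.Remove(relationship);
            _giraf._context.UserResources.Remove(relationship);
            await _giraf._context.SaveChangesAsync();

            // The DTO needs the user's role.
            var userRole = await _roleManager.findUserRole(_giraf._userManager, user);

            // Return Ok and the user - the removed resource is no longer in user.Resources.
            return(new Response <GirafUserDTO>(new GirafUserDTO(user, userRole)));
        }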
        /// <summary>
        /// Grants the user identified by <paramref name="id"/> access to a private pictogram
        /// owned by the calling user.
        /// </summary>
        /// <param name="id">Id of the user that should receive the resource.</param>
        /// <param name="resourceIdDTO">Request body carrying the id of the pictogram to share.</param>
        /// <returns>
        /// The updated user on success; otherwise an <see cref="ErrorResponse{T}"/> describing
        /// why the resource could not be added.
        /// </returns>
        public async Task <Response <GirafUserDTO> > AddUserResource(string id, [FromBody] ResourceIdDTO resourceIdDTO)
        {
            // Reject malformed requests before any database work.
            if (string.IsNullOrEmpty(id))
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.MissingProperties, "username"));
            }

            if (resourceIdDTO == null)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.MissingProperties, "resourceIdDTO"));
            }

            // Load the recipient together with the resources he already has, so the
            // duplicate check further down can run against the loaded collection.
            var targetUser = _giraf._context.Users
                                 .Include(u => u.Resources)
                                 .ThenInclude(dr => dr.Pictogram)
                                 .FirstOrDefault(u => u.Id == id);

            if (targetUser == null)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.UserNotFound));
            }

            // The caller must be allowed to act on the target user.
            var caller = await _giraf._userManager.GetUserAsync(HttpContext.User);
            var callerMayAccessTarget = await _authentication.HasEditOrReadUserAccess(caller, targetUser);

            if (!callerMayAccessTarget)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.NotAuthorized));
            }

            // Only private pictograms are shared this way, and only by their owner.
            var pictogram = await _giraf._context.Pictograms
                                .FirstOrDefaultAsync(pf => pf.Id == resourceIdDTO.Id);

            if (pictogram == null)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.ResourceNotFound));
            }

            if (pictogram.AccessLevel != AccessLevel.PRIVATE)
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.ResourceMustBePrivate));
            }

            var callerData = await _giraf.LoadBasicUserDataAsync(HttpContext.User);

            if (!await _giraf.CheckPrivateOwnership(pictogram, callerData))
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.NotAuthorized));
            }

            // Sharing the same pictogram twice is reported rather than silently ignored.
            if (targetUser.Resources.Any(ur => ur.PictogramKey == resourceIdDTO.Id))
            {
                return(new ErrorResponse <GirafUserDTO>(ErrorCode.UserAlreadyOwnsResource));
            }

            // Persist the new user/pictogram relationship.
            await _giraf._context.UserResources.AddAsync(new UserResource(targetUser, pictogram));
            await _giraf._context.SaveChangesAsync();

            // The DTO needs the recipient's role.
            var roleOfTarget = await _roleManager.findUserRole(_giraf._userManager, targetUser);

            return(new Response <GirafUserDTO>(new GirafUserDTO(targetUser, roleOfTarget)));
        }