protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
MarkSpecificMethodologyAsDraftRequirement requirement,
MethodologyVersion methodologyVersion)
{
// If the Methodology is already public, it cannot be marked as draft
if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
if (SecurityUtils.HasClaim(context.User, MarkAllMethodologiesDraft))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is an Approver of the latest (Live or non-Live) Release for the owning Publication of
// this Methodology, they can mark it as draft.
if (await _userReleaseRoleRepository.IsUserApproverOnLatestRelease(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
ApproveSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// If the Methodology is already public, it cannot be approved
// An approved Methodology that isn't public can be approved to change attributes associated with approval
if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
if (SecurityUtils.HasClaim(context.User, ApproveAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is an Approver of the latest (Live or non-Live) Release for the owning Publication of
// this Methodology, they can approve it.
if (await _userReleaseRoleRepository.IsUserApproverOnLatestRelease(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
DeleteSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// If the Methodology is already public, it cannot be deleted.
if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
if (methodologyVersion.Status == Approved)
{
return;
}
if (SecurityUtils.HasClaim(context.User, DeleteAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can delete it.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
MakeAmendmentOfSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// Amendments can only be created from Methodologies that are already publicly-accessible.
if (!await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
// Any user with the "MakeAmendmentsOfAllMethodologies" Claim can create an amendment of a
// publicly-accessible Methodology.
if (SecurityUtils.HasClaim(context.User, MakeAmendmentsOfAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can create
// an Amendment of this Methodology.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
UpdateSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// An Approved Methodology cannot be updated. Instead, it should firstly be unapproved if permissions
// allow and then updated.
if (methodologyVersion.Approved)
{
return;
}
// If the Methodology is already public, it cannot be updated.
if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
// If the user has a global Claim that allows them to update any Methodology, allow it.
if (SecurityUtils.HasClaim(context.User, UpdateAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can update it.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
return;
}
// If the user is an Editor (Contributor, Lead) or an Approver of the latest (Live or non-Live) Release
// of the owning Publication of this Methodology, they can update it.
if (await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
ViewSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// If the user has a global Claim that allows them to access any Methodology, allow it.
if (SecurityUtils.HasClaim(context.User, SecurityClaimTypes.AccessAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can view it.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
return;
}
// If the user is an Editor (Contributor, Lead) or an Approver of the latest (Live or non-Live) Release
// of the owning Publication of this Methodology, they can view it.
if (await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
// If the user is a PrereleaseViewer of the latest non-Live, Approved Release of any Publication
// using this Methodology, and the methodology is approved, and the latest release under that publication
// is within the prerelease time window, they can view it
if (methodologyVersion.Approved)
{
var publicationIds = await _methodologyRepository
.GetAllPublicationIds(methodologyVersion.MethodologyId);
foreach (var publicationId in publicationIds)
{
if (await _userReleaseRoleRepository.IsUserPrereleaseViewerOnLatestPreReleaseRelease(
context.User.GetUserId(),
publicationId))
{
var publication = await _contentDbContext.Publications
.Include(p => p.Releases)
.SingleAsync(p => p.Id == publicationId);
var latestRelease = publication.LatestRelease();
if (latestRelease != null &&
_preReleaseService
.GetPreReleaseWindowStatus(latestRelease, DateTime.UtcNow)
.Access == PreReleaseAccess.Within)
{
context.Succeed(requirement);
break;
}
}
}
}
}
