protected override async Task <PermissionResult> CanUpdateAsync(Organization original, Delta <NewOrganization> changes)
{
var changed = changes.GetEntity();
if (!await IsOrganizationNameAvailableInternalAsync(changed.Name))
{
return(PermissionResult.DenyWithMessage("A organization with this name already exists."));
}
return(await base.CanUpdateAsync(original, changes));
}
protected override async Task <PermissionResult> CanDeleteAsync(Token value)
{
if (!User.IsInRole(AuthorizationRoles.GlobalAdmin) && !String.IsNullOrEmpty(value.UserId) && value.UserId != CurrentUser.Id)
{
return(PermissionResult.DenyWithMessage("Can only delete tokens created by you."));
}
if (!String.IsNullOrEmpty(value.ProjectId) && !await IsInProjectAsync(value.ProjectId))
{
return(PermissionResult.DenyWithNotFound(value.Id));
}
return(await base.CanDeleteAsync(value));
}
protected virtual async Task <PermissionResult> CanUpdateAsync(TModel original, Delta <TUpdateModel> changes)
{
if (original is IOwnedByOrganization orgModel && !CanAccessOrganization(orgModel.OrganizationId))
{
return(PermissionResult.DenyWithMessage("Invalid organization id specified."));
}
if (changes.GetChangedPropertyNames().Contains("OrganizationId"))
{
return(PermissionResult.DenyWithMessage("OrganizationId cannot be modified."));
}
return(PermissionResult.Allow);
}
protected virtual async Task <PermissionResult> CanAddAsync(TModel value)
{
if (_isOrganization || !(value is IOwnedByOrganization orgModel))
{
return(PermissionResult.Allow);
}
if (!CanAccessOrganization(orgModel.OrganizationId))
{
return(PermissionResult.DenyWithMessage("Invalid organization id specified."));
}
return(PermissionResult.Allow);
}
protected override async Task <PermissionResult> CanDeleteAsync(User value)
{
if (value.OrganizationIds.Count > 0)
{
return(PermissionResult.DenyWithMessage("Please delete or leave any organizations before deleting your account."));
}
if (!User.IsInRole(AuthorizationRoles.GlobalAdmin) && value.Id != CurrentUser.Id)
{
return(PermissionResult.Deny);
}
return(await base.CanDeleteAsync(value));
}
protected override async Task <PermissionResult> CanDeleteAsync(Organization value)
{
if (!String.IsNullOrEmpty(value.StripeCustomerId) && !User.IsInRole(AuthorizationRoles.GlobalAdmin))
{
return(PermissionResult.DenyWithMessage("An organization cannot be deleted if it has a subscription.", value.Id));
}
var projects = (await _projectRepository.GetByOrganizationIdAsync(value.Id)).Documents.ToList();
if (!User.IsInRole(AuthorizationRoles.GlobalAdmin) && projects.Any())
{
return(PermissionResult.DenyWithMessage("An organization cannot be deleted if it contains any projects.", value.Id));
}
return(await base.CanDeleteAsync(value));
}
protected override async Task <PermissionResult> CanAddAsync(Project value)
{
if (String.IsNullOrEmpty(value.Name))
{
return(PermissionResult.DenyWithMessage("Project name is required."));
}
if (!await IsProjectNameAvailableInternalAsync(value.OrganizationId, value.Name))
{
return(PermissionResult.DenyWithMessage("A project with this name already exists."));
}
if (!await _billingManager.CanAddProjectAsync(value))
{
return(PermissionResult.DenyWithPlanLimitReached("Please upgrade your plan to add additional projects."));
}
return(await base.CanAddAsync(value));
}
protected override async Task <PermissionResult> CanAddAsync(Organization value)
{
if (String.IsNullOrEmpty(value.Name))
{
return(PermissionResult.DenyWithMessage("Organization name is required."));
}
if (!await IsOrganizationNameAvailableInternalAsync(value.Name))
{
return(PermissionResult.DenyWithMessage("A organization with this name already exists."));
}
if (!await _billingManager.CanAddOrganizationAsync(CurrentUser))
{
return(PermissionResult.DenyWithPlanLimitReached("Please upgrade your plan to add an additional organization."));
}
return(await base.CanAddAsync(value));
}
protected override async Task <PermissionResult> CanAddAsync(WebHook value)
{
if (String.IsNullOrEmpty(value.Url) || value.EventTypes.Length == 0)
{
return(PermissionResult.Deny);
}
if (String.IsNullOrEmpty(value.ProjectId) && String.IsNullOrEmpty(value.OrganizationId))
{
return(PermissionResult.Deny);
}
if (!String.IsNullOrEmpty(value.OrganizationId) && !IsInOrganization(value.OrganizationId))
{
return(PermissionResult.DenyWithMessage("Invalid organization id specified."));
}
Project project = null;
if (!String.IsNullOrEmpty(value.ProjectId))
{
project = await GetProjectAsync(value.ProjectId);
if (project == null)
{
return(PermissionResult.DenyWithMessage("Invalid project id specified."));
}
value.OrganizationId = project.OrganizationId;
}
if (!await _billingManager.HasPremiumFeaturesAsync(project != null ? project.OrganizationId : value.OrganizationId))
{
return(PermissionResult.DenyWithPlanLimitReached("Please upgrade your plan to add integrations."));
}
return(PermissionResult.Allow);
}
protected override async Task <PermissionResult> CanAddAsync(Token value)
{
// We only allow users to create organization scoped tokens.
if (String.IsNullOrEmpty(value.OrganizationId))
{
return(PermissionResult.Deny);
}
if (!String.IsNullOrEmpty(value.ProjectId) && !String.IsNullOrEmpty(value.UserId))
{
return(PermissionResult.DenyWithMessage("Token can't be associated to both user and project."));
}
foreach (string scope in value.Scopes.ToList())
{
if (scope != scope.ToLowerInvariant())
{
value.Scopes.Remove(scope);
value.Scopes.Add(scope.ToLowerInvariant());
}
if (!AuthorizationRoles.AllScopes.Contains(scope.ToLowerInvariant()))
{
return(PermissionResult.DenyWithMessage("Invalid token scope requested."));
}
}
if (value.Scopes.Count == 0)
{
value.Scopes.Add(AuthorizationRoles.Client);
}
if (value.Scopes.Contains(AuthorizationRoles.Client) && !User.IsInRole(AuthorizationRoles.User))
{
return(PermissionResult.Deny);
}
if (value.Scopes.Contains(AuthorizationRoles.User) && !User.IsInRole(AuthorizationRoles.User))
{
return(PermissionResult.Deny);
}
if (value.Scopes.Contains(AuthorizationRoles.GlobalAdmin) && !User.IsInRole(AuthorizationRoles.GlobalAdmin))
{
return(PermissionResult.Deny);
}
if (!String.IsNullOrEmpty(value.ProjectId))
{
var project = await GetProjectAsync(value.ProjectId);
if (project == null)
{
return(PermissionResult.Deny);
}
value.OrganizationId = project.OrganizationId;
value.DefaultProjectId = null;
}
if (!String.IsNullOrEmpty(value.DefaultProjectId))
{
var project = await GetProjectAsync(value.DefaultProjectId);
if (project == null)
{
return(PermissionResult.Deny);
}
}
if (!String.IsNullOrEmpty(value.ApplicationId))
{
var application = await _applicationRepository.GetByIdAsync(value.ApplicationId, true);
if (application == null || !IsInOrganization(application.OrganizationId))
{
return(PermissionResult.Deny);
}
}
return(await base.CanAddAsync(value));
}
protected override async Task <PermissionResult> CanAddAsync(Token value)
{
// We only allow users to create organization scoped tokens.
if (String.IsNullOrEmpty(value.OrganizationId))
{
return(PermissionResult.Deny);
}
bool hasUserRole = User.IsInRole(AuthorizationRoles.User);
bool hasGlobalAdminRole = User.IsInRole(AuthorizationRoles.GlobalAdmin);
if (!hasGlobalAdminRole && !String.IsNullOrEmpty(value.UserId) && value.UserId != CurrentUser.Id)
{
return(PermissionResult.Deny);
}
if (!String.IsNullOrEmpty(value.ProjectId) && !String.IsNullOrEmpty(value.UserId))
{
return(PermissionResult.DenyWithMessage("Token can't be associated to both user and project."));
}
foreach (string scope in value.Scopes.ToList())
{
string lowerCaseScoped = scope.ToLowerInvariant();
if (!String.Equals(scope, lowerCaseScoped))
{
value.Scopes.Remove(scope);
value.Scopes.Add(lowerCaseScoped);
}
if (!AuthorizationRoles.AllScopes.Contains(lowerCaseScoped))
{
return(PermissionResult.DenyWithMessage("Invalid token scope requested."));
}
}
if (value.Scopes.Count == 0)
{
value.Scopes.Add(AuthorizationRoles.Client);
}
if (value.Scopes.Contains(AuthorizationRoles.Client) && !hasUserRole)
{
return(PermissionResult.Deny);
}
if (value.Scopes.Contains(AuthorizationRoles.User) && !hasUserRole)
{
return(PermissionResult.Deny);
}
if (value.Scopes.Contains(AuthorizationRoles.GlobalAdmin) && !hasGlobalAdminRole)
{
return(PermissionResult.Deny);
}
if (!String.IsNullOrEmpty(value.ProjectId))
{
var project = await GetProjectAsync(value.ProjectId);
if (project == null)
{
return(PermissionResult.Deny);
}
value.OrganizationId = project.OrganizationId;
value.DefaultProjectId = null;
}
if (!String.IsNullOrEmpty(value.DefaultProjectId))
{
var project = await GetProjectAsync(value.DefaultProjectId);
if (project == null)
{
return(PermissionResult.Deny);
}
}
return(await base.CanAddAsync(value));
}
protected override PermissionResult CanAdd(Token value)
{
if (String.IsNullOrEmpty(value.OrganizationId))
{
return(PermissionResult.Deny);
}
if (!String.IsNullOrEmpty(value.ProjectId) && !String.IsNullOrEmpty(value.UserId))
{
return(PermissionResult.DenyWithMessage("Token can't be associated to both user and project."));
}
foreach (string scope in value.Scopes.ToList())
{
if (scope != scope.ToLower())
{
value.Scopes.Remove(scope);
value.Scopes.Add(scope.ToLower());
}
if (!AuthorizationRoles.AllScopes.Contains(scope.ToLower()))
{
return(PermissionResult.DenyWithMessage("Invalid token scope requested."));
}
}
if (value.Scopes.Count == 0)
{
value.Scopes.Add(AuthorizationRoles.Client);
}
if (value.Scopes.Contains(AuthorizationRoles.Client) && !User.IsInRole(AuthorizationRoles.User))
{
return(PermissionResult.Deny);
}
if (value.Scopes.Contains(AuthorizationRoles.User) && !User.IsInRole(AuthorizationRoles.User))
{
return(PermissionResult.Deny);
}
if (value.Scopes.Contains(AuthorizationRoles.GlobalAdmin) && !User.IsInRole(AuthorizationRoles.GlobalAdmin))
{
return(PermissionResult.Deny);
}
if (!String.IsNullOrEmpty(value.ProjectId))
{
Project project = _projectRepository.GetById(value.ProjectId, true);
value.OrganizationId = project.OrganizationId;
if (!IsInProject(project))
{
return(PermissionResult.Deny);
}
}
if (!String.IsNullOrEmpty(value.ApplicationId))
{
var application = _applicationRepository.GetById(value.ApplicationId, true);
if (application == null || !IsInOrganization(application.OrganizationId))
{
return(PermissionResult.Deny);
}
}
return(base.CanAdd(value));
}
