/// <summary> /// Generally, users can only add/remove individuals to/from requests associated with their own 'request entity'. This applies mainly to /// initiators. Initiators may also only view requests associated with their own request entity. /// /// Checks whether given user is allowed to modify this screening request (during the initiation and validation stages). /// i.e., add and remove persons, propose new persons to attach to the screening request. /// /// This method was ported from stored procedure logic in Profiling1. /// </summary> /// <param name="user"></param> /// <returns></returns> public virtual bool UserHasPermission(AdminUser user) { if (user != null) { if (this.Creator == user || // (initiator) can view requests they created user.HasSameRequestEntityAs(this.Creator) || // (initiator) can view requests created by others from the same request entity user.RequestEntities.Contains(this.RequestEntity) || // (initiator) can view requests when they are a member of the requests' assigned request entity user.ScreeningEntities.Count > 0) // any screening entity member can view any request { return(true); } } return(false); }