/// <summary>
/// Checks whether the caller is allowed to remove themself from an assessment.
/// </summary>
/// <param name="assessmentId">Assessment the caller intends to leave.</param>
/// <returns>
/// <c>false</c> when the caller is the last Administrator contact on the assessment and other users
/// remain on it (leaving would strand the assessment without an administrator); otherwise <c>true</c>.
/// </returns>
public bool ValidateMyRemoval([FromUri] int assessmentId)
{
    // NOTE(review): the return value of IsAuthenticated() is discarded, so this line only enforces
    // authentication if the call throws for anonymous callers — confirm that is its contract.
    Auth.IsAuthenticated();

    bool strandsAssessment = Auth.AmILastAdminWithUsers(assessmentId);
    return !strandsAssessment;
}
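/// <summary>
/// Removes a contact (user) from an assessment and returns the refreshed contact list.
/// </summary>
/// <param name="contactRemove">
/// Request body. <c>Assessment_ID == 0</c> selects the caller's current assessment and
/// <c>UserId == 0</c> selects the caller themself.
/// </param>
/// <returns>
/// The assessment's contact list after the removal, together with the caller's role on it.
/// </returns>
/// <exception cref="HttpResponseException">
/// Thrown (with <see cref="HttpStatusCode.Unauthorized"/>) when the body is missing, when the caller
/// is not permitted to remove the requested contact, or when the caller is the last Administrator
/// on an assessment that still has other users.
/// </exception>
public ContactsListResponse RemoveContactFromAssessment([FromBody] ContactRemoveParameters contactRemove)
{
    if (contactRemove == null)
    {
        throw ContactRemovalDenied("The input parameters are not valid", "The input parameters are not valid");
    }

    int assessmentId = contactRemove.Assessment_ID == 0 ? Auth.AssessmentForUser() : contactRemove.Assessment_ID;
    int currentUserId = Auth.GetUserId();
    if (contactRemove.UserId == 0)
    {
        contactRemove.UserId = currentUserId;
    }
    bool removingSelf = contactRemove.UserId == currentUserId;

    ContactsManager cm = new ContactsManager();

    // NOTE(review): the role lookup keys on TransactionSecurity.CurrentUserId while the self-removal
    // test above uses Auth.GetUserId(); presumably both resolve to the same principal — verify,
    // otherwise the caller is authorized as one identity and acts as another.
    int currentUserRole = cm.GetUserRoleOnAssessment(TransactionSecurity.CurrentUserId, assessmentId) ?? 0;

    // Only an administrative contact may remove someone other than themself. Fail closed: a caller
    // with no role on this assessment (lookup returned null -> 0) is not a contact on it and gets the
    // same treatment as a plain USER. Any other role value is treated as administrative here —
    // confirm ContactRole has no further non-admin members.
    bool nonAdministrative = currentUserRole == 0 || currentUserRole == (int)ContactsManager.ContactRole.RoleUser;
    if (nonAdministrative && !removingSelf)
    {
        throw ContactRemovalDenied(
            "The current user does not have administrative authority for the Assessment.",
            "The only contact that a user role can remove is themself.");
    }

    // Do not let the last Administrator leave while other users remain on the assessment.
    if (removingSelf && Auth.AmILastAdminWithUsers(assessmentId))
    {
        throw ContactRemovalDenied(
            "The current user is the only Administrator contact on the Assessment",
            "An Assessment must have at least one Administrator contact.");
    }

    try
    {
        // The returned list is not used; the response re-reads the contacts below so both the
        // normal and the not-a-contact path answer from the same source.
        cm.RemoveContact(contactRemove.UserId, assessmentId);
    }
    catch (NoSuchUserException)
    {
        // Best-effort: the contact was not on the assessment, so there is nothing to remove and
        // the current list is still the right answer. Any other exception type propagates.
    }

    ContactsListResponse resp = new ContactsListResponse
    {
        ContactList = cm.GetContacts(assessmentId),
        CurrentUserRole = cm.GetUserRoleOnAssessment(TransactionSecurity.CurrentUserId, assessmentId) ?? 0
    };
    return resp;
}

/// <summary>
/// Builds the exception thrown when a contact removal is rejected.
/// </summary>
/// <param name="content">Response body text.</param>
/// <param name="reason">HTTP reason phrase.</param>
/// <returns>An <see cref="HttpResponseException"/> carrying the response, ready to be thrown.</returns>
private static HttpResponseException ContactRemovalDenied(string content, string reason)
{
    // NOTE(review): these are authorization (and, for a null body, validation) failures, for which
    // 403 Forbidden / 400 Bad Request would be the more accurate codes; 401 is kept so existing
    // clients keep seeing the status they already handle.
    var err = new HttpResponseMessage(HttpStatusCode.Unauthorized)
    {
        Content = new StringContent(content),
        ReasonPhrase = reason
    };
    return new HttpResponseException(err);
}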