public EntityPermissionsController() { Get("/api/v1/entity/permissions/get", _ => { var errors = ValidationProcessor.Process(Request, new IValidatorRule[] { new ShouldHaveParameters(new[] { "entity_guid", "entity_type" }), new ShouldBeCorrectEnumValue("entity_type", typeof(EntityType)), new EntityShouldExist(), }, true); if (errors.Count > 0) { return(HttpResponse.Errors(errors)); } var me = UserRepository.Find(CurrentRequest.UserId); var entityType = (EntityType)GetRequestEnum("entity_type", typeof(EntityType)); var entityId = EntityUtils.GetEntityId(GetRequestStr("entity_guid"), entityType); if (!PermissionUtils.HasEntityPermission(me, entityId, entityType)) { return(HttpResponse.Item("permissions", new JArray() { })); } return(HttpResponse.Item("permissions", new JArray() { "read", "write" })); }); }
public HttpError Process(Request request) { if (!PermissionUtils.HasEntityPermission(_user, _entityId, _entityType)) { return(new HttpError(HttpStatusCode.Forbidden, "You don't have edit permissions for this entity")); } return(null); }
public void HasEntityPermission_Board_HasPermission() { var user = UserFaker.Create(); var board = BoardFaker.Create(); Assert.False(PermissionUtils.HasEntityPermission(user, board.id, EntityType.Board)); ProjectTeamMemberFaker.Create(board.Project(), user); Assert.True(PermissionUtils.HasEntityPermission(user, board.id, EntityType.Board)); }
public void HasEntityPermission_Project_HasPermission() { var user = UserFaker.Create(); var project = ProjectFaker.Create(); Assert.False(PermissionUtils.HasEntityPermission(user, project.id, EntityType.Project)); ProjectTeamMemberFaker.Create(project, user); Assert.True(PermissionUtils.HasEntityPermission(user, project.id, EntityType.Project)); }
public ProcessedRequest Process(ProcessedRequest request) { var me = UserRepository.Find(request.UserId); var entityGuid = _forcedGuid ?? request.GetRequestStr(_entityGuidParam); if (!EntityUtils.IsEntityExists(entityGuid, _entityType)) { request.AddError(new HttpError(HttpStatusCode.NotFound, $"Target {_entityType} doesn't exist")); } if (!PermissionUtils.HasEntityPermission(me, entityGuid, _entityType)) { request.AddError( new HttpError(HttpStatusCode.Forbidden, "You don't have write permissions for this " + _entityType) ); } return(request); }
public EntityDecisionCrudController() { // Options should be a valid json array ex. "['option 1', 'option2']" Post("/api/v1/entity/decision/create", _ => { var rules = new List <IValidatorRule>() { new ShouldHaveParameters(new[] { "entity_guid", "entity_type", "title", "content", "deadline", "options" }), new MinLength("title", 3), new MinLength("content", 10), new ShouldBeCorrectEnumValue("entity_type", typeof(EntityType)), new EntityShouldExist() }; var errors = ValidationProcessor.Process(Request, rules, true); if (errors.Count > 0) { return(HttpResponse.Errors(errors)); } JArray options; try { options = JArray.Parse(GetRequestStr("options")); } catch (Exception e) { return(HttpResponse.Error( HttpStatusCode.UnprocessableEntity, "For options please provide a valid JSON array" )); } var entityType = (EntityType)GetRequestEnum("entity_type", typeof(EntityType)); var entityId = EntityUtils.GetEntityId(GetRequestStr("entity_guid"), entityType); if (entityType != EntityType.Project || entityType != EntityType.Board) { } var deadline = DateTime.Parse(GetRequestStr("deadline")); var minDeadline = DateTime.Now.AddDays(1); if (deadline < minDeadline) { return(HttpResponse.Error( HttpStatusCode.UnprocessableEntity, "Deadline cannot be earlier than 1 day : " + minDeadline )); } var me = UserRepository.Find(CurrentRequest.UserId); if (PermissionUtils.HasEntityPermission(me, entityId, entityType)) { return(HttpResponse.Error( HttpStatusCode.Unauthorized, "You don't have decision edit access" )); } var decision = EntityDecisionRepository.Create( me, entityId, entityType, GetRequestStr("title"), GetRequestStr("content"), deadline ); int optionOrder = 1; foreach (var option in options) { EntityDecisionOptionRepository.Create(decision, option.Value <string>(), optionOrder); optionOrder++; if (optionOrder > 10) { break; } } return(HttpResponse.Item( "decision", new DecisionTransformer().Transform(decision), HttpStatusCode.Created )); }); Patch("/api/v1/entity/decision/edit", _ => { var rules = new List <IValidatorRule>() { new ShouldHaveParameters(new[] { "decision_guid" }), new ExistsInTable("decision_guid", "entity_decisions", "guid") }; var errors = ValidationProcessor.Process(Request, rules, true); if (errors.Count > 0) { return(HttpResponse.Errors(errors)); } var me = UserRepository.Find(CurrentRequest.UserId); var decision = EntityDecisionRepository.FindByGuid(GetRequestStr("decision_guid")); if (me.id != decision.creator_id) { return(HttpResponse.Error(HttpStatusCode.Unauthorized, "Only creator can update this decision")); } if (GetRequestStr("new_status") != "") { var newStatus = (DecisionStatus)GetRequestEnum("new_status", typeof(DecisionStatus)); switch (newStatus) { case DecisionStatus.Canceled: decision.UpdateStatus(DecisionStatus.Canceled); break; case DecisionStatus.Open: case DecisionStatus.Closed: return(HttpResponse.Error(HttpStatusCode.Unauthorized, "You cannot set this status")); } } decision = decision.Refresh(); return(HttpResponse.Item("decision", new DecisionTransformer().Transform(decision))); }); Delete("/api/v1/entity/decision/delete", _ => { var rules = new List <IValidatorRule>() { new ShouldHaveParameters(new[] { "decision_guid" }), new ExistsInTable("decision_guid", "entity_decisions", "guid") }; var errors = ValidationProcessor.Process(Request, rules, true); if (errors.Count > 0) { return(HttpResponse.Errors(errors)); } var me = UserRepository.Find(CurrentRequest.UserId); var decision = EntityDecisionRepository.FindByGuid(GetRequestStr("decision_guid")); if (me.id != decision.creator_id) { return(HttpResponse.Error(HttpStatusCode.Unauthorized, "Only creator can update this decision")); } decision.Delete(); return(HttpResponse.Item("decision", new DecisionTransformer().Transform(decision))); }); }