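/// <summary>
/// Decides whether the current user may delete the given <paramref name="resource"/>.
/// Reads the instance state user_position, user_id, user_name and context.ActionArguments;
/// any resource not listed here is denied (fail closed).
/// </summary>
/// <param name="resource">One of the <c>Resource</c> constants naming the target of the request.</param>
/// <returns><c>true</c> when the delete is permitted, otherwise <c>false</c>.</returns>
private bool canDelete(string resource)
{
    switch (resource)
    {
        case Resource.SHIFT:
            // Only students may delete shifts.
            return user_position == Position.STUDENT;

        case Resource.MEMBERSHIP:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var membershipService = new MembershipService(new UnitOfWork());
            var membershipID = (int)context.ActionArguments["id"];
            var membershipToConsider = membershipService.GetSpecificMembership(membershipID);
            // Unknown membership: deny rather than let a null dereference become a server error.
            if (membershipToConsider == null)
            {
                return false;
            }
            // The owner of the membership may remove it.
            if (membershipToConsider.ID_NUM.ToString() == user_id)
            {
                return true;
            }
            // Group admins of the activity the membership belongs to may remove it.
            var activityCode = membershipToConsider.ACT_CDE;
            return membershipService.GetGroupAdminMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
        }

        case Resource.MEMBERSHIP_REQUEST:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            // membershipRequest = mr
            var mrService = new MembershipRequestService(new UnitOfWork());
            var mrID = (int)context.ActionArguments["id"];
            var mrToConsider = mrService.Get(mrID);
            // Unknown request: deny rather than throw.
            if (mrToConsider == null)
            {
                return false;
            }
            // The person who made the request may withdraw it.
            if (mrToConsider.IDNumber.ToString() == user_id)
            {
                return true;
            }
            // Group admins of the activity the request was sent to may remove it.
            var activityCode = mrToConsider.ActivityCode;
            var membershipService = new MembershipService(new UnitOfWork());
            return membershipService.GetGroupAdminMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
        }

        case Resource.STUDENT:
            // No one should be able to delete a student through our API.
            return false;

        case Resource.HOUSING:
        {
            // Housing admins may act on application information (i.e. probation, off-campus program, etc.).
            // A student must be on the requested application and be its editor.
            HousingService housingService = new HousingService(new UnitOfWork());
            if (housingService.CheckIfHousingAdmin(user_id))
            {
                return true;
            }
            if (user_position != Position.STUDENT)
            {
                return false;
            }
            string sess_cde = Helpers.GetCurrentSession().SessionCode;
            int? applicationID = housingService.GetApplicationID(user_name, sess_cde);
            int requestedApplicationID = (int)context.ActionArguments["applicationID"];
            if (!applicationID.HasValue || applicationID.Value != requestedApplicationID)
            {
                return false;
            }
            var editorUsername = housingService.GetEditorUsername(applicationID.Value);
            // Ordinal, case-insensitive comparison instead of ToLower() on both sides: it is
            // culture-independent, and a null editor name yields false instead of a NullReferenceException.
            return string.Equals(editorUsername, user_name, StringComparison.OrdinalIgnoreCase);
        }

        case Resource.ADVISOR:
            return false;

        case Resource.ADMIN:
            return false;

        case Resource.HOUSING_ADMIN:
            // Only the superadmins can remove a housing admin from the whitelist.
            // Super admins have unrestricted access by default: no need to check here.
            return false;

        case Resource.NEWS:
        {
            var newsID = context.ActionArguments["newsID"];
            var newsService = new NewsService(new UnitOfWork());
            var newsItem = newsService.Get((int)newsID);
            // Unknown news item: deny rather than throw.
            if (newsItem == null)
            {
                return false;
            }
            // Null-check the raw value before casting; the original compared the already-cast
            // DateTime with null, which could never be true, and the cast itself would throw first.
            var entered = newsItem.Entered;
            if (entered == null)
            {
                return false;
            }
            var newsDate = (System.DateTime)entered;
            // Items 14 or more days old cannot be deleted.
            // NOTE(review): the original comment said "only expired news items may be deleted", which
            // is the opposite of what this condition enforces — confirm the intended policy.
            // NOTE(review): DateTime.Now is local time — confirm Entered is recorded on the same clock.
            var todaysDate = System.DateTime.Now;
            var dateDiff = (todaysDate - newsDate).Days;
            if (dateDiff >= 14)
            {
                return false;
            }
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            // Otherwise only the author of the news item may delete it.
            string newsAuthor = newsItem.ADUN;
            return user_name == newsAuthor;
        }

        default:
            return false;
    }
}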
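/// <summary>
/// Decides whether the current user may create the given <paramref name="resource"/>.
/// Reads the instance state user_position, user_id, user_name and context.ActionArguments;
/// any resource not listed here is denied (fail closed).
/// </summary>
/// <param name="resource">One of the <c>Resource</c> constants naming the target of the request.</param>
/// <returns><c>true</c> when the add is permitted, otherwise <c>false</c>.</returns>
private bool canAdd(string resource)
{
    switch (resource)
    {
        case Resource.SHIFT:
            // Only students may add shifts.
            return user_position == Position.STUDENT;

        case Resource.MEMBERSHIP:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
            // Missing body: deny rather than throw.
            if (membershipToConsider == null)
            {
                return false;
            }
            // A "GUEST" (follower) membership can always be added by the person it is for.
            var isFollower = membershipToConsider.PART_CDE == Activity_Roles.GUEST
                && user_id == membershipToConsider.ID_NUM.ToString();
            if (isFollower)
            {
                return true;
            }
            // Otherwise the caller must be a group admin of the activity the membership is for.
            var activityCode = membershipToConsider.ACT_CDE;
            var membershipService = new MembershipService(new UnitOfWork());
            return membershipService.GetGroupAdminMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
        }

        case Resource.MEMBERSHIP_REQUEST:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var membershipRequestToConsider = (REQUEST)context.ActionArguments["membershipRequest"];
            // Missing body: deny rather than throw.
            if (membershipRequestToConsider == null)
            {
                return false;
            }
            // A request may only be created for the currently logged-in student;
            // no one should be able to add requests on behalf of another person.
            return membershipRequestToConsider.ID_NUM.ToString() == user_id;
        }

        case Resource.STUDENT:
            // No one should be able to add students through this API.
            return false;

        case Resource.ADVISOR:
            // Only super admin can add Advisors through this API.
            return user_position == Position.SUPERADMIN;

        case Resource.HOUSING_ADMIN:
            // Only superadmins can add a HOUSING_ADMIN (they bypass this check).
            return false;

        case Resource.HOUSING:
        {
            // The user must be a student who is not already on an application this session.
            var housingService = new HousingService(new UnitOfWork());
            if (user_position != Position.STUDENT)
            {
                return false;
            }
            var sess_cde = Helpers.GetCurrentSession().SessionCode;
            int? applicationID = housingService.GetApplicationID(user_name, sess_cde);
            return !applicationID.HasValue;
        }

        case Resource.ADMIN:
            return false;

        case Resource.ERROR_LOG:
            // Any authenticated caller may post an error log entry.
            return true;

        case Resource.NEWS:
            // Any authenticated caller may submit a news item.
            return true;

        default:
            return false;
    }
}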
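/// <summary>
/// Decides whether the current user may update the given <paramref name="resource"/>.
/// Reads the instance state user_position, user_id, user_name and context.ActionArguments;
/// any resource not listed here is denied (fail closed).
/// </summary>
/// <param name="resource">One of the <c>Resource</c> constants naming the target of the request.</param>
/// <returns><c>true</c> when the update is permitted, otherwise <c>false</c>.</returns>
private bool canUpdate(string resource)
{
    switch (resource)
    {
        case Resource.SHIFT:
            // Only students may update shifts.
            return user_position == Position.STUDENT;

        case Resource.MEMBERSHIP:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
            // Missing body: deny rather than throw.
            if (membershipToConsider == null)
            {
                return false;
            }
            var membershipService = new MembershipService(new UnitOfWork());
            // Authorize against the persisted record, not the submitted one: ID_NUM and ACT_CDE in
            // the request body are caller-controlled, so deriving ownership or the activity from them
            // would let the caller choose which membership the check is evaluated against. This
            // relies on the body carrying the MEMBERSHIP_ID of the record being updated, which the
            // owner path already required.
            var originalMembership = membershipService.GetSpecificMembership(membershipToConsider.MEMBERSHIP_ID);
            if (originalMembership == null)
            {
                return false;
            }
            // Group admins can update memberships of people in their activity.
            var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(originalMembership.ACT_CDE)
                .Any(x => x.IDNumber.ToString() == user_id);
            if (isGroupAdmin)
            {
                return true;
            }
            // A regular owner may edit their own membership, but not change their participation level.
            var isOwner = originalMembership.ID_NUM.ToString() == user_id;
            return isOwner && originalMembership.PART_CDE == membershipToConsider.PART_CDE;
        }

        case Resource.MEMBERSHIP_REQUEST:
            // Once a request is sent, no one should be able to edit its contents.
            // If a mistake is made in the original request, the user can delete it and make a new one.
            return false;

        case Resource.MEMBERSHIP_PRIVACY:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var membershipService = new MembershipService(new UnitOfWork());
            var membershipID = (int)context.ActionArguments["id"];
            var membershipToConsider = membershipService.GetSpecificMembership(membershipID);
            // Unknown membership: deny rather than throw.
            if (membershipToConsider == null)
            {
                return false;
            }
            // The owner may change the privacy of their own membership.
            if (membershipToConsider.ID_NUM.ToString() == user_id)
            {
                return true;
            }
            // Group admins of the activity may change it as well.
            var activityCode = membershipToConsider.ACT_CDE;
            return membershipService.GetGroupAdminMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
        }

        case Resource.STUDENT:
            // No one should be able to update a student through this API.
            return false;

        case Resource.HOUSING:
        {
            // Housing admins may update application information (i.e. probation, off-campus program, etc.).
            // A student must be on the requested application and be its editor.
            HousingService housingService = new HousingService(new UnitOfWork());
            if (housingService.CheckIfHousingAdmin(user_id))
            {
                return true;
            }
            if (user_position != Position.STUDENT)
            {
                return false;
            }
            string sess_cde = Helpers.GetCurrentSession().SessionCode;
            int? applicationID = housingService.GetApplicationID(user_name, sess_cde);
            int requestedApplicationID = (int)context.ActionArguments["applicationID"];
            if (!applicationID.HasValue || applicationID.Value != requestedApplicationID)
            {
                return false;
            }
            string editorUsername = housingService.GetEditorUsername(applicationID.Value);
            // Ordinal, case-insensitive comparison instead of ToLower() on both sides: it is
            // culture-independent, and a null editor name yields false instead of a NullReferenceException.
            return string.Equals(editorUsername, user_name, StringComparison.OrdinalIgnoreCase);
        }

        case Resource.ADVISOR:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var membershipService = new MembershipService(new UnitOfWork());
            var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
            // Missing body: deny rather than throw.
            if (membershipToConsider == null)
            {
                return false;
            }
            // NOTE(review): the activity is taken from the request body rather than a stored record;
            // confirm the controller validates it against the membership being updated.
            var activityCode = membershipToConsider.ACT_CDE;
            // Activity advisors can update memberships of people in their activity.
            return membershipService.GetAdvisorMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
        }

        case Resource.PROFILE:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var username = (string)context.ActionArguments["username"];
            // Users may only update their own profile; string.Equals is null-safe where
            // username.Equals(...) would throw on a missing argument.
            return string.Equals(username, user_name);
        }

        case Resource.ACTIVITY_INFO:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var activityCode = (string)context.ActionArguments["id"];
            var membershipService = new MembershipService(new UnitOfWork());
            // Group admins may edit their own activity's information.
            return membershipService.GetGroupAdminMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
        }

        case Resource.ACTIVITY_STATUS:
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            var activityCode = (string)context.ActionArguments["id"];
            var sessionCode = (string)context.ActionArguments["sess_cde"];
            var unitOfWork = new UnitOfWork();
            var membershipService = new MembershipService(unitOfWork);
            var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
            if (!isGroupAdmin)
            {
                return false;
            }
            // A group admin may close an activity that is currently open; once closed,
            // only a super admin may change its open/closed status.
            var activityService = new ActivityService(unitOfWork);
            return activityService.IsOpen(activityCode, sessionCode);
        }

        case Resource.NEWS:
        {
            var newsID = context.ActionArguments["newsID"];
            var newsService = new NewsService(new UnitOfWork());
            var newsItem = newsService.Get((int)newsID);
            // Unknown news item: deny rather than throw.
            if (newsItem == null)
            {
                return false;
            }
            // Only unapproved (explicitly not accepted) posts may be updated.
            var approved = newsItem.Accepted;
            if (approved == null || approved == true)
            {
                return false;
            }
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }
            // Otherwise only the author may update it.
            string newsAuthor = newsItem.ADUN;
            return user_name == newsAuthor;
        }

        default:
            return false;
    }
}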
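/// <summary>
/// Decides whether the current user may read a single instance of the given <paramref name="resource"/>.
/// Super admins are allowed everything; otherwise the decision is per resource, and any resource not
/// listed here is denied (fail closed). Reads the instance state user_position, user_id, user_name and
/// context.ActionArguments.
/// </summary>
/// <param name="resource">One of the <c>Resource</c> constants naming the target of the request.</param>
/// <returns><c>true</c> when the read is permitted, otherwise <c>false</c>.</returns>
private bool canReadOne(string resource)
{
    if (user_position == Position.SUPERADMIN)
    {
        return true;
    }
    switch (resource)
    {
        case Resource.PROFILE:
            return true;

        case Resource.MEMBERSHIP:
            return true;

        case Resource.MEMBERSHIP_REQUEST:
        {
            // membershipRequest = mr
            var mrService = new MembershipRequestService(new UnitOfWork());
            var mrID = (int)context.ActionArguments["id"];
            var mrToConsider = mrService.Get(mrID);
            // Unknown request: deny rather than throw.
            if (mrToConsider == null)
            {
                return false;
            }
            // The person who made the request may view it.
            if (mrToConsider.IDNumber.ToString() == user_id)
            {
                return true;
            }
            // Group admins of the activity the request was sent to may view it.
            var activityCode = mrToConsider.ActivityCode;
            var membershipService = new MembershipService(new UnitOfWork());
            return membershipService.GetGroupAdminMembershipsForActivity(activityCode)
                .Any(x => x.IDNumber.ToString() == user_id);
        }

        case Resource.STUDENT:
            // To add a membership for a student, you need to have the student's identifier.
            // NOTE: the 'student' resource is believed not to be used by the API currently.
            return true;

        case Resource.ADVISOR:
            return true;

        case Resource.ACCOUNT:
        {
            // Membership group admins can look up the ID of members using their email.
            // NOTE: In the future, probably only email addresses should be stored in memberships,
            // since we would rather not give students access to other students' account information.
            var membershipService = new MembershipService(new UnitOfWork());
            // TryParse instead of Parse so a non-numeric user_id fails this branch closed
            // instead of surfacing as a server error; IsGroupAdmin is not tied to an activity.
            int userIdNumber;
            if (Int32.TryParse(user_id, out userIdNumber) && membershipService.IsGroupAdmin(userIdNumber))
            {
                return true;
            }
            // Faculty/staff and police can access student account information.
            return user_position == Position.FACSTAFF || user_position == Position.POLICE;
        }

        case Resource.HOUSING:
        {
            // Members of an apartment application may only read their own application.
            HousingService housingService = new HousingService(new UnitOfWork());
            string sess_cde = Helpers.GetCurrentSession().SessionCode;
            int? applicationID = housingService.GetApplicationID(user_name, sess_cde);
            int requestedApplicationID = (int)context.ActionArguments["applicationID"];
            return applicationID.HasValue && applicationID.Value == requestedApplicationID;
        }

        case Resource.NEWS:
            return true;

        default:
            return false;
    }
}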