protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
DropMethodologyLinkRequirement requirement,
PublicationMethodology link)
{
if (link.Owner)
{
// No user is allowed to drop the link between a methodology and its owning publication
return;
}
// Allow users who can adopt methodologies to also drop them
if (SecurityUtils.HasClaim(context.User, AdoptAnyMethodology))
{
context.Succeed(requirement);
return;
}
if (await _userPublicationRoleRepository.IsUserPublicationOwner(
context.User.GetUserId(),
link.PublicationId))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
DeleteSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// If the Methodology is already public, it cannot be deleted.
if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
if (methodologyVersion.Status == Approved)
{
return;
}
if (SecurityUtils.HasClaim(context.User, DeleteAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can delete it.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
MakeAmendmentOfSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// Amendments can only be created from Methodologies that are already publicly-accessible.
if (!await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
// Any user with the "MakeAmendmentsOfAllMethodologies" Claim can create an amendment of a
// publicly-accessible Methodology.
if (SecurityUtils.HasClaim(context.User, MakeAmendmentsOfAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can create
// an Amendment of this Methodology.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context,
AdoptMethodologyForSpecificPublicationRequirement requirement,
Publication publication)
{
if (SecurityUtils.HasClaim(context.User, SecurityClaimTypes.AdoptAnyMethodology))
{
context.Succeed(requirement);
return;
}
if (await _userPublicationRoleRepository.IsUserPublicationOwner(context.User.GetUserId(), publication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
UpdateSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// An Approved Methodology cannot be updated. Instead, it should firstly be unapproved if permissions
// allow and then updated.
if (methodologyVersion.Approved)
{
return;
}
// If the Methodology is already public, it cannot be updated.
if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id))
{
return;
}
// If the user has a global Claim that allows them to update any Methodology, allow it.
if (SecurityUtils.HasClaim(context.User, UpdateAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can update it.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
return;
}
// If the user is an Editor (Contributor, Lead) or an Approver of the latest (Live or non-Live) Release
// of the owning Publication of this Methodology, they can update it.
if (await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
UpdateLegacyReleaseRequirement requirement,
LegacyRelease legacyRelease)
{
if (SecurityUtils.HasClaim(context.User, UpdateAllReleases))
{
context.Succeed(requirement);
return;
}
var isUserPublicationOwner = await _userPublicationRoleRepository.IsUserPublicationOwner(
context.User.GetUserId(),
legacyRelease.PublicationId);
if (isUserPublicationOwner)
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
UpdateReleaseRoleRequirement requirement,
Tuple <Publication, ReleaseRole> tuple)
{
var(publication, releaseRole) = tuple;
if (SecurityUtils.HasClaim(context.User, ManageAnyUser))
{
context.Succeed(requirement);
return;
}
if (releaseRole == ReleaseRole.Contributor &&
await _userPublicationRoleRepository
.IsUserPublicationOwner(context.User.GetUserId(), publication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
CreateMethodologyForSpecificPublicationRequirement requirement,
Publication publication)
{
// If a Publication owns a Methodology already, they cannot own another.
if (await _context.PublicationMethodologies
.AnyAsync(pm => pm.PublicationId == publication.Id && pm.Owner))
{
return;
}
if (SecurityUtils.HasClaim(context.User, CreateAnyMethodology))
{
context.Succeed(requirement);
return;
}
if (await _userPublicationRoleRepository.IsUserPublicationOwner(
context.User.GetUserId(),
publication.Id))
{
context.Succeed(requirement);
}
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
ViewSpecificMethodologyRequirement requirement,
MethodologyVersion methodologyVersion)
{
// If the user has a global Claim that allows them to access any Methodology, allow it.
if (SecurityUtils.HasClaim(context.User, SecurityClaimTypes.AccessAllMethodologies))
{
context.Succeed(requirement);
return;
}
var owningPublication =
await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId);
// If the user is a Publication Owner of the Publication that owns this Methodology, they can view it.
if (await _userPublicationRoleRepository.IsUserPublicationOwner(context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
return;
}
// If the user is an Editor (Contributor, Lead) or an Approver of the latest (Live or non-Live) Release
// of the owning Publication of this Methodology, they can view it.
if (await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease(
context.User.GetUserId(),
owningPublication.Id))
{
context.Succeed(requirement);
}
// If the user is a PrereleaseViewer of the latest non-Live, Approved Release of any Publication
// using this Methodology, and the methodology is approved, and the latest release under that publication
// is within the prerelease time window, they can view it
if (methodologyVersion.Approved)
{
var publicationIds = await _methodologyRepository
.GetAllPublicationIds(methodologyVersion.MethodologyId);
foreach (var publicationId in publicationIds)
{
if (await _userReleaseRoleRepository.IsUserPrereleaseViewerOnLatestPreReleaseRelease(
context.User.GetUserId(),
publicationId))
{
var publication = await _contentDbContext.Publications
.Include(p => p.Releases)
.SingleAsync(p => p.Id == publicationId);
var latestRelease = publication.LatestRelease();
if (latestRelease != null &&
_preReleaseService
.GetPreReleaseWindowStatus(latestRelease, DateTime.UtcNow)
.Access == PreReleaseAccess.Within)
{
context.Succeed(requirement);
break;
}
}
}
}
}