private bool canReadOne(string resource)
{
// User is admin
if (user_position == Position.GOD)
{
return(true);
}
switch (resource)
{
case Resource.PROFILE:
return(true);
case Resource.MEMBERSHIP:
return(true);
case Resource.MEMBERSHIP_REQUEST:
{
// membershipRequest = mr
var mrService = new MembershipRequestService(new UnitOfWork());
var mrID = (int)context.ActionArguments["id"];
var mrToConsider = mrService.Get(mrID);
var is_mrOwner = mrToConsider.IDNumber.ToString() == user_id; // User_id is an instance variable.
if (is_mrOwner) // If user owns the request
{
return(true);
}
var activityCode = mrToConsider.ActivityCode;
var membershipService = new MembershipService(new UnitOfWork());
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin) // If user is a group admin of the activity that the request is sent to
{
return(true);
}
return(false);
}
case Resource.STUDENT:
// To add a membership for a student, you need to have the students identifier.
{
return(true);
}
case Resource.ADVISOR:
return(true);
case Resource.ACCOUNT:
// To add a membership for a person, you need to have the the person's identifier.
{
return(true);
}
default: return(false);
}
}
/*
* Operations
*/
// This operation is specifically for authorizing deny and allow operations on membership requests. These two operations don't
// Fit in nicely with the REST specificatino which is why there is a seperate case for them.
private bool canDenyAllow(string resource)
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
switch (resource)
{
case Resource.MEMBERSHIP_REQUEST:
{
var mrID = (int)context.ActionArguments["id"];
// Get the veiw model from the repository
var mrService = new MembershipRequestService(new UnitOfWork());
var mrToConsider = mrService.Get(mrID);
// Populate the membershipRequest manually. Omit fields I don't need.
var activityCode = mrToConsider.ActivityCode;
var membershipService = new MembershipService(new UnitOfWork());
var is_activityLeader = membershipService.GetLeaderMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (is_activityLeader) // If user is the leader of the activity that the request is sent to.
{
return(true);
}
var is_activityAdvisor = membershipService.GetAdvisorMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (is_activityAdvisor) // If user is the advisor of the activity that the request is sent to.
{
return(true);
}
return(false);
}
default: return(false);
}
}
private bool canDelete(string resource)
{
switch (resource)
{
case Resource.SHIFT:
if (user_position == Position.STUDENT)
{
return(true);
}
return(false);
case Resource.MEMBERSHIP:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var membershipService = new MembershipService(new UnitOfWork());
var membershipID = (int)context.ActionArguments["id"];
var membershipToConsider = membershipService.GetSpecificMembership(membershipID);
var is_membershipOwner = membershipToConsider.ID_NUM.ToString() == user_id;
if (is_membershipOwner)
{
return(true);
}
var activityCode = membershipToConsider.ACT_CDE;
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.MEMBERSHIP_REQUEST:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
// membershipRequest = mr
var mrService = new MembershipRequestService(new UnitOfWork());
var mrID = (int)context.ActionArguments["id"];
var mrToConsider = mrService.Get(mrID);
var is_mrOwner = mrToConsider.IDNumber.ToString() == user_id;
if (is_mrOwner)
{
return(true);
}
var activityCode = mrToConsider.ActivityCode;
var membershipService = new MembershipService(new UnitOfWork());
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.STUDENT:
return(false); // No one should be able to delete a student through our API
case Resource.ADVISOR:
return(false);
case Resource.ADMIN:
return(false);
case Resource.NEWS:
{
var newsID = context.ActionArguments["newsID"];
var newsService = new NewsService(new UnitOfWork());
var newsItem = newsService.Get((int)newsID);
// only expired news items may be deleted
var todaysDate = System.DateTime.Now;
var newsDate = (System.DateTime)newsItem.Entered;
var dateDiff = (todaysDate - newsDate).Days;
if (newsDate == null || dateDiff >= 14)
{
return(false);
}
// user is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
// user is news item author
string newsAuthor = newsItem.ADUN;
if (user_name == newsAuthor)
{
return(true);
}
return(false);
}
default: return(false);
}
}
private bool canDelete(string resource)
{
switch (resource)
{
case Resource.MEMBERSHIP:
{
// User is admin
if (user_position == Position.GOD)
{
return(true);
}
var membershipService = new MembershipService(new UnitOfWork());
var membershipID = (int)context.ActionArguments["id"];
var membershipToConsider = membershipService.Get(membershipID);
var is_membershipOwner = membershipToConsider.IDNumber.ToString() == user_id;
if (is_membershipOwner)
{
return(true);
}
var activityCode = membershipToConsider.ActivityCode;
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.MEMBERSHIP_REQUEST:
{
// User is admin
if (user_position == Position.GOD)
{
return(true);
}
// membershipRequest = mr
var mrService = new MembershipRequestService(new UnitOfWork());
var mrID = (int)context.ActionArguments["id"];
var mrToConsider = mrService.Get(mrID);
var is_mrOwner = mrToConsider.IDNumber.ToString() == user_id;
if (is_mrOwner)
{
return(true);
}
var activityCode = mrToConsider.ActivityCode;
var membershipService = new MembershipService(new UnitOfWork());
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.STUDENT:
return(false); // No one should be able to delete a student through our API
case Resource.ADVISOR:
return(false);
case Resource.ADMIN:
return(false);
default: return(false);
}
}
private bool canDelete(string resource)
{
switch (resource)
{
case Resource.SHIFT:
if (user_position == Position.STUDENT)
{
return(true);
}
return(false);
case Resource.MEMBERSHIP:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
var membershipService = new MembershipService(new UnitOfWork());
var membershipID = (int)context.ActionArguments["id"];
var membershipToConsider = membershipService.GetSpecificMembership(membershipID);
var is_membershipOwner = membershipToConsider.ID_NUM.ToString() == user_id;
if (is_membershipOwner)
{
return(true);
}
var activityCode = membershipToConsider.ACT_CDE;
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.MEMBERSHIP_REQUEST:
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
// membershipRequest = mr
var mrService = new MembershipRequestService(new UnitOfWork());
var mrID = (int)context.ActionArguments["id"];
var mrToConsider = mrService.Get(mrID);
var is_mrOwner = mrToConsider.IDNumber.ToString() == user_id;
if (is_mrOwner)
{
return(true);
}
var activityCode = mrToConsider.ActivityCode;
var membershipService = new MembershipService(new UnitOfWork());
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin)
{
return(true);
}
return(false);
}
case Resource.STUDENT:
return(false); // No one should be able to delete a student through our API
case Resource.HOUSING:
{
// The housing admins can update the application information (i.e. probation, offcampus program, etc.)
// If the user is a student, then the user must be on an application and be an editor to update the application
HousingService housingService = new HousingService(new UnitOfWork());
if (housingService.CheckIfHousingAdmin(user_id))
{
return(true);
}
else if (user_position == Position.STUDENT)
{
string sess_cde = Helpers.GetCurrentSession().SessionCode;
int? applicationID = housingService.GetApplicationID(user_name, sess_cde);
int requestedApplicationID = (int)context.ActionArguments["applicationID"];
if (applicationID.HasValue && applicationID.Value == requestedApplicationID)
{
var editorUsername = housingService.GetEditorUsername(applicationID.Value);
if (editorUsername.ToLower() == user_name.ToLower())
{
return(true);
}
return(false);
}
return(false);
}
return(false);
}
case Resource.ADVISOR:
return(false);
case Resource.ADMIN:
return(false);
case Resource.HOUSING_ADMIN:
{
// Only the superadmins can remove a housing admin from the whitelist
// Super admins have unrestricted access by default: no need to check
return(false);
}
case Resource.NEWS:
{
var newsID = context.ActionArguments["newsID"];
var newsService = new NewsService(new UnitOfWork());
var newsItem = newsService.Get((int)newsID);
// only expired news items may be deleted
var todaysDate = System.DateTime.Now;
var newsDate = (System.DateTime)newsItem.Entered;
var dateDiff = (todaysDate - newsDate).Days;
if (newsDate == null || dateDiff >= 14)
{
return(false);
}
// user is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
// user is news item author
string newsAuthor = newsItem.ADUN;
if (user_name == newsAuthor)
{
return(true);
}
return(false);
}
default: return(false);
}
}
private bool canReadOne(string resource)
{
// User is admin
if (user_position == Position.SUPERADMIN)
{
return(true);
}
switch (resource)
{
case Resource.PROFILE:
return(true);
case Resource.MEMBERSHIP:
return(true);
case Resource.MEMBERSHIP_REQUEST:
{
// membershipRequest = mr
var mrService = new MembershipRequestService(new UnitOfWork());
var mrID = (int)context.ActionArguments["id"];
var mrToConsider = mrService.Get(mrID);
var is_mrOwner = mrToConsider.IDNumber.ToString() == user_id; // User_id is an instance variable.
if (is_mrOwner) // If user owns the request
{
return(true);
}
var activityCode = mrToConsider.ActivityCode;
var membershipService = new MembershipService(new UnitOfWork());
var isGroupAdmin = membershipService.GetGroupAdminMembershipsForActivity(activityCode).Where(x => x.IDNumber.ToString() == user_id).Count() > 0;
if (isGroupAdmin) // If user is a group admin of the activity that the request is sent to
{
return(true);
}
return(false);
}
case Resource.STUDENT:
// To add a membership for a student, you need to have the students identifier.
// NOTE: I don't believe the 'student' resource is currently being used in API
{
return(true);
}
case Resource.ADVISOR:
return(true);
case Resource.ACCOUNT:
{
// Membership group admins can access ID of members using their email
// NOTE: In the future, probably only email addresses should be stored
// in memberships, since we would rather not give students access to
// other students' account information
var membershipService = new MembershipService(new UnitOfWork());
var isGroupAdmin = membershipService.IsGroupAdmin(Int32.Parse(user_id));
if (isGroupAdmin) // If user is a group admin of the activity that the request is sent to
{
return(true);
}
// faculty and police can access student account information
if (user_position == Position.FACSTAFF ||
user_position == Position.POLICE)
{
return(true);
}
return(false);
}
case Resource.HOUSING:
{
// The members of the apartment application can only read their application
HousingService housingService = new HousingService(new UnitOfWork());
string sess_cde = Helpers.GetCurrentSession().SessionCode;
int? applicationID = housingService.GetApplicationID(user_name, sess_cde);
int requestedApplicationID = (int)context.ActionArguments["applicationID"];
if (applicationID.HasValue && applicationID.Value == requestedApplicationID)
{
return(true);
}
return(false);
}
case Resource.NEWS:
return(true);
default: return(false);
}
}