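        /// <summary>
        /// Decides whether the current user may delete one instance of <paramref name="resource"/>.
        /// Ownership and group-admin checks are made against the STORED record looked up from the
        /// route id (never against client-supplied fields), and every lookup that yields no record
        /// fails closed. Unknown resources are denied.
        /// </summary>
        /// <param name="resource">One of the <c>Resource</c> string constants.</param>
        /// <returns>true when the delete is authorised; false otherwise.</returns>
        private bool canDelete(string resource)
        {
            switch (resource)
            {
            case Resource.SHIFT:
                // Shifts are a student-only resource here.
                return user_position == Position.STUDENT;

            case Resource.MEMBERSHIP:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var membershipService    = new MembershipService(new UnitOfWork());
                var membershipID         = (int)context.ActionArguments["id"];
                var membershipToConsider = membershipService.GetSpecificMembership(membershipID);
                if (membershipToConsider == null)
                {
                    // Unknown id: deny instead of dereferencing null (which would surface as a 500).
                    return false;
                }
                // The member may remove their own membership ...
                if (membershipToConsider.ID_NUM.ToString() == user_id)
                {
                    return true;
                }
                // ... and a group admin of the membership's (stored) activity may remove anyone's.
                return membershipService
                       .GetGroupAdminMembershipsForActivity(membershipToConsider.ACT_CDE)
                       .Any(x => x.IDNumber.ToString() == user_id);
            }

            case Resource.MEMBERSHIP_REQUEST:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var mrService    = new MembershipRequestService(new UnitOfWork());
                var mrID         = (int)context.ActionArguments["id"];
                var mrToConsider = mrService.Get(mrID);
                if (mrToConsider == null)
                {
                    return false;
                }
                // The requester may withdraw their own request ...
                if (mrToConsider.IDNumber.ToString() == user_id)
                {
                    return true;
                }
                // ... and a group admin of the activity the request was sent to may remove it.
                var membershipService = new MembershipService(new UnitOfWork());
                return membershipService
                       .GetGroupAdminMembershipsForActivity(mrToConsider.ActivityCode)
                       .Any(x => x.IDNumber.ToString() == user_id);
            }

            case Resource.STUDENT:
                // Students are never deleted through this API.
                return false;

            case Resource.HOUSING:
            {
                // Housing admins may always delete. A student may delete only the application they
                // are on for the current session, and only if they are that application's editor.
                var housingService = new HousingService(new UnitOfWork());
                if (housingService.CheckIfHousingAdmin(user_id))
                {
                    return true;
                }
                if (user_position != Position.STUDENT)
                {
                    return false;
                }
                string sess_cde               = Helpers.GetCurrentSession().SessionCode;
                int?   applicationID          = housingService.GetApplicationID(user_name, sess_cde);
                int    requestedApplicationID = (int)context.ActionArguments["applicationID"];
                if (!applicationID.HasValue || applicationID.Value != requestedApplicationID)
                {
                    return false;
                }
                string editorUsername = housingService.GetEditorUsername(applicationID.Value);
                // Usernames compare case-insensitively (ordinal, so not culture-dependent);
                // an application with no editor is a deny rather than a NullReferenceException.
                return editorUsername != null
                       && string.Equals(editorUsername, user_name, StringComparison.OrdinalIgnoreCase);
            }

            case Resource.ADVISOR:
                return false;

            case Resource.ADMIN:
                return false;

            case Resource.HOUSING_ADMIN:
                // Only superadmins may remove a housing admin from the whitelist; the original
                // comment notes superadmins bypass this filter entirely, so everyone else is denied.
                return false;

            case Resource.NEWS:
            {
                var newsID      = (int)context.ActionArguments["newsID"];
                var newsService = new NewsService(new UnitOfWork());
                var newsItem    = newsService.Get(newsID);
                // Items with no posted date, or posted 14 or more days ago, can no longer be deleted.
                // The null test must precede the DateTime cast: the original cast first, which made
                // its `newsDate == null` check unreachable (non-nullable DateTime) and would throw
                // on a null Entered.
                // NOTE(review): the original comment said "only expired news items may be deleted",
                // which is the inverse of this condition -- confirm which policy is intended.
                if (newsItem == null || newsItem.Entered == null)
                {
                    return false;
                }
                var newsDate = (System.DateTime)newsItem.Entered;
                // Server-local time as in the original; if Entered is stored in UTC this should
                // become DateTime.UtcNow -- TODO confirm.
                var dateDiff = (System.DateTime.Now - newsDate).Days;
                if (dateDiff >= 14)
                {
                    return false;
                }
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                // Otherwise only the item's author (AD username) may delete it.
                return user_name == newsItem.ADUN;
            }

            default:
                return false;
            }
        }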
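        /// <summary>
        /// Decides whether the current user may create a new instance of <paramref name="resource"/>.
        /// For MEMBERSHIP and MEMBERSHIP_REQUEST the candidate object comes from the request body
        /// (there is no stored record yet), so the checks are deliberately limited to "is this for
        /// me" and "am I a group admin of the target activity". A missing body object is a deny.
        /// </summary>
        /// <param name="resource">One of the <c>Resource</c> string constants.</param>
        /// <returns>true when the create is authorised; false otherwise.</returns>
        private bool canAdd(string resource)
        {
            switch (resource)
            {
            case Resource.SHIFT:
                return user_position == Position.STUDENT;

            case Resource.MEMBERSHIP:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
                if (membershipToConsider == null)
                {
                    // Model binding produced nothing to authorise; deny rather than dereference null.
                    return false;
                }
                // Anyone may follow an activity: a GUEST membership, but only for themselves.
                bool isFollower = membershipToConsider.PART_CDE == Activity_Roles.GUEST
                                  && user_id == membershipToConsider.ID_NUM.ToString();
                if (isFollower)
                {
                    return true;
                }
                // Otherwise the caller must be a group admin of the activity being joined
                // (the original comment said "advisor"; the code checks group admins).
                var membershipService = new MembershipService(new UnitOfWork());
                return membershipService
                       .GetGroupAdminMembershipsForActivity(membershipToConsider.ACT_CDE)
                       .Any(x => x.IDNumber.ToString() == user_id);
            }

            case Resource.MEMBERSHIP_REQUEST:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var membershipRequestToConsider = (REQUEST)context.ActionArguments["membershipRequest"];
                if (membershipRequestToConsider == null)
                {
                    return false;
                }
                // A request may only be filed for oneself; nobody submits on another person's behalf.
                return membershipRequestToConsider.ID_NUM.ToString() == user_id;
            }

            case Resource.STUDENT:
                // Students are never created through this API.
                return false;

            case Resource.ADVISOR:
                // Only superadmins may add advisors through this API.
                return user_position == Position.SUPERADMIN;

            case Resource.HOUSING_ADMIN:
                // Only superadmins may add a housing admin (they bypass this filter), so deny here.
                return false;

            case Resource.HOUSING:
            {
                // A student may open an application only if they are not already on one this session.
                if (user_position != Position.STUDENT)
                {
                    return false;
                }
                var  housingService = new HousingService(new UnitOfWork());
                var  sess_cde       = Helpers.GetCurrentSession().SessionCode;
                int? applicationID  = housingService.GetApplicationID(user_name, sess_cde);
                return !applicationID.HasValue;
            }

            case Resource.ADMIN:
                return false;

            case Resource.ERROR_LOG:
                // Any authenticated caller may post an error log.
                return true;

            case Resource.NEWS:
                // Any authenticated caller may submit a news item (the Accepted flag checked in
                // canUpdate suggests approval happens separately -- confirm).
                return true;

            default:
                return false;
            }
        }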
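        /// <summary>
        /// Decides whether the current user may update one instance of <paramref name="resource"/>.
        /// Where a stored record can be identified (MEMBERSHIP via MEMBERSHIP_ID, MEMBERSHIP_PRIVACY
        /// and NEWS via the route id) the ownership / group-admin checks are made against that stored
        /// record, not against fields of the request body, which the caller controls. Missing records
        /// and missing body objects fail closed.
        /// </summary>
        /// <param name="resource">One of the <c>Resource</c> string constants.</param>
        /// <returns>true when the update is authorised; false otherwise.</returns>
        private bool canUpdate(string resource)
        {
            switch (resource)
            {
            case Resource.SHIFT:
                return user_position == Position.STUDENT;

            case Resource.MEMBERSHIP:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
                if (membershipToConsider == null)
                {
                    return false;
                }
                var membershipService = new MembershipService(new UnitOfWork());
                // Authorise against the STORED membership identified by MEMBERSHIP_ID. The original
                // tested group-admin status against the body's ACT_CDE and ownership against the
                // body's ID_NUM; both are caller-supplied, so a body naming an activity the caller
                // administers (or the caller's own ID_NUM) together with someone else's
                // MEMBERSHIP_ID satisfied the check.
                var originalMembership = membershipService.GetSpecificMembership(membershipToConsider.MEMBERSHIP_ID);
                if (originalMembership == null)
                {
                    return false;
                }
                Func<string, bool> isGroupAdminOf = activityCode =>
                    membershipService
                    .GetGroupAdminMembershipsForActivity(activityCode)
                    .Any(x => x.IDNumber.ToString() == user_id);

                // A group admin of the stored activity may edit memberships in it. If the update
                // also moves the membership to a different activity, the caller must administer
                // that activity as well.
                if (isGroupAdminOf(originalMembership.ACT_CDE))
                {
                    return originalMembership.ACT_CDE == membershipToConsider.ACT_CDE
                           || isGroupAdminOf(membershipToConsider.ACT_CDE);
                }
                // The stored owner may edit their own membership but may not change their
                // participation level (as before) nor move it to another activity (tightened here --
                // confirm nothing legitimate relies on owners changing ACT_CDE through this route).
                if (originalMembership.ID_NUM.ToString() == user_id)
                {
                    return originalMembership.PART_CDE == membershipToConsider.PART_CDE
                           && originalMembership.ACT_CDE == membershipToConsider.ACT_CDE;
                }
                return false;
            }

            case Resource.MEMBERSHIP_REQUEST:
                // Requests are immutable once sent; a mistaken request is deleted and re-created.
                return false;

            case Resource.MEMBERSHIP_PRIVACY:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var membershipService    = new MembershipService(new UnitOfWork());
                var membershipID         = (int)context.ActionArguments["id"];
                var membershipToConsider = membershipService.GetSpecificMembership(membershipID);
                if (membershipToConsider == null)
                {
                    return false;
                }
                // The member themselves, or a group admin of the membership's stored activity.
                if (membershipToConsider.ID_NUM.ToString() == user_id)
                {
                    return true;
                }
                return membershipService
                       .GetGroupAdminMembershipsForActivity(membershipToConsider.ACT_CDE)
                       .Any(x => x.IDNumber.ToString() == user_id);
            }

            case Resource.STUDENT:
                // Students are never updated through this API.
                return false;

            case Resource.HOUSING:
            {
                // Housing admins may always update. A student may update only the application they
                // are on for the current session, and only if they are that application's editor.
                var housingService = new HousingService(new UnitOfWork());
                if (housingService.CheckIfHousingAdmin(user_id))
                {
                    return true;
                }
                if (user_position != Position.STUDENT)
                {
                    return false;
                }
                string sess_cde               = Helpers.GetCurrentSession().SessionCode;
                int?   applicationID          = housingService.GetApplicationID(user_name, sess_cde);
                int    requestedApplicationID = (int)context.ActionArguments["applicationID"];
                if (!applicationID.HasValue || applicationID.Value != requestedApplicationID)
                {
                    return false;
                }
                string editorUsername = housingService.GetEditorUsername(applicationID.Value);
                // Ordinal case-insensitive compare; a missing editor is a deny, not an exception.
                return editorUsername != null
                       && string.Equals(editorUsername, user_name, StringComparison.OrdinalIgnoreCase);
            }

            case Resource.ADVISOR:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var membershipToConsider = (MEMBERSHIP)context.ActionArguments["membership"];
                if (membershipToConsider == null)
                {
                    return false;
                }
                // NOTE(review): as in the original, the activity is taken from the request body, so a
                // caller who advises activity A satisfies this check for any membership by putting A
                // in ACT_CDE. Resolving the stored record first (as MEMBERSHIP does) would close that,
                // but it is not clear MEMBERSHIP_ID is populated on this route -- confirm.
                var membershipService = new MembershipService(new UnitOfWork());
                return membershipService
                       .GetAdvisorMembershipsForActivity(membershipToConsider.ACT_CDE)
                       .Any(x => x.IDNumber.ToString() == user_id);
            }

            case Resource.PROFILE:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                // Only the profile's own user may edit it. The comparison is exact (case-sensitive),
                // as in the original; the HOUSING cases compare usernames case-insensitively --
                // confirm which is right for this directory. A missing route username is a deny.
                var username = (string)context.ActionArguments["username"];
                return username != null && username.Equals(user_name);
            }

            case Resource.ACTIVITY_INFO:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                // Group admins of the activity named in the route may edit its info.
                var activityCode      = (string)context.ActionArguments["id"];
                var membershipService = new MembershipService(new UnitOfWork());
                return membershipService
                       .GetGroupAdminMembershipsForActivity(activityCode)
                       .Any(x => x.IDNumber.ToString() == user_id);
            }

            case Resource.ACTIVITY_STATUS:
            {
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                var activityCode = (string)context.ActionArguments["id"];
                var sessionCode  = (string)context.ActionArguments["sess_cde"];
                var unitOfWork   = new UnitOfWork();

                var  membershipService = new MembershipService(unitOfWork);
                bool isGroupAdmin      = membershipService
                                         .GetGroupAdminMembershipsForActivity(activityCode)
                                         .Any(x => x.IDNumber.ToString() == user_id);
                if (!isGroupAdmin)
                {
                    return false;
                }
                // A group admin may close an OPEN activity; changing a closed one is superadmin-only.
                var activityService = new ActivityService(unitOfWork);
                return activityService.IsOpen(activityCode, sessionCode);
            }

            case Resource.NEWS:
            {
                var newsID      = (int)context.ActionArguments["newsID"];
                var newsService = new NewsService(new UnitOfWork());
                var newsItem    = newsService.Get(newsID);
                // Only items still awaiting approval (Accepted == false) may be edited; a missing
                // item or an unset flag is a deny.
                if (newsItem == null)
                {
                    return false;
                }
                var approved = newsItem.Accepted;
                if (approved == null || approved == true)
                {
                    return false;
                }
                if (user_position == Position.SUPERADMIN)
                {
                    return true;
                }
                // Otherwise only the item's author (AD username) may edit it.
                return user_name == newsItem.ADUN;
            }

            default:
                return false;
            }
        }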
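        /// <summary>
        /// Decides whether the current user may read a single instance of <paramref name="resource"/>.
        /// Superadmins may read everything. PROFILE, MEMBERSHIP, STUDENT, ADVISOR and NEWS are
        /// readable by any authenticated caller; MEMBERSHIP_REQUEST, ACCOUNT and HOUSING are
        /// restricted below. Lookups that yield no record fail closed.
        /// </summary>
        /// <param name="resource">One of the <c>Resource</c> string constants.</param>
        /// <returns>true when the read is authorised; false otherwise.</returns>
        private bool canReadOne(string resource)
        {
            if (user_position == Position.SUPERADMIN)
            {
                return true;
            }

            switch (resource)
            {
            case Resource.PROFILE:
                return true;

            case Resource.MEMBERSHIP:
                return true;

            case Resource.MEMBERSHIP_REQUEST:
            {
                var mrService    = new MembershipRequestService(new UnitOfWork());
                var mrID         = (int)context.ActionArguments["id"];
                var mrToConsider = mrService.Get(mrID);
                if (mrToConsider == null)
                {
                    return false;
                }
                // The requester ...
                if (mrToConsider.IDNumber.ToString() == user_id)
                {
                    return true;
                }
                // ... or a group admin of the activity the request was sent to.
                var membershipService = new MembershipService(new UnitOfWork());
                return membershipService
                       .GetGroupAdminMembershipsForActivity(mrToConsider.ActivityCode)
                       .Any(x => x.IDNumber.ToString() == user_id);
            }

            case Resource.STUDENT:
                // Readable so that a student's identifier can be found when adding a membership.
                // The original notes this resource may not be used by the API at all.
                return true;

            case Resource.ADVISOR:
                return true;

            case Resource.ACCOUNT:
            {
                // Group admins of ANY activity (the check is not scoped to the target account) may
                // resolve a member's ID from their email. The original notes that storing only
                // emails in memberships would avoid exposing account data to students.
                int callerId;
                if (int.TryParse(user_id, out callerId))
                {
                    var membershipService = new MembershipService(new UnitOfWork());
                    if (membershipService.IsGroupAdmin(callerId))
                    {
                        return true;
                    }
                }
                // A non-numeric user_id used to throw from Int32.Parse; it is now simply not a
                // group admin. Faculty/staff and police may read student account information.
                return user_position == Position.FACSTAFF || user_position == Position.POLICE;
            }

            case Resource.HOUSING:
            {
                // Only members of an apartment application may read it, and only the application
                // they are on for the current session.
                var    housingService         = new HousingService(new UnitOfWork());
                string sess_cde               = Helpers.GetCurrentSession().SessionCode;
                int?   applicationID          = housingService.GetApplicationID(user_name, sess_cde);
                int    requestedApplicationID = (int)context.ActionArguments["applicationID"];
                return applicationID.HasValue && applicationID.Value == requestedApplicationID;
            }

            case Resource.NEWS:
                return true;

            default:
                return false;
            }
        }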