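/// <summary>
/// Renders the invoice e-mail template for the order with the given number to a PDF and returns it.
/// </summary>
/// <param name="orderNumber">Order number supplied by the caller; resolved through the order search service.</param>
/// <returns>200 with an <c>application/pdf</c> body.</returns>
/// <exception cref="InvalidOperationException">No order with that number exists.</exception>
/// <exception cref="HttpResponseException">
/// 401 when the caller lacks order read permission in the order's scopes (same status the other
/// order read endpoints use; 403 Forbidden would be the more accurate code for an authenticated caller).
/// </exception>
public IHttpActionResult GetInvoicePdf(string orderNumber)
{
    var userName = User.Identity.Name;
    var userPermissions = _securityService.GetUserPermissions(userName);

    var searchCriteria = AbstractTypeFactory<CustomerOrderSearchCriteria>.TryCreateInstance();
    searchCriteria.Number = orderNumber;
    searchCriteria.Take = 1;
    // Drop price-bearing response groups the caller may not read, as the other read endpoints do.
    searchCriteria.ResponseGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(userPermissions, null);

    var order = _searchService.SearchCustomerOrders(searchCriteria).Results.FirstOrDefault();
    if (order == null)
    {
        throw new InvalidOperationException($"Cannot find order with number {orderNumber}");
    }

    // Scope bound security check. The number lookup above is not limited to the caller's
    // store/responsible scopes, so without this check any authenticated caller could download
    // any order's invoice by guessing its number. Same check GetById/GetByNumber perform, done
    // before any template/PDF work. Assumes the same _permissionScopeService field GetById uses.
    var scopes = _permissionScopeService.GetObjectPermissionScopeStrings(order).ToArray();
    if (!_securityService.UserHasAnyPermission(userName, scopes, OrderPredefinedPermissions.Read))
    {
        throw new HttpResponseException(HttpStatusCode.Unauthorized);
    }

    var invoice = _notificationManager.GetNewNotification<InvoiceEmailNotification>(order.StoreId, "Store", order.LanguageCode);
    invoice.CustomerOrder = order;
    _notificationTemplateResolver.ResolveTemplate(invoice);

    // NOTE(review): Body is template-rendered HTML handed to an HTML-to-PDF renderer; confirm the
    // template encodes order/customer supplied fields so they cannot inject markup into the document.
    var pdf = PdfGenerator.GeneratePdf(invoice.Body, PdfSharp.PageSize.A4);

    // Not wrapped in using: StreamContent takes ownership of the stream and disposes it with the response.
    var stream = new MemoryStream();
    pdf.Save(stream, false);
    stream.Seek(0, SeekOrigin.Begin);

    var result = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StreamContent(stream) };
    result.Content.Headers.ContentType = new MediaTypeHeaderValue("application/pdf");
    return ResponseMessage(result);
}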
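/// <summary>
/// Narrows an order search to what <paramref name="userName"/> may read. A user without the
/// unscoped order read permission is limited to the stores of their store-scoped read permissions
/// and, when they hold a responsible-scoped read permission, to orders assigned to them. The
/// response group is additionally narrowed by the user's price permission.
/// </summary>
/// <param name="userName">Account whose permissions constrain the search.</param>
/// <param name="criteria">Criteria to narrow; mutated in place.</param>
/// <returns>The same <paramref name="criteria"/> instance.</returns>
private CustomerOrderSearchCriteria FilterOrderSearchCriteria(string userName, CustomerOrderSearchCriteria criteria)
{
    var userPermissions = _securityService.GetUserPermissions(userName);

    if (!_securityService.UserHasAnyPermission(userName, null, OrderPredefinedPermissions.Read))
    {
        // Scopes attached to the user's 'read' permission(s). Ordinal: permission ids are identifiers,
        // not linguistic text, so a culture-sensitive prefix match is not wanted here.
        var readPermissionScopes = userPermissions
            .Where(x => x.Id.StartsWith(OrderPredefinedPermissions.Read, StringComparison.Ordinal))
            .SelectMany(x => x.AssignedScopes)
            .ToList();

        // Store scopes -> restrict the search to those stores.
        criteria.StoreIds = readPermissionScopes.OfType<OrderStoreScope>()
            .Select(x => x.Scope)
            .Where(x => !string.IsNullOrEmpty(x))
            .ToArray();

        // Responsible scope -> restrict the search to orders this user is responsible for.
        if (readPermissionScopes.OfType<OrderResponsibleScope>().Any())
        {
            criteria.EmployeeId = userName;
        }

        // NOTE(review): a user with neither kind of scope leaves here with an empty StoreIds and no
        // EmployeeId. If SearchCustomerOrders treats an empty StoreIds as "no store filter", such a
        // user can search every order; confirm against the search service and deny up front if so.
    }

    // Price filtering is applied to the same principal as the scope filtering above; the previous
    // version read User.Identity.Name here and silently ignored the userName parameter.
    criteria.ResponseGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(userPermissions, criteria.ResponseGroup);
    return criteria;
}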
/// <summary>
/// Returns a single order by id. Price-bearing response groups are removed when the caller may not
/// read prices, and the loaded order is subjected to a scope-bound read permission check.
/// </summary>
/// <param name="id">Order id.</param>
/// <param name="respGroup">Requested response group; narrowed by the caller's price permission.</param>
/// <returns>200 with the order (its <c>Scopes</c> populated for UI ACL checks), or 404 when no order has that id.</returns>
/// <exception cref="HttpResponseException">
/// 401 when the caller lacks order read permission in the order's scopes (403 Forbidden would be the
/// more accurate status for an authenticated caller; kept for consistency with the other order endpoints).
/// </exception>
public async Task<IHttpActionResult> GetById(string id, [FromUri] string respGroup = null)
{
    var userName = User.Identity.Name;
    var user = await _securityService.FindByNameAsync(userName, UserDetails.Reduced);
    var userPermissions = _securityService.GetUserPermissions(userName);
    var filteredRespGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(user, userPermissions, respGroup);

    var order = _customerOrderService.GetByIds(new[] { id }, filteredRespGroup).FirstOrDefault();
    if (order == null)
    {
        return NotFound();
    }

    // Scope bound security check; it has to follow the load because the scopes come from the order itself.
    var orderScopes = _permissionScopeService.GetObjectPermissionScopeStrings(order).ToArray();
    var canRead = _securityService.UserHasAnyPermission(User.Identity.Name, orderScopes, OrderPredefinedPermissions.Read);
    if (!canRead)
    {
        throw new HttpResponseException(HttpStatusCode.Unauthorized);
    }

    // Set scopes for UI scope bounded ACL checking
    order.Scopes = orderScopes;
    return Ok(order);
}
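/// <summary>
/// Looks up a single order by its order number, narrows the response group by the caller's price
/// permission, and enforces a scope-bound read permission check on the match.
/// </summary>
/// <param name="number">Order number to search for.</param>
/// <param name="respGroup">Requested response group; narrowed by the caller's price permission.</param>
/// <returns>
/// 200 with the matching order (its <c>Scopes</c> populated for UI ACL checks), or 200 with a null
/// body when nothing matches. This differs from GetById, which answers 404; left unchanged because
/// existing clients may depend on the 200/null shape.
/// </returns>
/// <exception cref="HttpResponseException">401 when the caller lacks order read permission in the order's scopes.</exception>
public async Task<IHttpActionResult> GetByNumber(string number, [FromUri] string respGroup = null)
{
    var userName = User.Identity.Name;
    var user = await _securityService.FindByNameAsync(userName, UserDetails.Reduced);
    var userPermissions = _securityService.GetUserPermissions(userName);

    var searchCriteria = AbstractTypeFactory<CustomerOrderSearchCriteria>.TryCreateInstance();
    searchCriteria.Number = number;
    // Only the first hit is used, so do not ask the search service for a whole page (GetInvoicePdf does the same).
    searchCriteria.Take = 1;
    searchCriteria.ResponseGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(user, userPermissions, respGroup);

    var retVal = _searchService.SearchCustomerOrders(searchCriteria).Results.FirstOrDefault();
    if (retVal != null)
    {
        // Scope bound security check. The number lookup itself is not limited to the caller's
        // store/responsible scopes, so this check is what keeps other stores' orders unreadable.
        var scopes = _permissionScopeService.GetObjectPermissionScopeStrings(retVal).ToArray();
        if (!_securityService.UserHasAnyPermission(userName, scopes, OrderPredefinedPermissions.Read))
        {
            throw new HttpResponseException(HttpStatusCode.Unauthorized);
        }

        // Set scopes for UI scope bounded ACL checking
        retVal.Scopes = scopes;
    }

    return Ok(retVal);
}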
/// <summary>
/// With an empty permission set and a plain (non-admin) user, ApplyResponseGroupFiltering must
/// reduce <paramref name="respGroup"/> to <paramref name="expected"/>. The cases presumably come
/// from the theory's data attributes, which are outside this view.
/// </summary>
public void CanCheckPermissionsNoPermissions(string expected, string respGroup)
{
    // Arrange: no permissions at all, default user.
    var noPermissions = new Permission[0];
    var plainUser = new ApplicationUserExtended();

    // Act
    var filtered = OrderReadPricesPermission.ApplyResponseGroupFiltering(plainUser, noPermissions, respGroup);

    // Assert
    Assert.Equal(expected, filtered);
}
/// <summary>
/// An administrator holding order permissions but not the read-prices one: the method name states
/// the response group is expected to pass through unchanged, i.e. <paramref name="expected"/>
/// equals <paramref name="respGroup"/> in the theory data (outside this view).
/// </summary>
public void ApplyResponseGroupFiltering_AdminWithOrderPermissionNoReadPrices_NoChangesInResponseGroup(string expected, string respGroup)
{
    // Arrange: permissions built without read-prices, on an administrator account.
    var permissionsWithoutReadPrices = PreparePermissions(false);
    var admin = new ApplicationUserExtended { IsAdministrator = true };

    // Act
    var filtered = OrderReadPricesPermission.ApplyResponseGroupFiltering(admin, permissionsWithoutReadPrices, respGroup);

    // Assert
    Assert.Equal(expected, filtered);
}
/// <summary>
/// Synchronous GetById: loads the order with a price-filtered response group and enforces a
/// scope-bound read permission check before returning it.
/// </summary>
/// <param name="id">Order id.</param>
/// <param name="respGroup">Requested response group; price-bearing groups are dropped when the caller may not read prices.</param>
/// <returns>200 with the order (its <c>Scopes</c> populated for UI ACL checks), or 404 when no order has that id.</returns>
/// <exception cref="HttpResponseException">
/// 401 when the caller lacks order read permission in the order's scopes (403 Forbidden would be the
/// more accurate status for an authenticated caller; kept for consistency with the other order endpoints).
/// </exception>
public IHttpActionResult GetById(string id, [FromUri] string respGroup = null)
{
    var userName = User.Identity.Name;
    var filteredRespGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(
        _securityService.GetUserPermissions(userName), respGroup);

    var order = _customerOrderService.GetByIds(new[] { id }, filteredRespGroup).FirstOrDefault();
    if (order == null)
    {
        return NotFound();
    }

    // Scope bound security check; it has to follow the load because the scopes come from the order itself.
    var orderScopes = _permissionScopeService.GetObjectPermissionScopeStrings(order).ToArray();
    var canRead = _securityService.UserHasAnyPermission(userName, orderScopes, OrderPredefinedPermissions.Read);
    if (!canRead)
    {
        throw new HttpResponseException(HttpStatusCode.Unauthorized);
    }

    // Set scopes for UI scope bounded ACL checking
    order.Scopes = orderScopes;
    return Ok(order);
}
/// <summary>
/// With an empty permission set, the permissions-only overload of ApplyResponseGroupFiltering must
/// reduce <paramref name="respGroup"/> to <paramref name="expected"/>. Cases presumably come from
/// the theory's data attributes, outside this view.
/// </summary>
public void CanCheckPermissionsNoPermissions(string expected, string respGroup)
{
    // Arrange
    var noPermissions = new Permission[0];

    // Act
    var filtered = OrderReadPricesPermission.ApplyResponseGroupFiltering(noPermissions, respGroup);

    // Assert
    Assert.Equal(expected, filtered);
}
/// <summary>
/// With a permission set that includes read-prices (PreparePermissions(true)), the permissions-only
/// overload of ApplyResponseGroupFiltering must map <paramref name="respGroup"/> to
/// <paramref name="expected"/>. Cases presumably come from the theory's data attributes, outside this view.
/// </summary>
public void CanCheckPermissionsWithPrices(string expected, string respGroup)
{
    // Arrange
    var permissionsWithReadPrices = PreparePermissions(true);

    // Act
    var filtered = OrderReadPricesPermission.ApplyResponseGroupFiltering(permissionsWithReadPrices, respGroup);

    // Assert
    Assert.Equal(expected, filtered);
}