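        /// <summary>
        /// Renders the invoice for the order with the given number and returns it as a PDF response.
        /// </summary>
        /// <param name="orderNumber">Number of the customer order to render.</param>
        /// <returns>
        /// 200 with an <c>application/pdf</c> body; 400 when <paramref name="orderNumber"/> is empty;
        /// 404 when no order matches the number.
        /// </returns>
        public IHttpActionResult GetInvoicePdf(string orderNumber)
        {
            if (string.IsNullOrWhiteSpace(orderNumber))
            {
                return BadRequest($"{nameof(orderNumber)} is required");
            }

            var userName = User.Identity.Name;

            var searchCriteria = AbstractTypeFactory<CustomerOrderSearchCriteria>.TryCreateInstance();
            searchCriteria.Number = orderNumber;
            searchCriteria.Take = 1;
            // Strip price-related response groups unless the caller holds the read-prices permission.
            searchCriteria.ResponseGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(_securityService.GetUserPermissions(userName), null);

            var order = _searchService.SearchCustomerOrders(searchCriteria).Results.FirstOrDefault();

            if (order == null)
            {
                // 404 instead of letting an InvalidOperationException surface as a 500; matches GetById.
                return NotFound();
            }

            // NOTE(review): unlike GetById, the found order is not checked against the caller's
            // scope-bound read permissions (store / responsible scopes) before its invoice is rendered.
            // Confirm the route-level permission is sufficient here, or apply the same scope check.

            var invoice = _notificationManager.GetNewNotification<InvoiceEmailNotification>(order.StoreId, "Store", order.LanguageCode);
            invoice.CustomerOrder = order;
            _notificationTemplateResolver.ResolveTemplate(invoice);

            // The stream is handed to StreamContent, which disposes it together with the response;
            // the PdfDocument is only needed until it has been written out, so it is disposed here.
            var stream = new MemoryStream();
            using (var pdf = PdfGenerator.GeneratePdf(invoice.Body, PdfSharp.PageSize.A4))
            {
                // closeStream: false — the stream must stay open for the response body.
                pdf.Save(stream, false);
            }
            stream.Seek(0, SeekOrigin.Begin);

            var result = new HttpResponseMessage(HttpStatusCode.OK) { Content = new StreamContent(stream) };
            result.Content.Headers.ContentType = new MediaTypeHeaderValue("application/pdf");

            return ResponseMessage(result);
        }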
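        /// <summary>
        /// Restricts <paramref name="criteria"/> to the orders and data that <paramref name="userName"/> is allowed to read.
        /// </summary>
        /// <param name="userName">Name of the user the search is performed for.</param>
        /// <param name="criteria">Search criteria to restrict; mutated in place and returned.</param>
        /// <returns>The same <paramref name="criteria"/> instance, narrowed by the user's scopes and response group.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="criteria"/> is null.</exception>
        private CustomerOrderSearchCriteria FilterOrderSearchCriteria(string userName,
            CustomerOrderSearchCriteria criteria)
        {
            if (criteria == null)
            {
                throw new ArgumentNullException(nameof(criteria));
            }

            // Fetched once and reused for both the scope filtering and the response-group filtering.
            // Every check below is keyed on the userName parameter, not on the current principal,
            // so the result is always for the user the caller asked about.
            var userPermissions = _securityService.GetUserPermissions(userName);

            // A user holding the unscoped 'read' permission is not restricted; only scoped users are.
            if (!_securityService.UserHasAnyPermission(userName, null, OrderPredefinedPermissions.Read))
            {
                // Scopes assigned to the user's 'read' permission(s).
                // Permission ids are machine identifiers, so they are compared ordinally.
                var readPermissionScopes = userPermissions
                    .Where(x => x.Id.StartsWith(OrderPredefinedPermissions.Read, StringComparison.Ordinal))
                    .SelectMany(x => x.AssignedScopes)
                    .ToList();

                // Stores the user may read orders from.
                criteria.StoreIds = readPermissionScopes.OfType<OrderStoreScope>()
                    .Select(x => x.Scope)
                    .Where(x => !string.IsNullOrEmpty(x))
                    .ToArray();
                // NOTE(review): with no store scope assigned this leaves StoreIds as an empty array.
                // Whether the search service treats an empty array as "no store filter" or as "no stores"
                // decides if such a user sees every order or none — confirm against SearchCustomerOrders.

                // A 'responsible' scope limits the user to orders they are the employee on.
                if (readPermissionScopes.OfType<OrderResponsibleScope>().Any())
                {
                    criteria.EmployeeId = userName;
                }
            }

            // Strip price-related response groups unless the user may read prices.
            criteria.ResponseGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(userPermissions, criteria.ResponseGroup);

            return criteria;
        }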
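        /// <summary>
        /// Returns the customer order with the given id, limited to what the current user may read.
        /// </summary>
        /// <param name="id">Order id.</param>
        /// <param name="respGroup">Requested response group; price-related parts are removed when the user may not read prices.</param>
        /// <returns>200 with the order, or 404 when no order has that id.</returns>
        /// <exception cref="HttpResponseException">401 when the order exists but lies outside the user's read scopes.</exception>
        public async Task<IHttpActionResult> GetById(string id, [FromUri] string respGroup = null)
        {
            // Resolve the principal once; every permission check below uses this same name.
            var userName = User.Identity.Name;
            var user     = await _securityService.FindByNameAsync(userName, UserDetails.Reduced);

            respGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(user, _securityService.GetUserPermissions(userName), respGroup);

            var result = _customerOrderService.GetByIds(new[] { id }, respGroup).FirstOrDefault();

            if (result == null)
            {
                return NotFound();
            }

            // Scope-bound security check: the order's own scopes (store, responsible employee, ...)
            // must intersect with the user's scoped 'read' permission.
            var scopes = _permissionScopeService.GetObjectPermissionScopeStrings(result).ToArray();

            if (!_securityService.UserHasAnyPermission(userName, scopes, OrderPredefinedPermissions.Read))
            {
                // NOTE(review): the caller is authenticated but not permitted; 403 Forbidden describes
                // that case, 401 is kept here for compatibility with existing clients.
                throw new HttpResponseException(HttpStatusCode.Unauthorized);
            }

            // Expose the scopes so the UI can apply its own scope-bound ACL checks.
            result.Scopes = scopes;

            return Ok(result);
        }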
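        /// <summary>
        /// Returns the customer order with the given number, limited to what the current user may read.
        /// </summary>
        /// <param name="number">Order number.</param>
        /// <param name="respGroup">Requested response group; price-related parts are removed when the user may not read prices.</param>
        /// <returns>
        /// 200 with the order, or 200 with a null body when no order matches the number
        /// (kept for compatibility with existing clients; GetById returns 404 in the same situation).
        /// </returns>
        /// <exception cref="HttpResponseException">401 when the order exists but lies outside the user's read scopes.</exception>
        public async Task<IHttpActionResult> GetByNumber(string number, [FromUri] string respGroup = null)
        {
            // Resolve the principal once; every permission check below uses this same name.
            var userName = User.Identity.Name;
            var user     = await _securityService.FindByNameAsync(userName, UserDetails.Reduced);

            var searchCriteria = AbstractTypeFactory<CustomerOrderSearchCriteria>.TryCreateInstance();
            searchCriteria.Number = number;
            searchCriteria.ResponseGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(user, _securityService.GetUserPermissions(userName), respGroup);

            var retVal = _searchService.SearchCustomerOrders(searchCriteria).Results.FirstOrDefault();

            if (retVal != null)
            {
                // Scope-bound security check: the order's own scopes must intersect with the
                // user's scoped 'read' permission.
                var scopes = _permissionScopeService.GetObjectPermissionScopeStrings(retVal).ToArray();
                if (!_securityService.UserHasAnyPermission(userName, scopes, OrderPredefinedPermissions.Read))
                {
                    throw new HttpResponseException(HttpStatusCode.Unauthorized);
                }

                // Expose the scopes so the UI can apply its own scope-bound ACL checks.
                retVal.Scopes = scopes;
            }

            return Ok(retVal);
        }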
        /// <summary>
        /// A user with no permissions at all: filtering <paramref name="respGroup"/> must yield <paramref name="expected"/>.
        /// </summary>
        public void CanCheckPermissionsNoPermissions(string expected, string respGroup)
        {
            // Arrange: a plain (non-admin) user carrying an empty permission set.
            var noPermissions = new Permission[0];
            var plainUser     = new ApplicationUserExtended();

            // Act
            var actual = OrderReadPricesPermission.ApplyResponseGroupFiltering(plainUser, noPermissions, respGroup);

            // Assert
            Assert.Equal(expected, actual);
        }
        /// <summary>
        /// An administrator holding order permissions but not the read-prices one:
        /// filtering <paramref name="respGroup"/> must yield <paramref name="expected"/>.
        /// </summary>
        public void ApplyResponseGroupFiltering_AdminWithOrderPermissionNoReadPrices_NoChangesInResponseGroup(string expected, string respGroup)
        {
            // Arrange
            var adminUser = new ApplicationUserExtended { IsAdministrator = true };
            var permissionsWithoutReadPrices = PreparePermissions(false);

            // Act
            var actual = OrderReadPricesPermission.ApplyResponseGroupFiltering(adminUser, permissionsWithoutReadPrices, respGroup);

            // Assert
            Assert.Equal(expected, actual);
        }
        /// <summary>
        /// Gets a single customer order by id, with price data filtered by the caller's permissions.
        /// </summary>
        /// <param name="id">Order id.</param>
        /// <param name="respGroup">Requested response group; price-related parts are removed when the caller may not read prices.</param>
        /// <returns>200 with the order, or 404 when no order has that id.</returns>
        /// <exception cref="HttpResponseException">401 when the order exists but lies outside the caller's read scopes.</exception>
        public IHttpActionResult GetById(string id, [FromUri] string respGroup = null)
        {
            var callerPermissions = _securityService.GetUserPermissions(User.Identity.Name);
            var filteredRespGroup = OrderReadPricesPermission.ApplyResponseGroupFiltering(callerPermissions, respGroup);

            var order = _customerOrderService.GetByIds(new[] { id }, filteredRespGroup).FirstOrDefault();
            if (order == null)
            {
                return NotFound();
            }

            // Scope-bound security check: the order's own scopes must intersect with the
            // caller's scoped 'read' permission.
            var orderScopes = _permissionScopeService.GetObjectPermissionScopeStrings(order).ToArray();
            var canRead = _securityService.UserHasAnyPermission(User.Identity.Name, orderScopes, OrderPredefinedPermissions.Read);
            if (!canRead)
            {
                throw new HttpResponseException(HttpStatusCode.Unauthorized);
            }

            // Expose the scopes so the UI can apply its own scope-bound ACL checks.
            order.Scopes = orderScopes;

            return Ok(order);
        }
        /// <summary>
        /// An empty permission set: filtering <paramref name="respGroup"/> must yield <paramref name="expected"/>.
        /// </summary>
        public void CanCheckPermissionsNoPermissions(string expected, string respGroup)
        {
            // Arrange
            var noPermissions = new Permission[0];

            // Act
            var actual = OrderReadPricesPermission.ApplyResponseGroupFiltering(noPermissions, respGroup);

            // Assert
            Assert.Equal(expected, actual);
        }
        /// <summary>
        /// A permission set that includes read-prices: filtering <paramref name="respGroup"/> must yield <paramref name="expected"/>.
        /// </summary>
        public void CanCheckPermissionsWithPrices(string expected, string respGroup)
        {
            // Arrange
            var permissionsWithReadPrices = PreparePermissions(true);

            // Act
            var actual = OrderReadPricesPermission.ApplyResponseGroupFiltering(permissionsWithReadPrices, respGroup);

            // Assert
            Assert.Equal(expected, actual);
        }