/// <summary>
/// Validates a PATCH against an existing <see cref="User"/> on top of the base validation.
/// Changing stakeholder access or the global-admin flag requires the matching
/// <see cref="AdministerGlobalPermission"/>; the Uuid is immutable and is rejected outright.
/// </summary>
/// <param name="delta">The incoming change set.</param>
/// <param name="entity">The persisted user the change set is applied to.</param>
/// <returns>
/// None when the patch is acceptable, otherwise the error result the caller should return
/// (base error first, then BadRequest for a Uuid change, then Forbidden for a missing permission).
/// </returns>
protected override Maybe<IHttpActionResult> ValidatePatch(Delta<User> delta, User entity)
{
    var baseResult = base.ValidatePatch(delta, entity);
    if (!baseResult.IsNone)
    {
        return baseResult;
    }

    var touchedProperties = delta.GetChangedPropertyNames().ToHashSet();

    // Both permission checks are evaluated before deciding, so the helper calls happen
    // in the same order as before regardless of the outcome of the first one.
    var stakeHolderDenied = AttemptToChangeStakeHolderAccess(delta, entity, touchedProperties)
        && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.StakeHolderAccess));

    var globalAdminDenied = AttemptToChangeGlobalAdminFlag(delta, entity, touchedProperties)
        && !AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.GlobalAdmin));

    // A Uuid change is a malformed request and takes precedence over a permission failure.
    if (AttemptToChangeUuid(delta, entity, touchedProperties))
    {
        return BadRequest("Uuid cannot be changed");
    }

    if (stakeHolderDenied || globalAdminDenied)
    {
        return Forbidden();
    }

    return baseResult;
}
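/// <summary>
/// Guards the sensitive <see cref="User"/> properties before delegating the actual patch to the base controller.
/// Incoming JSON keys are matched case-insensitively against the <c>UserDTO -> User</c> AutoMapper map so the
/// checks apply whatever casing the client used; keys with no mapping are left for <c>base.Patch</c>.
/// </summary>
/// <param name="id">Id of the user being patched.</param>
/// <param name="organizationId">Organization context forwarded to the base implementation.</param>
/// <param name="obj">Raw JSON body of the patch.</param>
/// <returns>
/// 404 when the user does not exist, 400 when the Uuid is being changed, 403 when the caller lacks the
/// global permission needed for the requested change, otherwise the result of <c>base.Patch</c>.
/// </returns>
public override HttpResponseMessage Patch(int id, int organizationId, JObject obj)
{
    var existingUser = Repository.AsQueryable().ById(id);
    if (existingUser == null)
    {
        return NotFound();
    }

    // Only maps backed by a real source member can be matched by name.
    var propertyMaps = Mapper.ConfigurationProvider.FindTypeMapFor<UserDTO, User>().PropertyMaps;
    var namedMaps = propertyMaps.Where(x => x.SourceMember != null).ToList();

    foreach (var valuePair in obj)
    {
        var mapMember = namedMaps.SingleOrDefault(x => x.SourceMember.Name.Equals(valuePair.Key, StringComparison.InvariantCultureIgnoreCase));
        if (mapMember == null)
        {
            continue; // unmapped key: nothing sensitive to guard here, base.Patch decides what to do with it
        }

        switch (mapMember.DestinationName)
        {
            case nameof(Core.DomainModel.User.Uuid):
                // The Uuid is immutable; re-sending the current value is tolerated.
                if (valuePair.Value?.Value<Guid>() != existingUser.Uuid)
                {
                    return BadRequest($"{nameof(Core.DomainModel.User.Uuid)} cannot be updated");
                }
                break;

            case nameof(Core.DomainModel.User.IsGlobalAdmin):
                // Any change of the flag - granting OR revoking - needs the GlobalAdmin permission.
                // The previous check only fired when the value was set to true, so a caller without the
                // permission could strip global admin from an existing global admin; this mirrors the
                // "changed at all" semantics used for stakeholder access below.
                var requestedGlobalAdmin = (valuePair.Value?.Value<bool>()).GetValueOrDefault();
                if (existingUser.IsGlobalAdmin != requestedGlobalAdmin)
                {
                    if (!AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.GlobalAdmin)))
                    {
                        return Forbidden();
                    }
                }
                break;

            case nameof(Core.DomainModel.User.HasStakeHolderAccess):
                // Flipping stakeholder access in either direction needs the StakeHolderAccess permission.
                var requestedStakeHolderAccess = (valuePair.Value?.Value<bool>()).GetValueOrDefault();
                if (existingUser.HasStakeHolderAccess != requestedStakeHolderAccess)
                {
                    if (!AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.StakeHolderAccess)))
                    {
                        return Forbidden();
                    }
                }
                break;
        }
    }

    return base.Patch(id, organizationId, obj);
}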
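/// <summary>
/// OData action that creates a <see cref="User"/> from the action parameters.
/// Creating a global admin requires the GlobalAdmin permission and granting stakeholder access
/// requires the StakeHolderAccess permission; a duplicate e-mail is rejected.
/// </summary>
/// <param name="parameters">
/// Action parameters: <c>user</c> (the user to create), <c>organizationId</c> (int, defaults to 0
/// when absent) and <c>sendMailOnCreation</c> (bool, defaults to false when absent).
/// </param>
/// <returns>400 with the model state on any validation or permission failure, otherwise 201 with the created user.</returns>
public IHttpActionResult Create(ODataActionParameters parameters)
{
    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    User user = null;
    if (parameters.ContainsKey("user"))
    {
        user = parameters["user"] as User;
        // Expected to populate ModelState on invalid input but does not for OData controllers:
        // http://stackoverflow.com/questions/39484185/model-validation-in-odatacontroller
        Validate(user);
    }

    // A missing or wrongly typed "user" parameter used to fall through to _userService.AddUser(null, ...);
    // reject it here as a client error instead.
    if (user == null)
    {
        ModelState.AddModelError("user", "A user must be supplied.");
        return BadRequest(ModelState);
    }

    var organizationId = 0;
    if (parameters.ContainsKey("organizationId"))
    {
        organizationId = (int)parameters["organizationId"];
    }

    var sendMailOnCreation = false;
    if (parameters.ContainsKey("sendMailOnCreation"))
    {
        sendMailOnCreation = (bool)parameters["sendMailOnCreation"];
    }

    if (user.Email != null && EmailExists(user.Email))
    {
        ModelState.AddModelError(nameof(user.Email), "Email is already in use.");
    }

    // Only a caller holding the GlobalAdmin permission may create another global admin.
    if (user.IsGlobalAdmin)
    {
        if (!AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.GlobalAdmin)))
        {
            ModelState.AddModelError(nameof(user.IsGlobalAdmin), "You don't have permission to create a global admin user.");
        }
    }

    // Only a caller holding the StakeHolderAccess permission may issue stakeholder access.
    if (user.HasStakeHolderAccess)
    {
        if (!AuthorizationContext.HasPermission(new AdministerGlobalPermission(GlobalPermission.StakeHolderAccess)))
        {
            ModelState.AddModelError(nameof(user.HasStakeHolderAccess), "You don't have permission to issue stakeholder access.");
        }
    }

    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    // NOTE(review): nothing here checks that the caller may create users in organizationId;
    // presumably _userService.AddUser enforces that - confirm before relying on it.
    var createdUser = _userService.AddUser(user, sendMailOnCreation, organizationId);
    return Created(createdUser);
}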