protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, MarkSpecificMethodologyAsDraftRequirement requirement, MethodologyVersion methodologyVersion) { // If the Methodology is already public, it cannot be marked as draft if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id)) { return; } if (SecurityUtils.HasClaim(context.User, MarkAllMethodologiesDraft)) { context.Succeed(requirement); return; } var owningPublication = await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId); // If the user is an Approver of the latest (Live or non-Live) Release for the owning Publication of // this Methodology, they can mark it as draft. if (await _userReleaseRoleRepository.IsUserApproverOnLatestRelease( context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); } }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ApproveSpecificMethodologyRequirement requirement, MethodologyVersion methodologyVersion) { // If the Methodology is already public, it cannot be approved // An approved Methodology that isn't public can be approved to change attributes associated with approval if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id)) { return; } if (SecurityUtils.HasClaim(context.User, ApproveAllMethodologies)) { context.Succeed(requirement); return; } var owningPublication = await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId); // If the user is an Approver of the latest (Live or non-Live) Release for the owning Publication of // this Methodology, they can approve it. if (await _userReleaseRoleRepository.IsUserApproverOnLatestRelease( context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); } }
protected override async Task HandleRequirementAsync( AuthorizationHandlerContext context, DeleteSpecificMethodologyRequirement requirement, MethodologyVersion methodologyVersion) { // If the Methodology is already public, it cannot be deleted. if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id)) { return; } if (methodologyVersion.Status == Approved) { return; } if (SecurityUtils.HasClaim(context.User, DeleteAllMethodologies)) { context.Succeed(requirement); return; } var owningPublication = await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId); // If the user is a Publication Owner of the Publication that owns this Methodology, they can delete it. if (await _userPublicationRoleRepository.IsUserPublicationOwner( context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); } }
protected override async Task HandleRequirementAsync( AuthorizationHandlerContext context, MakeAmendmentOfSpecificMethodologyRequirement requirement, MethodologyVersion methodologyVersion) { // Amendments can only be created from Methodologies that are already publicly-accessible. if (!await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id)) { return; } // Any user with the "MakeAmendmentsOfAllMethodologies" Claim can create an amendment of a // publicly-accessible Methodology. if (SecurityUtils.HasClaim(context.User, MakeAmendmentsOfAllMethodologies)) { context.Succeed(requirement); return; } var owningPublication = await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId); // If the user is a Publication Owner of the Publication that owns this Methodology, they can create // an Amendment of this Methodology. if (await _userPublicationRoleRepository.IsUserPublicationOwner( context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); } }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, UpdateSpecificMethodologyRequirement requirement, MethodologyVersion methodologyVersion) { // An Approved Methodology cannot be updated. Instead, it should firstly be unapproved if permissions // allow and then updated. if (methodologyVersion.Approved) { return; } // If the Methodology is already public, it cannot be updated. if (await _methodologyVersionRepository.IsPubliclyAccessible(methodologyVersion.Id)) { return; } // If the user has a global Claim that allows them to update any Methodology, allow it. if (SecurityUtils.HasClaim(context.User, UpdateAllMethodologies)) { context.Succeed(requirement); return; } var owningPublication = await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId); // If the user is a Publication Owner of the Publication that owns this Methodology, they can update it. if (await _userPublicationRoleRepository.IsUserPublicationOwner(context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); return; } // If the user is an Editor (Contributor, Lead) or an Approver of the latest (Live or non-Live) Release // of the owning Publication of this Methodology, they can update it. if (await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease( context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); } }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, ViewSpecificMethodologyRequirement requirement, MethodologyVersion methodologyVersion) { // If the user has a global Claim that allows them to access any Methodology, allow it. if (SecurityUtils.HasClaim(context.User, SecurityClaimTypes.AccessAllMethodologies)) { context.Succeed(requirement); return; } var owningPublication = await _methodologyRepository.GetOwningPublication(methodologyVersion.MethodologyId); // If the user is a Publication Owner of the Publication that owns this Methodology, they can view it. if (await _userPublicationRoleRepository.IsUserPublicationOwner(context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); return; } // If the user is an Editor (Contributor, Lead) or an Approver of the latest (Live or non-Live) Release // of the owning Publication of this Methodology, they can view it. if (await _userReleaseRoleRepository.IsUserEditorOrApproverOnLatestRelease( context.User.GetUserId(), owningPublication.Id)) { context.Succeed(requirement); } // If the user is a PrereleaseViewer of the latest non-Live, Approved Release of any Publication // using this Methodology, and the methodology is approved, and the latest release under that publication // is within the prerelease time window, they can view it if (methodologyVersion.Approved) { var publicationIds = await _methodologyRepository .GetAllPublicationIds(methodologyVersion.MethodologyId); foreach (var publicationId in publicationIds) { if (await _userReleaseRoleRepository.IsUserPrereleaseViewerOnLatestPreReleaseRelease( context.User.GetUserId(), publicationId)) { var publication = await _contentDbContext.Publications .Include(p => p.Releases) .SingleAsync(p => p.Id == publicationId); var latestRelease = publication.LatestRelease(); if (latestRelease != null && _preReleaseService .GetPreReleaseWindowStatus(latestRelease, DateTime.UtcNow) .Access == PreReleaseAccess.Within) { context.Succeed(requirement); break; } } } } }