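/// <summary>
/// Generate a query for the specified 'filter'.
/// Returns all properties, even properties that don't belong to the user's agency or sub-agencies,
/// when 'filter.IncludeAllProperties' is set.
/// The results of this query must be 'cleaned' so that only appropriate data is returned to API.
/// </summary>
/// <remarks>
/// SECURITY: the agency restriction below is lifted purely on the basis of a filter flag, not on a
/// permission check against 'user' (compare <c>GenerateQuery</c>, which only lifts it for
/// <c>Permissions.AdminProperties</c>). If 'filter' is bound from the incoming request, a caller can
/// widen the result set simply by setting the flag, so the caller of this method is responsible for
/// either validating <c>IncludeAllProperties</c> against the user's permissions or cleaning the results.
/// </remarks>
/// <param name="context">The database context used to build the query.</param>
/// <param name="user">The current user; their agencies restrict the results unless the filter lifts the restriction.</param>
/// <param name="filter">Filter criteria; <c>IncludeAllProperties</c> lifts the agency restriction.</param>
/// <returns>A deferred query of property view rows; nothing is executed against the store here.</returns>
public static IQueryable<Entity.Views.Property> GenerateAllPropertyQuery(this PimsContext context, ClaimsPrincipal user, Entity.Models.AllPropertyFilter filter)
{
    filter.ThrowIfNull(nameof(filter));
    // Fix: the original validated 'filter' twice (with the parameter name "user") and never
    // checked 'user' itself, so a null user would only fail later and with a misleading error.
    user.ThrowIfNull(nameof(user));

    var query = context.GenerateProjectQuery(filter);

    // Only return properties owned by user's agency or sub-agencies, unless the filter asks for everything.
    if (!filter.IncludeAllProperties)
    {
        var userAgencies = user.GetAgenciesAsNullable();
        query = query.Where(p => userAgencies.Contains(p.AgencyId));
    }

    // Shared filtering (sorting, paging, sensitivity, etc. — whatever GenerateCommonQuery applies) is layered on last.
    query = context.GenerateCommonQuery(query, user, filter);
    return query;
}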
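/// <summary>
/// Generate a query for the specified 'filter'.
/// Only includes properties that belong to the user's agency or sub-agencies,
/// unless the user holds <c>Permissions.AdminProperties</c>, in which case no agency restriction is applied.
/// </summary>
/// <remarks>
/// NOTE(review): the sensitive-property rule ("users may only view sensitive properties if they have the
/// `sensitive-view` claim and belong to the owning agency") is not enforced in this method; it is
/// presumably applied inside <c>GenerateCommonQuery</c> — confirm before relying on this query alone.
/// </remarks>
/// <param name="context">The database context used to build the query.</param>
/// <param name="user">The current user; their agencies restrict the results unless they are a property admin.</param>
/// <param name="filter">Filter criteria passed through to the project and common query builders.</param>
/// <returns>A deferred query of property view rows; nothing is executed against the store here.</returns>
public static IQueryable<Entity.Views.Property> GenerateQuery(this PimsContext context, ClaimsPrincipal user, Entity.Models.AllPropertyFilter filter)
{
    filter.ThrowIfNull(nameof(filter));
    // Fix: the original validated 'filter' twice (with the parameter name "user") and never
    // checked 'user' itself, so a null user would only fail later and with a misleading error.
    user.ThrowIfNull(nameof(user));

    var query = context.GenerateProjectQuery(filter);

    // The agency restriction is lifted only on a permission held by the user, never on a filter flag.
    var canViewAllAgencies = user.HasPermission(Permissions.AdminProperties);
    if (!canViewAllAgencies)
    {
        var userAgencies = user.GetAgenciesAsNullable();
        query = query.Where(p => userAgencies.Contains(p.AgencyId));
    }

    // Shared filtering (sorting, paging, sensitivity, etc. — whatever GenerateCommonQuery applies) is layered on last.
    query = context.GenerateCommonQuery(query, user, filter);
    return query;
}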