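/// <summary>
/// Removes the relation between the user identified by <paramref name="id"/> and the
/// pictogram named in <paramref name="resourceIdDTO"/>, after checking that the caller
/// may act on that user and that the relation actually exists.
/// </summary>
/// <param name="id">Id of the user whose resource relation is removed.</param>
/// <param name="resourceIdDTO">Request body carrying the id of the pictogram to detach.</param>
/// <returns>
/// A <see cref="Response{T}"/> wrapping the updated <see cref="GirafUserDTO"/>, or an
/// <see cref="ErrorResponse{T}"/> carrying <see cref="ErrorCode.MissingProperties"/>,
/// <see cref="ErrorCode.UserNotFound"/>, <see cref="ErrorCode.NotAuthorized"/>,
/// <see cref="ErrorCode.ResourceNotFound"/> or <see cref="ErrorCode.UserDoesNotOwnResource"/>.
/// </returns>
public async Task<Response<GirafUserDTO>> DeleteResource(string id, [FromBody] ResourceIdDTO resourceIdDTO)
{
    // Validate the call's parameters before touching the database (same order and
    // error codes as AddUserResource).
    if (string.IsNullOrEmpty(id))
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.MissingProperties, "username");
    }
    if (resourceIdDTO == null)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.MissingProperties, "resourceIdDTO");
    }

    // Find the target user together with its resource relations and check that it exists.
    // Async query: the method is already async, so a blocking FirstOrDefault is avoided.
    var user = await _giraf._context.Users
        .Include(u => u.Resources)
        .ThenInclude(ur => ur.Pictogram)
        .FirstOrDefaultAsync(u => u.Id == id);
    if (user == null)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.UserNotFound);
    }

    // Authorize the caller against the target user BEFORE looking up the pictogram, so an
    // unauthorized caller receives NotAuthorized regardless of whether the pictogram id
    // exists and cannot use the ResourceNotFound/NotAuthorized difference to probe ids.
    // NOTE(review): the exact semantics of HasEditOrReadUserAccess are defined elsewhere;
    // the original check is kept unchanged.
    var caller = await _giraf._userManager.GetUserAsync(HttpContext.User);
    if (!(await _authentication.HasEditOrReadUserAccess(caller, user)))
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.NotAuthorized);
    }

    // Fetch the pictogram with the given id and check that it exists.
    var resource = await _giraf._context.Pictograms
        .FirstOrDefaultAsync(p => p.Id == resourceIdDTO.Id);
    if (resource == null)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.ResourceNotFound);
    }

    // Fetch the user/pictogram relation and check that it exists.
    var relationship = await _giraf._context.UserResources
        .FirstOrDefaultAsync(ur => ur.PictogramKey == resource.Id && ur.OtherKey == user.Id);
    if (relationship == null)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.UserDoesNotOwnResource);
    }

    // Remove the relation both from the user's in-memory list and from the database.
    user.Resources.Remove(relationship);
    _giraf._context.UserResources.Remove(relationship);
    await _giraf._context.SaveChangesAsync();

    // Look up the role the user holds so the DTO can carry it.
    var userRole = await _roleManager.findUserRole(_giraf._userManager, user);

    // The relation has been removed from user.Resources, so the returned DTO reflects the deletion.
    return new Response<GirafUserDTO>(new GirafUserDTO(user, userRole));
}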
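/// <summary>
/// Gives the user identified by <paramref name="id"/> access to the private pictogram named
/// in <paramref name="resourceIdDTO"/>. The caller must be allowed to act on the target user
/// and must own the pictogram; the pictogram must be private and not already attached.
/// </summary>
/// <param name="id">Id of the user that receives the pictogram.</param>
/// <param name="resourceIdDTO">Request body carrying the id of the pictogram to attach.</param>
/// <returns>
/// A <see cref="Response{T}"/> wrapping the updated <see cref="GirafUserDTO"/>, or an
/// <see cref="ErrorResponse{T}"/> carrying <see cref="ErrorCode.MissingProperties"/>,
/// <see cref="ErrorCode.UserNotFound"/>, <see cref="ErrorCode.NotAuthorized"/>,
/// <see cref="ErrorCode.ResourceNotFound"/>, <see cref="ErrorCode.ResourceMustBePrivate"/>
/// or <see cref="ErrorCode.UserAlreadyOwnsResource"/>.
/// </returns>
public async Task<Response<GirafUserDTO>> AddUserResource(string id, [FromBody] ResourceIdDTO resourceIdDTO)
{
    // Validate the call's parameters before touching the database.
    if (string.IsNullOrEmpty(id))
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.MissingProperties, "username");
    }
    if (resourceIdDTO == null)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.MissingProperties, "resourceIdDTO");
    }

    // Find the target user together with its resource relations and check that it exists.
    // Async query: the method is already async, so a blocking FirstOrDefault is avoided.
    var user = await _giraf._context.Users
        .Include(u => u.Resources)
        .ThenInclude(ur => ur.Pictogram)
        .FirstOrDefaultAsync(u => u.Id == id);
    if (user == null)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.UserNotFound);
    }

    // Authorize the caller against the target user before any pictogram lookup, so an
    // unauthorized caller learns nothing about which pictogram ids exist.
    // NOTE(review): the exact semantics of HasEditOrReadUserAccess are defined elsewhere.
    var caller = await _giraf._userManager.GetUserAsync(HttpContext.User);
    if (!(await _authentication.HasEditOrReadUserAccess(caller, user)))
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.NotAuthorized);
    }

    // Find the pictogram and check that it exists and is private; only private pictograms
    // are shared through explicit user relations.
    var resource = await _giraf._context.Pictograms
        .FirstOrDefaultAsync(p => p.Id == resourceIdDTO.Id);
    if (resource == null)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.ResourceNotFound);
    }
    if (resource.AccessLevel != AccessLevel.PRIVATE)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.ResourceMustBePrivate);
    }

    // The caller may only hand out pictograms they own themselves.
    // NOTE(review): LoadBasicUserDataAsync may load the caller differently from
    // GetUserAsync above, so both loads are kept rather than merged.
    var curUsr = await _giraf.LoadBasicUserDataAsync(HttpContext.User);
    var resourceOwnedByCaller = await _giraf.CheckPrivateOwnership(resource, curUsr);
    if (!resourceOwnedByCaller)
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.NotAuthorized);
    }

    // Refuse duplicate relations.
    if (user.Resources.Any(ur => ur.PictogramKey == resourceIdDTO.Id))
    {
        return new ErrorResponse<GirafUserDTO>(ErrorCode.UserAlreadyOwnsResource);
    }

    // Create the relation and persist it.
    var userResource = new UserResource(user, resource);
    await _giraf._context.UserResources.AddAsync(userResource);
    await _giraf._context.SaveChangesAsync();

    // Look up the role the user holds so the DTO can carry it.
    GirafRoles userRole = await _roleManager.findUserRole(_giraf._userManager, user);

    return new Response<GirafUserDTO>(new GirafUserDTO(user, userRole));
}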