// does the user have access to a file ? public static bool HasFileAccess(int fileId) { MyDatabase db = new MyDatabase(); bool hasFileAccess = false; if (IsSystemAdmin()) // yes, if you are a sys admin { hasFileAccess = true; } else { // What org does the file belong to? File f = db.File.Find(fileId); int FilesOrg = f.orgsId; // Does the user belong to this org? IEnumerable<OrgUserMappings> u = db.OrgUserMappings.Where(m => m.usersId == _userId && m.orgsId == FilesOrg); if (u.Count() > 0) { hasFileAccess = true; } } db.Dispose(); return hasFileAccess; }
public static bool IsSystemAdmin() { MyDatabase db = new MyDatabase(); bool isSysAdmin = false; var a = db.Users.Find(_userId); if (a.isSystemAdmin) { isSysAdmin = true; } db.Dispose(); return isSysAdmin; }
public override void OnAuthorization(HttpActionContext actionContext) { MyDatabase db = new MyDatabase(); try { // get api token from the user header ApiToken IEnumerable<string> token = actionContext.Request.Headers.GetValues("ApiToken"); _apiToken = token.First(); // get facebook credential based on fb token passed in IEnumerable<string> fbToken = actionContext.Request.Headers.GetValues("FbToken"); Debug.Write(fbToken.First()); _fbToken = fbToken.First(); // Check is user is Legit // authenicated if (_apiToken == _apiTokenSecret) { // the api token is good, is the facebook token valid ? and who are you ? var client = new FacebookClient(_fbToken); dynamic result = client.Get("me", new { fields = "name,id" }); // set the users identity _fbUserid = result.id; var _fbName = result.name; if (_fbUserid != "") { // get the userid (internal id ) from the db - user.Id var user = db.Users.Where(u => u.fbUserId == _fbUserid).FirstOrDefault(); // Brand new user to add if (user == null) { //_isAuth = false; // add user to db Users newUser = new Users(); var now = DateTime.Now.ToString("O"); newUser.defaultOrg = 1; newUser.fbUserId = _fbUserid; newUser.created_at = now; newUser.isSystemAdmin = false; newUser.updated_at = now; newUser.name = _fbName; db.Users.Add(newUser); db.SaveChanges(); // add the user to an org with there name as the orgName Orgs newOrg = new Orgs(); newOrg.created_at = now; newOrg.orgName = _fbName; newOrg.updated_at = now; // save new org to the Org DB db.Orgs.Add(newOrg); db.SaveChanges(); // Map user to the org that was just created and make him the admin db.OrgUserMappings.Add(new OrgUserMappings { usersId = newUser.id, isOrgAdmin = true, orgsId = newOrg.id}); db.SaveChanges(); // set the default org for the user newUser.defaultOrg = newOrg.id; db.SaveChanges(); _userId = newUser.id; // Set up the identity object that our Controllers can use GenericIdentity identity = new GenericIdentity(_fbUserid); System.Threading.Thread.CurrentPrincipal = new GenericPrincipal(identity, _roles); _isAuth = true; } else { _userId = user.id; // Set up the identity object that our Controllers can use GenericIdentity identity = new GenericIdentity(_fbUserid); System.Threading.Thread.CurrentPrincipal = new GenericPrincipal(identity, _roles); _isAuth = true; } } else { _isAuth = false; } } // not authenicated else { _isAuth = false; } //authenicated if (_isAuth) { Debug.WriteLine("You're authenicated"); } // not authenicated else { // 417 - so we can specify a message actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.ExpectationFailed); actionContext.Response.ReasonPhrase = "Invalid token"; actionContext.Response.Content = new StringContent("Invalid token"); } } catch (FacebookOAuthException e) { actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.ExpectationFailed); actionContext.Response.ReasonPhrase = e.Message; actionContext.Response.Content = new StringContent(e.InnerException.ToString()); } catch (FacebookApiLimitException e) { actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.ExpectationFailed); actionContext.Response.ReasonPhrase = e.Message; actionContext.Response.Content = new StringContent(e.InnerException.ToString()); } catch (FacebookApiException e) { actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.ExpectationFailed); actionContext.Response.ReasonPhrase = e.Message; actionContext.Response.Content = new StringContent(e.InnerException.ToString()); } catch (Exception e) { actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.ExpectationFailed); actionContext.Response.ReasonPhrase = e.Message; actionContext.Response.Content = new StringContent(e.InnerException.ToString()); } finally { db.Dispose(); } }
public static bool IsOrgUser(int org) { MyDatabase db = new MyDatabase(); bool isOrgUser = false; // system admins are automatically an org user if (IsSystemAdmin()) { isOrgUser = true; } else { var orgMap = db.OrgUserMappings.Include("Orgs").Where(o => o.orgsId == org); foreach (var o in orgMap) { if (o.usersId == _userId) { isOrgUser = true; break; } } } db.Dispose(); return isOrgUser; }
public static bool IsOrgAdmin(int org) { MyDatabase db = new MyDatabase(); bool isOrgAdmin = false; // system admins are admins for any org if (IsSystemAdmin()) { isOrgAdmin = true; } else { var orgMap = db.OrgUserMappings.Include("Orgs").Where(o => o.orgsId == org); foreach (var o in orgMap) { if (o.usersId == _userId && o.isOrgAdmin == true) { isOrgAdmin = true; break; } } } db.Dispose(); return isOrgAdmin; }
// does the user have access to a response ? // you must be the user who created the response, or the orgAdmin, or the Sysadmin public static bool HasResponseAccess(int responseId) { MyDatabase db = new MyDatabase(); bool hasResponseAccess = false; if (IsSystemAdmin()) // yes, if you are a sys admin { hasResponseAccess = true; } else { Responses responseSecurityCheck = db.Responses.Include("NewFileInstance").SingleOrDefault(r => r.id == responseId); if (HasFileInstanceAccess(responseSecurityCheck.NewFileInstance)) { hasResponseAccess = true; } } db.Dispose(); return hasResponseAccess; }
// does the user have access to a question ? public static bool HasQuestionAccess(int questionId) { MyDatabase db = new MyDatabase(); bool hasQuestionAccess = false; if (IsSystemAdmin()) // yes, if you are a sys admin { hasQuestionAccess = true; } else { // What file does the question belong to? Questions q = db.Questions.Find(questionId); // if you have access to the file, then you have access to the question if (HasFileAccess(q.fileId)) { hasQuestionAccess = true; } } db.Dispose(); return hasQuestionAccess; }
// does the user have access to a file instance (i.e his own file) by fileInstId ? public static bool HasFileInstanceAccess(int fileInstId) { MyDatabase db = new MyDatabase(); bool hasAccess = false; NewFileInstance newfileinstance = db.NewFileInstance.Find(fileInstId); if (IsSystemAdmin()) //yes if you are a sys admin { hasAccess = true; } else { // yes if your userId is on the file if (newfileinstance.userId == _userId) { hasAccess = true; } // yes if you are an orgAdmin else { // What org does the fileInstance belong to? File f = db.File.Find(newfileinstance.fileId); int FilesOrg = f.orgsId; // Is the user an admin of this org? IEnumerable<OrgUserMappings> org = db.OrgUserMappings.Where(m => m.usersId == _userId && m.orgsId == FilesOrg && m.isOrgAdmin == true); if (org.Count() > 0) { hasAccess = true; } } } db.Dispose(); return hasAccess; }