From 02c7905b28416f7c6be2de6206a5e502823cb87c Mon Sep 17 00:00:00 2001 From: Paul Schneider Date: Sat, 13 Aug 2016 01:26:32 +0200 Subject: [PATCH] Estimate Owner implementation --- Yavsc/ApiControllers/EstimateApiController.cs | 57 ++++++++++++++++--- Yavsc/Model/Billing/Estimate.cs | 18 ++++-- 2 files changed, 63 insertions(+), 12 deletions(-) diff --git a/Yavsc/ApiControllers/EstimateApiController.cs b/Yavsc/ApiControllers/EstimateApiController.cs index e32c08e4..8381b722 100644 --- a/Yavsc/ApiControllers/EstimateApiController.cs +++ b/Yavsc/ApiControllers/EstimateApiController.cs @@ -1,5 +1,5 @@ -using System.Collections.Generic; using System.Linq; +using System.Security.Claims; using Microsoft.AspNet.Authorization; using Microsoft.AspNet.Http; using Microsoft.AspNet.Mvc; @@ -19,12 +19,26 @@ namespace Yavsc.Controllers { _context = context; } - - // GET: api/Estimate + bool UserIsAdminOrThis(string uid) + { + if (User.IsInRole(Constants.AdminGroupName)) return true; + return uid == User.GetUserId(); + } + bool UserIsAdminOrInThese (string oid, string uid) + { + if (User.IsInRole(Constants.AdminGroupName)) return true; + var cuid = User.GetUserId(); + return cuid == uid || cuid == oid; + } + // GET: api/Estimate{?ownerId=User.GetUserId()} [HttpGet] - public IEnumerable GetEstimates() + public IActionResult GetEstimates(string ownerId=null) { - return _context.Estimates; + if ( ownerId == null ) ownerId = User.GetUserId(); + else if (!UserIsAdminOrThis(ownerId)) // throw new Exception("Not authorized") ; + // or just do nothing + return new HttpStatusCodeResult(StatusCodes.Status403Forbidden); + return Ok(_context.Estimates.Where(e=>e.OwnerId == ownerId)); } // GET: api/Estimate/5 @@ -43,7 +57,9 @@ namespace Yavsc.Controllers return HttpNotFound(); } + if (UserIsAdminOrInThese(estimate.ClientId,estimate.OwnerId)) return Ok(estimate); + return new HttpStatusCodeResult(StatusCodes.Status403Forbidden); } // PUT: api/Estimate/5 
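Review bot: The `else if` branch of GetEstimates has two commented-out alternatives (`// throw new Exception("Not authorized") ;` and `// or just do nothing`) sitting between the condition and its `return`, so the single-statement branch reads as if the return were detached from it; drop them so the line is `else if (!UserIsAdminOrThis(ownerId)) return new HttpStatusCodeResult(StatusCodes.Status403Forbidden);`. The listing is filtered on `OwnerId` only, so a user who is the `ClientId` of an estimate may fetch it by id in the next hunk but never sees it here; if that asymmetry is intended, a comment on the method saying so would help. Whether the controller is `[Authorize]`d is not visible in the hunk; if it is not, `User.GetUserId()` is null for anonymous callers and the query silently filters on a null owner instead of rejecting the request.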
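Review bot: After the `HttpNotFound()` check, GetEstimate now answers 403 to an authenticated caller who is neither owner nor client, so the status code alone confirms which ids exist; where that matters, answering `HttpNotFound()` in both cases (`if (!UserIsAdminOrInThese(estimate.ClientId, estimate.OwnerId)) return HttpNotFound();`) avoids it. The PUT, POST and DELETE hunks below report an ownership failure as `HttpBadRequest(ModelState)` rather than 403, so one status code for "not yours" across the controller would be easier on clients. GetEstimate's signature and the lookup are outside the hunk.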
@@ -59,7 +75,15 @@ namespace Yavsc.Controllers { return HttpBadRequest(); } - + var uid = User.GetUserId(); + if (!User.IsInRole(Constants.AdminGroupName)) + { + if (uid != estimate.OwnerId) + { + ModelState.AddModelError("OwnerId","You can only modify your own estimates"); + return HttpBadRequest(ModelState); + } + } _context.Entry(estimate).State = EntityState.Modified; try @@ -89,7 +113,15 @@ namespace Yavsc.Controllers { return HttpBadRequest(ModelState); } - + var uid = User.GetUserId(); + if (!User.IsInRole(Constants.AdminGroupName)) + { + if (uid != estimate.OwnerId) + { + ModelState.AddModelError("OwnerId","You can only create your own estimates"); + return HttpBadRequest(ModelState); + } + } _context.Estimates.Add(estimate); try { @@ -120,11 +152,20 @@ namespace Yavsc.Controllers } Estimate estimate = _context.Estimates.Single(m => m.Id == id); + if (estimate == null) { return HttpNotFound(); } - + var uid = User.GetUserId(); + if (!User.IsInRole(Constants.AdminGroupName)) + { + if (uid != estimate.OwnerId) + { + ModelState.AddModelError("OwnerId","You can only create your own estimates"); + return HttpBadRequest(ModelState); + } + } _context.Estimates.Remove(estimate); _context.SaveChanges(); diff --git a/Yavsc/Model/Billing/Estimate.cs b/Yavsc/Model/Billing/Estimate.cs index f33192c0..ecc0ecc4 100644 --- a/Yavsc/Model/Billing/Estimate.cs +++ b/Yavsc/Model/Billing/Estimate.cs @@ -35,8 +35,10 @@ namespace Yavsc.Models.Billing [NotMapped] public List AttachedGraphics { get; set; } - public string AttachedGraphicsString { get { return string.Join(":", AttachedGraphics); } - set { AttachedGraphics = value.Split(':').ToList(); } } + public string AttachedGraphicsString { + get { return string.Join(":", AttachedGraphics); } + set { AttachedGraphics = value.Split(':').ToList(); } + } /// /// List of attached files /// to this estimate, as relative pathes to 
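Review bot: The ownership check in the PUT hunk compares `uid` with `estimate.OwnerId` of the request body, the same object that is then marked `EntityState.Modified`, so the value being checked is supplied by the caller rather than read from the stored row; the check has to be made against the persisted `OwnerId` for the same `Id` before the overwrite. Projecting only the owner id keeps the change tracker clean and also yields a 404 when the id does not exist, which the hunk lacks unless it is handled above it (the method starts outside SOURCE). Keeping the comparison against the body's `OwnerId` as well stops a non-admin from reassigning their own estimate to another owner. The method's signature is not visible; I assume `estimate.Id` is the key being updated.
```csharp
var uid = User.GetUserId();
// Read the owner from the stored row: the body's OwnerId is caller-controlled.
var storedOwnerId = _context.Estimates
    .Where(e => e.Id == estimate.Id)
    .Select(e => e.OwnerId)
    .SingleOrDefault();
if (storedOwnerId == null)
{
    return HttpNotFound();
}
if (!User.IsInRole(Constants.AdminGroupName)
    && (uid != storedOwnerId || uid != estimate.OwnerId))
{
    ModelState.AddModelError("OwnerId", "You can only modify your own estimates");
    return HttpBadRequest(ModelState);
}
_context.Entry(estimate).State = EntityState.Modified;
// … unchanged: SaveChanges and concurrency handling …
```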
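Review bot: The POST hunk re-implements `UserIsAdminOrThis` inline (`User.IsInRole(Constants.AdminGroupName)` followed by `uid != estimate.OwnerId`), as do the PUT and DELETE hunks, even though this commit adds that helper for exactly this test; `if (!UserIsAdminOrThis(estimate.OwnerId))` replaces the two nested `if`s and makes the `uid` local unnecessary. Checking the body's `OwnerId` is the right thing for creation, since no stored row exists yet. The enclosing method starts and ends outside the hunk.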
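Review bot: The error message added in the DELETE hunk says "You can only create your own estimates", copied from the POST hunk; it should be `ModelState.AddModelError("OwnerId","You can only delete your own estimates");`. Separately, `_context.Estimates.Single(m => m.Id == id)` on the line above throws `InvalidOperationException` when no row matches, so the `estimate == null` branch (context here, apparently pre-existing) cannot run; `SingleOrDefault` is what that null check expects. The ownership test in this hunk does run against the stored row, which is the pattern the PUT hunk should follow too.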
@@ -46,7 +48,15 @@ namespace Yavsc.Models.Billing /// [NotMapped] public List AttachedFiles { get; set; } - public string AttachedFilesString { get { return string.Join(":", AttachedFiles); } - set { AttachedFiles = value.Split(':').ToList(); } } + public string AttachedFilesString { + get { return string.Join(":", AttachedFiles); } + set { AttachedFiles = value.Split(':').ToList(); } + } + + [Required] + public string OwnerId { get; set; } + + [Required] + public string ClientId { get; set; } } }
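Review bot: `OwnerId` and `ClientId` are added without the `///` summaries the neighbouring members carry; something like `/// <summary>Id of the user who owns, and may modify, this estimate</summary>` and `/// <summary>Id of the user the estimate is addressed to; may read it</summary>` — the second is my reading of how the controller hunks use it, so adjust if the meaning differs. Both are `[Required]` strings with no navigation property or foreign key on the model, so nothing here ties them to an existing user record; if referential integrity is wanted, declare the relation. The diffstat lists no migration for the two new non-null columns, so existing rows will need a default or a data migration before this schema change is applied — the migrations folder is not visible from here.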