estimate view authorization

8 years ago · d6de99d9a0
parent 0e46342cb1
commit d6de99d9a0
7 changed files with 71 additions and 28 deletions
--- a/Yavsc/ApiControllers/PdfEstimateController.cs
+++ b/Yavsc/ApiControllers/PdfEstimateController.cs
@ -2,32 +2,47 @@ using System.IO;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Mvc;
 using System.Web.Routing;
-using Microsoft.AspNet.Mvc.ViewComponents;

 namespace Yavsc.ApiControllers
 {
    using Models;
    using Helpers;
+    using System.Linq;
+    using Microsoft.Data.Entity;
+    using System.Threading.Tasks;
+    using Microsoft.Extensions.Logging;

    [Route("api/pdfestimate"), Authorize]
    public class PdfEstimateController : Controller
    {
        ApplicationDbContext dbContext;
+        private IAuthorizationService authorizationService;
+
+        private ILogger logger;

        public PdfEstimateController(
-            IViewComponentDescriptorCollectionProvider provider,
-            IViewComponentSelector selector,
-        IViewComponentInvokerFactory factory,
+            IAuthorizationService authorizationService,
+            ILoggerFactory loggerFactory,
         ApplicationDbContext context)
        {
-            
+            this.authorizationService = authorizationService;
            dbContext = context;
+            logger = loggerFactory.CreateLogger<PdfEstimateController>();
        }


        [HttpGet("get/{id}", Name = "Get"), Authorize]
-        public IActionResult Get(long id)
+        public async Task<IActionResult> Get(long id)
        {
+            var estimate = dbContext.Estimates.Include(
+                e=>e.Query
+            ).FirstOrDefault(e=>e.Id == id);
+            logger.LogWarning($"#######ESTIMATE OWNER ID {estimate.OwnerId} ########");
+            if (!await authorizationService.AuthorizeAsync(User, estimate, new ViewRequirement()))
+            {
+                return new ChallengeResult();
+            }
+
            var filename = $"estimate-{id}.pdf";

            var cd = new System.Net.Mime.ContentDisposition
--- a/Yavsc/Controllers/EstimateController.cs
+++ b/Yavsc/Controllers/EstimateController.cs
@ -3,6 +3,7 @@ using System.IO;
 using System.Linq;
 using System.Net.Mime;
 using System.Security.Claims;
+using System.Threading.Tasks;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Mvc;
@ -21,10 +22,13 @@ namespace Yavsc.Controllers
        private ApplicationDbContext _context;
        private SiteSettings _site;

-        public EstimateController(ApplicationDbContext context, IOptions<SiteSettings> siteSettings)
+        IAuthorizationService authorizationService;
+
+        public EstimateController(ApplicationDbContext context, IAuthorizationService authorizationService, IOptions<SiteSettings> siteSettings)
        {
            _context = context;
            _site = siteSettings.Value;
+            this.authorizationService = authorizationService;
        }

        // GET: Estimate
@ -41,7 +45,7 @@ namespace Yavsc.Controllers
        }

        // GET: Estimate/Details/5
-        public IActionResult Details(long? id)
+        public async Task<IActionResult> Details(long? id)
        {
            var uid = User.GetUserId();
            if (id == null)
@ -62,6 +66,10 @@ namespace Yavsc.Controllers
            {
                return HttpNotFound();
            }
+            if (!await authorizationService.AuthorizeAsync(User, estimate, new ViewRequirement()))
+            {
+                return new ChallengeResult();
+            }
            return View(estimate);
        }

--- a/Yavsc/Startup/Startup.cs
+++ b/Yavsc/Startup/Startup.cs
@ -181,6 +181,7 @@ namespace Yavsc
            services.AddSingleton<IAuthorizationHandler, CommandEditHandler>();
            services.AddSingleton<IAuthorizationHandler, CommandViewHandler>();
            services.AddSingleton<IAuthorizationHandler, PostUserFileHandler>();
+            services.AddSingleton<IAuthorizationHandler, EstimateViewHandler>();

            services.AddMvc(config =>
            {
--- a/Yavsc/ViewModels/Auth/BlogEditHandler.cs
+++ b/Yavsc/ViewModels/Auth/BlogEditHandler.cs
@ -0,0 +1,19 @@
+using System.Security.Claims;
+using Microsoft.AspNet.Authorization;
+using Yavsc.Models;
+
+namespace Yavsc.ViewModels.Auth
+{
+    public class BlogEditHandler : AuthorizationHandler<EditRequirement, Blog>
+    {
+        protected override void Handle(AuthorizationContext context, EditRequirement requirement, Blog resource)
+        {
+            if (context.User.IsInRole(Constants.BlogModeratorGroupName))
+                context.Succeed(requirement);
+            else if (context.User.Identity.IsAuthenticated)
+            if (resource.AuthorId == context.User.GetUserId())
+                context.Succeed(requirement);
+        }
+
+    }
+}
--- a/Yavsc/ViewModels/Auth/BlogViewHandler.cs
+++ b/Yavsc/ViewModels/Auth/BlogViewHandler.cs
@ -8,7 +8,8 @@ namespace Yavsc.ViewModels.Auth
    {
        protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Blog resource)
        {
-            if (context.User.IsInRole("Moderator"))
+            if (context.User.IsInRole(Constants.BlogModeratorGroupName)
+            || context.User.IsInRole(Constants.AdminGroupName))
                context.Succeed(requirement);
            else if (context.User.Identity.IsAuthenticated)
            if (resource.AuthorId == context.User.GetUserId())
--- a/Yavsc/ViewModels/Auth/EstimateViewHandler.cs
+++ b/Yavsc/ViewModels/Auth/EstimateViewHandler.cs
@ -6,20 +6,17 @@ namespace Yavsc.ViewModels.Auth
 {
    public class EstimateViewHandler : AuthorizationHandler<ViewRequirement, Estimate>
    {
-         protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Estimate resource)
+        protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Estimate resource)
        {
-            if (context.User.IsInRole("Moderator"))
-                context.Succeed(requirement);
-            else if (!context.User.Identity.IsAuthenticated)
-                context.Fail();
-            else {
-            var uid = context.User.GetUserId();
            
-            if (resource.OwnerId == uid || resource.Query.ClientId == uid)
-                context.Succeed(requirement); 
-            else
-            // TODO && ( resource.Circles == null || context.User belongs to resource.Circles )
-                context.Fail();
+            if (context.User.IsInRole(Constants.AdminGroupName)
+            || context.User.IsInRole(Constants.FrontOfficeGroupName))
+                context.Succeed(requirement);
+            else if (context.User.Identity.IsAuthenticated) {
+                var uid = context.User.GetUserId();
+                if (resource.OwnerId == uid || resource.ClientId == uid)
+                    context.Succeed(requirement); 
+                // TODO && ( resource.Circles == null || context.User belongs to resource.Circles )
            }
        }
    }
--- a/Yavsc/Views/_ViewImports.cshtml
+++ b/Yavsc/Views/_ViewImports.cshtml
@ -1,3 +1,11 @@
+
+@using Microsoft.AspNet.Identity;
+@using Microsoft.AspNet.Mvc;
+@using Microsoft.Extensions.Localization;
+@using Microsoft.AspNet.Mvc.Localization;
+@using Microsoft.AspNet.Authorization;
+@using Microsoft.Extensions.OptionsModel;
+@using System.Web.Optimization;
@using Yavsc;
@using Yavsc.Models;
@using Yavsc.Models.Google;
@ -8,13 +16,7 @@
@using Yavsc.ViewModels.Account;
@using Yavsc.ViewModels.Manage;
@using Yavsc.ViewModels.Calendar;
-@using Microsoft.AspNet.Identity;
-@using Microsoft.AspNet.Mvc;
-@using Microsoft.Extensions.Localization;
-@using Microsoft.AspNet.Mvc.Localization;
-@using Microsoft.AspNet.Authorization;
-@using Microsoft.Extensions.OptionsModel;
-@using System.Web.Optimization;
+@using Yavsc.ViewModels.Auth;

@inject IViewLocalizer LocString
@addTagHelper "*, Microsoft.AspNet.Mvc.TagHelpers"