estimate view authorization

Yavsc/ApiControllers/PdfEstimateController.cs

@@ -2,32 +2,47 @@ using System.IO;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Mvc;
 using System.Web.Routing;
-using Microsoft.AspNet.Mvc.ViewComponents;
 
 namespace Yavsc.ApiControllers
 {
     using Models;
     using Helpers;
+    using System.Linq;
+    using Microsoft.Data.Entity;
+    using System.Threading.Tasks;
+    using Microsoft.Extensions.Logging;
 
     [Route("api/pdfestimate"), Authorize]
     public class PdfEstimateController : Controller
     {
         ApplicationDbContext dbContext;
+        private IAuthorizationService authorizationService;
+
+        private ILogger logger;
 
         public PdfEstimateController(
-            IViewComponentDescriptorCollectionProvider provider,
+            IAuthorizationService authorizationService,
-            IViewComponentSelector selector,
+            ILoggerFactory loggerFactory,
-        IViewComponentInvokerFactory factory,
          ApplicationDbContext context)
         {
-            
+            this.authorizationService = authorizationService;
             dbContext = context;
+            logger = loggerFactory.CreateLogger<PdfEstimateController>();
         }
 
 
         [HttpGet("get/{id}", Name = "Get"), Authorize]
-        public IActionResult Get(long id)
+        public async Task<IActionResult> Get(long id)
+        {
+            var estimate = dbContext.Estimates.Include(
+                e=>e.Query
+            ).FirstOrDefault(e=>e.Id == id);
+            logger.LogWarning($"#######ESTIMATE OWNER ID {estimate.OwnerId} ########");
+            if (!await authorizationService.AuthorizeAsync(User, estimate, new ViewRequirement()))
             {
+                return new ChallengeResult();
+            }
+
             var filename = $"estimate-{id}.pdf";
 
             var cd = new System.Net.Mime.ContentDisposition

Yavsc/Controllers/EstimateController.cs

@@ -3,6 +3,7 @@ using System.IO;
 using System.Linq;
 using System.Net.Mime;
 using System.Security.Claims;
+using System.Threading.Tasks;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Mvc;
@@ -21,10 +22,13 @@ namespace Yavsc.Controllers
         private ApplicationDbContext _context;
         private SiteSettings _site;
 
-        public EstimateController(ApplicationDbContext context, IOptions<SiteSettings> siteSettings)
+        IAuthorizationService authorizationService;
+
+        public EstimateController(ApplicationDbContext context, IAuthorizationService authorizationService, IOptions<SiteSettings> siteSettings)
         {
             _context = context;
             _site = siteSettings.Value;
+            this.authorizationService = authorizationService;
         }
 
         // GET: Estimate
@@ -41,7 +45,7 @@ namespace Yavsc.Controllers
         }
 
         // GET: Estimate/Details/5
-        public IActionResult Details(long? id)
+        public async Task<IActionResult> Details(long? id)
         {
             var uid = User.GetUserId();
             if (id == null)
@@ -62,6 +66,10 @@ namespace Yavsc.Controllers
             {
                 return HttpNotFound();
             }
+            if (!await authorizationService.AuthorizeAsync(User, estimate, new ViewRequirement()))
+            {
+                return new ChallengeResult();
+            }
             return View(estimate);
         }
 

Yavsc/Startup/Startup.cs

@@ -181,6 +181,7 @@ namespace Yavsc
             services.AddSingleton<IAuthorizationHandler, CommandEditHandler>();
             services.AddSingleton<IAuthorizationHandler, CommandViewHandler>();
             services.AddSingleton<IAuthorizationHandler, PostUserFileHandler>();
+            services.AddSingleton<IAuthorizationHandler, EstimateViewHandler>();
 
             services.AddMvc(config =>
             {

Yavsc/ViewModels/Auth/BlogEditHandler.cs

@@ -0,0 +1,19 @@
+using System.Security.Claims;
+using Microsoft.AspNet.Authorization;
+using Yavsc.Models;
+
+namespace Yavsc.ViewModels.Auth
+{
+    public class BlogEditHandler : AuthorizationHandler<EditRequirement, Blog>
+    {
+        protected override void Handle(AuthorizationContext context, EditRequirement requirement, Blog resource)
+        {
+            if (context.User.IsInRole(Constants.BlogModeratorGroupName))
+                context.Succeed(requirement);
+            else if (context.User.Identity.IsAuthenticated)
+            if (resource.AuthorId == context.User.GetUserId())
+                context.Succeed(requirement);
+        }
+
+    }
+}

Yavsc/ViewModels/Auth/BlogViewHandler.cs

@@ -8,7 +8,8 @@ namespace Yavsc.ViewModels.Auth
     {
         protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Blog resource)
         {
-            if (context.User.IsInRole("Moderator"))
+            if (context.User.IsInRole(Constants.BlogModeratorGroupName)
+            || context.User.IsInRole(Constants.AdminGroupName))
                 context.Succeed(requirement);
             else if (context.User.Identity.IsAuthenticated)
             if (resource.AuthorId == context.User.GetUserId())

Yavsc/ViewModels/Auth/EstimateViewHandler.cs

@@ -8,18 +8,15 @@ namespace Yavsc.ViewModels.Auth
     {
         protected override void Handle(AuthorizationContext context, ViewRequirement requirement, Estimate resource)
         {
-            if (context.User.IsInRole("Moderator"))
+            
+            if (context.User.IsInRole(Constants.AdminGroupName)
+            || context.User.IsInRole(Constants.FrontOfficeGroupName))
                 context.Succeed(requirement);
-            else if (!context.User.Identity.IsAuthenticated)
+            else if (context.User.Identity.IsAuthenticated) {
-                context.Fail();
-            else {
                 var uid = context.User.GetUserId();
-            
+                if (resource.OwnerId == uid || resource.ClientId == uid)
-            if (resource.OwnerId == uid || resource.Query.ClientId == uid)
                     context.Succeed(requirement); 
-            else
                 // TODO && ( resource.Circles == null || context.User belongs to resource.Circles )
-                context.Fail();
             }
         }
     }

Yavsc/Views/_ViewImports.cshtml

@@ -1,3 +1,11 @@
+
+@using Microsoft.AspNet.Identity;
+@using Microsoft.AspNet.Mvc;
+@using Microsoft.Extensions.Localization;
+@using Microsoft.AspNet.Mvc.Localization;
+@using Microsoft.AspNet.Authorization;
+@using Microsoft.Extensions.OptionsModel;
+@using System.Web.Optimization;
 @using Yavsc;
 @using Yavsc.Models;
 @using Yavsc.Models.Google;
@@ -8,13 +16,7 @@
 @using Yavsc.ViewModels.Account;
 @using Yavsc.ViewModels.Manage;
 @using Yavsc.ViewModels.Calendar;
-@using Microsoft.AspNet.Identity;
+@using Yavsc.ViewModels.Auth;
-@using Microsoft.AspNet.Mvc;
-@using Microsoft.Extensions.Localization;
-@using Microsoft.AspNet.Mvc.Localization;
-@using Microsoft.AspNet.Authorization;
-@using Microsoft.Extensions.OptionsModel;
-@using System.Web.Optimization;
 
 @inject IViewLocalizer LocString
 @addTagHelper "*, Microsoft.AspNet.Mvc.TagHelpers"