Timestamp:
12/18/17 17:38:05 (5 years ago)
Author:
jzenisek
Message:

#2839 added checks for the administration of project-resource assignments

File:
1 edited

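--- a/branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs
+++ b/branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs
@@ -72,4 +72,5 @@
     }
 
+    // authorize if user is admin or resource owner
     public void AuthorizeForResourceAdministration(Guid resourceId) {
       var pm = PersistenceManager;
@@ -78,4 +79,5 @@
         var resource = resourceDao.GetById(resourceId);
         if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
+
         if (resource.OwnerUserId != UserManager.CurrentUserId
             && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
@@ -85,15 +87,44 @@
     }
 
+    // authorize if user is admin, project owner or owner of a parent project
     public void AuthorizeForProjectAdministration(Guid projectId) {
       var pm = PersistenceManager;
       var projectDao = pm.ProjectDao;
       pm.UseTransaction(() => {
+        // check if project exists (not necessary)
         var project = projectDao.GetById(projectId);
         if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
 
-        var projectTree = projectDao.GetCurrentAndParentProjectsById(projectId);
-        if(!projectTree.Select(x => x.OwnerUserId).Contains(UserManager.CurrentUserId)
+        var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId);
+        if(!projectBranch.Select(x => x.OwnerUserId).Contains(UserManager.CurrentUserId)
             && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
           throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
+        }
+      });
+    }
+
+    // authorize if user is admin, or owner of a parent project, for which the resources are assigned to
+    public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) {
+      var pm = PersistenceManager;
+      var projectDao = pm.ProjectDao;
+      var resourceDao = pm.ResourceDao;
+      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
+      pm.UseTransaction(() => {
+        // check if project exists (not necessary)
+        var project = projectDao.GetById(projectId);
+        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
+
+        // check if resourceIds exist
+        if (!resourceDao.CheckExistence(resourceIds))
+          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
+
+        // check if user is admin
+        if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return;
+
+        // check if user is owner of a parent project and...
+        // check if the all argument resourceIds are among the assigned resources of the owned projects
+        var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, UserManager.CurrentUserId);
+        if(resourceIds.Except(grantedResourceIds).Any()) {
+          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
         }
       });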
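Review bot: In AuthorizeForProjectResourceAdministration the final test `resourceIds.Except(grantedResourceIds).Any()` passes vacuously when `resourceIds` is empty, so a caller who is neither administrator nor owner of any parent project is authorized for every existing project as long as the list is empty. Whether that is harmful depends on callers outside this hunk, but if an empty list is used to clear a project's assignments, the ownership requirement stated in the comment is not enforced. Ownership should be established separately from the subset test, failing with `NOT_AUTHORIZED_USERRESOURCE` when the caller owns no parent project of `projectId`. `resourceIds` is also enumerated twice (`CheckExistence`, then `Except`), so a lazily evaluated sequence could be checked with different contents each time; materialize it once, e.g. `var requestedIds = resourceIds.ToList();`, and use that copy for both checks. The method's closing brace lies outside the hunk.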