Changeset 15540 for branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs

Timestamp:

12/18/17 17:38:05 (5 years ago)

Author:

jzenisek

Message:

#2839 added checks for the administration of project-resource assignments

File:

• branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs (modified) (3 diffs)

branches/HiveProjectManagement/HeuristicLab.Services.Hive/3.3/Manager/AuthorizationManager.cs

@@ -72 +72 @@
     }
 
+    // authorize if user is admin or resource owner
     public void AuthorizeForResourceAdministration(Guid resourceId) {
       var pm = PersistenceManager;
@@ -78 +79 @@
         var resource = resourceDao.GetById(resourceId);
         if (resource == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
+
         if (resource.OwnerUserId != UserManager.CurrentUserId
             && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
@@ -85 +87 @@
     }
 
+    // authorize if user is admin, project owner or owner of a parent project
     public void AuthorizeForProjectAdministration(Guid projectId) {
       var pm = PersistenceManager;
       var projectDao = pm.ProjectDao;
       pm.UseTransaction(() => {
+        // check if project exists (not necessary)
         var project = projectDao.GetById(projectId);
         if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
 
-        var projectTree = projectDao.GetCurrentAndParentProjectsById(projectId);
-        if(!projectTree.Select(x => x.OwnerUserId).Contains(UserManager.CurrentUserId)
+        var projectBranch = projectDao.GetCurrentAndParentProjectsById(projectId);
+        if(!projectBranch.Select(x => x.OwnerUserId).Contains(UserManager.CurrentUserId)
             && !RoleVerifier.IsInRole(HiveRoles.Administrator)) {
           throw new SecurityException(NOT_AUTHORIZED_USERPROJECT);
+        }
+      });
+    }
+
+    // authorize if user is admin, or owner of a parent project, for which the resources are assigned to
+    public void AuthorizeForProjectResourceAdministration(Guid projectId, IEnumerable<Guid> resourceIds) {
+      var pm = PersistenceManager;
+      var projectDao = pm.ProjectDao;
+      var resourceDao = pm.ResourceDao;
+      var assignedProjectResourceDao = pm.AssignedProjectResourceDao;
+      pm.UseTransaction(() => {
+        // check if project exists (not necessary)
+        var project = projectDao.GetById(projectId);
+        if (project == null) throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
+
+        // check if resourceIds exist
+        if (!resourceDao.CheckExistence(resourceIds))
+          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
+
+        // check if user is admin
+        if (RoleVerifier.IsInRole(HiveRoles.Administrator)) return;
+
+        // check if user is owner of a parent project and...
+        // check if the all argument resourceIds are among the assigned resources of the owned projects
+        var grantedResourceIds = assignedProjectResourceDao.GetAllGrantedResourceIdsOfOwnedParentProjects(projectId, UserManager.CurrentUserId);
+        if(resourceIds.Except(grantedResourceIds).Any()) {
+          throw new SecurityException(NOT_AUTHORIZED_USERRESOURCE);
         }
       });