VCST-2542: delete permission fix #8

merged 1 commit into from
Jan 28, 2025
Expand Up @@ -2,12 +2,12 @@
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using VirtoCommerce.CustomerModule.Core.Extensions;
using VirtoCommerce.CustomerModule.Core.Model;
using VirtoCommerce.FileExperienceApi.Core.Models;
using VirtoCommerce.Platform.Core;
using VirtoCommerce.Platform.Core.Security;
using VirtoCommerce.Platform.Security.Authorization;
using static VirtoCommerce.FileExperienceApi.Core.ModuleConstants.Security.Permissions;
using static VirtoCommerce.WhiteLabeling.Core.ModuleConstants;

namespace VirtoCommerce.WhiteLabeling.ExperienceApi.Authorization;

Expand All @@ -26,26 +26,7 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte

if (!authorized)
{
var organizationId = "";

switch (context.Resource)
{
case File file when file.OwnerEntityType == nameof(Organization):
organizationId = file.OwnerEntityId;
break;
case string id:
organizationId = id;
break;
}

if (context.User.GetCurrentOrganizationId() == organizationId)
{
authorized = requirement.Permission switch
{
Create or Update or Delete => IsOrganizationMaintainer(context.User),
_ => false,
};
}
authorized = CheckRequirement(context, requirement);
}

if (authorized)
Expand All @@ -60,6 +41,35 @@ protected override Task HandleRequirementAsync(AuthorizationHandlerContext conte
return Task.CompletedTask;
}

private static bool CheckRequirement(AuthorizationHandlerContext context, OrganizationLogoAuthorizationRequirement requirement)
{
if (context.Resource is not File file || file.Scope != OrganizationLogoUploadScope)
{
return false;
}

var authorized = false;

if (context.User.GetCurrentOrganizationId() == file.OwnerEntityId)
{
authorized = requirement.Permission switch
{
Create or Update or Delete => IsOrganizationMaintainer(context.User),
_ => false,
};
}
else if (string.IsNullOrEmpty(file.OwnerEntityId))
{
authorized = requirement.Permission switch
{
Delete => IsOrganizationMaintainer(context.User),
_ => false,
};
}

return authorized;
}

private static bool IsOrganizationMaintainer(ClaimsPrincipal principal)
{
return principal.HasGlobalPermission("xapi:my_organization:edit");
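Review bot: In `CheckRequirement`, the ownerless-file branch (`else if (string.IsNullOrEmpty(file.OwnerEntityId))`, intended to allow only Delete) can be shadowed by the first branch: if `GetCurrentOrganizationId()` returns null for a user with no current organization, `null == null` makes the first comparison succeed and the user gets Create/Update/Delete rather than Delete only (I cannot see GetCurrentOrganizationId here, so please confirm its null behaviour). Guarding the owned-file branch closes that gap: `if (!string.IsNullOrEmpty(file.OwnerEntityId) && context.User.GetCurrentOrganizationId() == file.OwnerEntityId)`. The old code also required `OwnerEntityType == nameof(Organization)`; the new method relies on `Scope` alone, which is fine only if that scope is used exclusively for organization logos. A one-line comment above the ownerless branch explaining why any organization maintainer may delete an unowned logo upload would document the intent of this fix for the next reader.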
Expand Up @@ -2,11 +2,14 @@
using GraphQL;
using MediatR;
using Microsoft.AspNetCore.Authorization;
using VirtoCommerce.CustomerModule.Core.Model;
using VirtoCommerce.FileExperienceApi.Core.Models;
using VirtoCommerce.WhiteLabeling.ExperienceApi.Authorization;
using VirtoCommerce.WhiteLabeling.ExperienceApi.Models;
using VirtoCommerce.WhiteLabeling.ExperienceApi.Schemas;
using VirtoCommerce.Xapi.Core.BaseQueries;
using static VirtoCommerce.FileExperienceApi.Core.ModuleConstants.Security.Permissions;
using static VirtoCommerce.WhiteLabeling.Core.ModuleConstants;

namespace VirtoCommerce.WhiteLabeling.ExperienceApi.Commands;

Expand All @@ -24,6 +27,14 @@ public ChangeOrganizationLogoCommandBuilder(
protected override async Task BeforeMediatorSend(IResolveFieldContext<object> context, ChangeOrganizationLogoCommand request)
{
await base.BeforeMediatorSend(context, request);
await Authorize(context, request.OrganizationId, new OrganizationLogoAuthorizationRequirement(Update));

var organizationFileResource = new File
{
OwnerEntityId = request.OrganizationId,
OwnerEntityType = nameof(Organization),
Scope = OrganizationLogoUploadScope,
};

await Authorize(context, organizationFileResource, new OrganizationLogoAuthorizationRequirement(Update));
}
}
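Review bot: The `File` constructed in `BeforeMediatorSend` is a synthetic resource that exists only so the authorization handler's `context.Resource is File` check matches; a comment saying so would stop a reader from assuming it refers to a stored file, e.g. `// Synthetic resource: the logo authorization handler matches on Scope and OwnerEntityId, not on a persisted file.` The handler in the other file of this PR no longer appears to read `OwnerEntityType`, so that assignment is informational as far as I can see. If `request.OrganizationId` is null or empty, the handler's ownerless branch grants only Delete, so this Update request is denied rather than failing with a clear validation error — worth confirming the command validates OrganizationId before reaching this point. The enclosing class begins outside the hunk.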