Merge pull request #1112 from gordon-cs/WMRA-Route-Protection

Added StateYourBusiness for API route protecting. Added new auth gr…

Gordon360/Authorization/StateYourBusiness.cs

@@ -72,11 +72,11 @@ public async override Task OnActionExecutionAsync(ActionExecutingContext actionC
         _recimParticipantService = context.HttpContext.RequestServices.GetRequiredService<IParticipantService>();
         _recimTeamService = context.HttpContext.RequestServices.GetRequiredService<ITeamService>();
         _recimActivityService = context.HttpContext.RequestServices.GetRequiredService<Services.RecIM.IActivityService>();
-        
+
         user_name = AuthUtils.GetUsername(authenticatedUser);
         user_groups = AuthUtils.GetGroups(authenticatedUser);
 
-        if (user_groups.Contains(AuthGroup.SiteAdmin))
+        if ((user_groups.Contains(AuthGroup.SiteAdmin))|| (user_groups.Contains(AuthGroup.HousingDeveloper))) //remove housing developer before deployment
         {
             await next();
             return;
@@ -188,6 +188,11 @@ private async Task<bool> CanReadOneAsync(string resource)
                     }
                     return false;
                 }
+            case Resource.HOUSING_CONTACT_PREFERENCE:
+                return (user_groups.Contains(AuthGroup.RD) || user_groups.Contains(AuthGroup.HousingAdmin) ||
+                    user_groups.Contains(AuthGroup.HallInfoViewer) || user_groups.Contains(AuthGroup.Student));
+            case Resource.HOUSING_ON_CALL_RA:
+                return (user_groups.Contains(AuthGroup.Student));
             case Resource.NEWS:
                 return true;
             case Resource.STUDENT_SCHEDULE:
@@ -398,6 +403,13 @@ private bool CanReadAll(string resource)
                     }
                     return false;
                 }
+            case Resource.HOUSING_ROOM_RANGE:
+                return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+            case Resource.HOUSING_RA_ASSIGNMENT:
+                return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+            case Resource.HOUSING_ON_CALL_RA:
+                return (user_groups.Contains(AuthGroup.RD) || user_groups.Contains(AuthGroup.HallInfoViewer) || 
+                    user_groups.Contains(AuthGroup.HousingAdmin));
             case Resource.NEWS:
                 return user_groups.Contains(AuthGroup.NewsAdmin);
             case Resource.RECIM:
@@ -500,6 +512,12 @@ private async Task<bool> CanAddAsync(string resource)
                     }
                     return false;
                 }
+            case Resource.HOUSING_ROOM_RANGE:
+                return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+            case Resource.HOUSING_RA_ASSIGNMENT:
+                return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+            case Resource.HOUSING_CONTACT_PREFERENCE:
+                return (user_groups.Contains(AuthGroup.RA));
             case Resource.ADMIN:
                 return false;
             case Resource.ERROR_LOG:
@@ -853,6 +871,10 @@ private async Task<bool> CanDeleteAsync(string resource)
                     // Super admins have unrestricted access by default: no need to check
                     return false;
                 }
+            case Resource.HOUSING_ROOM_RANGE:
+                return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+            case Resource.HOUSING_RA_ASSIGNMENT:
+                return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
             case Resource.NEWS:
                 {
                     if (context.ActionArguments["newsID"] is int newsID)

Gordon360/Controllers/HousingController.cs

@@ -242,6 +242,7 @@ public ActionResult<ApartmentApplicationViewModel[]> GetAllApartmentApplication(
     /// <param name="model">The ViewModel that contains the hall ID and room range</param>
     /// <returns>The created Hall_Assignment_Ranges object</returns>
     [HttpPost("roomrange")]
+    [StateYourBusiness(operation = Operation.ADD, resource = Resource.HOUSING_ROOM_RANGE)]
     public async Task<ActionResult<Hall_Assignment_Ranges>> CreateRoomRange([FromBody] HallAssignmentRangeViewModel model)
     {
         try
@@ -264,6 +265,7 @@ public async Task<ActionResult<Hall_Assignment_Ranges>> CreateRoomRange([FromBod
     /// </summary>
     /// <returns>A list of room ranges.</returns>
     [HttpGet("roomrange/all")]
+    [StateYourBusiness(operation = Operation.READ_ALL, resource = Resource.HOUSING_ROOM_RANGE)]
     public async Task<ActionResult<List<HallAssignmentRangeViewModel>>> GetAllRoomRanges()
     {
         try
@@ -283,6 +285,7 @@ public async Task<ActionResult<List<HallAssignmentRangeViewModel>>> GetAllRoomRa
     /// <param name="rangeId">The ID of the room range to delete</param>
     /// <returns> Returns if completed</returns>
     [HttpDelete("roomrange/{rangeId}")]
+    [StateYourBusiness(operation = Operation.DELETE, resource = Resource.HOUSING_ROOM_RANGE)]
     public async Task<IActionResult> DeleteRoomRange(int rangeId)
     {
         try
@@ -315,6 +318,7 @@ public async Task<IActionResult> DeleteRoomRange(int rangeId)
     /// <param name="ra_Id">The ID of the RA to assign</param>
     /// <returns>The created RA_Assigned_Ranges object</returns>
     [HttpPost("roomrange/assign-ra")]
+    [StateYourBusiness(operation = Operation.ADD, resource = Resource.HOUSING_RA_ASSIGNMENT)]
     public async Task<ActionResult<RA_Assigned_Ranges>> AssignRaToRoomRange([FromBody] RA_AssignmentViewModel model)
     {
         try
@@ -338,6 +342,7 @@ public async Task<ActionResult<RA_Assigned_Ranges>> AssignRaToRoomRange([FromBod
     /// <returns>Returns a list of all assignments</returns>
     [HttpGet]
     [Route("roomrange/assignment/all")]
+    [StateYourBusiness(operation = Operation.READ_ALL, resource = Resource.HOUSING_RA_ASSIGNMENT)]
     public async Task<IActionResult> GetRangeAssignments()
     {
         try
@@ -361,6 +366,7 @@ public async Task<IActionResult> GetRangeAssignments()
     /// <param name="rangeId">The Room range of the assignment to delete</param>
     /// <returns> Returns if completed</returns>
     [HttpDelete("roomrange/assignment/{rangeId}")]
+    [StateYourBusiness(operation = Operation.DELETE, resource = Resource.HOUSING_RA_ASSIGNMENT)]
     public async Task<IActionResult> DeleteAssignment(int rangeId)
     {
         try
@@ -462,6 +468,7 @@ public async Task<IActionResult> GetAllRAs()
     /// <param name="preferredContactMethod">The contact method (e.g., "Phone", "Teams")</param>
     /// <returns>True if the contact method was successfully set</returns>
     [HttpPost("ra/contact")]
+    [StateYourBusiness(operation = Operation.ADD, resource = Resource.HOUSING_CONTACT_PREFERENCE)]
     public async Task<IActionResult> SetPreferredContact([FromQuery] string raId, [FromQuery] string preferredContactMethod)
     {
         if (string.IsNullOrWhiteSpace(raId) || string.IsNullOrWhiteSpace(preferredContactMethod))
@@ -496,6 +503,7 @@ public async Task<IActionResult> SetPreferredContact([FromQuery] string raId, [F
     /// <returns>A string containing the preferred contact information (phone number or Teams link) or a default 
     /// phone number if no preference is set.</returns>
     [HttpGet("ra/contact/{raId}")]
+    [StateYourBusiness(operation = Operation.READ_ONE, resource = Resource.HOUSING_CONTACT_PREFERENCE)]
     public async Task<ActionResult<string>> GetRAContact(string raId)
     {
         try
@@ -571,6 +579,7 @@ public async Task<ActionResult<RA_Status_Schedule>> CreateStatus( [FromBody] RA_
     /// <param name="checkin">The viewmodel object of the RA checking in</param>
     /// <returns>true if RA checked in successfully</returns>
     [HttpPost("ra/checkin")]
+    [StateYourBusiness(operation = Operation.ADD, resource = Resource.RA_CHECKIN)]
     public async Task<ActionResult<bool>> RA_Checkin([FromBody] RA_On_CallViewModel RAcheckin)
     {
         try
@@ -598,6 +607,7 @@ public async Task<ActionResult<bool>> RA_Checkin([FromBody] RA_On_CallViewModel
     /// <param name="Hall_ID">The ID of the hall</param>
     /// <returns>The ID of the on-call RA, or a 404 if no RA is on call</returns>
     [HttpGet("ra/on-call/{Hall_ID}")]
+    [StateYourBusiness(operation = Operation.READ_ONE, resource = Resource.HOUSING_ON_CALL_RA)]
     public async Task<ActionResult<string>> GetOnCallRA(string Hall_ID)
     {
         try
@@ -622,6 +632,7 @@ public async Task<ActionResult<string>> GetOnCallRA(string Hall_ID)
     /// </summary>
     /// <returns>The RAs on call</returns>
     [HttpGet("ra/on-call/all")]
+    [StateYourBusiness(operation = Operation.READ_ALL, resource = Resource.HOUSING_ON_CALL_RA)]
     public async Task<ActionResult<List<RA_On_Call_GetViewModel>>> GetOnCallRAAllHalls()
     {
         try

Gordon360/Enums/AuthGroup.cs

@@ -13,7 +13,11 @@ public enum AuthGroup
     RecIMSuperAdmin,
     SiteAdmin,
     Staff,
-    Student
+    Student,
+    RA,
+    RD,
+    HallInfoViewer,
+    HousingDeveloper //Remove before deployment
 }
 
 public static class AuthGroupEnum
@@ -32,6 +36,11 @@ public static class AuthGroupEnum
         "360-SiteAdmin-SG" => AuthGroup.SiteAdmin,
         "360-Staff-SG" => AuthGroup.Staff,
         "360-Student-SG" => AuthGroup.Student,
+        "360-ResLifeStudentWorker-SG" => AuthGroup.RA,
+        "360-HallInfoViewer-SG" => AuthGroup.HallInfoViewer,
+        "360-ResidentDirector" => AuthGroup.RD,
+        "360-HousingDevelopers-SG" => AuthGroup.HousingDeveloper,
+
         _ => null
     };
 }

Gordon360/Static Classes/Names.cs

@@ -20,6 +20,11 @@ public static class Resource
     public const string DINING = "Info related to dining service";
     public const string HOUSING = "Info related to housing";
     public const string HOUSING_ADMIN = "A Housing Admin Resource";
+    public const string HOUSING_ROOM_RANGE = "Information related to room ranges in housing";
+    public const string HOUSING_RA_ASSIGNMENT = "Resident Advisor assignments in housing";
+    public const string RA_CHECKIN = "Info relating to an RA Checkin";
+    public const string HOUSING_CONTACT_PREFERENCE = "Resident Advisor preferred contact methods";
+    public const string HOUSING_ON_CALL_RA = "Information about on-call Resident Advisors";
     public const string ERROR_LOG = "The error log resource";
     public const string NEWS = "A student news resource";
     public const string NEWS_APPROVAL = "The approval of a student news resource";