From 754d573df925e24ef5d794c836d5315185758f9b Mon Sep 17 00:00:00 2001
From: RossClark01
Date: Fri, 6 Dec 2024 20:26:23 -0500
Subject: [PATCH] Added `StateYourBusiness` for API route protecting. Added new auth groups for RDs,RAs, and Hall viewers. For testing purposes added Housing developers as bypassers of api auth checking. This MUST be removed before merging. I would like to test the api permissions on real RA's and RD's to test functionality
---
 Gordon360/Authorization/StateYourBusiness.cs | 26 ++++++++++++++++++--
 Gordon360/Controllers/HousingController.cs | 11 +++++++++
 Gordon360/Enums/AuthGroup.cs | 11 ++++++++-
 Gordon360/Static Classes/Names.cs | 5 ++++
 4 files changed, 50 insertions(+), 3 deletions(-)
diff --git a/Gordon360/Authorization/StateYourBusiness.cs b/Gordon360/Authorization/StateYourBusiness.cs
index 865f3962c..b950a9e78 100644
--- a/Gordon360/Authorization/StateYourBusiness.cs
+++ b/Gordon360/Authorization/StateYourBusiness.cs
@@ -72,11 +72,11 @@ public async override Task OnActionExecutionAsync(ActionExecutingContext actionC
 _recimParticipantService = context.HttpContext.RequestServices.GetRequiredService();
 _recimTeamService = context.HttpContext.RequestServices.GetRequiredService();
 _recimActivityService = context.HttpContext.RequestServices.GetRequiredService();
-
+
 user_name = AuthUtils.GetUsername(authenticatedUser);
 user_groups = AuthUtils.GetGroups(authenticatedUser);
- if (user_groups.Contains(AuthGroup.SiteAdmin))
+ if ((user_groups.Contains(AuthGroup.SiteAdmin))|| (user_groups.Contains(AuthGroup.HousingDeveloper))) //remove housing developer before deployment
 {
 await next();
 return;
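Review bot: The HousingDeveloper short-circuit added to the `if` puts a group that the commit message itself says exists only for testing on the same unrestricted path as SiteAdmin, guarded by nothing but the trailing `//remove housing developer before deployment` comment. If it has to stay while real RA/RD accounts are tested, tie it to the hosting environment so it cannot take effect in production even if the removal is forgotten, e.g. `var env = context.HttpContext.RequestServices.GetRequiredService<IHostEnvironment>();` followed by `if (user_groups.Contains(AuthGroup.SiteAdmin) || (env.IsDevelopment() && user_groups.Contains(AuthGroup.HousingDeveloper)))` (with `using Microsoft.Extensions.Hosting;` if it is not already imported). That form also drops the redundant inner parentheses and fixes the uneven spacing around `||` in the new condition. OnActionExecutionAsync starts before this hunk and continues after it.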
@@ -188,6 +188,11 @@ private async Task CanReadOneAsync(string resource)
 }
 return false;
 }
+ case Resource.HOUSING_CONTACT_PREFERENCE:
+ return (user_groups.Contains(AuthGroup.RD) || user_groups.Contains(AuthGroup.HousingAdmin) ||
+ user_groups.Contains(AuthGroup.HallInfoViewer) || user_groups.Contains(AuthGroup.Student));
+ case Resource.HOUSING_ON_CALL_RA:
+ return (user_groups.Contains(AuthGroup.Student));
 case Resource.NEWS:
 return true;
 case Resource.STUDENT_SCHEDULE:
@@ -398,6 +403,13 @@ private bool CanReadAll(string resource)
 }
 return false;
 }
+ case Resource.HOUSING_ROOM_RANGE:
+ return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+ case Resource.HOUSING_RA_ASSIGNMENT:
+ return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+ case Resource.HOUSING_ON_CALL_RA:
+ return (user_groups.Contains(AuthGroup.RD) || user_groups.Contains(AuthGroup.HallInfoViewer) ||
+ user_groups.Contains(AuthGroup.HousingAdmin));
 case Resource.NEWS:
 return user_groups.Contains(AuthGroup.NewsAdmin);
 case Resource.RECIM:
@@ -500,6 +512,12 @@ private async Task CanAddAsync(string resource)
 }
 return false;
 }
+ case Resource.HOUSING_ROOM_RANGE:
+ return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+ case Resource.HOUSING_RA_ASSIGNMENT:
+ return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+ case Resource.HOUSING_CONTACT_PREFERENCE:
+ return (user_groups.Contains(AuthGroup.RA));
 case Resource.ADMIN:
 return false;
 case Resource.ERROR_LOG:
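Review bot: The new `case Resource.HOUSING_ON_CALL_RA:` arm in CanReadOneAsync returns true only for Student, while the READ_ALL arm for the same resource in the next hunk grants RD, HallInfoViewer and HousingAdmin, so an RD could list every hall through GetOnCallRAAllHalls yet be denied a single hall through GetOnCallRA — confirm the asymmetry is intended, or widen the arm to `return (user_groups.Contains(AuthGroup.Student) || user_groups.Contains(AuthGroup.RD) || user_groups.Contains(AuthGroup.HallInfoViewer) || user_groups.Contains(AuthGroup.HousingAdmin));`. Both new READ_ONE arms are also pure role checks: neither consults `context.ActionArguments` the way the NEWS delete arm does with `newsID`, so the `raId` or `Hall_ID` a caller supplies is never scoped to that caller, and any member of Student can read any RA's preferred contact. If that breadth is acceptable for these resources, a one-line comment on each arm saying so would spare the next reader from re-deriving it. CanReadOneAsync begins and ends outside this hunk.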
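Review bot: The `user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD)` expression added here for HOUSING_ROOM_RANGE and HOUSING_RA_ASSIGNMENT is repeated verbatim in the CanAddAsync hunk below and in the CanDeleteAsync hunk of the next file section, six copies in all, which makes a later change to who counts as housing staff easy to apply unevenly. A private helper keeps that policy in one place, e.g. `private bool IsHousingStaff() => user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD);`, with each arm reduced to `return IsHousingStaff();`. The parentheses wrapping every returned expression are redundant and the neighbouring NEWS arm does not use them. CanReadAll starts before this hunk.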
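Review bot: CanAddAsync gains arms for HOUSING_ROOM_RANGE, HOUSING_RA_ASSIGNMENT and HOUSING_CONTACT_PREFERENCE but none for RA_CHECKIN, even though the HousingController hunk for RA_Checkin applies `[StateYourBusiness(operation = Operation.ADD, resource = Resource.RA_CHECKIN)]`, so that endpoint's outcome depends on whatever this switch's default arm does, which is not visible here; an explicit `case Resource.RA_CHECKIN:` arm (presumably `return user_groups.Contains(AuthGroup.RA);`) makes the policy deliberate. The HOUSING_CONTACT_PREFERENCE arm also lets any RA reach SetPreferredContact for any `raId`, because it never compares the query parameter with the caller — if `raId` identifies the caller in the same terms as `user_name`, read it from `context.ActionArguments["raId"]` as the NEWS delete arm does with `newsID` and require a match. HousingAdmin is absent from that arm, so only SiteAdmin could set a preference on an RA's behalf; confirm that is intended. CanAddAsync continues past this hunk.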
@@ -853,6 +871,10 @@ private async Task CanDeleteAsync(string resource)
 // Super admins have unrestricted access by default: no need to check
 return false;
 }
+ case Resource.HOUSING_ROOM_RANGE:
+ return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
+ case Resource.HOUSING_RA_ASSIGNMENT:
+ return (user_groups.Contains(AuthGroup.HousingAdmin) || user_groups.Contains(AuthGroup.RD));
 case Resource.NEWS:
 {
 if (context.ActionArguments["newsID"] is int newsID)
diff --git a/Gordon360/Controllers/HousingController.cs b/Gordon360/Controllers/HousingController.cs
index a1c53017f..e22a9cfb8 100644
--- a/Gordon360/Controllers/HousingController.cs
+++ b/Gordon360/Controllers/HousingController.cs
@@ -242,6 +242,7 @@ public ActionResult GetAllApartmentApplication(
 /// The ViewModel that contains the hall ID and room range
 /// The created Hall_Assignment_Ranges object
 [HttpPost("roomrange")]
+ [StateYourBusiness(operation = Operation.ADD, resource = Resource.HOUSING_ROOM_RANGE)]
 public async Task> CreateRoomRange([FromBody] HallAssignmentRangeViewModel model)
 {
 try
@@ -264,6 +265,7 @@ public async Task> CreateRoomRange([FromBod
 ///
 /// A list of room ranges.
 [HttpGet("roomrange/all")]
+ [StateYourBusiness(operation = Operation.READ_ALL, resource = Resource.HOUSING_ROOM_RANGE)]
 public async Task>> GetAllRoomRanges()
 {
 try
@@ -283,6 +285,7 @@ public async Task>> GetAllRoomRa
 /// The ID of the room range to delete
 /// Returns if completed
 [HttpDelete("roomrange/{rangeId}")]
+ [StateYourBusiness(operation = Operation.DELETE, resource = Resource.HOUSING_ROOM_RANGE)]
 public async Task DeleteRoomRange(int rangeId)
 {
 try
@@ -315,6 +318,7 @@ public async Task DeleteRoomRange(int rangeId)
 /// The ID of the RA to assign
 /// The created RA_Assigned_Ranges object
 [HttpPost("roomrange/assign-ra")]
+ [StateYourBusiness(operation = Operation.ADD, resource = Resource.HOUSING_RA_ASSIGNMENT)]
 public async Task> AssignRaToRoomRange([FromBody] RA_AssignmentViewModel model)
 {
 try
@@ -338,6 +342,7 @@ public async Task> AssignRaToRoomRange([FromBod
 /// Returns a list of all assignments
 [HttpGet]
 [Route("roomrange/assignment/all")]
+ [StateYourBusiness(operation = Operation.READ_ALL, resource = Resource.HOUSING_RA_ASSIGNMENT)]
 public async Task GetRangeAssignments()
 {
 try
@@ -361,6 +366,7 @@ public async Task GetRangeAssignments()
 /// The Room range of the assignment to delete
 /// Returns if completed
 [HttpDelete("roomrange/assignment/{rangeId}")]
+ [StateYourBusiness(operation = Operation.DELETE, resource = Resource.HOUSING_RA_ASSIGNMENT)]
 public async Task DeleteAssignment(int rangeId)
 {
 try
@@ -462,6 +468,7 @@ public async Task GetAllRAs()
 /// The contact method (e.g., "Phone", "Teams")
 /// True if the contact method was successfully set
 [HttpPost("ra/contact")]
+ [StateYourBusiness(operation = Operation.ADD, resource = Resource.HOUSING_CONTACT_PREFERENCE)]
 public async Task SetPreferredContact([FromQuery] string raId, [FromQuery] string preferredContactMethod)
 {
 if (string.IsNullOrWhiteSpace(raId) || string.IsNullOrWhiteSpace(preferredContactMethod))
@@ -496,6 +503,7 @@ public async Task SetPreferredContact([FromQuery] string raId, [F
 /// A string containing the preferred contact information (phone number or Teams link) or a default
 /// phone number if no preference is set.
 [HttpGet("ra/contact/{raId}")]
+ [StateYourBusiness(operation = Operation.READ_ONE, resource = Resource.HOUSING_CONTACT_PREFERENCE)]
 public async Task> GetRAContact(string raId)
 {
 try
@@ -571,6 +579,7 @@ public async Task> CreateStatus( [FromBody] RA_
 /// The viewmodel object of the RA checking in
 /// true if RA checked in successfully
 [HttpPost("ra/checkin")]
+ [StateYourBusiness(operation = Operation.ADD, resource = Resource.RA_CHECKIN)]
 public async Task> RA_Checkin([FromBody] RA_On_CallViewModel RAcheckin)
 {
 try
@@ -598,6 +607,7 @@ public async Task> RA_Checkin([FromBody] RA_On_CallViewModel
 /// The ID of the hall
 /// The ID of the on-call RA, or a 404 if no RA is on call
 [HttpGet("ra/on-call/{Hall_ID}")]
+ [StateYourBusiness(operation = Operation.READ_ONE, resource = Resource.HOUSING_ON_CALL_RA)]
 public async Task> GetOnCallRA(string Hall_ID)
 {
 try
@@ -622,6 +632,7 @@ public async Task> GetOnCallRA(string Hall_ID)
 ///
 /// The RAs on call
 [HttpGet("ra/on-call/all")]
+ [StateYourBusiness(operation = Operation.READ_ALL, resource = Resource.HOUSING_ON_CALL_RA)]
 public async Task>> GetOnCallRAAllHalls()
 {
 try
diff --git a/Gordon360/Enums/AuthGroup.cs b/Gordon360/Enums/AuthGroup.cs
index 6e5eb651b..0f254308a 100644
--- a/Gordon360/Enums/AuthGroup.cs
+++ b/Gordon360/Enums/AuthGroup.cs
@@ -13,7 +13,11 @@ public enum AuthGroup
 RecIMSuperAdmin,
 SiteAdmin,
 Staff,
- Student
+ Student,
+ RA,
+ RD,
+ HallInfoViewer,
+ HousingDeveloper //Remove before deployment
 }
 public static class AuthGroupEnum
@@ -32,6 +36,11 @@ public static class AuthGroupEnum
 "360-SiteAdmin-SG" => AuthGroup.SiteAdmin,
 "360-Staff-SG" => AuthGroup.Staff,
 "360-Student-SG" => AuthGroup.Student,
+ "360-ResLifeStudentWorker-SG" => AuthGroup.RA,
+ "360-HallInfoViewer-SG" => AuthGroup.HallInfoViewer,
+ "360-ResidentDirector" => AuthGroup.RD,
+ "360-HousingDevelopers-SG" => AuthGroup.HousingDeveloper,
+ _ => null
 };
 }
diff --git a/Gordon360/Static Classes/Names.cs b/Gordon360/Static Classes/Names.cs
index c41090a56..12635f614 100644
--- a/Gordon360/Static Classes/Names.cs
+++ b/Gordon360/Static Classes/Names.cs
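Review bot: `"360-ResidentDirector"` is the only new mapping whose group name lacks the `-SG` suffix that every other entry, including the three other additions, carries; if that is a typo, RD membership is never recognised and every RD-only arm added in StateYourBusiness silently denies, so the real group name is worth checking against the directory before merging. The `_ => null` arm is also new and the visible context shows no other catch-all, so unknown group names now yield null where the switch would previously have thrown at runtime — better behaviour, but it changes what callers observe and needs the method's return type to be nullable, so it deserves a sentence in the commit message. The `HousingDeveloper` enum member carries the same `//Remove before deployment` marker as the bypass in StateYourBusiness; a `// TODO:` form that an analyzer or CI grep can flag is more likely to be caught than a bare comment.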
@@ -20,6 +20,11 @@ public static class Resource
 public const string DINING = "Info related to dining service";
 public const string HOUSING = "Info related to housing";
 public const string HOUSING_ADMIN = "A Housing Admin Resource";
+ public const string HOUSING_ROOM_RANGE = "Information related to room ranges in housing";
+ public const string HOUSING_RA_ASSIGNMENT = "Resident Advisor assignments in housing";
+ public const string RA_CHECKIN = "Info relating to an RA Checkin";
+ public const string HOUSING_CONTACT_PREFERENCE = "Resident Advisor preferred contact methods";
+ public const string HOUSING_ON_CALL_RA = "Information about on-call Resident Advisors";
 public const string ERROR_LOG = "The error log resource";
 public const string NEWS = "A student news resource";
 public const string NEWS_APPROVAL = "The approval of a student news resource";
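Review bot: `RA_CHECKIN` breaks the naming used by the four constants added alongside it and by the existing `HOUSING_ADMIN`, all of which carry the `HOUSING_` prefix; `HOUSING_RA_CHECKIN` would keep the housing resources grouped and greppable, with the attribute on RA_Checkin in HousingController updated to match. The string values follow the existing pattern of descriptive text rather than stable identifiers, so nothing needs to change there. Resource's body continues outside this hunk.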