Fix

807a0794 · Petar Hristov · d1a76444 · 807a0794
Commit 807a0794 authored 2 years ago by Petar Hristov
--- a/src/Blob/Controllers/BlobController.cs
+++ b/src/Blob/Controllers/BlobController.cs
@@ -120,11 +120,14 @@ namespace Coscine.Api.Blob.Controllers
            {
                return checkResourceId;
            }
-            var checkUser = CheckUser(user, resource);
-            if (checkUser != null)
+
+            // Rights Matrix (https://git.rwth-aachen.de/coscine/docs/private/internal-wiki/-/blob/master/coscine/Definition%20of%20rights%20Matrix.md)
+            // - Resource: View Resource (RCV, Metadatamanager)
+            if (user is null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member, UserRoles.Guest))
            {
-                return checkUser;
+                return Forbid("User does not have permission to download files from the resource.");
            }
+
            try
            {
                var resourceTypeDefinition = ResourceTypeFactory.Instance.GetResourceType(resource);
@@ -204,10 +207,12 @@ namespace Coscine.Api.Blob.Controllers
            {
                return checkResourceId;
            }
-            var checkUser = CheckUser(user, resource);
-            if (checkUser != null)
+
+            // Rights Matrix (https://git.rwth-aachen.de/coscine/docs/private/internal-wiki/-/blob/master/coscine/Definition%20of%20rights%20Matrix.md)
+            // - Resource: Change Resource (RCV, Metadatamanager)
+            if (user is null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
            {
-                return checkUser;
+                return Forbid("User does not have permission to upload files in the resource.");
            }

            if (resource.Archived == "1")
@@ -306,10 +311,12 @@ namespace Coscine.Api.Blob.Controllers
            {
                return checkResourceId;
            }
-            var checkUser = CheckUser(user, resource);
-            if (checkUser != null)
+
+            // Rights Matrix (https://git.rwth-aachen.de/coscine/docs/private/internal-wiki/-/blob/master/coscine/Definition%20of%20rights%20Matrix.md)
+            // - Resource: Change Resource (RCV, Metadatamanager)
+            if (user is null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
            {
-                return checkUser;
+                return Forbid("User does not have permission to delete from the resource.");
            }

            if (resource.Archived == "1")
@@ -395,21 +402,6 @@ namespace Coscine.Api.Blob.Controllers
            return null;
        }

-        /// <summary>
-        /// Checks if the user has access to the resource
-        /// </summary>
-        /// <param name="user">user</param>
-        /// <param name="resource">resource</param>
-        /// <returns>status code 403 if the user has no access</returns>
-        public IActionResult CheckUser(User user, Resource resource)
-        {
-            if (user == null || !_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
-            {
-                return Forbid("User does not have permission to the resource.");
-            }
-            return null;
-        }
-
        /// <summary>
        /// Writes an analytics log entry
        /// </summary>