diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs
index a6dad85b02a4b47b457181ee881bd1c407d5219f..507c321276db5cd32c5879c9cb4055004bb7062b 100644
--- a/src/Project/Controllers/ProjectController.cs
+++ b/src/Project/Controllers/ProjectController.cs
@@ -19,7 +19,7 @@ namespace Coscine.Api.Project.Controllers
 private readonly Authenticator _authenticator;
 private readonly ProjectModel _projectModel;
 private readonly IConfiguration _configuration;
- private readonly Emitter _emitter;
+ private readonly Emitter _emitter;
 
 public ProjectController()
 {
@@ -176,7 +176,7 @@ namespace Coscine.Api.Project.Controllers
 var project = _projectModel.StoreFromObject(projectObject, user);
 
- if (projectObject.ParentId != null
+ if (projectObject.ParentId != null && projectObject.ParentId != new Guid()
 // for now, only an owner can add subprojects to projects
 && _projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner))
diff --git a/src/Project/Controllers/SubProjectController.cs b/src/Project/Controllers/SubProjectController.cs
index a9f95638a2aa661ea43f2995f478e95f616cae5a..812da5778065382280ea15eeeb8658902c6f21a3 100644
--- a/src/Project/Controllers/SubProjectController.cs
+++ b/src/Project/Controllers/SubProjectController.cs
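Review bot: The parent-access check on the new `+ if` line runs only after `var project = _projectModel.StoreFromObject(projectObject, user);` two lines earlier has already stored the project, so a caller who sends a ParentId for a project they do not own still gets the project created (presumably as a top-level one) instead of being rejected; if that is not the intent, the `HasAccess` check should run before the store, or the else branch, which lies outside the hunk, should undo it. Separately, `projectObject.ParentId != new Guid()` is clearer as `projectObject.ParentId != Guid.Empty`, and a comment such as `// Guid.Empty means "no parent"; skip it so GetById is never called with the empty id` would record why the empty value is filtered here. The enclosing action method starts and ends outside the hunk, and the hunk header counts seven lines where only five are visible, so its tail may be truncated in this view.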
@@ -24,10 +24,19 @@ namespace Coscine.Api.Project.Controllers
 {
 var parentGuid = new Guid(parentId);
 var projectModel = new ProjectModel();
+ var projectRoleModel = new ProjectRoleModel();
 var user = _authenticator.GetUser();
- if (projectModel.HasAccess(user, projectModel.GetById(parentGuid), UserRoles.Owner, UserRoles.Member))
+ string[] allowedRoles = { UserRoles.Owner, UserRoles.Member };
+ allowedRoles = allowedRoles.Select(x => x.ToLower().Trim()).ToArray();
+ if (projectModel.HasAccess(user, projectModel.GetById(parentGuid), allowedRoles))
 {
- var subProjects = _subProjectModel.GetAllWhere((subProjectM) => (subProjectM.ProjectId == parentGuid))
+ var subProjects = _subProjectModel.GetAllWhere((subProjectM) => (subProjectM.ProjectId == parentGuid
+ // select only subprojects to which the user has access
+ && (from projectRole in subProjectM.SubProject_FK.ProjectRolesProjectIdIds
+ where projectRole.User.Id == user.Id
+ && allowedRoles.Contains(projectRole.Role.DisplayName.ToLower())
+ select projectRole).Any())
+ )
 .Select((subProject) => projectModel.GetById(subProject.SubProjectId))
 .Select((project) => projectModel.CreateReturnObjectFromDatabaseObject(project, parentGuid))
 .OrderBy(element => element.DisplayName);
diff --git a/src/Project/Models/ProjectModel.cs b/src/Project/Models/ProjectModel.cs
index db9f51de3c641115ea08d9997d101c8f071f9048..97c7431977fb9d9fb98b629134d8468fad84b670 100644
--- a/src/Project/Models/ProjectModel.cs
+++ b/src/Project/Models/ProjectModel.cs
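Review bot: `var projectRoleModel = new ProjectRoleModel();` is added but never used anywhere in the hunk, so it should be dropped unless a line outside the hunk needs it. The role normalization `allowedRoles.Select(x => x.ToLower().Trim())` uses the culture-sensitive `ToLower()`, as do the `Role.DisplayName.ToLower()` comparisons here and in the ProjectModel hunk; a single helper on `UserRoles` that applies `ToLowerInvariant()` at every site would keep the role matching consistent and independent of the server locale. The sub-project filter matches the user via `projectRole.User.Id` while the ProjectModel hunk uses `parentProjectRole.UserId`; if both resolve to the same column this is only a style inconsistency, otherwise it is worth unifying. The enclosing action method starts outside the hunk.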
@@ -123,7 +123,16 @@ namespace Coscine.Api.Project.Models
 var allUserProjectRoles = projectRoleModel.GetAllWhere((projectRoleRelation) => projectRoleRelation.UserId == user.Id
 && allowedAccess.Contains(projectRoleRelation.Role.DisplayName.ToLower()));
 var allowedProjectIds = allUserProjectRoles.Select((projectRole) => projectRole.ProjectId);
- var allowedProjects = projectModel.GetAllWhere((project) => allowedProjectIds.Contains(project.Id));
+ var allowedProjects = projectModel.GetAllWhere((project) => allowedProjectIds.Contains(project.Id)
+ && ((!project.SubProjectsSubProjectIdIds.Any()) // get top level projects not having any parent projects
+ || !(from subProject in project.SubProjectsSubProjectIdIds // check if the direct parent project is accessible to the current user
+ where (from parentProjectRole in subProject.Project.ProjectRolesProjectIdIds
+ where parentProjectRole.UserId == user.Id
+ && allowedAccess.Contains(parentProjectRole.Role.DisplayName.ToLower())
+ select parentProjectRole).Any()
+ select subProject).Any())
+ );
+
 
 return allowedProjects.ToList();
 }
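Review bot: The two trailing comments inside the new predicate describe each sub-expression but not the combined rule, which leaves `var allowedProjects = ...` hard to read: a project is kept when it has no entry in `SubProjectsSubProjectIdIds` (no parent) or when the user holds none of `allowedAccess` on any of its direct parents. A comment above the assignment, e.g. `// Top-level view for this user: projects without a parent, plus projects whose direct parent the user cannot access (those are presumably listed under their parent instead)`, would make that explicit. The nested query hides a project as soon as any one of its parent links points to an accessible project; if the relation allows several parents, whether that is the intended behaviour should be stated in the same comment. The enclosing method starts outside the hunk.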