From 9f1b6ccf9dbc6831b29ace182d2e5799fc213afa Mon Sep 17 00:00:00 2001 From: Marcel Nellesen Date: Mon, 20 Jan 2020 13:08:22 +0100 Subject: [PATCH] New: Included the ResourceCreator Role (coscine/issues#530) New: Included Search Api (coscine/issues#533) New: Included metadata in the resource view (coscine/issues#566) New: Corrected user authentication (coscine/issues#529) --- src/Project.Tests/DefaultControllerTests.cs | 6 + src/Project.Tests/Project.Tests.csproj | 24 +- src/Project.Tests/ProjectControllerTests.cs | 55 ++-- src/Project.Tests/ResourceControllerTests.cs | 35 +-- .../ResourceTypeControllerTests.cs | 6 +- src/Project.Tests/app.config | 6 +- src/Project.Tests/packages.config | 10 +- src/Project/App.config | 6 +- .../Controllers/DataSourceController.cs | 53 +++- .../Controllers/DisciplineController.cs | 16 +- .../Controllers/InstituteController.cs | 15 +- src/Project/Controllers/LicenseController.cs | 15 +- src/Project/Controllers/MetadataController.cs | 229 +++++++++-------- src/Project/Controllers/ProjectController.cs | 197 +++++++------- .../Controllers/ProjectRoleController.cs | 180 +++++++------ src/Project/Controllers/ResourceController.cs | 155 +++++------ .../Controllers/ResourceTypeController.cs | 31 +-- src/Project/Controllers/RoleController.cs | 15 +- src/Project/Controllers/SearchController.cs | 242 ++++++++++++++---- .../Controllers/SubProjectController.cs | 32 +-- .../Controllers/VisibilityController.cs | 15 +- src/Project/Models/MetadataModel.cs | 25 -- src/Project/Models/ProjectModel.cs | 42 +-- src/Project/Models/ResourceModel.cs | 29 ++- src/Project/Project.csproj | 26 +- src/Project/ReturnObjects/ResourceObject.cs | 5 +- src/Project/UserRoles.cs | 8 + src/Project/packages.config | 10 +- 28 files changed, 833 insertions(+), 655 deletions(-) create mode 100644 src/Project/UserRoles.cs diff --git a/src/Project.Tests/DefaultControllerTests.cs b/src/Project.Tests/DefaultControllerTests.cs index 1a1c179..2869e18 100644 --- a/src/Project.Tests/DefaultControllerTests.cs +++ b/src/Project.Tests/DefaultControllerTests.cs @@ -13,6 +13,7 @@ using System.Collections.Generic; using System.IO; using System.Linq; using System.Management; +using System.Security.Claims; namespace Coscine.Api.Project.Tests { @@ -257,6 +258,11 @@ namespace Coscine.Api.Project.Tests var context = new Mock(); context.SetupGet(x => x.Request).Returns(request.Object); + var claimsPrincipal = new Mock(); + Claim claim = new Claim("UserID", user.Id.ToString()); + context.SetupGet(x => x.User).Returns(claimsPrincipal.Object); + context.Setup(x => x.User.FindFirst("UserID")).Returns(claim); + if (stream != null) { context.SetupGet(x => x.Request.Method).Returns("POST"); diff --git a/src/Project.Tests/Project.Tests.csproj b/src/Project.Tests/Project.Tests.csproj index 133c2c6..2c54126 100644 --- a/src/Project.Tests/Project.Tests.csproj +++ b/src/Project.Tests/Project.Tests.csproj @@ -56,17 +56,17 @@ ..\packages\Consul.0.7.2.6\lib\net45\Consul.dll - - ..\packages\Coscine.Action.1.7.0\lib\net461\Coscine.Action.dll + + ..\packages\Coscine.Action.1.7.1\lib\net461\Coscine.Action.dll - - ..\packages\Coscine.ApiCommons.1.3.1\lib\net461\Coscine.ApiCommons.dll + + ..\packages\Coscine.ApiCommons.1.4.0\lib\net461\Coscine.ApiCommons.dll ..\packages\Coscine.Configuration.1.4.0\lib\net461\Coscine.Configuration.dll - - ..\packages\Coscine.Database.1.12.1\lib\net461\Coscine.Database.dll + + ..\packages\Coscine.Database.1.13.0\lib\net461\Coscine.Database.dll ..\packages\Coscine.Logging.1.0.1\lib\net461\Coscine.Logging.dll @@ -107,12 +107,18 @@ ..\packages\Microsoft.AspNetCore.Antiforgery.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Antiforgery.dll + + ..\packages\Microsoft.AspNetCore.Authentication.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.dll + ..\packages\Microsoft.AspNetCore.Authentication.Abstractions.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.Abstractions.dll ..\packages\Microsoft.AspNetCore.Authentication.Core.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.Core.dll + + ..\packages\Microsoft.AspNetCore.Authentication.JwtBearer.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.JwtBearer.dll + ..\packages\Microsoft.AspNetCore.Authorization.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authorization.dll @@ -371,6 +377,12 @@ ..\packages\Microsoft.IdentityModel.Logging.5.6.0\lib\net461\Microsoft.IdentityModel.Logging.dll + + ..\packages\Microsoft.IdentityModel.Protocols.5.3.0\lib\net461\Microsoft.IdentityModel.Protocols.dll + + + ..\packages\Microsoft.IdentityModel.Protocols.OpenIdConnect.5.3.0\lib\net461\Microsoft.IdentityModel.Protocols.OpenIdConnect.dll + ..\packages\Microsoft.IdentityModel.Tokens.5.6.0\lib\net461\Microsoft.IdentityModel.Tokens.dll diff --git a/src/Project.Tests/ProjectControllerTests.cs b/src/Project.Tests/ProjectControllerTests.cs index d779293..968f1e6 100644 --- a/src/Project.Tests/ProjectControllerTests.cs +++ b/src/Project.Tests/ProjectControllerTests.cs @@ -25,8 +25,8 @@ namespace Coscine.Api.Project.Tests public void OwnsTest() { ProjectModel projectModel = new ProjectModel(); - Assert.IsTrue(projectModel.OwnsProject(Users[0], Projects[0])); - Assert.IsFalse(projectModel.OwnsProject(Users[0], Projects[1])); + Assert.IsTrue(projectModel.HasAccess(Users[0], Projects[0], UserRoles.Owner)); + Assert.IsFalse(projectModel.HasAccess(Users[0], Projects[1], UserRoles.Owner)); var all = projectModel.GetAllWhere((project) => (from projectRole in project.ProjectRolesProjectIdIds @@ -87,15 +87,8 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); - try - { - Controller.Update(Projects[1].Id.ToString()); - Assert.Fail(); - } - catch (Exception e) - { - Assert.IsTrue(e.GetType() == typeof(NotAuthorizedException)); - } + actionResult = Controller.Update(Projects[1].Id.ToString()); + Assert.IsTrue(actionResult.GetType() == typeof(UnauthorizedObjectResult)); // Cleanup stream.Close(); @@ -114,12 +107,12 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); var actionResult = Controller.Store(); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - Assert.IsTrue(okObjectResult.Value.GetType() == typeof(ProjectObject)); + JsonResult jsonResult = (JsonResult)actionResult; + Assert.IsTrue(jsonResult.Value.GetType() == typeof(ProjectObject)); - ProjectObject createdProjectObject = (ProjectObject)okObjectResult.Value; + ProjectObject createdProjectObject = (ProjectObject)jsonResult.Value; Assert.IsTrue(createdProjectObject.Description == newProjectObject.Description); Assert.IsTrue(createdProjectObject.DisplayName == newProjectObject.DisplayName); @@ -149,12 +142,12 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); var actionResult = Controller.Store(); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - Assert.IsTrue(okObjectResult.Value.GetType() == typeof(ProjectObject)); + JsonResult result = (JsonResult)actionResult; + Assert.IsTrue(result.Value.GetType() == typeof(ProjectObject)); - ProjectObject createdProjectObject = (ProjectObject)okObjectResult.Value; + ProjectObject createdProjectObject = (ProjectObject)result.Value; stream.Close(); stream = ObjectFactory.SerializeToStream(createdProjectObject); @@ -162,10 +155,10 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); actionResult = Controller.Delete(createdProjectObject.Id.ToString()); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); - okObjectResult = (OkObjectResult)actionResult; - Assert.IsTrue(okObjectResult.Value.GetType() == typeof(ProjectObject)); + result = (JsonResult)actionResult; + Assert.IsTrue(result.Value.GetType() == typeof(ProjectObject)); stream.Close(); } @@ -184,8 +177,8 @@ namespace Coscine.Api.Project.Tests var actionResult = Controller.Store(); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - ProjectObject createdProjectObject = (ProjectObject)okObjectResult.Value; + JsonResult result = (JsonResult)actionResult; + ProjectObject createdProjectObject = (ProjectObject)result.Value; stream.Close(); newProjectObject = new ProjectObject(Guid.NewGuid(), "NewProject", "NewDisplayName", DateTime.Now, DateTime.Now.AddYears(1), "test2;test3", "abc", "investigator", "grandId", @@ -205,10 +198,10 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); actionResult = Controller.Delete(createdProjectObject.Id.ToString()); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); - okObjectResult = (OkObjectResult)actionResult; - Assert.IsTrue(okObjectResult.Value.GetType() == typeof(ProjectObject)); + result = (JsonResult)actionResult; + Assert.IsTrue(result.Value.GetType() == typeof(ProjectObject)); stream.Close(); } @@ -225,8 +218,8 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); var actionResult = Controller.Store(); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - ProjectObject createdProjectObject = (ProjectObject)okObjectResult.Value; + JsonResult result = (JsonResult)actionResult; + ProjectObject createdProjectObject = (ProjectObject)result.Value; ProjectObject newSubProjectObject = new ProjectObject(Guid.NewGuid(), "NewSubProject", "NewDisplayNameSub", DateTime.Now, DateTime.Now.AddYears(1), "test2;test3", "abc", "investigator", "grandId", new List() { new DisciplineObject(Discipline.Id, Discipline.Url, Discipline.DisplayNameDe, Discipline.DisplayNameEn) }, @@ -238,8 +231,8 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], subStream); var subActionResult = Controller.Store(); - OkObjectResult okSubObjectResult = (OkObjectResult)subActionResult; - ProjectObject createdSubProjectObject = (ProjectObject)okSubObjectResult.Value; + JsonResult resultSubProject = (JsonResult)subActionResult; + ProjectObject createdSubProjectObject = (ProjectObject)resultSubProject.Value; SubProjectModel subProjectModel = new SubProjectModel(); var subProjects = subProjectModel.GetAllWhere((x) => x.ProjectId == createdProjectObject.Id); diff --git a/src/Project.Tests/ResourceControllerTests.cs b/src/Project.Tests/ResourceControllerTests.cs index 869a440..b69ef09 100644 --- a/src/Project.Tests/ResourceControllerTests.cs +++ b/src/Project.Tests/ResourceControllerTests.cs @@ -23,19 +23,19 @@ namespace Coscine.Api.Project.Tests public void TestControllerIndex() { var actionResult = Controller.Index(); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); } [Test] public void TestControllerGet() { var actionResult = Controller.Get(Resources[0].Id.ToString()); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - Assert.IsTrue(okObjectResult.Value.GetType() == typeof(ResourceObject)); + JsonResult result = (JsonResult)actionResult; + Assert.IsTrue(result.Value.GetType() == typeof(ResourceObject)); - ResourceObject resourceObject = (ResourceObject)okObjectResult.Value; + ResourceObject resourceObject = (ResourceObject)result.Value; Assert.IsTrue(resourceObject.Id == Resources[0].Id); Assert.IsTrue(resourceObject.DisplayName == Resources[0].DisplayName); @@ -49,8 +49,8 @@ namespace Coscine.Api.Project.Tests public void TestControllerUpdate() { var actionResult = Controller.Get(Resources[0].Id.ToString()); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - ResourceObject resourceObject = (ResourceObject)okObjectResult.Value; + JsonResult result = (JsonResult)actionResult; + ResourceObject resourceObject = (ResourceObject)result.Value; resourceObject.DisplayName = "OtherName"; resourceObject.ResourceTypeOption = JObject.FromObject(new RDSResourceTypeObject(Guid.NewGuid(), "PITLABTTEST", 0)); @@ -60,7 +60,7 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); actionResult = Controller.Update(Resources[0].Id.ToString()); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); // Cleanup stream.Close(); @@ -69,15 +69,8 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); - try - { - Controller.Update(Resources[1].Id.ToString()); - Assert.Fail(); - } - catch (Exception e) - { - Assert.IsTrue(e.GetType() == typeof(NotAuthorizedException)); - } + actionResult = Controller.Update(Resources[1].Id.ToString()); + Assert.IsTrue(actionResult.GetType() == typeof(UnauthorizedObjectResult)); // Cleanup stream.Close(); @@ -107,9 +100,9 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); var actionResult = Controller.StoreToProject(Projects[0].Id.ToString()); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - resourceObject = (ResourceObject)okObjectResult.Value; + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); + JsonResult result = (JsonResult)actionResult; + resourceObject = (ResourceObject)result.Value; // Cleanup stream.Close(); @@ -119,7 +112,7 @@ namespace Coscine.Api.Project.Tests FakeControllerContext(Users[0], stream); actionResult = Controller.Delete(resourceObject.Id.ToString()); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); stream.Close(); } diff --git a/src/Project.Tests/ResourceTypeControllerTests.cs b/src/Project.Tests/ResourceTypeControllerTests.cs index e8cc2aa..69dc700 100644 --- a/src/Project.Tests/ResourceTypeControllerTests.cs +++ b/src/Project.Tests/ResourceTypeControllerTests.cs @@ -20,10 +20,10 @@ namespace Coscine.Api.Project.Tests public void TestGettingFields() { var actionResult = Controller.Fields(Resources[0].Type.Id.ToString()); - Assert.IsTrue(actionResult.GetType() == typeof(OkObjectResult)); + Assert.IsTrue(actionResult.GetType() == typeof(JsonResult)); - OkObjectResult okObjectResult = (OkObjectResult)actionResult; - List fields = (List) okObjectResult.Value; + JsonResult result = (JsonResult)actionResult; + List fields = (List) result.Value; if(fields.Count() == 2) { Assert.IsTrue(fields[0] == "BucketName"); diff --git a/src/Project.Tests/app.config b/src/Project.Tests/app.config index 70c2da4..8187397 100644 --- a/src/Project.Tests/app.config +++ b/src/Project.Tests/app.config @@ -88,7 +88,7 @@ - + @@ -142,6 +142,10 @@ + + + + diff --git a/src/Project.Tests/packages.config b/src/Project.Tests/packages.config index c20bc53..034f6f4 100644 --- a/src/Project.Tests/packages.config +++ b/src/Project.Tests/packages.config @@ -4,10 +4,10 @@ - - + + - + @@ -22,8 +22,10 @@ + + @@ -115,6 +117,8 @@ + + diff --git a/src/Project/App.config b/src/Project/App.config index 8eaea8c..bf476cf 100644 --- a/src/Project/App.config +++ b/src/Project/App.config @@ -91,7 +91,7 @@ - + @@ -145,6 +145,10 @@ + + + + diff --git a/src/Project/Controllers/DataSourceController.cs b/src/Project/Controllers/DataSourceController.cs index d594e88..7dd77b6 100644 --- a/src/Project/Controllers/DataSourceController.cs +++ b/src/Project/Controllers/DataSourceController.cs @@ -5,6 +5,7 @@ using Coscine.ApiCommons.Factories; using Coscine.ApiCommons.Utils; using Coscine.Configuration; using Coscine.Database.Model; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Newtonsoft.Json.Linq; using System; @@ -22,6 +23,7 @@ using System.Web; namespace Coscine.Api.Project.Controllers { + [Authorize] public class DataSourceController : Controller { private readonly IConfiguration _configuration; @@ -30,6 +32,7 @@ namespace Coscine.Api.Project.Controllers private static readonly HttpClient Client; private readonly Authenticator _authenticator; private readonly ResourceModel _resourceModel; + private readonly ProjectModel _projectModel; static DataSourceController() { @@ -45,6 +48,7 @@ namespace Coscine.Api.Project.Controllers _jwtHandler = new JWTHandler(_configuration); _authenticator = new Authenticator(this, _configuration); _resourceModel = new ResourceModel(); + _projectModel = new ProjectModel(); } // inferring a ../ (urlencoded) can manipulate the url. @@ -53,6 +57,8 @@ namespace Coscine.Api.Project.Controllers [HttpGet("[controller]/{resourceId}/{path}")] public async Task GetWaterButlerFolder(string resourceId, string path) { + var user = _authenticator.GetUser(); + if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); @@ -64,6 +70,11 @@ namespace Coscine.Api.Project.Controllers return check; } + if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) + { + return BadRequest("User does not have permission to the resource."); + } + var authHeader = BuildAuthHeader(resource); if (authHeader == null) @@ -107,6 +118,9 @@ namespace Coscine.Api.Project.Controllers [DisableRequestSizeLimit] public async Task PutUploadFile(string resourceId, string path) { + var user = _authenticator.GetUser(); + + if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); @@ -118,6 +132,11 @@ namespace Coscine.Api.Project.Controllers return check; } + if(!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) + { + return BadRequest("User does not have permission to the resource."); + } + var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" }); if (authHeader == null) @@ -156,6 +175,8 @@ namespace Coscine.Api.Project.Controllers [DisableRequestSizeLimit] public async Task PutUpdateFile(string resourceId, string path) { + var user = _authenticator.GetUser(); + if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); @@ -167,6 +188,11 @@ namespace Coscine.Api.Project.Controllers return check; } + if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) + { + return BadRequest("User does not have permission to the resource."); + } + var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" }); if (authHeader == null) @@ -220,7 +246,7 @@ namespace Coscine.Api.Project.Controllers return resource["type"]["displayName"].ToString().ToLower(); } } - + public async Task UploadFile(string url, string authHeader, Stream stream) { @@ -233,6 +259,8 @@ namespace Coscine.Api.Project.Controllers [HttpDelete("[controller]/{resourceId}/{path}")] public async Task Delete(string resourceId, string path) { + var user = _authenticator.GetUser(); + if (!string.IsNullOrWhiteSpace(path)) { path = HttpUtility.UrlDecode(path); @@ -244,6 +272,11 @@ namespace Coscine.Api.Project.Controllers return check; } + if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) + { + return BadRequest("User does not have permission to the resource."); + } + var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" }); if (authHeader == null) @@ -286,7 +319,6 @@ namespace Coscine.Api.Project.Controllers JToken resource = ObjectFactory.DeserializeFromStream(Request.Body); - string authHeader = null; if (resource["type"]["displayName"].ToString().ToLower() == "s3") { @@ -298,10 +330,12 @@ namespace Coscine.Api.Project.Controllers } else if (resource["type"]["displayName"].ToString().ToLower() == "gitlab") { - GitlabResourceType gitlabResourceType = new GitlabResourceType(); - gitlabResourceType.RepositoryNumber = (int)resource["resourceTypeOption"]["RepositoryNumber"]; - gitlabResourceType.RepositoryUrl = resource["resourceTypeOption"]["RepositoryUrl"].ToString(); - gitlabResourceType.Token = resource["resourceTypeOption"]["Token"].ToString(); + GitlabResourceType gitlabResourceType = new GitlabResourceType + { + RepositoryNumber = (int)resource["resourceTypeOption"]["RepositoryNumber"], + RepositoryUrl = resource["resourceTypeOption"]["RepositoryUrl"].ToString(), + Token = resource["resourceTypeOption"]["Token"].ToString() + }; authHeader = BuildGitlabAuthHeader(gitlabResourceType); } @@ -374,7 +408,7 @@ namespace Coscine.Api.Project.Controllers { return BadRequest($"{resourceId} is not a guid."); } - + try { resource = _resourceModel.GetById(resourceGuid); @@ -382,11 +416,6 @@ namespace Coscine.Api.Project.Controllers { return NotFound($"Could not find resource with id: {resourceId}"); } - var user = _authenticator.GetUserFromToken(); - if (!_resourceModel.OwnsResource(user, resource)) - { - return Forbid($"The user does not own the resource {resourceId}"); - } } catch (Exception) { diff --git a/src/Project/Controllers/DisciplineController.cs b/src/Project/Controllers/DisciplineController.cs index 62c1ea0..34ae92d 100644 --- a/src/Project/Controllers/DisciplineController.cs +++ b/src/Project/Controllers/DisciplineController.cs @@ -1,33 +1,27 @@ using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; -using Coscine.ApiCommons; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; -using System; -using System.Collections.Generic; using System.Linq; -using System.Text; -using System.Threading.Tasks; namespace Coscine.Api.Project.Controllers { + [Authorize] public class DisciplineController : Controller { - private readonly Authenticator _authenticator; private readonly DisciplineModel _disciplineModel; public DisciplineController() { - _authenticator = new Authenticator(this, Program.Configuration); _disciplineModel = new DisciplineModel(); } [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _disciplineModel.GetAll().OrderBy(discipline => discipline.DisplayNameDe.Substring(discipline.DisplayNameDe.Length - 3)).Select((discipline) => new DisciplineObject(discipline.Id, discipline.Url, discipline.DisplayNameDe, discipline.DisplayNameEn)); - })); + return Json(_disciplineModel.GetAll() + .OrderBy(discipline => discipline.DisplayNameDe.Substring(discipline.DisplayNameDe.Length - 3)) + .Select((discipline) => new DisciplineObject(discipline.Id, discipline.Url, discipline.DisplayNameDe, discipline.DisplayNameEn))); } } } diff --git a/src/Project/Controllers/InstituteController.cs b/src/Project/Controllers/InstituteController.cs index 7ef066f..2fff9d6 100644 --- a/src/Project/Controllers/InstituteController.cs +++ b/src/Project/Controllers/InstituteController.cs @@ -1,33 +1,26 @@ using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; -using Coscine.ApiCommons; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; -using System; -using System.Collections.Generic; using System.Linq; -using System.Text; -using System.Threading.Tasks; namespace Coscine.Api.Project.Controllers { + [Authorize] public class InstituteController : Controller { - private readonly Authenticator _authenticator; private readonly InstituteModel _instituteModel; public InstituteController() { - _authenticator = new Authenticator(this, Program.Configuration); _instituteModel = new InstituteModel(); } [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _instituteModel.GetAll().Select((institute) => new InstituteObject(institute.Id, institute.IKZ, institute.DisplayName)); - })); + return Json(_instituteModel.GetAll() + .Select((institute) => new InstituteObject(institute.Id, institute.IKZ, institute.DisplayName))); } } } diff --git a/src/Project/Controllers/LicenseController.cs b/src/Project/Controllers/LicenseController.cs index 8856855..c4210d9 100644 --- a/src/Project/Controllers/LicenseController.cs +++ b/src/Project/Controllers/LicenseController.cs @@ -1,33 +1,26 @@ using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; -using Coscine.ApiCommons; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; -using System; -using System.Collections.Generic; using System.Linq; -using System.Text; -using System.Threading.Tasks; namespace Coscine.Api.Project.Controllers { + [Authorize] public class LicenseController : Controller { - private readonly Authenticator _authenticator; private readonly LicenseModel _licenseModel; public LicenseController() { - _authenticator = new Authenticator(this, Program.Configuration); _licenseModel = new LicenseModel(); } [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _licenseModel.GetAll().Select((license) => new LicenseObject(license.Id, license.DisplayName)); - })); + return Json(_licenseModel.GetAll() + .Select((license) => new LicenseObject(license.Id, license.DisplayName))); } } } diff --git a/src/Project/Controllers/MetadataController.cs b/src/Project/Controllers/MetadataController.cs index 018a1da..8a69e4a 100644 --- a/src/Project/Controllers/MetadataController.cs +++ b/src/Project/Controllers/MetadataController.cs @@ -11,15 +11,18 @@ using VDS.RDF.Parsing; using VDS.RDF; using Metadata; using System.Web; -using System.IO; +using Microsoft.AspNetCore.Authorization; namespace Coscine.Api.Project.Controllers { + + [Authorize] public class MetadataController : Controller { private readonly Authenticator _authenticator; private readonly MetadataModel _metadataModel; private readonly ResourceModel _resourceModel; + private readonly ProjectModel _projectModel; private readonly Util _util; public MetadataController() @@ -27,31 +30,29 @@ namespace Coscine.Api.Project.Controllers _authenticator = new Authenticator(this, Program.Configuration); _metadataModel = new MetadataModel(); _resourceModel = new ResourceModel(); + _projectModel = new ProjectModel(); _util = new Util(); } [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return NoContent(); - })); + return NoContent(); } // returns the basic application profile [HttpGet("[controller]/resource/{projectId}/ap/{applicationProfileId}")] public IActionResult GetApplicationProfile(Guid projectId, string applicationProfileId) { - var user = _authenticator.GetUserFromToken(); + var user = _authenticator.GetUser(); - if (_metadataModel.IsProjectMember(user, projectId)) + if (_projectModel.HasAccess(user, _projectModel.GetById(projectId), UserRoles.Owner, UserRoles.Member)) { var graph = _util.GetGraph(HttpUtility.UrlDecode(applicationProfileId)); var json = JToken.Parse(VDS.RDF.Writing.StringWriter.Write(graph, new RdfJsonWriter())); - return Ok(json); + return Json(json); } else { @@ -64,10 +65,10 @@ namespace Coscine.Api.Project.Controllers [HttpGet("[controller]/resource/{resourceId}/apc/{applicationProfileId}")] public IActionResult GetApplicationProfileComplete(string resourceId, string applicationProfileId) { - var user = _authenticator.GetUserFromToken(); + var user = _authenticator.GetUser(); var resource = _resourceModel.GetById(Guid.Parse(resourceId)); - if (_metadataModel.IsProjectMember(user, resource) && applicationProfileId != null) + if (_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member) && applicationProfileId != null) { var graph = _util.GetGraph(HttpUtility.UrlDecode(applicationProfileId)); var fixedValuesGraph = new Graph(); @@ -90,150 +91,162 @@ namespace Coscine.Api.Project.Controllers [HttpGet("[controller]/project/{projectId}/aplist/")] public IActionResult ListAllApplicationProfiles(Guid projectId) { - return Ok(_authenticator.ValidateAndExecute((user) => + var user = _authenticator.GetUser(); + if (_projectModel.HasAccess(user, _projectModel.GetById(projectId), UserRoles.Owner, UserRoles.Member)) { - if (_metadataModel.IsProjectMember(user, projectId)) - { - var graphUris = _util.ListGraphs(); + var graphUris = _util.ListGraphs(); - return new JArray(graphUris.Select(x => x.ToString()).Where(x => x.StartsWith("https://purl.org/coscine/ap/"))); - } - else - { - throw new NotAuthorizedException("User is no project member!"); - } - })); + return Json(new JArray(graphUris.Select(x => x.ToString()).Where(x => x.StartsWith("https://purl.org/coscine/ap/")))); + } + else + { + throw new NotAuthorizedException("User is no project member!"); + } } [HttpGet("[controller]/resource/{resourceId}/filename/{filename}/ver/{version}")] public IActionResult GetMetadataForFile(string resourceId, string filename, string version) { - return Ok(_authenticator.ValidateAndExecute((user) => + var user = _authenticator.GetUser(); + var resource = _resourceModel.GetById(Guid.Parse(resourceId)); + if (_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) { - var resource = _resourceModel.GetById(Guid.Parse(resourceId)); - if (_metadataModel.IsProjectMember(user, resource)) - { - var id = _metadataModel.GenerateId(resourceId, filename, version); - var graph = _util.GetGraph(id); - return JToken.Parse(VDS.RDF.Writing.StringWriter.Write(graph, new RdfJsonWriter())); - } - else - { - throw new NotAuthorizedException("User is no project member!"); - } - })); + var id = _metadataModel.GenerateId(resourceId, filename, version); + var graph = _util.GetGraph(id); + return Json(JToken.Parse(VDS.RDF.Writing.StringWriter.Write(graph, new RdfJsonWriter())).ToString()); + } + else + { + throw new NotAuthorizedException("User is no project member!"); + } } [HttpPut("[controller]/resource/{resourceId}/filename/{filename}/ver/{version}")] public IActionResult StoreMetadataForFile(string resourceId, string filename, string version) { - return Ok(_authenticator.ValidateAndExecute((user) => + var innerBlock = ObjectFactory.DeserializeFromStream(Request.Body); + var graphName = _metadataModel.GenerateId(resourceId, filename, version); + var graphNameUri = new Uri(graphName); + var json = new JObject { - var innerBlock = ObjectFactory.DeserializeFromStream(Request.Body); - var graphName = _metadataModel.GenerateId(resourceId, filename, version); - var graphNameUri = new Uri(graphName); - var json = new JObject + [graphName] = innerBlock + }; + + var user = _authenticator.GetUser(); + var resource = _resourceModel.GetById(Guid.Parse(resourceId)); + + if (_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) + { + json[graphName]["http://www.w3.org/1999/02/22-rdf-syntax-ns#type"] = new JArray { - [graphName] = innerBlock + new JObject + { + ["value"] = resource.ApplicationProfile.Substring(0, resource.ApplicationProfile.Length-1), + ["type"] = "uri" + } }; - - var resource = _resourceModel.GetById(Guid.Parse(resourceId)); - if (_metadataModel.IsProjectMember(user, resource)) + // throw bad request if empty node value is detected + JToken root = json.First.First; + foreach (var node in root) { - var graph = new Graph(); - graph.LoadFromString(json.ToString(), new RdfJsonParser()); + string nodeValue = node.First.First["value"].ToString().ToLower(); + if (String.IsNullOrEmpty(nodeValue)) + { + throw new ArgumentException("Empty values in application profile are not accepted."); + } + } - var fixedValuesGraph = new Graph(); - fixedValuesGraph.LoadFromString(resource.FixedValues, new RdfJsonParser()); + var graph = new Graph(); + graph.LoadFromString(json.ToString(), new RdfJsonParser()); - foreach(var triple in fixedValuesGraph.Triples.Where(x => x.Predicate.ToString() == "https://purl.org/coscine/fixedValue")) + var fixedValuesGraph = new Graph(); + fixedValuesGraph.LoadFromString(resource.FixedValues, new RdfJsonParser()); + + foreach(var triple in fixedValuesGraph.Triples.Where(x => x.Predicate.ToString() == "https://purl.org/coscine/fixedValue")) + { + // Remove any existing triples + foreach (var triple2 in graph.GetTriplesWithSubjectPredicate(graph.CreateUriNode(graphNameUri), triple.Subject).ToList()) { - // Remove any existing triples - foreach (var triple2 in graph.GetTriplesWithSubjectPredicate(graph.CreateUriNode(graphNameUri), triple.Subject).ToList()) - { - graph.Retract(triple2); - } - graph.Assert(graph.CreateUriNode(graphNameUri), triple.Subject, triple.Object); + graph.Retract(triple2); } + graph.Assert(graph.CreateUriNode(graphNameUri), triple.Subject, triple.Object); + } - // Default values is not checked or added + // Default values is not checked or added - // validate the data - if (_util.ValidateShacl(graph, graphNameUri)) + // validate the data + if (_util.ValidateShacl(graph, graphNameUri)) + { + // store the data + if (_util.HasGraph(graphNameUri)) { - // store the data - if (_util.HasGraph(graphNameUri)) - { - _util.ClearGraph(graphNameUri); - } - else - { - _util.CreateNamedGraph(graphNameUri); - } - - // BaseUri must be set for the sparql query - graph.BaseUri = graphNameUri; - _util.AddGraph(graph); - - return NoContent(); + _util.ClearGraph(graphNameUri); } else { - throw new NotAuthorizedException("Data has the wrong format!"); + _util.CreateNamedGraph(graphNameUri); } + // BaseUri must be set for the sparql query + graph.BaseUri = graphNameUri; + _util.AddGraph(graph); + + return NoContent(); } else { - throw new NotAuthorizedException("User is no project member!"); + throw new NotAuthorizedException("Data has the wrong format!"); } - })); + + } + else + { + throw new NotAuthorizedException("User is no project member!"); + } } [HttpGet("[controller]/vocabulary/{projectId}/{path}")] public IActionResult GetVocabulary(Guid projectId, string path) { - return Ok(_authenticator.ValidateAndExecute((user) => + var user = _authenticator.GetUser(); + if (_projectModel.HasAccess(user, _projectModel.GetById(projectId), UserRoles.Owner, UserRoles.Member)) { - if (_metadataModel.IsProjectMember(user, projectId)) - { - var graph = _util.GetGraph(HttpUtility.UrlDecode(path)); - - JArray de = new JArray(); - foreach (var kv in _util.GetVocabularyLabels(graph, "de")) - { - JObject obj = new JObject - { - ["value"] = kv.Key, - ["name"] = kv.Value - }; - de.Add(obj); - } + var graph = _util.GetGraph(HttpUtility.UrlDecode(path)); - JArray en = new JArray(); - foreach(var kv in _util.GetVocabularyLabels(graph, "en")) + var de = new JArray(); + foreach (var kv in _util.GetVocabularyLabels(graph, "de")) + { + JObject obj = new JObject { - JObject obj = new JObject - { - ["value"] = kv.Key, - ["name"] = kv.Value - }; - en.Add(obj); - } + ["value"] = kv.Key, + ["name"] = kv.Value + }; + de.Add(obj); + } - JObject json = new JObject + var en = new JArray(); + foreach(var kv in _util.GetVocabularyLabels(graph, "en")) + { + JObject obj = new JObject { - ["de"] = de, - ["en"] = en + ["value"] = kv.Key, + ["name"] = kv.Value }; - - return json; + en.Add(obj); } - else + + JObject json = new JObject { - throw new NotAuthorizedException("User is no project member!"); - } - })); + ["de"] = de, + ["en"] = en + }; + + return Json(json); + } + else + { + throw new NotAuthorizedException("User is no project member!"); + } } } diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs index d2a952b..a6dad85 100644 --- a/src/Project/Controllers/ProjectController.cs +++ b/src/Project/Controllers/ProjectController.cs @@ -1,20 +1,19 @@ using Coscine.Action; using Coscine.Action.EventArgs; -using Coscine.Action.Implementations.Project; using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; using Coscine.ApiCommons; -using Coscine.ApiCommons.Exceptions; using Coscine.ApiCommons.Factories; -using Coscine.Database.Model; using Microsoft.AspNetCore.Mvc; using System; -using System.Collections.Generic; using System.Linq; using Coscine.Configuration; +using Microsoft.AspNetCore.Authorization; +using System.Collections.Generic; namespace Coscine.Api.Project.Controllers { + [Authorize] public class ProjectController : Controller { private readonly Authenticator _authenticator; @@ -27,105 +26,96 @@ namespace Coscine.Api.Project.Controllers _authenticator = new Authenticator(this, Program.Configuration); _configuration = Program.Configuration; _projectModel = new ProjectModel(); - _emitter = new Emitter(this._configuration); + _emitter = new Emitter(_configuration); } [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _projectModel.GetAllWhere((project) => - (from projectRole in project.ProjectRolesProjectIdIds - where projectRole.User == user - && projectRole.Role.DisplayName == "Owner" - select projectRole).Any() - ).Select((project) => _projectModel.CreateReturnObjectFromDatabaseObject(project)); - })); + var user = _authenticator.GetUser(); + + return Ok(_projectModel.GetWithAccess(user, UserRoles.Member, UserRoles.Owner).ToList() + .Select((project) => _projectModel.CreateReturnObjectFromDatabaseObject(project)) + .OrderBy(element => element.DisplayName) + ); + } [HttpGet("[controller]/{id}")] public IActionResult Get(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => - { - var project = _projectModel.GetById(Guid.Parse(id)); - if (_projectModel.CanSeeProject(user, project)) - { - return _projectModel.CreateReturnObjectFromDatabaseObject(project); - } - else - { - throw new UnauthorizedAccessException("User is not allowed to see given project Id!"); - } - })); + var user = _authenticator.GetUser(); + var project = _projectModel.GetById(Guid.Parse(id)); + if (_projectModel.HasAccess(user, project, UserRoles.Member, UserRoles.Owner)) + { + return Ok(_projectModel.CreateReturnObjectFromDatabaseObject(project)); + } + else + { + return Unauthorized($"User is not allowed to see given the project {id}"); + } } [HttpGet("[controller]/{id}/resources")] public IActionResult GetResources(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => - { - var project = _projectModel.GetById(Guid.Parse(id)); - ResourceModel resourceModel = new ResourceModel(); - ResourceTypeModel resourceTypeModel = new ResourceTypeModel(); - if (_projectModel.CanSeeProject(user, project)) - { - return resourceModel.GetAllWhere((resource) => - (from projectResource in resource.ProjectResourceResourceIdIds - where projectResource.ProjectId == project.Id - select projectResource).Any()) - .Select((resource) => - { - return resourceModel.CreateReturnObjectFromDatabaseObject(resource); - }); - } - else - { - throw new UnauthorizedAccessException("User cannot see resources of given project!"); - } - })); + var project = _projectModel.GetById(Guid.Parse(id)); + var user = _authenticator.GetUser(); + + var resourceModel = new ResourceModel(); + var resourceTypeModel = new ResourceTypeModel(); + if (_projectModel.HasAccess(user, project, UserRoles.Member, UserRoles.Owner)) + { + return Json(resourceModel.GetAllWhere((resource) => + (from projectResource in resource.ProjectResourceResourceIdIds + where projectResource.ProjectId == project.Id + select projectResource).Any()) + .Select((resource) => + { + return resourceModel.CreateReturnObjectFromDatabaseObject(resource); + }).OrderBy(element => element.DisplayName)); + } + else + { + return Unauthorized($"User is not allowed to see given the project {id}"); + } } [HttpPost("[controller]/{id}")] public IActionResult Update(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => - { - ProjectObject projectObject = ObjectFactory.DeserializeFromStream(Request.Body); - var project = _projectModel.GetById(Guid.Parse(id)); - if(_projectModel.OwnsProject(user, project)) - { - return _projectModel.UpdateByObject(project, projectObject); - } - else - { - throw new NotAuthorizedException("The user is not authorized to perform an update on the selected project!"); - } - })); + var user = _authenticator.GetUser(); + var projectObject = ObjectFactory.DeserializeFromStream(Request.Body); + var project = _projectModel.GetById(Guid.Parse(id)); + if(_projectModel.HasAccess(user, project, UserRoles.Owner)) + { + return Ok(_projectModel.UpdateByObject(project, projectObject)); + } + else + { + return Unauthorized("The user is not authorized to perform an update on the selected project!"); + } } [HttpDelete("[controller]/{id}")] public IActionResult Delete(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => - { - var project = _projectModel.GetById(Guid.Parse(id)); - if (_projectModel.OwnsProject(user, project)) - { - DeleteProject(project); - return _projectModel.CreateReturnObjectFromDatabaseObject(project); - } - else - { - throw new NotAuthorizedException("The user is not authorized to perform an update on the selected project!"); - } - })); + var user = _authenticator.GetUser(); + var project = _projectModel.GetById(Guid.Parse(id)); + if (_projectModel.HasAccess(user, project, UserRoles.Owner)) + { + DeleteProject(project); + return Json(_projectModel.CreateReturnObjectFromDatabaseObject(project)); + } + else + { + return Unauthorized("The user is not authorized to perform an update on the selected project!"); + } } - public void DeleteProject(Coscine.Database.Model.Project project) + public void DeleteProject(Database.Model.Project project) { - SubProjectModel subProjectModel = new SubProjectModel(); + var subProjectModel = new SubProjectModel(); foreach(var subProject in subProjectModel.GetAllWhere((subProject) => subProject.ProjectId == project.Id)) { subProjectModel.Delete(subProject); @@ -137,7 +127,7 @@ namespace Coscine.Api.Project.Controllers subProjectModel.Delete(subProject); } - ProjectResourceModel projectResourceModel = new ProjectResourceModel(); + var projectResourceModel = new ProjectResourceModel(); ResourceModel resourceModel = new ResourceModel(); foreach (var projectResource in projectResourceModel.GetAllWhere((projectResource) => projectResource.ProjectId == project.Id)) { @@ -145,19 +135,19 @@ namespace Coscine.Api.Project.Controllers resourceModel.Delete(resourceModel.GetById(projectResource.ResourceId)); } - ProjectRoleModel projectRoleModel = new ProjectRoleModel(); + var projectRoleModel = new ProjectRoleModel(); foreach (var projectRole in projectRoleModel.GetAllWhere((projectRole) => projectRole.ProjectId == project.Id)) { projectRoleModel.Delete(projectRole); } - ProjectDisciplineModel projectDisciplineModel = new ProjectDisciplineModel(); + var projectDisciplineModel = new ProjectDisciplineModel(); foreach (var projectDiscipline in projectDisciplineModel.GetAllWhere((projectDiscipline) => projectDiscipline.ProjectId == project.Id)) { projectDisciplineModel.Delete(projectDiscipline); } - ProjectInstituteModel projectInstituteModel = new ProjectInstituteModel(); + var projectInstituteModel = new ProjectInstituteModel(); foreach (var projectInstitute in projectInstituteModel.GetAllWhere((projectInstitute) => projectInstitute.ProjectId == project.Id)) { projectInstituteModel.Delete(projectInstitute); @@ -174,27 +164,34 @@ namespace Coscine.Api.Project.Controllers [HttpPost("[controller]")] public IActionResult Store() { - return base.Ok(_authenticator.ValidateAndExecute((user) => - { - ProjectObject projectObject = ObjectFactory.DeserializeFromStream(Request.Body); - var project = _projectModel.StoreFromObject(projectObject, user); - - if (projectObject.ParentId != null - && projectObject.ParentId != new Guid() - && _projectModel.IsMemberOrHigher(user, _projectModel.GetById(projectObject.ParentId))) // for now, only an owner can add subprojects to projects - { - SubProjectModel subProjectModel = new SubProjectModel(); - subProjectModel.LinkSubProject(projectObject.ParentId, project.Id); - } - - _emitter.EmitProjectCreate(new ProjectEventArgs(_configuration) - { - Project = project, - ProjectOwner = user - }); - - return _projectModel.CreateReturnObjectFromDatabaseObject(project); - })); + var user = _authenticator.GetUser(); + var projectObject = ObjectFactory.DeserializeFromStream(Request.Body); + + if (projectObject.ParentId != null + && projectObject.ParentId != new Guid() + && !_projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner)) + { + return Unauthorized("User is not allowed to create SubProjects."); + } + + var project = _projectModel.StoreFromObject(projectObject, user); + + if (projectObject.ParentId != null + && projectObject.ParentId != new Guid() + // for now, only an owner can add subprojects to projects + && _projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner)) + { + var subProjectModel = new SubProjectModel(); + subProjectModel.LinkSubProject(projectObject.ParentId, project.Id); + } + + _emitter.EmitProjectCreate(new ProjectEventArgs(_configuration) + { + Project = project, + ProjectOwner = user + }); + + return Json(_projectModel.CreateReturnObjectFromDatabaseObject(project)); } } } diff --git a/src/Project/Controllers/ProjectRoleController.cs b/src/Project/Controllers/ProjectRoleController.cs index f7638fd..4dca837 100644 --- a/src/Project/Controllers/ProjectRoleController.cs +++ b/src/Project/Controllers/ProjectRoleController.cs @@ -1,27 +1,24 @@ using Coscine.Action; using Coscine.Action.EventArgs; -using Coscine.Action.Implementations.User; using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; using Coscine.ApiCommons; -using Coscine.ApiCommons.Exceptions; using Coscine.ApiCommons.Factories; -using Coscine.Database.Model; +using Coscine.Configuration; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using System; -using System.Collections.Generic; using System.Linq; -using System.Text; -using System.Threading.Tasks; namespace Coscine.Api.Project.Controllers { + [Authorize] public class ProjectRoleController : Controller { private readonly Authenticator _authenticator; private readonly ProjectRoleModel _projectRoleModel; private readonly Emitter _emitter; - private readonly Coscine.Configuration.IConfiguration _configuration; + private readonly IConfiguration _configuration; public ProjectRoleController() { @@ -34,120 +31,115 @@ namespace Coscine.Api.Project.Controllers [Route("[controller]/{projectId}")] public IActionResult Index(string projectId) { - return Ok(_authenticator.ValidateAndExecute((user) => + var userModel = new UserModel(); + var roleModel = new RoleModel(); + var projectModel = new ProjectModel(); + Guid.TryParse(projectId, out Guid projectIdGuid); + var user = _authenticator.GetUser(); + + if (projectModel.HasAccess(user, projectModel.GetById(projectIdGuid), UserRoles.Owner, UserRoles.Member)) { - UserModel userModel = new UserModel(); - RoleModel roleModel = new RoleModel(); - ProjectModel projectModel = new ProjectModel(); - Guid.TryParse(projectId, out Guid projectIdGuid); - if (projectModel.OwnsProject(user, projectModel.GetById(projectIdGuid))) + return Json(_projectRoleModel.GetAllWhere((projectRole) => + (projectRole.ProjectId == projectIdGuid) + ).Select((projectRole) => { - return _projectRoleModel.GetAllWhere((projectRole) => - (projectRole.ProjectId == projectIdGuid) - ).Select((projectRole) => + var userInst = projectRole.User; + if (userInst == null) { - User userInst = projectRole.User; - if (userInst == null) - { - userInst = userModel.GetById(projectRole.UserId); - } - Role role = projectRole.Role; - if (role == null) - { - role = roleModel.GetById(projectRole.RoleId); - } - return new ProjectRoleObject(projectRole.ProjectId, new UserObject(userInst.Id, userInst.DisplayName, userInst.Givenname, userInst.Surname, userInst.EmailAddress), new RoleObject(role.Id, role.DisplayName)); - }); - } - else - { - throw new UnauthorizedAccessException("User is not allowed to list all users to the given project!"); - } - })); + userInst = userModel.GetById(projectRole.UserId); + } + var role = projectRole.Role; + if (role == null) + { + role = roleModel.GetById(projectRole.RoleId); + } + return new ProjectRoleObject(projectRole.ProjectId, new UserObject(userInst.Id, userInst.DisplayName, userInst.Givenname, userInst.Surname, userInst.EmailAddress), new RoleObject(role.Id, role.DisplayName)); + })); + } + else + { + return Unauthorized("User is not allowed to list all users to the given project!"); + } } //Get all roles for current user and given project [HttpGet("[controller]/project/{projectId}")] public IActionResult Get(string projectId) { - return Ok(_authenticator.ValidateAndExecute((user) => - { - RoleModel roleModel = new RoleModel(); - Guid.TryParse(projectId, out Guid projectIdGuid); - UserObject userObject = new UserObject(user.Id, user.DisplayName, user.Givenname, user.Surname, user.EmailAddress); + var roleModel = new RoleModel(); + Guid.TryParse(projectId, out Guid projectIdGuid); + var user = _authenticator.GetUser(); + var userObject = new UserObject(user.Id, user.DisplayName, user.Givenname, user.Surname, user.EmailAddress); - return _projectRoleModel.GetAllWhere((projectRole) => - (projectRole.UserId == user.Id && - projectRole.ProjectId == projectIdGuid) - ).Select((projectRole) => { - if(projectRole.Role == null) - { - projectRole.Role = roleModel.GetById(projectRole.RoleId); - } - return new ProjectRoleObject(projectRole.RelationId, userObject, new RoleObject(projectRole.Role.Id, projectRole.Role.DisplayName)); - }); + return Json(_projectRoleModel.GetAllWhere((projectRole) => + (projectRole.UserId == user.Id && + projectRole.ProjectId == projectIdGuid) + ).Select((projectRole) => { + if(projectRole.Role == null) + { + projectRole.Role = roleModel.GetById(projectRole.RoleId); + } + return new ProjectRoleObject(projectRole.RelationId, userObject, new RoleObject(projectRole.Role.Id, projectRole.Role.DisplayName)); })); } [HttpPost("[controller]")] public IActionResult Set() { - return Ok(_authenticator.ValidateAndExecute((user) => + var projectRoleObject = ObjectFactory.DeserializeFromStream(Request.Body); + var projectModel = new ProjectModel(); + var project = projectModel.GetById(projectRoleObject.ProjectId); + var roleModel = new RoleModel(); + var role = roleModel.GetById(projectRoleObject.Role.Id); + var userModel = new UserModel(); + var userToAdd = userModel.GetById(projectRoleObject.User.Id); + var user = _authenticator.GetUser(); + + if (projectModel.HasAccess(user, project, UserRoles.Owner)) { - ProjectRoleObject projectRoleObject = ObjectFactory.DeserializeFromStream(Request.Body); - ProjectModel projectModel = new ProjectModel(); - var project = projectModel.GetById(projectRoleObject.ProjectId); - RoleModel roleModel = new RoleModel(); - var role = roleModel.GetById(projectRoleObject.Role.Id); - UserModel userModel = new UserModel(); - var userToAdd = userModel.GetById(projectRoleObject.User.Id); - if (projectModel.OwnsProject(user, project)) + _emitter.EmitUserAdd(new UserEventArgs(_configuration) { - _emitter.EmitUserAdd(new UserEventArgs(this._configuration) - { - Project = project, - Role = role, - User = userToAdd - }); - return _projectRoleModel.SetFromObject(projectRoleObject); - } - else - { - throw new NotAuthorizedException("The user is not authorized to store a project role to the given project!"); - } - })); + Project = project, + Role = role, + User = userToAdd + }); + return Json(_projectRoleModel.SetFromObject(projectRoleObject)); + } + else + { + return Unauthorized("The user is not authorized to store a project role to the given project!"); + } } [HttpDelete("[controller]/project/{projectId}/user/{userId}/role/{roleId}")] public IActionResult Delete(Guid projectId, Guid userId, Guid roleId) { - return Ok(_authenticator.ValidateAndExecute((user) => - { - ProjectModel projectModel = new ProjectModel(); - if (projectModel.OwnsProject(user, projectModel.GetById(projectId))) - { - _projectRoleModel.CheckIfLastOwnerWillBeRemoved(roleId, projectId); + var projectModel = new ProjectModel(); + var user = _authenticator.GetUser(); - var project = projectModel.GetById(projectId); - UserModel userModel = new UserModel(); - var userToRemove = userModel.GetById(userId); + if (projectModel.HasAccess(user, projectModel.GetById(projectId), UserRoles.Owner)) + { + _projectRoleModel.CheckIfLastOwnerWillBeRemoved(roleId, projectId); - _emitter.EmitUserRemove(new UserEventArgs(this._configuration) - { - Project = project, - User = userToRemove - }); + var project = projectModel.GetById(projectId); + var userModel = new UserModel(); + var userToRemove = userModel.GetById(userId); - return _projectRoleModel.Delete(_projectRoleModel.GetWhere((projectRole) => - projectRole.ProjectId == projectId - && projectRole.UserId == userId - && projectRole.RoleId == roleId)); - } - else + _emitter.EmitUserRemove(new UserEventArgs(this._configuration) { - throw new NotAuthorizedException("The user is not authorized to delete a project role for the given project!"); - } - })); + Project = project, + User = userToRemove + }); + + return Json(_projectRoleModel.Delete(_projectRoleModel.GetWhere((projectRole) => + projectRole.ProjectId == projectId + && projectRole.UserId == userId + && projectRole.RoleId == roleId))); + } + else + { + return Unauthorized("The user is not authorized to delete a project role for the given project!"); + } } } } diff --git a/src/Project/Controllers/ResourceController.cs b/src/Project/Controllers/ResourceController.cs index 4368b1e..9ca1ae6 100644 --- a/src/Project/Controllers/ResourceController.cs +++ b/src/Project/Controllers/ResourceController.cs @@ -1,18 +1,20 @@ using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; using Coscine.ApiCommons; -using Coscine.ApiCommons.Exceptions; using Coscine.ApiCommons.Factories; using Microsoft.AspNetCore.Mvc; using System; using System.Linq; -using Newtonsoft.Json.Linq; using Coscine.Action; using Coscine.Configuration; using Coscine.Action.EventArgs; +using Microsoft.AspNetCore.Authorization; +using Newtonsoft.Json.Linq; +using Coscine.Database.Model; namespace Coscine.Api.Project.Controllers { + [Authorize] public class ResourceController : Controller { private readonly Authenticator _authenticator; @@ -27,110 +29,115 @@ namespace Coscine.Api.Project.Controllers _resourceModel = new ResourceModel(); _emitter = new Emitter(this._configuration); } - + [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _resourceModel.GetAllWhere((resource) => - (from projectResource in resource.ProjectResourceResourceIdIds - where (from projectRole in projectResource.Project.ProjectRolesProjectIdIds - where projectRole.User == user - && projectRole.Role.DisplayName == "Owner" - select projectRole).Any() - select projectResource).Any() - ).Select((resource) => _resourceModel.CreateReturnObjectFromDatabaseObject(resource)); - })); + var user = _authenticator.GetUser(); + return Json(_resourceModel.GetAllWhere((resource) => + (from projectResource in resource.ProjectResourceResourceIdIds + where (from projectRole in projectResource.Project.ProjectRolesProjectIdIds + where projectRole.User == user + && (projectRole.Role.DisplayName == "Owner" || projectRole.Role.DisplayName == "Member") + select projectRole).Any() + select projectResource).Any() + ).Select((resource) => _resourceModel.CreateReturnObjectFromDatabaseObject(resource))); } [HttpGet("[controller]/{id}")] public IActionResult Get(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => + var resource = _resourceModel.GetById(Guid.Parse(id)); + var user = _authenticator.GetUser(); + if (_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member)) { - var resource = _resourceModel.GetById(Guid.Parse(id)); - if (_resourceModel.OwnsResource(user, resource)) - { - _resourceModel.SetType(resource); - return _resourceModel.CreateReturnObjectFromDatabaseObject(resource); - } - else - { - throw new NotAuthorizedException("User does not own resource!"); - } - })); + _resourceModel.SetType(resource); + return Json(_resourceModel.CreateReturnObjectFromDatabaseObject(resource)); + } + else + { + return Unauthorized("User does not own resource!"); + } + } + + [HttpGet("[controller]/resource/{id}/isCreator")] + public IActionResult IsUserResourceCreator(string id) + { + Resource resource = _resourceModel.GetById(Guid.Parse(id)); + var user = _authenticator.GetUser(); + var json = new JObject + { + ["isResourceCreator"] = resource.Creator.Equals(user.Id) + }; + return Json(json); } [HttpPost("[controller]/{id}")] public IActionResult Update(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => + var resourceObject = ObjectFactory.DeserializeFromStream(Request.Body); + var resource = _resourceModel.GetById(Guid.Parse(id)); + var user = _authenticator.GetUser(); + + if (_resourceModel.HasAccess(user, resource, UserRoles.Owner) || + (_resourceModel.HasAccess(user, resource, UserRoles.Member) && resource.Creator.Equals(user.Id))) { - ResourceObject resourceObject = ObjectFactory.DeserializeFromStream(Request.Body); - var resource = _resourceModel.GetById(Guid.Parse(id)); - if (_resourceModel.OwnsResource(user, resource)) - { - return _resourceModel.UpdateByObject(resource, resourceObject); - } - else - { - throw new NotAuthorizedException("The user is not authorized to perform an update on the selected resource!"); - } - })); + return Json(_resourceModel.UpdateByObject(resource, resourceObject)); + } + else + { + return Unauthorized("The user is not authorized to perform an update on the selected resource!"); + } } [HttpDelete("[controller]/{id}")] public IActionResult Delete(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => + var resource = _resourceModel.GetById(Guid.Parse(id)); + var user = _authenticator.GetUser(); + if (_resourceModel.HasAccess(user, resource, UserRoles.Owner) || + (_resourceModel.HasAccess(user, resource, UserRoles.Member) && resource.Creator.Equals(user.Id))) { - var resource = _resourceModel.GetById(Guid.Parse(id)); - if (_resourceModel.OwnsResource(user, resource)) - { - var returnObject = _resourceModel.CreateReturnObjectFromDatabaseObject(resource); - _emitter.EmitResourceDelete(new ResourceEventArgs(_configuration) - { - Resource = resource - }); - _resourceModel.DeleteResource(resource); - return returnObject; - } - else + var returnObject = _resourceModel.CreateReturnObjectFromDatabaseObject(resource); + _emitter.EmitResourceDelete(new ResourceEventArgs(_configuration) { - throw new NotAuthorizedException("The user is not authorized to perform an update on the selected resource!"); - } - })); + Resource = resource + }); + _resourceModel.DeleteResource(resource); + return Json(returnObject); + } + else + { + return Unauthorized("The user is not authorized to perform an update on the selected resource!"); + } } [HttpPost("[controller]/project/{projectId}")] public IActionResult StoreToProject(string projectId) { - return Ok(_authenticator.ValidateAndExecute((user) => + var resourceObject = ObjectFactory.DeserializeFromStream(Request.Body); + var projectModel = new ProjectModel(); + var project = projectModel.GetById(Guid.Parse(projectId)); + var user = _authenticator.GetUser(); + + if (projectModel.HasAccess(user, project, UserRoles.Owner, UserRoles.Member)) { - ResourceObject resourceObject = ObjectFactory.DeserializeFromStream(Request.Body); + resourceObject.Creator = user.Id; + var resource = _resourceModel.StoreFromObject(resourceObject); + projectModel.AddResource(project, resource); - ProjectModel projectModel = new ProjectModel(); - var project = projectModel.GetById(Guid.Parse(projectId)); - if (projectModel.OwnsProject(user, project)) + _emitter.EmitResourceCreate(new ResourceEventArgs(_configuration) { - var resource = _resourceModel.StoreFromObject(resourceObject); - - projectModel.AddResource(project, resource); - - _emitter.EmitResourceCreate(new ResourceEventArgs(_configuration) - { - Resource = resource - }); + Resource = resource + }); - return _resourceModel.CreateReturnObjectFromDatabaseObject(resource); - } - else - { - throw new NotAuthorizedException("The user is not authorized to add a new resource to the selected project!"); - } - })); + return Json(_resourceModel.CreateReturnObjectFromDatabaseObject(resource)); + } + else + { + return Unauthorized("The user is not authorized to add a new resource to the selected project!"); + } } } } diff --git a/src/Project/Controllers/ResourceTypeController.cs b/src/Project/Controllers/ResourceTypeController.cs index b002220..04e097a 100644 --- a/src/Project/Controllers/ResourceTypeController.cs +++ b/src/Project/Controllers/ResourceTypeController.cs @@ -1,15 +1,14 @@ using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; using Coscine.ApiCommons; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using System; -using System.Collections.Generic; using System.Linq; -using System.Text; -using System.Threading.Tasks; namespace Coscine.Api.Project.Controllers { + [Authorize] public class ResourceTypeController : Controller { private readonly Authenticator _authenticator; @@ -25,46 +24,40 @@ namespace Coscine.Api.Project.Controllers [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _resourceTypeModel.GetAll().Select((resourceType) => new ResourceTypeObject(resourceType.Id, resourceType.DisplayName)); - })); + return Json(_resourceTypeModel.GetAll() + .Select((resourceType) => new ResourceTypeObject(resourceType.Id, resourceType.DisplayName))); } [Route("[controller]/{id}/fields")] public IActionResult Fields(string id) { - return Ok(_authenticator.ValidateAndExecute((user) => - { - var resourceType = _resourceTypeModel.GetById(Guid.Parse(id)); + var resourceType = _resourceTypeModel.GetById(Guid.Parse(id)); if (resourceType.DisplayName == "s3") { - return Type.GetType("Coscine.Api.Project.ReturnObjects.S3ResourceTypeObject").GetProperties() + return Json(Type.GetType("Coscine.Api.Project.ReturnObjects.S3ResourceTypeObject").GetProperties() .Where((property) => property.Name != "Id") .Select((property) => property.Name) - .ToList(); + .ToList()); } else if (resourceType.DisplayName == "rds") { - return Type.GetType("Coscine.Api.Project.ReturnObjects.RDSResourceTypeObject").GetProperties() + return Json(Type.GetType("Coscine.Api.Project.ReturnObjects.RDSResourceTypeObject").GetProperties() .Where((property) => property.Name != "Id") .Select((property) => property.Name) - .ToList(); + .ToList()); } else if(resourceType.DisplayName == "gitlab") { - return Type.GetType("Coscine.Api.Project.ReturnObjects.GitlabResourceTypeObject").GetProperties() + return Json(Type.GetType("Coscine.Api.Project.ReturnObjects.GitlabResourceTypeObject").GetProperties() .Where((property) => property.Name != "Id") .Select((property) => property.Name) - .ToList(); + .ToList()); } else { throw new ArgumentException("Invalid Resource Type!"); } - })); } - - } + } } diff --git a/src/Project/Controllers/RoleController.cs b/src/Project/Controllers/RoleController.cs index 7ef12a8..d259627 100644 --- a/src/Project/Controllers/RoleController.cs +++ b/src/Project/Controllers/RoleController.cs @@ -1,33 +1,26 @@ using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; -using Coscine.ApiCommons; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; -using System; -using System.Collections.Generic; using System.Linq; -using System.Text; -using System.Threading.Tasks; namespace Coscine.Api.Project.Controllers { + [Authorize] public class RoleController : Controller { - private readonly Authenticator _authenticator; private readonly RoleModel _roleModel; public RoleController() { - _authenticator = new Authenticator(this, Program.Configuration); _roleModel = new RoleModel(); } [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _roleModel.GetAll().Select((role) => new RoleObject(role.Id, role.DisplayName)); - })); + return Json(_roleModel.GetAll() + .Select((role) => new RoleObject(role.Id, role.DisplayName))); } } } diff --git a/src/Project/Controllers/SearchController.cs b/src/Project/Controllers/SearchController.cs index b5be4b6..33ee860 100644 --- a/src/Project/Controllers/SearchController.cs +++ b/src/Project/Controllers/SearchController.cs @@ -1,70 +1,220 @@ -using System.Linq; -using Coscine.Api.Project.Models; +using System; +using System.Collections.Generic; +using System.Linq; +using System.Web; using Coscine.ApiCommons; using Coscine.ApiCommons.Utils; +using LinqToDB.Tools; using Microsoft.AspNetCore.Mvc; -using Microsoft.Extensions.Logging; -using VDS.RDF.Query.Expressions.Functions.Sparql.String; +using Newtonsoft.Json; +using Newtonsoft.Json.Linq; +using Microsoft.AspNetCore.Authorization; namespace Coscine.Api.Project.Controllers { + [Authorize] public class SearchController : Controller { private readonly Authenticator _authenticator; - private DatabaseConnection _databaseConnection; - private readonly ProjectModel _projectModel; - + private readonly DatabaseConnection _databaseConnection; public SearchController() { _authenticator = new Authenticator(this, Program.Configuration); - _projectModel = new ProjectModel(); _databaseConnection = new DatabaseConnection(Program.Configuration); + } + + [HttpGet("[controller]/allNoFilter/")] + public IActionResult SearchNoFilter() + { + var user = _authenticator.GetUser(); + return Ok(GetSearchResults(user.Id, "", "")); + } + + [HttpGet("[controller]/all/{encodedSearchWord}")] + public IActionResult Search(string encodedSearchWord) + { + var user = _authenticator.GetUser(); + return Ok(GetSearchResults(user.Id, encodedSearchWord, "")); + } + + [HttpGet("[controller]/projectNoFilter/{projectId}")] + public IActionResult SearchProjectNoFilter(string projectId) + { + var user = _authenticator.GetUser(); + return Ok(GetSearchResults(user.Id, "", projectId)); + } + [HttpGet("[controller]/project/{projectId}/{encodedSearchWord}")] + public IActionResult SearchProject(string projectId, string encodedSearchWord) + { + var user = _authenticator.GetUser(); + return Ok(GetSearchResults(user.Id, encodedSearchWord, projectId)); } - [Route("[controller]")] - public IActionResult Index() + private JToken GetSearchResults(Guid userId, string encodedSearchWord, string projectId) { - return Ok(_authenticator.ValidateAndExecute((user) => + string searchQuery; + if (!string.IsNullOrWhiteSpace(encodedSearchWord)) { - string searchQuery = ""; - return _databaseConnection.ConnectToDatabase((db) => + searchQuery = HttpUtility.UrlDecode(encodedSearchWord); + } + else { - return + searchQuery = ""; + } + + List list; + if (projectId.Equals("")) + { + list = new List(); + } + else + { + list = GetAllSubProjects(projectId); + } + + // create return object + var json = new JObject(); + + // search and add results for resources + json["Resources"] = SearchForResources(userId, searchQuery, projectId, list); + + // search and add results for projects + if (projectId.Equals("")) + { + json["Projects"] = SearchForProjects(userId, searchQuery, projectId, list, false); + } + else + { + json["Projects"] = new JArray(); + } + + // remove the id of the root project since it cann not be a subproject of it self + if (list.Count >= 1) + { + list.RemoveAt(0); + } + + // search and ad results for sub-projects + json["SubProjects"] = SearchForProjects(userId, searchQuery, projectId, list, true); + + return json; + } + + + private List GetAllSubProjects(string projectId) + { + var list = new List(); + if (!projectId.Equals("")) + { + list.Add(new Guid(projectId)); + var counter = 0; + _databaseConnection.ConnectToDatabase((db) => + { + while (counter != list.Count) + { + var innerResults = (from sp in db.SubProjects + where sp.ProjectId.Equals(list[counter]) + select sp.SubProjectId); + list.AddRange(innerResults.ToList()); + counter++; + } + }); + } + return list; + } + + + private JToken SearchForProjects(Guid userId, string searchQuery, string projectId, List listOfSubprojects, bool showSubProjects) + { + return _databaseConnection.ConnectToDatabase((db) => + { + var allSubProjects = (from sp in db.SubProjects select sp.SubProjectId).ToList(); + var allSubProjectsList = new List(); + allSubProjectsList.AddRange(allSubProjects); + + var results = (from p in db.Projects - join v in db.Visibilities on p.VisibilityId equals v.Id - join pd in db.ProjectDisciplines on p.Id equals pd.ProjectId - join d in db.Disciplines on pd.DisciplineId equals d.Id - join pi in db.ProjectInstitutes on p.Id equals pi.ProjectId - join i in db.Institutes on pi.InstituteId equals i.Id - - where p.ProjectName.Contains(searchQuery) || - p.Description.Contains(searchQuery) || - p.StartDate.ToString().Contains(searchQuery) || - p.EndDate.ToString().Contains(searchQuery) || - p.Keywords.Contains(searchQuery) || - p.DisplayName.Contains(searchQuery) || - p.PrincipleInvestigators.Contains(searchQuery) || - p.GrantId.Contains(searchQuery) || - v.DisplayName.Contains(searchQuery) || - d.Url.Contains(searchQuery) || - d.DisplayNameDe.Contains(searchQuery) || - d.DisplayNameEn.Contains(searchQuery) || - i.DisplayName.Contains(searchQuery) || - i.IKZ.Contains(searchQuery) - - select new {p.Id, p.DisplayName}); + join pr in db.ProjectRoles on p.Id equals pr.ProjectId into joinedPr + from jpr in joinedPr.DefaultIfEmpty() + join v in db.Visibilities on p.VisibilityId equals v.Id into joinedV + from jv in joinedV.DefaultIfEmpty() + join pd in db.ProjectDisciplines on p.Id equals pd.ProjectId into joinedPd + from jpd in joinedPd.DefaultIfEmpty() + join d in db.Disciplines on jpd.DisciplineId equals d.Id into joinedD + from jd in joinedD.DefaultIfEmpty() + join pi in db.ProjectInstitutes on p.Id equals pi.ProjectId into joinedPi + from jpi in joinedPi.DefaultIfEmpty() + join i in db.Institutes on jpi.InstituteId equals i.Id into joinedI + from ji in joinedI.DefaultIfEmpty() + + where ((!showSubProjects && p.Id.NotIn(allSubProjectsList)) || + (showSubProjects && p.Id.In(allSubProjectsList))) && + (jpr.UserId.Equals(userId) || jv.DisplayName.Equals("Public")) && + (projectId.Equals("") || p.Id.In(listOfSubprojects)) && + (searchQuery.Equals("") || + p.ProjectName.Contains(searchQuery) || + p.Description.Contains(searchQuery) || + p.Keywords.Contains(searchQuery) || + p.DisplayName.Contains(searchQuery) || + p.PrincipleInvestigators.Contains(searchQuery) || + p.GrantId.Contains(searchQuery) || + jv.DisplayName.Contains(searchQuery) || + jd.Url.Contains(searchQuery) || + jd.DisplayNameDe.Contains(searchQuery) || + jd.DisplayNameEn.Contains(searchQuery) || + ji.DisplayName.Contains(searchQuery) || + ji.IKZ.Contains(searchQuery)) + + select new { p.Id, p.DisplayName }).OrderBy(element => element.DisplayName).Distinct(); + return JToken.Parse(JsonConvert.SerializeObject(results)); + }); + } + + private JToken SearchForResources(Guid userId, string searchQuery, string projectId, List listOfSubprojects) + { + return _databaseConnection.ConnectToDatabase((db) => + { + + var results = (from r in db.Resources + join pres in db.ProjectResources on r.Id equals pres.ResourceId into joinedPres + from jpres in joinedPres.DefaultIfEmpty() + join p in db.Projects on jpres.ProjectId equals p.Id into joinedP + from jp in joinedP.DefaultIfEmpty() + join pr in db.ProjectRoles on jp.Id equals pr.ProjectId into joinedPr + from jpr in joinedPr.DefaultIfEmpty() + join v in db.Visibilities on r.VisibilityId equals v.Id into joinedV + from jv in joinedV.DefaultIfEmpty() + join rd in db.ResourceDisciplines on r.Id equals rd.ResourceId into joinedRd + from jrd in joinedRd.DefaultIfEmpty() + join d in db.Disciplines on jrd.DisciplineId equals d.Id into joinedD + from jd in joinedD.DefaultIfEmpty() + join l in db.Licenses on r.LicenseId equals l.Id into joinedL + from jl in joinedL.DefaultIfEmpty() + join rt in db.ResourceTypes on r.TypeId equals rt.Id into joinedRt + from jrt in joinedRt.DefaultIfEmpty() + + where (jpr.UserId.Equals(userId) || jv.DisplayName.Equals("Public")) && + (projectId.Equals("") || jp.Id.In(listOfSubprojects)) && + (searchQuery.Equals("") || + r.ResourceName.Contains(searchQuery) || + r.DisplayName.Contains(searchQuery) || + r.ResourceName.Contains(searchQuery) || + r.Keywords.Contains(searchQuery) || + r.UsageRights.Contains(searchQuery) || + r.Description.Contains(searchQuery) || + r.ApplicationProfile.Contains(searchQuery) || + jrt.DisplayName.Contains(searchQuery) || + jl.DisplayName.Contains(searchQuery) || + jd.DisplayNameDe.Contains(searchQuery) || + jd.DisplayNameEn.Contains(searchQuery)) + + select new { r.Id, r.DisplayName, jpr.ProjectId }).OrderBy(element => element.DisplayName).Distinct(); + + return JToken.Parse(JsonConvert.SerializeObject(results)); + }); - })); - - /* - return DatabaseConnection.ConnectToDatabase((db) => (from relation in db.ProjectRoles - where relation.Project == project - && relation.User == user - && (relation.Role.DisplayName == "Owner" - || relation.Role.DisplayName == "Member") - select relation).Any());*/ } } -} +} \ No newline at end of file diff --git a/src/Project/Controllers/SubProjectController.cs b/src/Project/Controllers/SubProjectController.cs index 74db39e..a9f9563 100644 --- a/src/Project/Controllers/SubProjectController.cs +++ b/src/Project/Controllers/SubProjectController.cs @@ -1,12 +1,13 @@ using Coscine.Api.Project.Models; -using Coscine.Api.Project.ReturnObjects; using Coscine.ApiCommons; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using System; using System.Linq; namespace Coscine.Api.Project.Controllers { + [Authorize] public class SubProjectController : Controller { private readonly Authenticator _authenticator; @@ -21,22 +22,21 @@ namespace Coscine.Api.Project.Controllers [HttpGet("[controller]/{parentId}")] public IActionResult Get(string parentId) { - return Ok(_authenticator.ValidateAndExecute((user) => + var parentGuid = new Guid(parentId); + var projectModel = new ProjectModel(); + var user = _authenticator.GetUser(); + if (projectModel.HasAccess(user, projectModel.GetById(parentGuid), UserRoles.Owner, UserRoles.Member)) { - Guid parentGuid = new Guid(parentId); - ProjectModel projectModel = new ProjectModel(); - if (projectModel.CanSeeProject(user, projectModel.GetById(parentGuid))) - { - var subProjects = _subProjectModel.GetAllWhere((subProjectM) => (subProjectM.ProjectId == parentGuid)) - .Select((subProject) => projectModel.GetById(subProject.SubProjectId)) - .Select((project) => projectModel.CreateReturnObjectFromDatabaseObject(project, parentGuid)); - return subProjects; - } - else - { - throw new UnauthorizedAccessException("User is not allowed to create a subproject for the given project id!"); - } - })); + var subProjects = _subProjectModel.GetAllWhere((subProjectM) => (subProjectM.ProjectId == parentGuid)) + .Select((subProject) => projectModel.GetById(subProject.SubProjectId)) + .Select((project) => projectModel.CreateReturnObjectFromDatabaseObject(project, parentGuid)) + .OrderBy(element => element.DisplayName); + return Json(subProjects); + } + else + { + return Unauthorized("User is not allowed to create a subproject for the given project id!"); + } } } } diff --git a/src/Project/Controllers/VisibilityController.cs b/src/Project/Controllers/VisibilityController.cs index c14fe74..bdf9bc3 100644 --- a/src/Project/Controllers/VisibilityController.cs +++ b/src/Project/Controllers/VisibilityController.cs @@ -1,33 +1,26 @@ using Coscine.Api.Project.Models; using Coscine.Api.Project.ReturnObjects; -using Coscine.ApiCommons; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; -using System; -using System.Collections.Generic; using System.Linq; -using System.Text; -using System.Threading.Tasks; namespace Coscine.Api.Project.Controllers { + [Authorize] public class VisibilityController : Controller { - private readonly Authenticator _authenticator; private readonly VisibilityModel _visibilityModel; public VisibilityController() { - _authenticator = new Authenticator(this, Program.Configuration); _visibilityModel = new VisibilityModel(); } [Route("[controller]")] public IActionResult Index() { - return Ok(_authenticator.ValidateAndExecute((user) => - { - return _visibilityModel.GetAll().Select((visibility) => new VisibilityObject(visibility.Id, visibility.DisplayName)); - })); + return Json(_visibilityModel.GetAll() + .Select((visibility) => new VisibilityObject(visibility.Id, visibility.DisplayName))); } } } diff --git a/src/Project/Models/MetadataModel.cs b/src/Project/Models/MetadataModel.cs index 5b7697a..5ce7769 100644 --- a/src/Project/Models/MetadataModel.cs +++ b/src/Project/Models/MetadataModel.cs @@ -52,30 +52,5 @@ namespace Coscine.Api.Project.Models { return $"https://purl.org/coscine/md/{resourceId}/{filename}/{version}/"; } - - public bool IsProjectMember(User user, Resource resource) - { - return DatabaseConnection.ConnectToDatabase((db) => - { - return (from relation in db.ProjectRoles - where relation.UserId == user.Id - && (relation.Role.DisplayName == "Owner" || relation.Role.DisplayName == "Member") - && (relation.Project.ProjectResourceProjectIdIds != null && relation.Project.ProjectResourceProjectIdIds. - Any((projectResource) => projectResource.Resource == resource)) - select relation).Any(); - }); - } - - public bool IsProjectMember(User user, Guid projectId) - { - return DatabaseConnection.ConnectToDatabase((db) => - { - return (from relation in db.ProjectRoles - where relation.UserId == user.Id - && (relation.Role.DisplayName == "Owner" || relation.Role.DisplayName == "Member") - && (relation.ProjectId == projectId) - select relation).Any(); - }); - } } } diff --git a/src/Project/Models/ProjectModel.cs b/src/Project/Models/ProjectModel.cs index 97b533d..db9f51d 100644 --- a/src/Project/Models/ProjectModel.cs +++ b/src/Project/Models/ProjectModel.cs @@ -102,28 +102,29 @@ namespace Coscine.Api.Project.Models return projectRole; } - public bool CanSeeProject(User user, Coscine.Database.Model.Project project) + public bool HasAccess(User user, Database.Model.Project project, params string[] allowedAccess) { - return IsMemberOrHigher(user, project); - } + ProjectRoleModel projectRoleModel = new ProjectRoleModel(); + allowedAccess = allowedAccess.Select(x => x.ToLower().Trim()).ToArray(); - public bool IsMemberOrHigher(User user, Coscine.Database.Model.Project project) - { - return DatabaseConnection.ConnectToDatabase((db) => (from relation in db.ProjectRoles - where relation.Project == project - && relation.User == user - && (relation.Role.DisplayName == "Owner" - || relation.Role.DisplayName == "Member") - select relation).Any()); + IEnumerable projectRoles = projectRoleModel.GetAllWhere( + (projectRoleRelation) => projectRoleRelation.ProjectId == project.Id && + projectRoleRelation.UserId == user.Id && + allowedAccess.Contains(projectRoleRelation.Role.DisplayName.ToLower())); + return projectRoles.Count() > 0; } - public bool OwnsProject(User user, Coscine.Database.Model.Project project) + public IEnumerable GetWithAccess(User user, params string[] allowedAccess) { - return DatabaseConnection.ConnectToDatabase((db) => (from relation in db.ProjectRoles - where relation.Project == project - && relation.User == user - && relation.Role.DisplayName == "Owner" - select relation).Any()); + ProjectRoleModel projectRoleModel = new ProjectRoleModel(); + ProjectModel projectModel = new ProjectModel(); + + allowedAccess = allowedAccess.Select(x => x.ToLower().Trim()).ToArray(); + var allUserProjectRoles = projectRoleModel.GetAllWhere((projectRoleRelation) => projectRoleRelation.UserId == user.Id && + allowedAccess.Contains(projectRoleRelation.Role.DisplayName.ToLower())); + var allowedProjectIds = allUserProjectRoles.Select((projectRole) => projectRole.ProjectId); + var allowedProjects = projectModel.GetAllWhere((project) => allowedProjectIds.Contains(project.Id)); + return allowedProjects.ToList(); } public void AddResource(Coscine.Database.Model.Project project, Resource resource) @@ -165,7 +166,12 @@ namespace Coscine.Api.Project.Models return Update(project); } - public ProjectObject CreateReturnObjectFromDatabaseObject(Database.Model.Project project, Guid parentId = new Guid()) + public ProjectObject CreateReturnObjectFromDatabaseObject(Database.Model.Project project) + { + return CreateReturnObjectFromDatabaseObject(project, new Guid()); + } + + public ProjectObject CreateReturnObjectFromDatabaseObject(Database.Model.Project project, Guid parentId) { IEnumerable disciplines = new List(); if(project.ProjectDisciplineProjectIdIds == null) diff --git a/src/Project/Models/ResourceModel.cs b/src/Project/Models/ResourceModel.cs index f7f7d7c..e3b5527 100644 --- a/src/Project/Models/ResourceModel.cs +++ b/src/Project/Models/ResourceModel.cs @@ -38,7 +38,8 @@ namespace Coscine.Api.Project.Models Type = new ResourceTypeModel().GetById(resourceObject.Type.Id), VisibilityId = resourceObject.Visibility.Id, ApplicationProfile = resourceObject.ApplicationProfile, - FixedValues = resourceObject.FixedValues != null ? resourceObject.FixedValues.ToString() :"{}" + FixedValues = resourceObject.FixedValues != null ? resourceObject.FixedValues.ToString() :"{}", + Creator = resourceObject.Creator }; if(resourceObject.License != null) { @@ -191,17 +192,15 @@ namespace Coscine.Api.Project.Models } } - public bool OwnsResource(User user, Resource resource) + public bool HasAccess(User user, Database.Model.Resource resource, params string[] allowedAccess) { - return DatabaseConnection.ConnectToDatabase((db) => - { - return (from relation in db.ProjectRoles - where relation.User == user - && relation.Role.DisplayName == "Owner" - && (relation.Project.ProjectResourceProjectIdIds != null && relation.Project.ProjectResourceProjectIdIds. - Any((projectResource) => projectResource.Resource == resource)) - select relation).Any(); - }); + IEnumerable allowedAccessLabels = allowedAccess.Select(x => x.ToLower().Trim()).ToList(); + return DatabaseConnection.ConnectToDatabase((db) => (from relation in db.ProjectRoles + where relation.Project.ProjectResourceProjectIdIds != null && relation.Project.ProjectResourceProjectIdIds + .Any((projectResource) => projectResource.Resource.Id == resource.Id) + && relation.User.Id == user.Id + && allowedAccessLabels.Contains(relation.Role.DisplayName.ToLower()) + select relation).Any()); } public int UpdateByObject(Resource resource, ResourceObject resourceObject) @@ -228,10 +227,15 @@ namespace Coscine.Api.Project.Models { resource.LicenseId = resourceObject.License.Id; } + // the application profile can not be altered after creation // resource.ApplicationProfile = resourceObject.ApplicationProfile; + resource.FixedValues = resourceObject.FixedValues != null ? resourceObject.FixedValues.ToString() : "{}"; + // the resource creator can not be altered after creation + // resource.Creator = resourceObject.Creator; + SetDisciplines(resource, resourceObject.Disciplines); SetResourceTypeObject(resource, resourceObject.ResourceTypeOption); @@ -324,7 +328,8 @@ namespace Coscine.Api.Project.Models (resource.License != null) ? new LicenseObject(resource.License.Id, resource.License.DisplayName) : null, JObject.FromObject(resourceTypeOptionObject), resource.ApplicationProfile, - JToken.Parse(resource.FixedValues == null ? "{}": resource.FixedValues ) + JToken.Parse(resource.FixedValues == null ? "{}": resource.FixedValues ), + (resource.Creator != null) ? resource.Creator : null ); } diff --git a/src/Project/Project.csproj b/src/Project/Project.csproj index 3d10138..309ead7 100644 --- a/src/Project/Project.csproj +++ b/src/Project/Project.csproj @@ -46,17 +46,17 @@ ..\packages\Consul.0.7.2.6\lib\net45\Consul.dll - - ..\packages\Coscine.Action.1.7.0\lib\net461\Coscine.Action.dll + + ..\packages\Coscine.Action.1.7.1\lib\net461\Coscine.Action.dll - - ..\packages\Coscine.ApiCommons.1.3.1\lib\net461\Coscine.ApiCommons.dll + + ..\packages\Coscine.ApiCommons.1.4.0\lib\net461\Coscine.ApiCommons.dll ..\packages\Coscine.Configuration.1.4.0\lib\net461\Coscine.Configuration.dll - - ..\packages\Coscine.Database.1.12.1\lib\net461\Coscine.Database.dll + + ..\packages\Coscine.Database.1.13.0\lib\net461\Coscine.Database.dll ..\packages\Coscine.Logging.1.0.1\lib\net461\Coscine.Logging.dll @@ -97,12 +97,18 @@ ..\packages\Microsoft.AspNetCore.Antiforgery.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Antiforgery.dll + + ..\packages\Microsoft.AspNetCore.Authentication.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.dll + ..\packages\Microsoft.AspNetCore.Authentication.Abstractions.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.Abstractions.dll ..\packages\Microsoft.AspNetCore.Authentication.Core.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.Core.dll + + ..\packages\Microsoft.AspNetCore.Authentication.JwtBearer.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authentication.JwtBearer.dll + ..\packages\Microsoft.AspNetCore.Authorization.2.2.0\lib\netstandard2.0\Microsoft.AspNetCore.Authorization.dll @@ -366,6 +372,12 @@ ..\packages\Microsoft.IdentityModel.Logging.5.6.0\lib\net461\Microsoft.IdentityModel.Logging.dll + + ..\packages\Microsoft.IdentityModel.Protocols.5.3.0\lib\net461\Microsoft.IdentityModel.Protocols.dll + + + ..\packages\Microsoft.IdentityModel.Protocols.OpenIdConnect.5.3.0\lib\net461\Microsoft.IdentityModel.Protocols.OpenIdConnect.dll + ..\packages\Microsoft.IdentityModel.Tokens.5.6.0\lib\net461\Microsoft.IdentityModel.Tokens.dll @@ -606,6 +618,7 @@ + @@ -652,6 +665,7 @@ + diff --git a/src/Project/ReturnObjects/ResourceObject.cs b/src/Project/ReturnObjects/ResourceObject.cs index b02e57c..9f0132f 100644 --- a/src/Project/ReturnObjects/ResourceObject.cs +++ b/src/Project/ReturnObjects/ResourceObject.cs @@ -22,8 +22,9 @@ namespace Coscine.Api.Project.ReturnObjects public JObject ResourceTypeOption { get; set; } public string ApplicationProfile { get; set; } public JToken FixedValues { get; set; } + public Guid? Creator { get; set; } - public ResourceObject(Guid id, string displayName, string resourceName, string description, string keywords, string usageRights, ResourceTypeObject type, IEnumerable disciplines, VisibilityObject visibility, LicenseObject license, JObject resourceTypeOption, string applicationProfile, JToken fixedValues) + public ResourceObject(Guid id, string displayName, string resourceName, string description, string keywords, string usageRights, ResourceTypeObject type, IEnumerable disciplines, VisibilityObject visibility, LicenseObject license, JObject resourceTypeOption, string applicationProfile, JToken fixedValues, Guid? creator = null) { Id = id; @@ -42,6 +43,8 @@ namespace Coscine.Api.Project.ReturnObjects ApplicationProfile = applicationProfile; FixedValues = fixedValues; + + Creator = creator; } } } diff --git a/src/Project/UserRoles.cs b/src/Project/UserRoles.cs new file mode 100644 index 0000000..4a3b853 --- /dev/null +++ b/src/Project/UserRoles.cs @@ -0,0 +1,8 @@ +namespace Coscine.Api.Project +{ + public static class UserRoles + { + public static string Member { get; } = "member"; + public static string Owner { get; } = "owner"; + } +} diff --git a/src/Project/packages.config b/src/Project/packages.config index 6b7bb51..0ef590e 100644 --- a/src/Project/packages.config +++ b/src/Project/packages.config @@ -3,10 +3,10 @@ - - + + - + @@ -21,8 +21,10 @@ + + @@ -114,6 +116,8 @@ + + -- GitLab