diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs
index 4e96b6a6a31b2eb96b335b381b35370c67da271f..898f51d338605ccecb8c2ba228aa4cb5d9796f14 100644
--- a/src/Project/Controllers/ProjectController.cs
+++ b/src/Project/Controllers/ProjectController.cs
@@ -34,7 +34,7 @@ namespace Coscine.Api.Project.Controllers
         {
             var user = _authenticator.GetUser();
-            return Ok(_projectModel.GetWithAccess(user, UserRoles.Owner).ToList()
+            return Ok(_projectModel.GetWithAccess(user, UserRoles.Member, UserRoles.Owner).ToList()
                 .Select((project) => _projectModel.CreateReturnObjectFromDatabaseObject(project)));
         }
@@ -164,6 +164,14 @@ namespace Coscine.Api.Project.Controllers
         {
             var user = _authenticator.GetUser();
             var projectObject = ObjectFactory<ProjectObject>.DeserializeFromStream(Request.Body);
+
+            if (projectObject.ParentId != null
+                && projectObject.ParentId != new Guid()
+                && !_projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner))
+            {
+                return Unauthorized("User is not allowed to create SubProjects.");
+            }
+
             var project = _projectModel.StoreFromObject(projectObject, user);
             if (projectObject.ParentId != null
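Review bot: In the second hunk, `_projectModel.GetById(projectObject.ParentId)` is handed straight to `HasAccess` with no null check, so a request naming a ParentId that does not exist reaches `HasAccess` with a null project; whether that throws (surfacing as a 500 from the controller) or is treated as accessible depends on `HasAccess`, which is not visible here, and in either case the request should be rejected explicitly before `StoreFromObject` runs. I would fetch the parent into a local first, `var parent = _projectModel.GetById(projectObject.ParentId);` followed by `if (parent is null) return NotFound();`, and reuse that local in the `HasAccess` call (and in the `ParentId != null` branch that starts at the end of the hunk, if it looks the parent up again). `projectObject.ParentId != new Guid()` reads more clearly as `projectObject.ParentId != Guid.Empty`. Since `_authenticator.GetUser()` has already identified the caller, a missing Owner role on the parent is an authorization failure, so `Forbid()` (403) fits better than `Unauthorized(...)` (401). The enclosing action method starts and ends outside the hunk.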