From c2bfb0935e32af6ea247fe117c6cebba01afcbf3 Mon Sep 17 00:00:00 2001
From: Marcel Nellesen <nellesen@itc.rwth-aachen.de>
Date: Mon, 13 Jan 2020 10:11:06 +0100
Subject: [PATCH] Fixed permissions in the Project Controller
 (coscine/issues#529)

---
 src/Project/Controllers/ProjectController.cs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/Project/Controllers/ProjectController.cs b/src/Project/Controllers/ProjectController.cs
index 4e96b6a..898f51d 100644
--- a/src/Project/Controllers/ProjectController.cs
+++ b/src/Project/Controllers/ProjectController.cs
@@ -34,7 +34,7 @@ namespace Coscine.Api.Project.Controllers
         {
             var user = _authenticator.GetUser();
 
-            return Ok(_projectModel.GetWithAccess(user, UserRoles.Owner).ToList()
+            return Ok(_projectModel.GetWithAccess(user, UserRoles.Member, UserRoles.Owner).ToList()
                 .Select((project) => _projectModel.CreateReturnObjectFromDatabaseObject(project)));
 
         }
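Review bot: The `.ToList()` on the changed line materializes the projects and then hands a lazy `Select` to `Ok(...)`, so `CreateReturnObjectFromDatabaseObject` runs during response serialization rather than inside the action, where an exception would still be caught by the normal controller path. Projecting first and materializing last is the conventional order: `return Ok(_projectModel.GetWithAccess(user, UserRoles.Member, UserRoles.Owner).Select((project) => _projectModel.CreateReturnObjectFromDatabaseObject(project)).ToList());`. The enclosing action starts before this hunk, so its attributes and signature are not visible here.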
@@ -164,6 +164,14 @@ namespace Coscine.Api.Project.Controllers
         {
             var user = _authenticator.GetUser();
             var projectObject = ObjectFactory<ProjectObject>.DeserializeFromStream(Request.Body);
+
+            if (projectObject.ParentId != null
+                && projectObject.ParentId != new Guid()
+                && !_projectModel.HasAccess(user, _projectModel.GetById(projectObject.ParentId), UserRoles.Owner))
+            {
+                return Unauthorized("User is not allowed to create SubProjects.");
+            }
+
             var project = _projectModel.StoreFromObject(projectObject, user);
 
             if (projectObject.ParentId != null 
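Review bot: The new guard passes `_projectModel.GetById(projectObject.ParentId)` straight into `HasAccess` without checking the lookup result, so a request naming a ParentId that does not resolve depends on how `HasAccess` treats a missing project — if `GetById` returns null this may surface as a server error instead of a permission refusal, and I cannot tell from this hunk which it is. Binding the parent to a local and treating "not found" the same as "no access" keeps the refusal uniform and avoids turning the endpoint into an existence oracle for project ids. `new Guid()` on the second condition line is better spelled `Guid.Empty`, and since the user has already been resolved by `_authenticator.GetUser()`, a 403 (`Forbid()`) describes the situation more precisely than 401 if the rest of the controller does not already standardize on `Unauthorized`. The ParentId condition is repeated on the last hunk line, and the method body continues past the hunk.
```csharp
            var projectObject = ObjectFactory<ProjectObject>.DeserializeFromStream(Request.Body);

            if (projectObject.ParentId != null && projectObject.ParentId != Guid.Empty)
            {
                // Resolve the parent once; an unresolved parent is refused the same way as one
                // the caller does not own, so the response does not reveal whether the id exists.
                var parentProject = _projectModel.GetById(projectObject.ParentId);
                if (parentProject == null || !_projectModel.HasAccess(user, parentProject, UserRoles.Owner))
                {
                    return Unauthorized("User is not allowed to create SubProjects.");
                }
            }
            // … unchanged: StoreFromObject call and the ParentId handling that follows …
```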
-- 
GitLab