Marcel Nellesen · c11b45fb · 683d593c · f3e512f3 · c11b45fb · 683d593c
--- a/src/Project/Controllers/DataSourceController.cs

+ 41

− 12
+++ b/src/Project/Controllers/DataSourceController.cs

+ 41

− 12
 @@ -5,6 +5,7 @@ using Coscine.ApiCommons.Factories;
 using Coscine.ApiCommons.Utils;
 using Coscine.Configuration;
 using Coscine.Database.Model;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Newtonsoft.Json.Linq;
 using System;
 @@ -22,6 +23,7 @@ using System.Web;

 namespace Coscine.Api.Project.Controllers
 {
+    [Authorize]
    public class DataSourceController : Controller
    {
        private readonly IConfiguration _configuration;
 @@ -30,6 +32,7 @@ namespace Coscine.Api.Project.Controllers
        private static readonly HttpClient Client;
        private readonly Authenticator _authenticator;
        private readonly ResourceModel _resourceModel;
+        private readonly ProjectModel _projectModel;

        static DataSourceController()
        {
 @@ -45,6 +48,7 @@ namespace Coscine.Api.Project.Controllers
            _jwtHandler = new JWTHandler(_configuration);
            _authenticator = new Authenticator(this, _configuration);
            _resourceModel = new ResourceModel();
+            _projectModel = new ProjectModel();
        }

        // inferring a ../ (urlencoded) can manipulate the url.
 @@ -53,6 +57,8 @@ namespace Coscine.Api.Project.Controllers
        [HttpGet("[controller]/{resourceId}/{path}")]
        public async Task<IActionResult> GetWaterButlerFolder(string resourceId, string path)
        {
+            var user = _authenticator.GetUser();
+
            if (!string.IsNullOrWhiteSpace(path))
            {
                path = HttpUtility.UrlDecode(path);
 @@ -64,6 +70,11 @@ namespace Coscine.Api.Project.Controllers
                return check;
            }

+            if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            {
+                return BadRequest("User does not have permission to the resource.");
+            }
+
            var authHeader = BuildAuthHeader(resource);

            if (authHeader == null)
 @@ -107,6 +118,9 @@ namespace Coscine.Api.Project.Controllers
        [DisableRequestSizeLimit]
        public async Task<IActionResult> PutUploadFile(string resourceId, string path)
        {
+            var user = _authenticator.GetUser();
+
+
            if (!string.IsNullOrWhiteSpace(path))
            {
                path = HttpUtility.UrlDecode(path);
 @@ -118,6 +132,11 @@ namespace Coscine.Api.Project.Controllers
                return check;
            }

+            if(!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            {
+                return BadRequest("User does not have permission to the resource.");
+            }
+
            var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" });

            if (authHeader == null)
 @@ -156,6 +175,8 @@ namespace Coscine.Api.Project.Controllers
        [DisableRequestSizeLimit]
        public async Task<IActionResult> PutUpdateFile(string resourceId, string path)
        {
+            var user = _authenticator.GetUser();
+
            if (!string.IsNullOrWhiteSpace(path))
            {
                path = HttpUtility.UrlDecode(path);
 @@ -167,6 +188,11 @@ namespace Coscine.Api.Project.Controllers
                return check;
            }

+            if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            {
+                return BadRequest("User does not have permission to the resource.");
+            }
+
            var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" });

            if (authHeader == null)
 @@ -220,7 +246,7 @@ namespace Coscine.Api.Project.Controllers
                return resource["type"]["displayName"].ToString().ToLower();
            }
        }
-        
+

        public async Task<HttpResponseMessage> UploadFile(string url, string authHeader, Stream stream)
        {
 @@ -233,6 +259,8 @@ namespace Coscine.Api.Project.Controllers
        [HttpDelete("[controller]/{resourceId}/{path}")]
        public async Task<IActionResult> Delete(string resourceId, string path)
        {
+            var user = _authenticator.GetUser();
+
            if (!string.IsNullOrWhiteSpace(path))
            {
                path = HttpUtility.UrlDecode(path);
 @@ -244,6 +272,11 @@ namespace Coscine.Api.Project.Controllers
                return check;
            }

+            if (!_resourceModel.HasAccess(user, resource, UserRoles.Owner, UserRoles.Member))
+            {
+                return BadRequest("User does not have permission to the resource.");
+            }
+
            var authHeader = BuildAuthHeader(resource, new string[] { "gitlab" });

            if (authHeader == null)
 @@ -286,7 +319,6 @@ namespace Coscine.Api.Project.Controllers

            JToken resource = ObjectFactory<JToken>.DeserializeFromStream(Request.Body);

-
            string authHeader = null;
            if (resource["type"]["displayName"].ToString().ToLower() == "s3")
            {
 @@ -298,10 +330,12 @@ namespace Coscine.Api.Project.Controllers
            }
            else if (resource["type"]["displayName"].ToString().ToLower() == "gitlab")
            {
-                GitlabResourceType gitlabResourceType = new GitlabResourceType();
-                gitlabResourceType.RepositoryNumber = (int)resource["resourceTypeOption"]["RepositoryNumber"];
-                gitlabResourceType.RepositoryUrl = resource["resourceTypeOption"]["RepositoryUrl"].ToString();
-                gitlabResourceType.Token = resource["resourceTypeOption"]["Token"].ToString();
+                GitlabResourceType gitlabResourceType = new GitlabResourceType
+                {
+                    RepositoryNumber = (int)resource["resourceTypeOption"]["RepositoryNumber"],
+                    RepositoryUrl = resource["resourceTypeOption"]["RepositoryUrl"].ToString(),
+                    Token = resource["resourceTypeOption"]["Token"].ToString()
+                };
                authHeader = BuildGitlabAuthHeader(gitlabResourceType);
            }

 @@ -374,7 +408,7 @@ namespace Coscine.Api.Project.Controllers
            {
                return BadRequest($"{resourceId} is not a guid.");
            }
-            
+
            try
            {
                resource = _resourceModel.GetById(resourceGuid);
 @@ -382,11 +416,6 @@ namespace Coscine.Api.Project.Controllers
                {
                    return NotFound($"Could not find resource with id: {resourceId}");
                }
-                var user = _authenticator.GetUserFromToken();
-                if (!_resourceModel.OwnsResource(user, resource))
-                {
-                    return Forbid($"The user does not own the resource {resourceId}");
-                }
            }
            catch (Exception)
            {