Merge pull request #1066 from gordon-cs/security-hotfix-schedule-access

Add SYB to schedules
gordon-cs · Sep 11, 2024 · 18bc5bf · 18bc5bf
2 parents 6cfdf8d + e5f12b6
commit 18bc5bf
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/Gordon360/Authorization/StateYourBusiness.cs b/Gordon360/Authorization/StateYourBusiness.cs
@@ -44,6 +44,7 @@ public class StateYourBusiness : ActionFilterAttribute
  private IMembershipService _membershipService;
  private IMembershipRequestService _membershipRequestService;
  private INewsService _newsService;
+ private IAccountService _accountService;
 
  //RecIM services
  private IParticipantService _recimParticipantService;
@@ -64,12 +65,13 @@ public async override Task OnActionExecutionAsync(ActionExecutingContext actionC
  _membershipRequestService = context.HttpContext.RequestServices.GetRequiredService<IMembershipRequestService>();
  _newsService = context.HttpContext.RequestServices.GetRequiredService<INewsService>();
  _CCTContext = context.HttpContext.RequestServices.GetService<CCTContext>();
+ _accountService = context.HttpContext.RequestServices.GetRequiredService<IAccountService>();
 
  // set RecIM services
  _recimParticipantService = context.HttpContext.RequestServices.GetRequiredService<IParticipantService>();
  _recimTeamService = context.HttpContext.RequestServices.GetRequiredService<ITeamService>();
  _recimActivityService = context.HttpContext.RequestServices.GetRequiredService<Services.RecIM.IActivityService>();
-
+ 
  user_name = AuthUtils.GetUsername(authenticatedUser);
  user_groups = AuthUtils.GetGroups(authenticatedUser);
 
@@ -187,6 +189,10 @@ private async Task<bool> CanReadOneAsync(string resource)
  }
  case Resource.NEWS:
  return true;
+ case Resource.STUDENT_SCHEDULE:
+ if (context.ActionArguments["username"] is string viewed_username)
+ return user_groups.Contains(AuthGroup.Advisors) || viewed_username.EqualsIgnoreCase(user_name) || _accountService.GetAccountByUsername(viewed_username).AccountType.EqualsIgnoreCase("FACULTY");
+ return false;
  default: return false;
 
  }

diff --git a/Gordon360/Controllers/ScheduleController.cs b/Gordon360/Controllers/ScheduleController.cs
@@ -2,6 +2,7 @@
 using Gordon360.Enums;
 using Gordon360.Models.ViewModels;
 using Gordon360.Services;
+using Gordon360.Static.Names;
 using Microsoft.AspNetCore.Mvc;
 using System.Collections.Generic;
 using System.Linq;
@@ -10,7 +11,7 @@
 namespace Gordon360.Controllers;
 
 [Route("api/[controller]")]
-public class ScheduleController(IScheduleService scheduleService) : ControllerBase
+public class ScheduleController(IScheduleService scheduleService) : GordonControllerBase
 {
 
  /// <summary>
@@ -19,6 +20,7 @@ public class ScheduleController(IScheduleService scheduleService) : ControllerBa
  /// <returns>A IEnumerable of session objects as well as the schedules</returns>
  [HttpGet]
  [Route("{username}/allcourses")]
+ [StateYourBusiness(operation = Operation.READ_ONE, resource = Resource.STUDENT_SCHEDULE)]
  public async Task<ActionResult<CoursesBySessionViewModel>> GetAllCourses(string username)
  {
  IEnumerable<CoursesBySessionViewModel> result = await scheduleService.GetAllCoursesAsync(username);

diff --git a/Gordon360/Static Classes/Names.cs b/Gordon360/Static Classes/Names.cs
@@ -36,6 +36,7 @@ public static class Resource
  public const string RECIM_PARTICIPANT_ADMIN = "The admin status of a RecIM participating user";
  public const string RECIM_SUPER_ADMIN = "A RecIM director level resource";
  public const string RECIM_SURFACE = "RecIM Surfaces/Playing fields/Locations";
+ public const string STUDENT_SCHEDULE = "A student's schedule events";
 
  // Partial resources, to be targetted by Operation.READ_PARTIAL
  public const string MEMBERSHIP_REQUEST_BY_ACTIVITY = "Membership Request Resources associated with an activity";