Merge pull request #955 from gordon-cs/s23-more-security-checks-getMe…
…mberships

S23 more security checks get memberships
antoniavonto authored Jul 10, 2023
2 parents 54723f1 + dfb4c49 commit b6e2819
Showing 2 changed files with 18 additions and 12 deletions.
29 changes: 17 additions & 12 deletions Gordon360/Controllers/MembershipsController.cs
Expand Up @@ -25,6 +25,7 @@ public MembershipsController(IMembershipService membershipService)
/// <summary>
/// Get all the memberships associated with a given activity
/// </summary>
/// <param name="myProf">Optional boolean indication if you are searching for your public profile</param>
/// <param name="involvementCode">Optional involvementCode filter</param>
/// <param name="username">Optional username filter</param>
/// <param name="sessionCode">Optional session code for which session memberships should be retrieved. Defaults to current session. Use "*" for all sessions.</param>
Expand All @@ -34,25 +35,29 @@ public MembershipsController(IMembershipService membershipService)
[StateYourBusiness(operation = Operation.READ_PARTIAL, resource = Resource.MEMBERSHIP)]
public ActionResult<IEnumerable<MembershipView>> GetMemberships(string? involvementCode = null, string? username = null, string? sessionCode = null, [FromQuery] List<string>? participationTypes = null)
{
var authenticatedUserUsername = AuthUtils.GetUsername(User);
var viewerGroups = AuthUtils.GetGroups(User);

var memberships = _membershipService.GetMemberships(
activityCode: involvementCode,
username: username,
sessionCode: sessionCode,
participationTypes: participationTypes);

if (username is not null)
// When user is null, only SiteAdmin and Police can see all the user's memberships.
if ((username is null) && !(viewerGroups.Contains(AuthGroup.SiteAdmin)
|| viewerGroups.Contains(AuthGroup.Police)))
{
memberships = _membershipService.RemovePrivateMemberships(memberships, authenticatedUserUsername);
return Ok(memberships);
}
// Only user, siteAdmin and Police can see all the user's memberships.
else if (!(username == authenticatedUserUsername
|| viewerGroups.Contains(AuthGroup.SiteAdmin)
|| viewerGroups.Contains(AuthGroup.Police)
))
{
var authenticatedUserUsername = AuthUtils.GetUsername(User);
var viewerGroups = AuthUtils.GetGroups(User);

// User can see all their own memberships. SiteAdmin and Police can see all of anyone's memberships
if (!(username == authenticatedUserUsername
|| viewerGroups.Contains(AuthGroup.SiteAdmin)
|| viewerGroups.Contains(AuthGroup.Police)
))
{
memberships = _membershipService.RemovePrivateMemberships(memberships, authenticatedUserUsername);
}
memberships = _membershipService.RemovePrivateMemberships(memberships, authenticatedUserUsername);
}

return Ok(memberships);
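Review bot: The `(username is null) && ...` branch and the `else if` branch both end in the same `RemovePrivateMemberships` call, and the `return Ok(memberships);` inside the first branch duplicates the return at the bottom of the method, so the early return can go and the two conditions can collapse into one guard: `var privileged = viewerGroups.Contains(AuthGroup.SiteAdmin) || viewerGroups.Contains(AuthGroup.Police);` followed by `if (!privileged && (username is null || username != authenticatedUserUsername)) { memberships = _membershipService.RemovePrivateMemberships(memberships, authenticatedUserUsername); }`, which keeps the null-username case fail-closed without repeating the call. The self check `username == authenticatedUserUsername` is an ordinal, case-sensitive comparison; if usernames are treated case-insensitively elsewhere in the app, a caller who spells their own name with different casing gets their private memberships stripped (fail-closed, so not an exposure, but surprising), and `string.Equals(username, authenticatedUserUsername, StringComparison.OrdinalIgnoreCase)` may be the intended semantics. In the first hunk, `/// <param name="myProf">` names a parameter that `GetMemberships` does not have, so that doc line should be dropped or renamed to match the signature. This rendering does not mark which lines are old and new, so the above reads the `(username is null) && ...` form as the new code; the method's closing brace lies outside the hunk.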
1 change: 1 addition & 0 deletions Gordon360/Documentation/Gordon360.xml

