diff --git a/Gordon360/Authorization/StateYourBusiness.cs b/Gordon360/Authorization/StateYourBusiness.cs
index f85621ce5..865f3962c 100644
--- a/Gordon360/Authorization/StateYourBusiness.cs
+++ b/Gordon360/Authorization/StateYourBusiness.cs
@@ -45,6 +45,7 @@ public class StateYourBusiness : ActionFilterAttribute
 private IMembershipService _membershipService;
 private IMembershipRequestService _membershipRequestService;
 private INewsService _newsService;
+ private IAccountService _accountService;
 
 //RecIM services
 private IParticipantService _recimParticipantService;
@@ -65,12 +66,13 @@ public async override Task OnActionExecutionAsync(ActionExecutingContext actionC
 _membershipRequestService = context.HttpContext.RequestServices.GetRequiredService();
 _newsService = context.HttpContext.RequestServices.GetRequiredService();
 _CCTContext = context.HttpContext.RequestServices.GetService();
+ _accountService = context.HttpContext.RequestServices.GetRequiredService();
 
 // set RecIM services
 _recimParticipantService = context.HttpContext.RequestServices.GetRequiredService();
 _recimTeamService = context.HttpContext.RequestServices.GetRequiredService();
 _recimActivityService = context.HttpContext.RequestServices.GetRequiredService();
-
+
 user_name = AuthUtils.GetUsername(authenticatedUser);
 user_groups = AuthUtils.GetGroups(authenticatedUser);
 
@@ -188,6 +190,10 @@ private async Task CanReadOneAsync(string resource)
 }
 case Resource.NEWS:
 return true;
+ case Resource.STUDENT_SCHEDULE:
+ if (context.ActionArguments["username"] is string viewed_username)
+ return user_groups.Contains(AuthGroup.Advisors) || viewed_username.EqualsIgnoreCase(user_name) || _accountService.GetAccountByUsername(viewed_username).AccountType.EqualsIgnoreCase("FACULTY");
+ return false;
 default:
 return false;
 }
diff --git a/Gordon360/Controllers/ScheduleController.cs b/Gordon360/Controllers/ScheduleController.cs
index bb3a20f8b..7253adc55 100644
--- a/Gordon360/Controllers/ScheduleController.cs
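Review bot: In the new `Resource.STUDENT_SCHEDULE` branch of `CanReadOneAsync` the access decision dereferences `_accountService.GetAccountByUsername(viewed_username).AccountType` with no null handling, so a route username that resolves to no account ends in a `NullReferenceException` (or whatever the service throws for unknown users — not visible here) rather than a clean deny, and `context.ActionArguments["username"]` throws `KeyNotFoundException` if the action parameter is ever renamed. Because this is an authorization check, any failure of the lookup should fall through to `return false`, and the lookup already runs last only thanks to short-circuiting, which is worth keeping. Suggested: `if (context.ActionArguments.TryGetValue("username", out var arg) && arg is string viewed_username)` and `|| _accountService.GetAccountByUsername(viewed_username)?.AccountType?.EqualsIgnoreCase("FACULTY") == true;`. The policy this encodes — advisors and the user themself may always read, and any caller that reaches the filter may read a faculty member's schedule — deserves a comment above the `case`, e.g. `// Faculty schedules are readable by any caller; a student's only by themself or an advisor.`, and the hard-coded `"FACULTY"` would be clearer as a named constant next to the other resource/group names. `CanReadOneAsync` begins before this hunk.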
+++ b/Gordon360/Controllers/ScheduleController.cs
@@ -2,6 +2,7 @@
 using Gordon360.Enums;
 using Gordon360.Models.ViewModels;
 using Gordon360.Services;
+using Gordon360.Static.Names;
 using Microsoft.AspNetCore.Mvc;
 using System.Collections.Generic;
 using System.Linq;
@@ -19,6 +20,7 @@ public class ScheduleController(IScheduleService scheduleService) : ControllerBa
 /// A IEnumerable of session objects as well as the schedules
 [HttpGet]
 [Route("{username}/allcourses")]
+ [StateYourBusiness(operation = Operation.READ_ONE, resource = Resource.STUDENT_SCHEDULE)]
 public async Task> GetAllCourses(string username)
 {
 IEnumerable result = await scheduleService.GetAllCoursesAsync(username);
diff --git a/Gordon360/Static Classes/Names.cs b/Gordon360/Static Classes/Names.cs
index c852e7e75..c41090a56 100644
--- a/Gordon360/Static Classes/Names.cs
+++ b/Gordon360/Static Classes/Names.cs
@@ -36,6 +36,7 @@ public static class Resource
 public const string RECIM_PARTICIPANT_ADMIN = "The admin status of a RecIM participating user";
 public const string RECIM_SUPER_ADMIN = "A RecIM director level resource";
 public const string RECIM_SURFACE = "RecIM Surfaces/Playing fields/Locations";
+ public const string STUDENT_SCHEDULE = "A student's schedule events";
 
 // Partial resources, to be targetted by Operation.READ_PARTIAL
 public const string MEMBERSHIP_REQUEST_BY_ACTIVITY = "Membership Request Resources associated with an activity";
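Review bot: The `[StateYourBusiness(operation = Operation.READ_ONE, resource = Resource.STUDENT_SCHEDULE)]` added to `GetAllCourses` protects only this one action, and the filter's check is tied to the parameter being literally named `username` (it reads `ActionArguments["username"]`), so the protection rests on a naming convention rather than anything the compiler enforces. If `ScheduleController` exposes other actions that return schedule data (none are visible in this hunk), they remain unprotected unless they carry the same attribute — worth confirming in the full file. A short comment would make the coupling explicit, e.g. `// Per-user authorization is done by StateYourBusiness, which reads the "username" route argument by name.`. The body of `GetAllCourses` continues outside the hunk.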