79 lines
2.2 KiB
C#
79 lines
2.2 KiB
C#
using System.Security.Claims;
|
|
using Microsoft.AspNetCore.Authorization;
|
|
using Microsoft.EntityFrameworkCore;
|
|
using Yavsc.Helpers;
|
|
using Yavsc.Models;
|
|
using Yavsc.Models.Blog;
|
|
using Yavsc.ViewModels.Auth;
|
|
|
|
namespace Yavsc.Extensions;
|
|
|
|
public class PermissionHandler : IAuthorizationHandler
|
|
{
|
|
ApplicationDbContext applicationDbContext;
|
|
public PermissionHandler(ApplicationDbContext applicationDbContext)
|
|
{
|
|
this.applicationDbContext = applicationDbContext;
|
|
}
|
|
public Task HandleAsync(AuthorizationHandlerContext context)
|
|
{
|
|
var pendingRequirements = context.PendingRequirements.ToList();
|
|
|
|
foreach (var requirement in pendingRequirements)
|
|
{
|
|
if (requirement is ReadPermission)
|
|
{
|
|
if (IsPublic(context.Resource))
|
|
{
|
|
context.Succeed(requirement);
|
|
}
|
|
else if (IsOwner(context.User, context.Resource)
|
|
|| IsSponsor(context.User, context.Resource))
|
|
{
|
|
context.Succeed(requirement);
|
|
}
|
|
}
|
|
else if (requirement is EditPermission || requirement is DeletePermission)
|
|
{
|
|
if (IsOwner(context.User, context.Resource))
|
|
{
|
|
context.Succeed(requirement);
|
|
}
|
|
}
|
|
}
|
|
|
|
return Task.CompletedTask;
|
|
}
|
|
|
|
private bool IsPublic(object? resource)
|
|
{
|
|
if (resource is BlogPost blogPost)
|
|
{
|
|
if (blogPost.ACL.Count==0)
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private static bool IsOwner(ClaimsPrincipal user, object? resource)
|
|
{
|
|
if (resource is BlogPost blogPost)
|
|
{
|
|
return blogPost.AuthorId == user.GetUserId();
|
|
}
|
|
return false;
|
|
}
|
|
|
|
private bool IsSponsor(ClaimsPrincipal user, object? resource)
|
|
{
|
|
if (resource is BlogPost blogPost)
|
|
{
|
|
return applicationDbContext.CircleMembers
|
|
.Include(c => c.Circle)
|
|
.Where(m=>m.MemberId==user.GetUserId() && m.Circle.OwnerId == blogPost.OwnerId)
|
|
.Any();
|
|
}
|
|
return true;
|
|
}
|
|
}
|