Merge pull request #207 from AppliedIS/issue-118

allow ViewAllApplications claim to download attachments

DOL.WHD.Section14c.Api/Controllers/AttachmentController.cs

@@ -76,12 +76,13 @@ public async Task<IHttpActionResult> Post(string EIN)
         /// <returns></returns>
         [HttpGet]
         [Route("{EIN}/{fileId}")]
-        [AuthorizeClaims(ApplicationClaimTypes.SubmitApplication)]
+        [AuthorizeClaims(ApplicationClaimTypes.SubmitApplication, ApplicationClaimTypes.ViewAllApplications)]
         public HttpResponseMessage Download(string EIN, Guid fileId)
         {
-            // make sure user has rights to the EIN
+            // make sure user has rights to the EIN or has View All Application rights
             var hasEINClaim = _identityService.UserHasEINClaim(User, EIN);
-            if (!hasEINClaim)
+            var hasViewAllFeature = _identityService.UserHasFeatureClaim(User, ApplicationClaimTypes.ViewAllApplications);
+            if (!hasEINClaim && !hasViewAllFeature)
             {
                 return new HttpResponseMessage(HttpStatusCode.Unauthorized);
             }

DOL.WHD.Section14c.Business/IIdentityService.cs

@@ -5,6 +5,6 @@ namespace DOL.WHD.Section14c.Business
     public interface IIdentityService
     {
         bool UserHasEINClaim(IPrincipal user, string EIN);
-
+        bool UserHasFeatureClaim(IPrincipal user, string feature);
     }
 }

DOL.WHD.Section14c.Business/Services/IdentityService.cs

@@ -1,6 +1,7 @@
 using System.Linq;
 using System.Security.Claims;
 using System.Security.Principal;
+using DOL.WHD.Section14c.Domain.Models.Identity;
 
 namespace DOL.WHD.Section14c.Business.Services
 {
@@ -12,5 +13,11 @@ public bool UserHasEINClaim(IPrincipal user, string EIN)
             var einClaims = identity.Claims.Where(c => c.Type == "EIN").Select(c => c.Value);
             return einClaims.Contains(EIN);
         }
+
+        public bool UserHasFeatureClaim(IPrincipal user, string feature)
+        {
+            var identity = (ClaimsIdentity)user.Identity;
+            return identity.Claims.Any(c => c.Type == feature);
+        }
     }
 }

DOL.WHD.Section14c.Test/Business/IdentityServiceTests.cs

@@ -6,6 +6,7 @@
 using System.Text;
 using System.Threading.Tasks;
 using DOL.WHD.Section14c.Business.Services;
+using DOL.WHD.Section14c.Domain.Models.Identity;
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 using Moq;
 
@@ -63,5 +64,47 @@ public void ValidatesEINClaims_DoesNotHaveClaim()
             // Assert
             Assert.IsFalse(hasClaim);
         }
+
+
+        [TestMethod]
+        public void ValidatesFeatureClaims_HasClaim()
+        {
+            // Arrange
+            var featureToTest = ApplicationClaimTypes.ViewAllApplications;
+            var claims = new List<Claim>
+            {
+                new Claim(featureToTest, true.ToString())
+            };
+            _mockIdentity.Setup(i => i.Claims).Returns(claims);
+            _mockUser.Setup(u => u.Identity).Returns(_mockIdentity.Object);
+            var service = new IdentityService();
+
+            // Act
+            var hasClaim = service.UserHasFeatureClaim(_mockUser.Object, featureToTest);
+
+            // Assert
+            Assert.IsTrue(hasClaim);
+        }
+
+        [TestMethod]
+        public void ValidatesFeatureClaims_DoesNotHaveClaim()
+        {
+            // Arrange
+            var featureToTest = ApplicationClaimTypes.SubmitApplication;
+            var featureToCheck = ApplicationClaimTypes.ViewAllApplications;
+            var claims = new List<Claim>
+            {
+                new Claim(featureToTest, true.ToString())
+            };
+            _mockIdentity.Setup(i => i.Claims).Returns(claims);
+            _mockUser.Setup(u => u.Identity).Returns(_mockIdentity.Object);
+            var service = new IdentityService();
+
+            // Act
+            var hasClaim = service.UserHasFeatureClaim(_mockUser.Object, featureToCheck);
+
+            // Assert
+            Assert.IsFalse(hasClaim);
+        }
     }
 }