diff --git a/api/TwoWeeksReady/EmergencyKits/BaseKitsApi.cs b/api/TwoWeeksReady/EmergencyKits/BaseKitsApi.cs
index 2c0183d..455ced2 100644
--- a/api/TwoWeeksReady/EmergencyKits/BaseKitsApi.cs
+++ b/api/TwoWeeksReady/EmergencyKits/BaseKitsApi.cs
@@ -15,6 +15,7 @@ using Newtonsoft.Json;
 using AzureFunctions.OidcAuthentication;
 using TwoWeeksReady.Common.EmergencyKits;
+using TwoWeeksReady.Authorization;
 namespace TwoWeeksReady.EmergencyKits
 {
@@ -74,7 +75,13 @@ public async Task CreateBaseKit(
                 return new UnauthorizedResult();
             }
-            var content = await new StreamReader(req.Body).ReadToEndAsync();
+            if (!authorizationResult.IsInRole(Roles.Admin))
+            {
+                log.LogWarning($"User is not in the {Roles.Admin} role");
+                return new UnauthorizedResult();
+            }
+
+            var content = await new StreamReader(req.Body).ReadToEndAsync();
             var newBaseKit = JsonConvert.DeserializeObject(content);
             newBaseKit.Id = Guid.NewGuid().ToString();
             if(newBaseKit.Items.Count > 0)
@@ -105,6 +112,12 @@ public async Task UpdateBaseKit(
                 return new UnauthorizedResult();
             }
+            if (!authorizationResult.IsInRole(Roles.Admin))
+            {
+                log.LogWarning($"User is not in the {Roles.Admin} role");
+                return new UnauthorizedResult();
+            }
+
             var content = await new StreamReader(req.Body).ReadToEndAsync();
             var kit = JsonConvert.DeserializeObject(content);
@@ -154,8 +167,13 @@ public async Task DeleteBaseKit(
                 log.LogWarning(authorizationResult.FailureReason);
                 return new UnauthorizedResult();
             }
+            if (!authorizationResult.IsInRole(Roles.Admin))
+            {
+                log.LogWarning($"User is not in the {Roles.Admin} role");
+                return new UnauthorizedResult();
+            }
-            if(String.IsNullOrWhiteSpace(id))
+            if (String.IsNullOrWhiteSpace(id))
             {
                 return new BadRequestObjectResult("Base Kit id was not specified.");
             }
diff --git a/api/TwoWeeksReady/Hazards/HazardApiBase.cs b/api/TwoWeeksReady/Hazards/HazardApiBase.cs
index 784ce02..206d447 100644
--- a/api/TwoWeeksReady/Hazards/HazardApiBase.cs
+++ b/api/TwoWeeksReady/Hazards/HazardApiBase.cs
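Review bot: The new role gate in CreateBaseKit answers a caller who is authenticated but merely lacks the Admin role with `UnauthorizedResult` (401), which tells the client to re-authenticate when re-authenticating cannot help; the same block is repeated verbatim in the UpdateBaseKit (-105) and DeleteBaseKit (-154) hunks. A 403 describes the outcome, e.g. `return new StatusCodeResult(StatusCodes.Status403Forbidden);` (StatusCodes lives in Microsoft.AspNetCore.Http, which the file presumably already imports for HttpRequest — confirm). The warning names the missing role but not the caller; logging whatever subject identifier the authentication result exposes alongside it would make repeated denials attributable in the function logs. Since HazardApiBase.cs in this same commit gains a shared `requiredRole` check, the three copies here are candidates for one private helper so the gate cannot drift between the handlers. CreateBaseKit's body continues outside the hunk.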
@@ -149,7 +149,7 @@ protected async Task UpdateDocument(
         }
         protected async Task DeleteDocument(
-            HttpRequest req, string id, DocumentClient client, ILogger log, string collectionName)
+            HttpRequest req, string id, DocumentClient client, ILogger log, string collectionName, string requiredRole = null)
         {
             log.LogInformation($"Deleting {collectionName} document: id = {id}");
             var authorizationResult = await _apiAuthentication.AuthenticateAsync(req.Headers);
@@ -158,6 +158,12 @@ protected async Task DeleteDocument(
                 log.LogWarning(authorizationResult.FailureReason);
                 return new UnauthorizedResult();
             }
+
+            if (!string.IsNullOrEmpty(requiredRole) && !authorizationResult.IsInRole(requiredRole))
+            {
+                log.LogWarning($"User is not in the {requiredRole} role");
+                return new UnauthorizedResult();
+            }
             if (String.IsNullOrWhiteSpace(id))
             {
diff --git a/api/TwoWeeksReady/Hazards/HazardInfoApi.cs b/api/TwoWeeksReady/Hazards/HazardInfoApi.cs
index 9318619..7fcab53 100644
--- a/api/TwoWeeksReady/Hazards/HazardInfoApi.cs
+++ b/api/TwoWeeksReady/Hazards/HazardInfoApi.cs
@@ -78,7 +78,7 @@ public async Task DeleteDocument(
             DocumentClient client,
             ILogger log)
         {
-            return await DeleteDocument(req, id, client, log, CollectionName);
+            return await DeleteDocument(req, id, client, log, CollectionName, Roles.Admin);
         }
     }
 }
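Review bot: The role check in DeleteDocument is opt-in: `requiredRole` defaults to null in the signature hunk at -149, so any caller that keeps the old five-argument form silently stays at authenticated-only access and nothing at the call site signals the omission. If admin-only is meant to be the norm for deletes, dropping the default so every caller states its role explicitly is the safer shape; at minimum an XML `<param name="requiredRole">` doc on DeleteDocument should say that null or empty disables the role check. As in the BaseKitsApi hunks, a caller who is authenticated but lacks the role receives `UnauthorizedResult` (401) where 403 describes the outcome; `return new StatusCodeResult(StatusCodes.Status403Forbidden);` would keep the two failure modes distinguishable to clients and in logs. UpdateDocument, whose closing brace is the context at the top of the -149 hunk, shows no equivalent parameter in this diff. DeleteDocument's body continues outside the hunk.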
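Review bot: `Roles.Admin` is referenced here but no `using TwoWeeksReady.Authorization;` is added to HazardInfoApi.cs, unlike BaseKitsApi.cs in this same commit; unless that namespace is already imported above the hunk (not visible here), the new line will not compile. Only the delete path of the hazard-info collection is gated to Admin in this diff; whatever create and update handlers HazardInfoApi exposes are outside the hunk and, if present, need the same role so a non-admin cannot still write what they can no longer delete. The enclosing class and the DeleteDocument override both start outside the hunk.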