HTBox · codingbandit · Oct 15, 2021 · Oct 14, 2021
diff --git a/api/TwoWeeksReady/EmergencyKits/BaseKitsApi.cs b/api/TwoWeeksReady/EmergencyKits/BaseKitsApi.cs
@@ -15,6 +15,7 @@
 using Newtonsoft.Json;
 using AzureFunctions.OidcAuthentication;
 using TwoWeeksReady.Common.EmergencyKits;
+using TwoWeeksReady.Authorization;
 
 namespace TwoWeeksReady.EmergencyKits
 {
@@ -74,7 +75,13 @@ public async Task<IActionResult> CreateBaseKit(
             return new UnauthorizedResult();
         }
 
-        var content = await new StreamReader(req.Body).ReadToEndAsync();
+        if (!authorizationResult.IsInRole(Roles.Admin))
+        {
+            log.LogWarning($"User is not in the {Roles.Admin} role");
+            return new UnauthorizedResult();
+        }
+
+            var content = await new StreamReader(req.Body).ReadToEndAsync();
         var newBaseKit = JsonConvert.DeserializeObject<BaseKit>(content);
         newBaseKit.Id = Guid.NewGuid().ToString();
         if(newBaseKit.Items.Count > 0) 
@@ -105,6 +112,12 @@ public async Task<IActionResult> UpdateBaseKit(
               return new UnauthorizedResult();
           }
 
+          if (!authorizationResult.IsInRole(Roles.Admin))
+          {
+              log.LogWarning($"User is not in the {Roles.Admin} role");
+              return new UnauthorizedResult();
+          }
+
           var content = await new StreamReader(req.Body).ReadToEndAsync();
           var kit = JsonConvert.DeserializeObject<BaseKit>(content);            
 
@@ -154,8 +167,13 @@ public async Task<IActionResult> DeleteBaseKit(
               log.LogWarning(authorizationResult.FailureReason);
               return new UnauthorizedResult();
           }
+          if (!authorizationResult.IsInRole(Roles.Admin))
+          {
+              log.LogWarning($"User is not in the {Roles.Admin} role");
+              return new UnauthorizedResult();
+          }
 
-          if(String.IsNullOrWhiteSpace(id))
+            if (String.IsNullOrWhiteSpace(id))
           {
               return new BadRequestObjectResult("Base Kit id was not specified.");
           }

diff --git a/api/TwoWeeksReady/Hazards/HazardApiBase.cs b/api/TwoWeeksReady/Hazards/HazardApiBase.cs
@@ -149,7 +149,7 @@ protected async Task<IActionResult> UpdateDocument(
         }
 
         protected async Task<IActionResult> DeleteDocument(
-           HttpRequest req, string id, DocumentClient client, ILogger log, string collectionName)
+           HttpRequest req, string id, DocumentClient client, ILogger log, string collectionName, string requiredRole = null)
         {
             log.LogInformation($"Deleting {collectionName} document: id = {id}");
             var authorizationResult = await _apiAuthentication.AuthenticateAsync(req.Headers);
@@ -158,6 +158,12 @@ protected async Task<IActionResult> DeleteDocument(
                 log.LogWarning(authorizationResult.FailureReason);
                 return new UnauthorizedResult();
             }
+
+            if (!string.IsNullOrEmpty(requiredRole) && !authorizationResult.IsInRole(requiredRole))
+            {
+                log.LogWarning($"User is not in the {requiredRole} role");
+                return new UnauthorizedResult();
+            }
 
             if (String.IsNullOrWhiteSpace(id))
             {

diff --git a/api/TwoWeeksReady/Hazards/HazardInfoApi.cs b/api/TwoWeeksReady/Hazards/HazardInfoApi.cs
@@ -78,7 +78,7 @@ public async Task<IActionResult> DeleteDocument(
             DocumentClient client,
           ILogger log)
       {
-         return await DeleteDocument(req, id, client, log, CollectionName);
+         return await DeleteDocument(req, id, client, log, CollectionName, Roles.Admin);
       }
    }
 }