using System.Security.Claims;
using Socialize.Api.Modules.Identity.Contracts;
using Socialize.Api.Modules.Organizations.Services;
namespace Socialize.Api.Infrastructure.Security;
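/// <summary>
/// Authorization predicates for the workspace / client / campaign hierarchy.
/// The synchronous <c>Can*</c> methods decide purely from the caller's claims
/// (roles plus the workspace, client and campaign scope-id claims); the
/// <c>*Async</c> variants additionally consult <see cref="OrganizationAccessService"/>
/// for permissions inherited through the organization.
/// </summary>
/// <remarks>
/// Every <c>Can*</c> method grants managers (see <see cref="IsManager"/>) before it
/// looks at any scope claim or organization permission. The async variants evaluate
/// the claim-based decision first and only call the organization service when the
/// claims alone do not grant access, so the I/O is skipped whenever it is not needed.
///
/// NOTE(review): the scope checks treat <c>workspaceId</c>, <c>clientId</c> and
/// <c>campaignId</c> as three independent sets. Nothing in this class verifies that the
/// given client actually belongs to the given workspace, or the campaign to the client.
/// A caller that relies on that relationship must validate it against the data; this
/// service only answers "does the principal have each id in scope".
/// </remarks>
public sealed class AccessScopeService(
    OrganizationAccessService organizationAccessService)
{
    /// <summary>
    /// True when <paramref name="user"/> holds the Administrator or Manager role.
    /// Managers short-circuit every other predicate in this service.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool IsManager(ClaimsPrincipal user)
    {
        ArgumentNullException.ThrowIfNull(user);
        return user.IsInRole(KnownRoles.Administrator) || user.IsInRole(KnownRoles.Manager);
    }

    /// <summary>True when <paramref name="user"/> holds the Provider role.</summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool IsProvider(ClaimsPrincipal user)
    {
        ArgumentNullException.ThrowIfNull(user);
        return user.IsInRole(KnownRoles.Provider);
    }

    /// <summary>True when <paramref name="user"/> holds the Client role.</summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool IsClient(ClaimsPrincipal user)
    {
        ArgumentNullException.ThrowIfNull(user);
        return user.IsInRole(KnownRoles.Client);
    }

    /// <summary>
    /// Claims-only workspace access: managers, or a principal whose workspace scope
    /// claims include <paramref name="workspaceId"/>. Organization-inherited access is
    /// not considered here; use <see cref="CanAccessWorkspaceAsync"/> for that.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool CanAccessWorkspace(ClaimsPrincipal user, Guid workspaceId)
    {
        ArgumentNullException.ThrowIfNull(user);
        return IsManager(user) || user.GetWorkspaceScopeIds().Contains(workspaceId);
    }

    /// <summary>
    /// Claims-only workspace management. Only managers qualify: a manager already passes
    /// <see cref="CanAccessWorkspace"/> for every workspace, so the second operand can
    /// never turn a manager away. Unlike <see cref="CanManageWorkspaceAsync"/>, the
    /// ManageWorkspaces organization permission does not grant this.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool CanManageWorkspace(ClaimsPrincipal user, Guid workspaceId)
    {
        ArgumentNullException.ThrowIfNull(user);
        return IsManager(user) && CanAccessWorkspace(user, workspaceId);
    }

    /// <summary>
    /// Claims-only client access: managers, or workspace access plus a client scope
    /// claim for <paramref name="clientId"/>.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool CanAccessClient(ClaimsPrincipal user, Guid workspaceId, Guid clientId)
    {
        ArgumentNullException.ThrowIfNull(user);
        return IsManager(user)
            || (CanAccessWorkspace(user, workspaceId) && user.GetClientScopeIds().Contains(clientId));
    }

    /// <summary>
    /// Claims-only campaign access: managers, or client access plus a campaign scope
    /// claim for <paramref name="campaignId"/>.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool CanAccessCampaign(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid campaignId)
    {
        ArgumentNullException.ThrowIfNull(user);
        return IsManager(user)
            || (CanAccessClient(user, workspaceId, clientId) && user.GetCampaignScopeIds().Contains(campaignId));
    }

    /// <summary>
    /// Claims-only contribution right: managers, or a Provider with campaign access.
    /// Clients never contribute through this path.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool CanContributeToCampaign(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid campaignId)
    {
        ArgumentNullException.ThrowIfNull(user);
        return IsManager(user)
            || (IsProvider(user) && CanAccessCampaign(user, workspaceId, clientId, campaignId));
    }

    /// <summary>
    /// Claims-only review right: managers; Providers with campaign access; Clients with
    /// client access (a Client is not required to hold the campaign in scope).
    /// Parentheses make the intended grouping explicit — <c>&amp;&amp;</c> binds tighter
    /// than <c>||</c>, which is what the decision relies on.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool CanReviewContent(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid campaignId)
    {
        ArgumentNullException.ThrowIfNull(user);
        return IsManager(user)
            || (IsProvider(user) && CanAccessCampaign(user, workspaceId, clientId, campaignId))
            || (IsClient(user) && CanAccessClient(user, workspaceId, clientId));
    }

    /// <summary>
    /// Workspace ids the principal may access, as computed by the organization service.
    /// This service adds no role or claim logic of its own here.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public Task<IReadOnlyCollection<Guid>> GetAccessibleWorkspaceIdsAsync(
        ClaimsPrincipal user,
        CancellationToken ct)
    {
        ArgumentNullException.ThrowIfNull(user);
        return organizationAccessService.GetAccessibleWorkspaceIdsAsync(user, ct);
    }

    /// <summary>
    /// Workspace access including organization inheritance: the claims-only decision
    /// (<see cref="CanAccessWorkspace"/>) or the AccessOwnedWorkspaces permission
    /// inherited for <paramref name="workspaceId"/>.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public async Task<bool> CanAccessWorkspaceAsync(
        ClaimsPrincipal user,
        Guid workspaceId,
        CancellationToken ct)
    {
        // Cheap, claims-only path first; the organization lookup is consulted only when needed.
        if (CanAccessWorkspace(user, workspaceId))
        {
            return true;
        }

        return await organizationAccessService.HasInheritedWorkspacePermissionAsync(
            user,
            workspaceId,
            OrganizationPermissions.AccessOwnedWorkspaces,
            ct);
    }

    /// <summary>
    /// Workspace management including organization inheritance: managers, or the
    /// ManageWorkspaces permission inherited for <paramref name="workspaceId"/>.
    /// Note that a workspace scope claim alone does not grant management.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public async Task<bool> CanManageWorkspaceAsync(
        ClaimsPrincipal user,
        Guid workspaceId,
        CancellationToken ct)
    {
        if (IsManager(user))
        {
            return true;
        }

        return await organizationAccessService.HasInheritedWorkspacePermissionAsync(
            user,
            workspaceId,
            OrganizationPermissions.ManageWorkspaces,
            ct);
    }

    /// <summary>
    /// Workspace creation in <paramref name="organizationId"/>: managers, or the
    /// CreateWorkspaces permission held directly on that organization.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public async Task<bool> CanCreateWorkspaceAsync(
        ClaimsPrincipal user,
        Guid organizationId,
        CancellationToken ct)
    {
        if (IsManager(user))
        {
            return true;
        }

        return await organizationAccessService.HasOrganizationPermissionAsync(
            user,
            organizationId,
            OrganizationPermissions.CreateWorkspaces,
            ct);
    }

    /// <summary>
    /// Client access including organization inheritance: the claims-only decision
    /// (<see cref="CanAccessClient"/>), or the AccessOwnedWorkspaces permission inherited
    /// for <paramref name="workspaceId"/>. The inherited permission grants every client
    /// in the workspace — <paramref name="clientId"/> is not consulted on that path.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public async Task<bool> CanAccessClientAsync(
        ClaimsPrincipal user,
        Guid workspaceId,
        Guid clientId,
        CancellationToken ct)
    {
        // Claims first: managers and in-scope workspace+client pairs need no I/O.
        if (CanAccessClient(user, workspaceId, clientId))
        {
            return true;
        }

        return await organizationAccessService.HasInheritedWorkspacePermissionAsync(
            user,
            workspaceId,
            OrganizationPermissions.AccessOwnedWorkspaces,
            ct);
    }

    /// <summary>
    /// Campaign access including organization inheritance: the claims-only decision
    /// (<see cref="CanAccessCampaign"/>), or the AccessOwnedWorkspaces permission inherited
    /// for <paramref name="workspaceId"/>. As with clients, the inherited permission grants
    /// every campaign in the workspace regardless of <paramref name="campaignId"/>.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public async Task<bool> CanAccessCampaignAsync(
        ClaimsPrincipal user,
        Guid workspaceId,
        Guid clientId,
        Guid campaignId,
        CancellationToken ct)
    {
        // One organization lookup at most; the claim chain is evaluated synchronously first.
        if (CanAccessCampaign(user, workspaceId, clientId, campaignId))
        {
            return true;
        }

        return await organizationAccessService.HasInheritedWorkspacePermissionAsync(
            user,
            workspaceId,
            OrganizationPermissions.AccessOwnedWorkspaces,
            ct);
    }

    /// <summary>
    /// Contribution right including organization inheritance: managers; the
    /// ManageWorkspaces permission inherited for <paramref name="workspaceId"/>; or a
    /// Provider with campaign access (claims or inherited AccessOwnedWorkspaces).
    /// Contribution deliberately requires the stronger ManageWorkspaces permission on the
    /// non-Provider path, whereas review only needs AccessOwnedWorkspaces.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public async Task<bool> CanContributeToCampaignAsync(
        ClaimsPrincipal user,
        Guid workspaceId,
        Guid clientId,
        Guid campaignId,
        CancellationToken ct)
    {
        // Claims-only decision covers managers and Providers with the campaign in scope.
        if (CanContributeToCampaign(user, workspaceId, clientId, campaignId))
        {
            return true;
        }

        if (await organizationAccessService.HasInheritedWorkspacePermissionAsync(
                user,
                workspaceId,
                OrganizationPermissions.ManageWorkspaces,
                ct))
        {
            return true;
        }

        // A Provider may still reach the campaign through inherited AccessOwnedWorkspaces.
        return IsProvider(user)
            && await CanAccessCampaignAsync(user, workspaceId, clientId, campaignId, ct);
    }

    /// <summary>
    /// Review right including organization inheritance: the claims-only decision
    /// (<see cref="CanReviewContent"/>), or the AccessOwnedWorkspaces permission inherited
    /// for <paramref name="workspaceId"/>. The inherited permission is sufficient on its
    /// own, independent of role, which is why a single lookup decides the remainder.
    /// </summary>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public async Task<bool> CanReviewContentAsync(
        ClaimsPrincipal user,
        Guid workspaceId,
        Guid clientId,
        Guid campaignId,
        CancellationToken ct)
    {
        if (CanReviewContent(user, workspaceId, clientId, campaignId))
        {
            return true;
        }

        return await organizationAccessService.HasInheritedWorkspacePermissionAsync(
            user,
            workspaceId,
            OrganizationPermissions.AccessOwnedWorkspaces,
            ct);
    }
}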