social-media/backend/src/Socialize.Api/Infrastructure/Security/AccessScopeService.cs

using System.Security.Claims;
using Socialize.Modules.Identity.Contracts;

namespace Socialize.Infrastructure.Security;

public sealed class AccessScopeService
{
    public bool IsManager(ClaimsPrincipal user)
    {
        return user.IsInRole(KnownRoles.Administrator) || user.IsInRole(KnownRoles.Manager);
    }

    public bool IsProvider(ClaimsPrincipal user)
    {
        return user.IsInRole(KnownRoles.Provider);
    }

    public bool IsClient(ClaimsPrincipal user)
    {
        return user.IsInRole(KnownRoles.Client);
    }

    public bool CanAccessWorkspace(ClaimsPrincipal user, Guid workspaceId)
    {
        return IsManager(user) || user.GetWorkspaceScopeIds().Contains(workspaceId);
    }

    public bool CanManageWorkspace(ClaimsPrincipal user, Guid workspaceId)
    {
        return IsManager(user) && CanAccessWorkspace(user, workspaceId);
    }

    public bool CanAccessClient(ClaimsPrincipal user, Guid workspaceId, Guid clientId)
    {
        return IsManager(user)
               || (CanAccessWorkspace(user, workspaceId) && user.GetClientScopeIds().Contains(clientId));
    }

    public bool CanAccessProject(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid projectId)
    {
        return IsManager(user)
               || (CanAccessClient(user, workspaceId, clientId) && user.GetProjectScopeIds().Contains(projectId));
    }

    public bool CanContributeToProject(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid projectId)
    {
        return IsManager(user) || (IsProvider(user) && CanAccessProject(user, workspaceId, clientId, projectId));
    }

    public bool CanReviewContent(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid projectId)
    {
        return IsManager(user)
               || IsProvider(user) && CanAccessProject(user, workspaceId, clientId, projectId)
               || IsClient(user) && CanAccessClient(user, workspaceId, clientId);
    }
}