upstream sync

2018-05-11 09:07:54 +02:00
parent 50a6362b67
commit 4852a5586c
23 changed files with 664 additions and 35 deletions
--- a/server/authorization/address.go
+++ b/server/authorization/address.go
@@ -0,0 +1,15 @@
+package authorization
+
+import (
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+func CanCreateAddress(user viewmodel.User, organization viewmodel.Organization) bool {
+	//rules are the same for address creation and for organization creation
+	return CanCreateOrganization(user, organization)
+}
+
+func CanUpdateAddress(user viewmodel.User, organization viewmodel.Organization) bool {
+	return CanCreateAddress(user, organization)
+}
--- a/server/authorization/authorization.go
+++ b/server/authorization/authorization.go
@@ -0,0 +1 @@
+package authorization
--- a/server/authorization/contact.go
+++ b/server/authorization/contact.go
@@ -0,0 +1,15 @@
+package authorization
+
+import (
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+func CanCreateContact(user viewmodel.User, organization viewmodel.Organization) bool {
+	//rules are the same for contact creation and for organization creation
+	return CanCreateOrganization(user, organization)
+}
+
+func CanUpdateContact(user viewmodel.User, organization viewmodel.Organization) bool {
+	return CanCreateAddress(user, organization)
+}
--- a/server/authorization/organization.go
+++ b/server/authorization/organization.go
@@ -0,0 +1,68 @@
+package authorization
+
+import (
+	"fmt"
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+func isAChildOrganization(potentialParent viewmodel.Organization, potentialChild viewmodel.Organization) bool {
+	for _, org := range potentialParent.ChildOrgs {
+		if potentialChild.UUID == org.UUID {
+			return true
+		}
+	}
+	return false
+}
+
+func isSameOrganization(organizationA viewmodel.Organization, organizationB viewmodel.Organization) bool {
+	return organizationA.UUID == organizationB.UUID
+}
+
+func grabOrgFromUser(user viewmodel.User) (viewmodel.Organization, error) {
+	if len(user.Organizations) < 1 {
+		return viewmodel.Organization{}, fmt.Errorf("User has no organizations %v", user)
+	}
+
+	return user.Organizations[0], nil
+}
+
+func CanCreateOrganization(user viewmodel.User, organization viewmodel.Organization ) bool {
+	userRole, err := grabProfileFromUser(user)
+	if err != nil {
+		return false
+	}
+
+	/*
+	Admin			BCBSI 
+	Admin			Technical Support
+	Super Admin 	Technical Support
+	
+	Manage all Organizations*/
+	if userRole.Key == bcbsiAdmin || userRole.Key == brighterDevAdmin || userRole.Key == superAdmin{
+		return true
+	}
+
+	userOrg, err := grabOrgFromUser(user)
+	if err != nil{
+		return false
+	}
+	
+	/*
+	Admin		Provider
+	Admin		Plan
+	
+	Manage the authenticated Authorized User's Organization and child Organizations */
+	if userRole.Key == providerAdmin || userRole.Key == planAdmin{
+		if isSameOrganization(userOrg, organization) || isAChildOrganization(userOrg, organization) {
+			return true
+		}
+		return false
+	}
+	
+	return false
+}
+
+func CanUpdateOrganization(user viewmodel.User, organization viewmodel.Organization) bool{
+	return CanCreateOrganization(user, organization)
+}
--- a/server/authorization/profile.go
+++ b/server/authorization/profile.go
@@ -0,0 +1,62 @@
+package authorization
+
+import (
+	"fmt"
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+const (
+	superAdmin       = "AD"
+	scheduler        = "SP"
+	support          = "SPT"
+	member           = "US"
+	brighterDevAdmin = "BDCAD"
+	bcbsiAdmin       = "BCBSIAD"
+	planAdmin        = "PLANAD"
+	providerAdmin    = "SCHDAD"
+)
+
+func grabProfileFromUser(user viewmodel.User) (viewmodel.Profile, error) {
+	if len(user.Profiles) < 1 {
+		return viewmodel.Profile{}, fmt.Errorf("User has no profiles %v", user)
+	}
+	return user.Profiles[0], nil
+}
+
+func morePrivileged(who viewmodel.Profile, towardsWhom viewmodel.Profile) bool {
+	order := []string{superAdmin, brighterDevAdmin, bcbsiAdmin, planAdmin, providerAdmin, support, scheduler, member}
+	for _, value := range order {
+		if value == who.Key {
+			return true
+		}
+
+		if value == towardsWhom.Key {
+			return false
+		}
+	}
+	// should hapen only in case profile key is empty
+	// and that's something fishy so let's deny!
+	return false
+}
+
+func equallyOrMorePrivileged(who viewmodel.Profile, towardsWhom viewmodel.Profile) bool {
+	if who.Key == towardsWhom.Key {
+		return true
+	}
+
+	return morePrivileged(who, towardsWhom)
+
+}
+
+func lessPrivilegedThanAdmin(who viewmodel.Profile) bool {
+	switch who.Key {
+	case member:
+		return true
+	case scheduler:
+		return true
+	case support:
+		return true
+	}
+	return false
+}
--- a/server/authorization/user.go
+++ b/server/authorization/user.go
@@ -0,0 +1,86 @@
+package authorization
+
+import "bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+
+/*
+CanCreateUser returns true if currentUser is allowed to create updatingUser according to
+authorization rules
+*/
+func CanCreateUser(currentUser viewmodel.User, updatingUser viewmodel.User) bool {
+
+	if len(currentUser.Profiles) < 1 {
+		return false
+	}
+
+	if len(updatingUser.Profiles) < 1 {
+		return false
+	}
+
+	currentUserOrganization, err := grabOrgFromUser(currentUser)
+	if err != nil {
+		return false
+	}
+
+	updatingUserOrganization, err := grabOrgFromUser(updatingUser)
+	if err != nil {
+		return false
+	}
+
+	currentUserRole, err := grabProfileFromUser(currentUser)
+	if err != nil {
+		return false
+	}
+
+	updatingUserRole, err := grabProfileFromUser(updatingUser)
+	if err != nil {
+		return false
+	}
+
+	/*
+		Admin	Provider
+		Manage all Authorized Users of the provider Organization or child organization
+
+		The (Provider) Admin can manage Authorized Users of their Parent/ Top-level Org , but not Admins
+	*/
+
+	currentUserHigherOrEqualOrg := isSameOrganization(currentUserOrganization, updatingUserOrganization) || isAChildOrganization(currentUserOrganization, updatingUserOrganization)
+	currentUserLowerOrg := isAChildOrganization(updatingUserOrganization, currentUserOrganization)
+	if currentUserRole.Key == providerAdmin && currentUserHigherOrEqualOrg && equallyOrMorePrivileged(currentUserRole, updatingUserRole) {
+		return true
+	}
+	if currentUserRole.Key == providerAdmin && currentUserLowerOrg && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin	BCBSI
+	Manage all Authorized Users except Admins
+
+	return false
+	*/
+
+	if currentUserRole.Key == bcbsiAdmin && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin	Technical Support	Manage all Authorized Users except Admins */
+
+	if currentUserRole.Key == brighterDevAdmin && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin	Plan	Manage all Authorized Users of a single participating Plan except Admins */
+
+	if currentUserRole.Key == planAdmin && lessPrivilegedThanAdmin(updatingUserRole) && isSameOrganization(currentUserOrganization, updatingUserOrganization) {
+		return true
+	}
+
+	/* Super Admin	Technical Support
+	Manage all Members, INCLUDING Admins */
+
+	if currentUserRole.Key == superAdmin {
+		return true
+	}
+
+	return false
+
+}