upstream sync

server/router/organizationroute/controller.go

@@ -10,6 +10,7 @@ import (
 	"bitbucket.org/nemt/nemt-portal-api/infra/cache"
 	"bitbucket.org/nemt/nemt-portal-api/infra/config"
 	"bitbucket.org/nemt/nemt-portal-api/server/router/routeutils"
+	"bitbucket.org/nemt/nemt-portal-api/server/authorization"
 	"github.com/labstack/echo"
 )
 
@@ -64,6 +65,11 @@ func (c *controller) handleAddOrganization(ctx echo.Context) error {
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
+
+	if !authorization.CanCreateOrganization(authUser, org) {
+		return routeutils.ResponseAPIAuthorizationError(ctx)
+	}
+
 	org.Author.ID = authUser.ID
 	org.LastEditor.ID = authUser.ID
 
@@ -127,6 +133,15 @@ func (c *controller) handleParent(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}
 
+	organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	if !authorization.CanUpdateOrganization(authUser, organization){
+		return routeutils.ResponseAPIAuthorizationError(ctx)
+	}
+
 	resp, err := c.svc.Organization.SetParentOrganization(orgUUID, parent.UUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
@@ -152,6 +167,15 @@ func (c *controller) handleChild(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}
 
+	organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	if !authorization.CanUpdateOrganization(authUser, organization){
+		return routeutils.ResponseAPIAuthorizationError(ctx)
+	}
+
 	_, err = c.svc.Organization.SetParentOrganization(child.UUID, orgUUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
@@ -246,6 +270,18 @@ func (c *controller) handleAddAddress(ctx echo.Context) error {
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
+
+	organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	if !authorization.CanCreateAddress(authUser, organization) {
+		return routeutils.ResponseAPIAuthorizationError(ctx)
+	}
+
+	return routeutils.ResponseAPIAuthorizationError(ctx)
+
 	address.CreatedUser.ID = authUser.ID
 	address.UpdatedUser.ID = authUser.ID
 
@@ -278,6 +314,7 @@ func (c *controller) handleRemoveContact(ctx echo.Context) error {
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
+
 	contact.UpdatedUser.ID = authUser.ID
 
 	err = c.svc.Organization.InactivateOrganizationContact(orgUUID, contact, authUser)
@@ -309,6 +346,16 @@ func (c *controller) handleAddContact(ctx echo.Context) error {
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
+
+	organization, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	if !authorization.CanCreateContact(authUser, organization) {
+		return routeutils.ResponseAPIAuthorizationError(ctx)
+	}
+
 	contact.CreatedUser.ID = authUser.ID
 	contact.UpdatedUser.ID = authUser.ID
 

server/router/routeutils/response.go

@@ -33,6 +33,18 @@ func ResponseAPIOK(c echo.Context, data interface{}) error {
 	return c.JSON(http.StatusOK, data)
 }
 
+// ResponseAPIErrorWithData returns a standard API error with additional data to the response
+func ResponseAPIErrorWithData(c echo.Context, status int, message string, redirect bool, data interface{}) error {
+	returnValue := resultWrapper{
+		Error:    true,
+		Message:  message,
+		Redirect: redirect,
+		Data:	  data,
+	}
+
+	return c.JSON(status, returnValue)
+}
+
 // ResponseAPIError returns a standard API error to the response
 func ResponseAPIError(c echo.Context, status int, message string, redirect bool) error {
 	returnValue := resultWrapper{
@@ -49,6 +61,11 @@ func ResponseAPIAuthError(c echo.Context, message string, redirect bool) error {
 	return ResponseAPIError(c, http.StatusUnauthorized, message, redirect)
 }
 
+// ResponseAPIAuthorizationError returns a standard API auth error to the response
+func ResponseAPIAuthorizationError(c echo.Context) error {
+	return ResponseAPIError(c, http.StatusForbidden, "Forbidden by controller", false)
+}
+
 // ResponseAPIServiceError returns a standard API service unavailable error to the response
 func ResponseAPIServiceError(c echo.Context, message string) error {
 	return ResponseAPIError(c, http.StatusServiceUnavailable, message, false)
@@ -59,6 +76,11 @@ func ResponseAPIValidationError(c echo.Context, message string) error {
 	return ResponseAPIError(c, http.StatusUnprocessableEntity, message, false)
 }
 
+// ResponseAPICustomValidationError returns a standard API validation error with custom data to the response
+func ResponseAPICustomValidationError(c echo.Context, message string, data interface{}) error {
+	return ResponseAPIErrorWithData(c, http.StatusUnprocessableEntity, message, false, data)
+}
+
 // ResponseAPIFieldValidationError returns a standard API field validation error to the response
 func ResponseAPIFieldValidationError(c echo.Context, field string, message string) error {
 	err := errors.NewValidationError(field, message)

server/router/tncroute/controller.go

@@ -15,6 +15,7 @@ import (
 	"bitbucket.org/nemt/nemt-portal-api/infra/auth"
 	"bitbucket.org/nemt/nemt-portal-api/infra/config"
 	"bitbucket.org/nemt/nemt-portal-api/server/router/routeutils"
+	"bitbucket.org/nemt/nemt-portal-api/server/validation"
 	"github.com/labstack/echo"
 	uuid "github.com/satori/go.uuid"
 	"google.golang.org/api/googleapi/transport"
@@ -231,6 +232,11 @@ func (c *controller) handle(ctx echo.Context) error {
 		return routeutils.ResponseAPIValidationError(ctx, "User not found")
 	}
 
+	//Validate ride request
+	if validationErrors := validation.ValidateRide(&requestRide, &user) ; len(validationErrors) > 0 {
+		return routeutils.ResponseAPICustomValidationError(ctx, "ride validation failed", validationErrors)
+	}
+
 	createdUser, err := auth.GetUserDetail(ctx, c.cfg)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
@@ -869,4 +875,4 @@ func (c *controller) handleReady(ctx echo.Context) error {
 	}()
 
 	return routeutils.ResponseAPIOK(ctx, nextRide)
-}
+}

server/router/usersroute/controller.go

@@ -13,6 +13,7 @@ import (
 	"bitbucket.org/nemt/nemt-portal-api/infra/auth"
 	"bitbucket.org/nemt/nemt-portal-api/infra/cache"
 	"bitbucket.org/nemt/nemt-portal-api/infra/config"
+	"bitbucket.org/nemt/nemt-portal-api/server/authorization"
 	"bitbucket.org/nemt/nemt-portal-api/server/router/routeutils"
 	"github.com/labstack/echo"
 )
@@ -127,6 +128,62 @@ func (c *controller) handleRemoveAddress(ctx echo.Context) error {
 	return routeutils.ResponseNoContent(ctx, addressID)
 }
 
+func (c *controller) handlePortalContact(ctx echo.Context) error {
+	userID, err := routeutils.GetAndValidateStringParam(ctx, "user_uuid", "mandatory field")
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	item, err := c.svc.Users.GetByUUID(userID, "")
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	createdUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	if item.ID == "" {
+		return routeutils.ResponseAPIValidationError(ctx, "User not found")
+	} else {
+		var Contact viewmodel.Contact
+		if err := ctx.Bind(&Contact); err != nil {
+			return routeutils.HandleAPIError(ctx, err)
+		}
+		Contact.User = item
+		Contact.Author = createdUser
+		Contact, err = c.svc.Users.SaveContact(Contact)
+		if err != nil {
+			return routeutils.HandleAPIError(ctx, err)
+		}
+
+		// Contact.User, err = c.svc.Users.GetByUUID(userID, "")
+		// if err != nil {
+		// 	return routeutils.HandleAPIError(ctx, err)
+		// }
+
+		return routeutils.ResponseAPIOK(ctx, Contact)
+	}
+}
+
+func (c *controller) handleRemoveContact(ctx echo.Context) error {
+	contactUUID, err := routeutils.GetAndValidateStringParam(ctx, "contact_uuid", "mandatory field")
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	contact := viewmodel.Contact{
+		ID: contactUUID,
+	}
+	contact, err = c.svc.Users.RemoveContact(contact)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	return routeutils.ResponseNoContent(ctx, contact)
+}
+
 func (c *controller) handleMemberAddress(ctx echo.Context) error {
 	userID, err := routeutils.GetAndValidateStringParam(ctx, "user_uuid", "mandatory field")
 	if err != nil {
@@ -389,6 +446,10 @@ func (c *controller) handlePortal(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}
 
+	if !authorization.CanCreateUser(authUser, user) {
+		return routeutils.ResponseAPIAuthorizationError(ctx)
+	}
+
 	if len(user.Profiles) == 0 {
 		return routeutils.ResponseAPIAuthError(ctx, "profile is required", false)
 	}

server/router/usersroute/router.go

@@ -17,6 +17,8 @@ const (
 	userDetailRoute          = "/portal/:user_uuid"
 	userAddressRoute         = "/portal/:user_uuid/address"
 	userRemoveAddressRoute   = "/portal/:user_uuid/address/:address_uuid"
+	userContactRoute         = "/portal/:user_uuid/contact"
+	userRemoveContactRoute   = "/portal/:user_uuid/contact/:contact_uuid"
 	portalRoute              = "/portal"
 	portalBulkRoute          = "/portal/bulk"
 	contacttypeRoute         = "/contacttype"
@@ -41,6 +43,9 @@ func Register(r *echo.Group, cfg *config.Config, svc *applicationservice.Service
 	r.POST(userAddressRoute, ctrl.handlePortalAddress)
 	r.PUT(userRemoveAddressRoute, ctrl.handleRemoveAddress)
 
+	r.POST(userContactRoute, ctrl.handlePortalContact)
+	r.PUT(userRemoveContactRoute, ctrl.handleRemoveContact)
+
 	//Can be cached
 	r.GET(contacttypeRoute, ctrl.handleContactType)