Upstream sync
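--- a/server/authorization/authorization.go
+++ b/server/authorization/authorization.go
@@ -0,0 +1 @@
+package authorization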
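--- a/server/authorization/organization.go
+++ b/server/authorization/organization.go
@@ -0,0 +1,28 @@
+package authorization
+
+import (
+	"fmt"
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+func isAChildOrganization(potentialParent viewmodel.Organization, potentialChild viewmodel.Organization) bool {
+	for _, org := range potentialParent.ChildOrgs {
+		if potentialChild.UUID == org.UUID {
+			return true
+		}
+	}
+	return false
+}
+
+func isSameOrganization(organizationA viewmodel.Organization, organizationB viewmodel.Organization) bool {
+	return organizationA.UUID == organizationB.UUID
+}
+
+func grabOrgFromUser(user viewmodel.User) (viewmodel.Organization, error) {
+	if len(user.Organizations) < 1 {
+		return viewmodel.Organization{}, fmt.Errorf("User has no organizations %v", user)
+	}
+
+	return user.Organizations[0], nil
+}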
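Review bot: `grabOrgFromUser` formats the whole `viewmodel.User` into its error with `%v`, so whatever that struct carries (contact details, credentials or tokens, if the viewmodel holds any) lands in error text and in any log that prints it; identify the user by a single ID field instead, e.g. `return viewmodel.Organization{}, fmt.Errorf("user %s has no organizations", user.UUID)` (field name to be confirmed against the viewmodel). The same helper authorizes on `Organizations[0]` alone, so a user who belongs to several organizations is evaluated as only the first one listed. `isSameOrganization` and `isAChildOrganization` compare UUIDs without rejecting the zero value, so two organizations whose UUID is unset compare as the same org; a guard such as `if organizationA.UUID == "" { return false }` (assuming UUID is a string) keeps that case fail-closed. Note also that `isAChildOrganization` looks one level deep, so a grandchild is not a child unless `ChildOrgs` is already flattened by the caller.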
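--- a/server/authorization/profile.go
+++ b/server/authorization/profile.go
@@ -0,0 +1,62 @@
+package authorization
+
+import (
+	"fmt"
+
+	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+)
+
+const (
+	superAdmin       = "AD"
+	scheduler        = "SP"
+	support          = "SPT"
+	member           = "US"
+	brighterDevAdmin = "BDCAD"
+	bcbsiAdmin       = "BCBSIAD"
+	planAdmin        = "PLANAD"
+	providerAdmin    = "SCHDAD"
+)
+
+func grabProfileFromUser(user viewmodel.User) (viewmodel.Profile, error) {
+	if len(user.Profiles) < 1 {
+		return viewmodel.Profile{}, fmt.Errorf("User has no profiles %v", user)
+	}
+	return user.Profiles[0], nil
+}
+
+func morePrivileged(who viewmodel.Profile, towardsWhom viewmodel.Profile) bool {
+	order := []string{superAdmin, brighterDevAdmin, bcbsiAdmin, planAdmin, providerAdmin, support, scheduler, member}
+	for _, value := range order {
+		if value == who.Key {
+			return true
+		}
+
+		if value == towardsWhom.Key {
+			return false
+		}
+	}
+	// should hapen only in case profile key is empty
+	// and that's something fishy so let's deny!
+	return false
+}
+
+func equallyOrMorePrivileged(who viewmodel.Profile, towardsWhom viewmodel.Profile) bool {
+	if who.Key == towardsWhom.Key {
+		return true
+	}
+
+	return morePrivileged(who, towardsWhom)
+
+}
+
+func lessPrivilegedThanAdmin(who viewmodel.Profile) bool {
+	switch who.Key {
+	case member:
+		return true
+	case scheduler:
+		return true
+	case support:
+		return true
+	}
+	return false
+}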
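Review bot: `morePrivileged` returns true as soon as `who.Key` is found in `order`, so a `towardsWhom.Key` that is not a known role (empty, misspelled, or a key this package does not list) is ranked below every known role; the trailing deny comment only covers the case where both keys are unknown. `CanCreateUser` reaches this through `equallyOrMorePrivileged` in the provider-admin rule, so a target profile with an unrecognised key would pass that rule instead of being rejected. Resolving both keys through a rank map and denying when either is missing makes unknown roles fail closed; the equal-key case is already handled by `equallyOrMorePrivileged`, so the comparison can be strict (if another caller outside this commit relied on `morePrivileged` returning true for equal keys, use `<=` instead). Separately, `grabProfileFromUser` prints the whole user struct with `%v` in its error, the same exposure as in the organization helper, and the comment typo `hapen` should read `happen`.
```go
// privilegeRank orders profile keys from most to least privileged
// (lower rank wins); keys absent from the map are unknown roles.
var privilegeRank = map[string]int{
	superAdmin: 0, brighterDevAdmin: 1, bcbsiAdmin: 2, planAdmin: 3,
	providerAdmin: 4, support: 5, scheduler: 6, member: 7,
}

func morePrivileged(who viewmodel.Profile, towardsWhom viewmodel.Profile) bool {
	whoRank, whoKnown := privilegeRank[who.Key]
	towardsRank, towardsKnown := privilegeRank[towardsWhom.Key]
	// An unknown or empty key on either side is denied rather than
	// treated as the lowest privilege.
	if !whoKnown || !towardsKnown {
		return false
	}
	return whoRank < towardsRank
}
```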
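--- a/server/authorization/user.go
+++ b/server/authorization/user.go
@@ -0,0 +1,86 @@
+package authorization
+
+import "bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
+
+/*
+CanCreateUser returns true if currentUser is allowed to create updatingUser according to
+authorization rules
+*/
+func CanCreateUser(currentUser viewmodel.User, updatingUser viewmodel.User) bool {
+
+	if len(currentUser.Profiles) < 1 {
+		return false
+	}
+
+	if len(updatingUser.Profiles) < 1 {
+		return false
+	}
+
+	currentUserOrganization, err := grabOrgFromUser(currentUser)
+	if err != nil {
+		return false
+	}
+
+	updatingUserOrganization, err := grabOrgFromUser(updatingUser)
+	if err != nil {
+		return false
+	}
+
+	currentUserRole, err := grabProfileFromUser(currentUser)
+	if err != nil {
+		return false
+	}
+
+	updatingUserRole, err := grabProfileFromUser(updatingUser)
+	if err != nil {
+		return false
+	}
+
+	/*
+		Admin Provider
+		Manage all Authorized Users of the provider Organization or child organization
+
+		The (Provider) Admin can manage Authorized Users of their Parent/ Top-level Org , but not Admins
+	*/
+
+	currentUserHigherOrEqualOrg := isSameOrganization(currentUserOrganization, updatingUserOrganization) || isAChildOrganization(currentUserOrganization, updatingUserOrganization)
+	currentUserLowerOrg := isAChildOrganization(updatingUserOrganization, currentUserOrganization)
+	if currentUserRole.Key == providerAdmin && currentUserHigherOrEqualOrg && equallyOrMorePrivileged(currentUserRole, updatingUserRole) {
+		return true
+	}
+	if currentUserRole.Key == providerAdmin && currentUserLowerOrg && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin BCBSI
+	Manage all Authorized Users except Admins
+
+	return false
+	*/
+
+	if currentUserRole.Key == bcbsiAdmin && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin Technical Support Manage all Authorized Users except Admins */
+
+	if currentUserRole.Key == brighterDevAdmin && lessPrivilegedThanAdmin(updatingUserRole) {
+		return true
+	}
+
+	/* Admin Plan Manage all Authorized Users of a single participating Plan except Admins */
+
+	if currentUserRole.Key == planAdmin && lessPrivilegedThanAdmin(updatingUserRole) && isSameOrganization(currentUserOrganization, updatingUserOrganization) {
+		return true
+	}
+
+	/* Super Admin Technical Support
+	Manage all Members, INCLUDING Admins */
+
+	if currentUserRole.Key == superAdmin {
+		return true
+	}
+
+	return false
+
+}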
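Review bot: `CanCreateUser` decides on `updatingUser.Profiles[0]` and `updatingUser.Organizations[0]` only (through `grabProfileFromUser` and `grabOrgFromUser`), so any further profile or organization on the target is never checked: a BCBSI, technical-support or plan admin could create a user whose first profile is `member` and second is `superAdmin`, and a provider admin could create a user whose second organization lies outside their own scope, assuming the create path persists every profile and organization it is handed. Every profile/organization combination the target carries should satisfy the rules; the sketch below moves the existing per-role rules into a helper and loops over them, keeping the early guards and the current-user lookups as they are, and adds the missing `len(updatingUser.Organizations)` guard so an empty list cannot make the loop vacuously succeed. The provider-admin rule also depends on `equallyOrMorePrivileged`, which accepts a target key outside the known role set, so either that helper or this loop should reject unrecognised keys. Minor: the comment block above the BCBSI rule contains a stray `return false` line that reads like code and should be dropped from the comment.
```go
func CanCreateUser(currentUser viewmodel.User, updatingUser viewmodel.User) bool {
	// … unchanged: len(Profiles) guards, currentUserOrganization and currentUserRole lookups …

	if len(updatingUser.Organizations) < 1 {
		return false
	}

	// Every profile and organization carried by updatingUser must be
	// permitted on its own; checking only index 0 lets a second, more
	// privileged profile (or an out-of-scope organization) through.
	for _, updatingUserRole := range updatingUser.Profiles {
		for _, updatingUserOrganization := range updatingUser.Organizations {
			if !canCreateRoleInOrg(currentUserRole, currentUserOrganization, updatingUserRole, updatingUserOrganization) {
				return false
			}
		}
	}
	return true
}

// canCreateRoleInOrg holds the per-role rules that formed the body of
// CanCreateUser, unchanged apart from taking the target profile and
// organization as parameters.
func canCreateRoleInOrg(currentUserRole viewmodel.Profile, currentUserOrganization viewmodel.Organization, updatingUserRole viewmodel.Profile, updatingUserOrganization viewmodel.Organization) bool {
	// … unchanged: providerAdmin, bcbsiAdmin, brighterDevAdmin, planAdmin and superAdmin rules …
	return false
}
```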