Check user permissions when detaching files from a borehole (#1560)

danjov · web-flow · commit 7d50b87ea681 · 2024-10-01T08:41:30.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@
 ### Fixed
 
 - _view-sync_ did not clean up unpublished boreholes.
+- User permissions were not checked when detaching files from boreholes.
 
 ## v2.1.870 - 2024-09-27
 
diff --git a/src/api/Controllers/BoreholeFileController.cs b/src/api/Controllers/BoreholeFileController.cs
@@ -4,6 +4,7 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using System.ComponentModel.DataAnnotations;
+using System.Net;
 
 namespace BDMS.Controllers;
 
@@ -15,13 +16,15 @@ public class BoreholeFileController : ControllerBase
     private readonly BdmsContext context;
     private readonly BoreholeFileCloudService boreholeFileCloudService;
     private readonly ILogger logger;
+    private readonly IBoreholeLockService boreholeLockService;
 
-    public BoreholeFileController(BdmsContext context, ILogger<BoreholeFileController> logger, BoreholeFileCloudService boreholeFileCloudService)
+    public BoreholeFileController(BdmsContext context, ILogger<BoreholeFileController> logger, BoreholeFileCloudService boreholeFileCloudService, IBoreholeLockService boreholeLockService)
         : base()
     {
         this.logger = logger;
         this.boreholeFileCloudService = boreholeFileCloudService;
         this.context = context;
+        this.boreholeLockService = boreholeLockService;
     }
 
     /// <summary>
@@ -184,6 +187,12 @@ public async Task<IActionResult> DetachFromBorehole([Required, Range(1, int.MaxV
         if (boreholeId == 0) return BadRequest("No boreholeId provided.");
         if (boreholeFileId == 0) return BadRequest("No boreholeFileId provided.");
 
+        // Check if associated borehole is locked or user has permissions
+        if (await boreholeLockService.IsBoreholeLockedAsync(boreholeId, HttpContext.GetUserSubjectId()).ConfigureAwait(false))
+        {
+            return BadRequest("The borehole is locked by another user or you are missing permissions.");
+        }
+
         try
         {
             // Get the file and its borehole files from the database.
diff --git a/tests/Controllers/BoreholeFileControllerTest.cs b/tests/Controllers/BoreholeFileControllerTest.cs
@@ -46,10 +46,15 @@ public void TestInitialize()
         boreholeFileCloudServiceLoggerMock.Setup(l => l.Log(It.IsAny<LogLevel>(), It.IsAny<EventId>(), It.IsAny<It.IsAnyType>(), It.IsAny<Exception>(), (Func<It.IsAnyType, Exception, string>)It.IsAny<object>()));
         boreholeFileCloudService = new BoreholeFileCloudService(context, configuration, boreholeFileCloudServiceLoggerMock.Object, contextAccessorMock.Object, s3ClientMock);
 
+        var boreholeLockServiceMock = new Mock<IBoreholeLockService>(MockBehavior.Strict);
+        boreholeLockServiceMock
+            .Setup(x => x.IsBoreholeLockedAsync(It.IsAny<int?>(), It.IsAny<string?>()))
+            .ReturnsAsync(false);
+
         var boreholeFileControllerLoggerMock = new Mock<ILogger<BoreholeFileController>>(MockBehavior.Strict);
         boreholeFileControllerLoggerMock.Setup(l => l.Log(It.IsAny<LogLevel>(), It.IsAny<EventId>(), It.IsAny<It.IsAnyType>(), It.IsAny<Exception>(), (Func<It.IsAnyType, Exception, string>)It.IsAny<object>()));
-        controller = new BoreholeFileController(context, boreholeFileControllerLoggerMock.Object, boreholeFileCloudService);
-        controller.ControllerContext.HttpContext = new DefaultHttpContext();
+        controller = new BoreholeFileController(context, boreholeFileControllerLoggerMock.Object, boreholeFileCloudService, boreholeLockServiceMock.Object);
+        controller.ControllerContext = GetControllerContextAdmin();
     }
 
     [TestCleanup]
