diff --git a/api/src/Controllers/UsersController.cs b/api/src/Controllers/UsersController.cs
index f00325f..5adafb7 100644
--- a/api/src/Controllers/UsersController.cs
+++ b/api/src/Controllers/UsersController.cs
@@ -66,6 +66,54 @@ public class UsersController : ControllerBase {
 return NoContent();
 }
+ [Authorize(Policy = Permission.SensitiveData_Modify)]
+ [HttpDelete("{id}/permission")]
+ public async Task removePermission(string id, string permission) {
+
+ var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+ if(userId == id) return BadRequest(); // dont allow permission removal of yourself
+
+ // get list of permissions of that user
+ var user = await service_.GetById(id);
+ if (user == null) return NotFound();
+ if(user.Permissions == null) return NotFound();
+
+ // verify that the requested permission exists on that user
+ if(!user.Permissions.Contains(permission)) return NotFound();
+
+ // remove the permission from the permission list
+ user.Permissions.Remove(permission);
+
+ // update the user
+ await service_.Update(id, user);
+
+ return NoContent();
+ }
+
+ [Authorize(Policy = Permission.SensitiveData_Modify)]
+ [HttpPost("{id}/{permission}")] // TODO: this was made with a single button per permission in mind, but may be better as sending an array
+ public async Task addPermission(string id, string permission) {
+
+ // we'll allow the superuser to elevate their own permissions because they're the superuser
+
+ // get list of permissions of the user
+ var user = await service_.GetById(id);
+ if (user == null) return NotFound();
+ if(user.Permissions == null) return NotFound();
+
+ // remove add the permission to the user's permission list (if it doesnt already exist)
+ if(user.Permissions.Contains(permission)) return NoContent();
+ user.Permissions.Add(permission);
+
+ // update the user
+ await service_.Update(id, user);
+
+ return NoContent();
+
+ // fyi the user will need to sign out and sign back in so the new permissions are reflected in their jwt claims
+ // TODO: or on the client i could issue a refresh token request after a permission api call
+ }
+
 // TODO: add controls on editing roles
 }
\ No newline at end of file
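Review bot: Both `removePermission` and `addPermission` are declared `async Task` but return `BadRequest()`, `NotFound()` and `NoContent()`, so the action result type must be carried in the signature: `public async Task<IActionResult> removePermission(string id, string permission) {` and the same for `addPermission`. `addPermission` also persists whatever string arrives in the `{permission}` route segment without checking it against the declared `Permission` constants, so a typo or unknown name lands in `user.Permissions` and will never match a policy; validate it first and return `BadRequest()` for unknown values. A change to another account's privileges is exactly what an audit trail is for: log the acting `userId`, the target `id`, the permission and add/remove before `service_.Update`, noting that `addPermission` never resolves the actor at all. The two routes are inconsistent as well, with delete reading `permission` from the query string (`{id}/permission`) and post from the route (`{id}/{permission}`); picking one shape keeps client code and authorization tests simpler.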
diff --git a/client/src/models/User.ts b/client/src/models/User.ts
index 5df874b..48c9573 100644
--- a/client/src/models/User.ts
+++ b/client/src/models/User.ts
@@ -7,6 +7,7 @@ export interface UserDto {
 email: string;
 id: string;
 userName: string;
+ permissions: string;
 }
 export interface RegisterDto {
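Review bot: `permissions: string;` does not match the server side of this same commit, where `user.Permissions` is a collection used with `Contains`, `Add` and `Remove`, so the DTO field should be `permissions: string[];`. With the scalar type any client-side membership check (for example deciding whether to show the remove button) would compare against the whole serialized list rather than one entry, and a later switch to an array payload would silently break the type contract.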