From 48b14bbe14d55ae0ed7f02fe6a5586414222eda1 Mon Sep 17 00:00:00 2001 From: Marko Milic Date: Mon, 21 Nov 2016 15:08:44 +0100 Subject: [PATCH] Add Roles for CanCreateEntitlement etc. #244 --- src/main/scala/code/api/util/ApiRole.scala | 20 +++++++++++++++++++ .../scala/code/api/v2_0_0/APIMethods200.scala | 8 ++++++-- 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/src/main/scala/code/api/util/ApiRole.scala b/src/main/scala/code/api/util/ApiRole.scala
index 4755c911e..219c4f5e0 100644
--- a/src/main/scala/code/api/util/ApiRole.scala
+++ b/src/main/scala/code/api/util/ApiRole.scala
@@ -45,9 +45,21 @@ object ApiRole {
 case object CanGetEntitlementsForAnyUserAtOneBank extends ApiRole{
 val requiresBankId = true
 }
+ case object CanCreateEntitlementAtOneBank extends ApiRole{
+ val requiresBankId = true
+ }
+ case object CanDeleteEntitlementAtOneBank extends ApiRole{
+ val requiresBankId = true
+ }
 case object CanGetEntitlementsForAnyUserAtAnyBank extends ApiRole{
 val requiresBankId = false
 }
+ case object CanCreateEntitlementAtAnyBank extends ApiRole{
+ val requiresBankId = false
+ }
+ case object CanDeleteEntitlementAtAnyBank extends ApiRole{
+ val requiresBankId = false
+ }
 case object CanGetConsumers extends ApiRole{
 val requiresBankId = false
 }
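Review bot: The four new roles carry no comment saying what they authorize, yet by the APIMethods200 hunk in this same patch they are the most powerful roles in the file: `CanCreateEntitlementAtOneBank` lets its holder grant any bank-scoped role at that bank to any user (including this role itself), and `CanCreateEntitlementAtAnyBank` appears to let its holder grant any role at all, so both are admin-equivalent and should be issued as carefully as super-admin. I would add above `CanCreateEntitlementAtOneBank`: `// Holder can confer any bank-scoped role at this bank, including this one; treat as bank admin.` and above `CanCreateEntitlementAtAnyBank`: `// Holder can confer roles at any bank (and, presumably, system roles); effectively super-admin.` The two Delete roles are declared here but, judging by the diffstat (only ApiRole.scala and APIMethods200.scala change), nothing in this patch checks them yet; a TODO naming the endpoint that is meant to enforce them would stop them being granted before they do anything.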
@@ -81,7 +93,11 @@ object ApiRole {
 case "CanGetSocialMediaHandles" => CanGetSocialMediaHandles
 case "CanCreateSandbox" => CanCreateSandbox
 case "CanGetEntitlementsForAnyUserAtOneBank" => CanGetEntitlementsForAnyUserAtOneBank
+ case "CanCreateEntitlementAtOneBank" => CanCreateEntitlementAtOneBank
+ case "CanDeleteEntitlementAtOneBank" => CanDeleteEntitlementAtOneBank
 case "CanGetEntitlementsForAnyUserAtAnyBank" => CanGetEntitlementsForAnyUserAtAnyBank
+ case "CanCreateEntitlementAtAnyBank" => CanCreateEntitlementAtAnyBank
+ case "CanDeleteEntitlementAtAnyBank" => CanDeleteEntitlementAtAnyBank
 case "CanGetConsumers" => CanGetConsumers
 case "CanDisableConsumers" => CanDisableConsumers
 case "CanEnableConsumers" => CanEnableConsumers
@@ -104,7 +120,11 @@ object ApiRole {
 "CanGetSocialMediaHandles" ::
 "CanCreateSandbox" ::
 "CanGetEntitlementsForAnyUserAtOneBank" ::
+ "CanCreateEntitlementAtOneBank" ::
+ "CanDeleteEntitlementAtOneBank" ::
 "CanGetEntitlementsForAnyUserAtAnyBank" ::
+ "CanCreateEntitlementAtAnyBank" ::
+ "CanDeleteEntitlementAtAnyBank" ::
 "CanGetConsumers" ::
 "CanDisableConsumers" ::
 "CanEnableConsumers" ::
diff --git a/src/main/scala/code/api/v2_0_0/APIMethods200.scala b/src/main/scala/code/api/v2_0_0/APIMethods200.scala
index 4c5f85f8d..44ca53618 100644
--- a/src/main/scala/code/api/v2_0_0/APIMethods200.scala
+++ b/src/main/scala/code/api/v2_0_0/APIMethods200.scala
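Review bot: The string match in `valueOf` and the name list in the second hunk are two hand-maintained copies of the same role set, and this patch had to edit both in four places; a role added to one but not the other is silently either un-parseable or un-advertised. Since every role is a `case object`, both can be derived from one `List[ApiRole]` of the objects, e.g. `roles.map(_.toString)` for the name list and `roles.find(_.toString == name)` in `valueOf`; the list's declaration and name are outside the hunk so I am not quoting them. Failing that, a unit test asserting that each listed name round-trips through `valueOf` would catch the drift.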
@@ -1788,14 +1788,18 @@ trait APIMethods200 { user => for { u <- user ?~ ErrorMessages.UserNotLoggedIn - isSuperAdmin <- booleanToBox(isSuperAdmin(u.userId)) ?~ "Logged user is not super admin!" user <- User.findByUserId(userId) ?~! ErrorMessages.UserNotFoundById postedData <- tryo{json.extract[CreateEntitlementJSON]} ?~ "wrong format JSON" + role <- tryo{valueOf(postedData.role_name)} ?~! "wrong role name" isBankOrSystemRoleOk <- booleanToBox(ApiRole.valueOf(postedData.role_name).requiresBankId == postedData.bank_id.nonEmpty) ?~! {if (ApiRole.valueOf(postedData.role_name).requiresBankId) ErrorMessages.EntitlementIsBankRole else ErrorMessages.EntitlementIsSystemRole} + allowedEntitlements = CanCreateEntitlementAtOneBank :: + CanCreateEntitlementAtAnyBank :: + Nil + isSuperAdmin <- booleanToBox(isSuperAdmin(u.userId) || hasAtLeastOneEntitlement(postedData.bank_id, u.userId, allowedEntitlements) == true) ?~ {"Logged user is not super admin or does not have entitlements: " + allowedEntitlements.mkString(", ") + "!"} bank <- booleanToBox(Bank(BankId(postedData.bank_id)).isEmpty == false || postedData.bank_id.nonEmpty == false) ?~! {ErrorMessages.BankNotFound} role <- tryo{valueOf(postedData.role_name)} ?~! "wrong role name" - hasEntitlement <- booleanToBox(hasEntitlement(postedData.bank_id, userId, role) == false, "Entitlement already exists for the user.") + hasEntitlement <- booleanToBox(hasEntitlement(postedData.bank_id, userId, role) == false, "Entitlement already exists for the user." ) addedEntitlement <- Entitlement.entitlement.vend.addEntitlement(postedData.bank_id, userId, postedData.role_name) } yield { val viewJson = JSONFactory200.createEntitlementJSON(addedEntitlement)
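Review bot: The new ordering lets any logged-in caller enumerate user ids: `user <- User.findByUserId(userId) ?~! ErrorMessages.UserNotFoundById`, the `wrong role name` check and the bank-vs-system check now all run before the `isSuperAdmin` binding, so a caller holding none of `allowedEntitlements` learns whether `userId` exists and whether the role name is valid instead of being rejected outright as the removed line did. The authorization step has to follow JSON extraction because it reads `postedData.bank_id`, but the target-user lookup does not; move `user <- User.findByUserId(userId) ?~! ErrorMessages.UserNotFoundById` to just after the `isSuperAdmin` binding. The second `role <- tryo{valueOf(postedData.role_name)} ?~! "wrong role name"` duplicates the binding added above it and can go, and `isBankOrSystemRoleOk` can test `role.requiresBankId` instead of calling `ApiRole.valueOf` twice more. Also worth a comment on `allowedEntitlements`: a holder of `CanCreateEntitlementAtOneBank` can confer that same role (or any other bank role) on any user at that bank, so nothing here stops the role from spreading — if that is not intended, exclude the entitlement-management roles from what a non-super-admin may grant. The enclosing endpoint definition starts and ends outside the hunk.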