From 8082e2f88b08c263cb4603099562b4249df7c7ae Mon Sep 17 00:00:00 2001
From: Stephen Birarda <commit@birarda.com>
Date: Mon, 21 Jul 2014 17:41:22 -0700
Subject: [PATCH] allow a user to be let into domain-server based on role

---
 domain-server/src/DomainServer.cpp            | 27 ++++++++++++++-----
 .../src/DomainServerWebSessionData.cpp        |  9 ++++---
 .../src/DomainServerWebSessionData.h          |  2 +-
 3 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/domain-server/src/DomainServer.cpp b/domain-server/src/DomainServer.cpp
index 3c0a088869..52da966d46 100644
--- a/domain-server/src/DomainServer.cpp
+++ b/domain-server/src/DomainServer.cpp
@@ -1289,13 +1289,25 @@ bool DomainServer::isAuthenticatedRequest(HTTPConnection* connection, const QUrl
             if (_argumentVariantMap.value(ADMIN_USERS_CONFIG_KEY).toJsonValue().toArray().contains(profileUsername)) {
                 // this is an authenticated user
                 return true;
-            } else {
-                QString unauthenticatedRequest = "You do not have permission to access this domain-server.";
-                connection->respond(HTTPConnection::StatusCode401, unauthenticatedRequest.toUtf8());
-                
-                // the user does not have allowed username or role, return 401
-                return false;
             }
+            
+            // loop the roles of this user and see if they are in the admin-roles array
+            QJsonArray adminRolesArray = _argumentVariantMap.value(ADMIN_ROLES_CONFIG_KEY).toJsonValue().toArray();
+            
+            if (!adminRolesArray.isEmpty()) {
+                foreach(const QString& userRole, sessionData.getRoles()) {
+                    if (adminRolesArray.contains(userRole)) {
+                        // this user has a role that allows them to administer the domain-server
+                        return true;
+                    }
+                }
+            }
+            
+            QString unauthenticatedRequest = "You do not have permission to access this domain-server.";
+            connection->respond(HTTPConnection::StatusCode401, unauthenticatedRequest.toUtf8());
+            
+            // the user does not have allowed username or role, return 401
+            return false;
         } else {
             // re-direct this user to OAuth page
             
@@ -1402,9 +1414,10 @@ Headers DomainServer::setupCookieHeadersFromProfileReply(QNetworkReply* profileR
     QUuid cookieUUID = QUuid::createUuid();
     
     QJsonDocument profileDocument = QJsonDocument::fromJson(profileReply->readAll());
+    QJsonObject userObject = profileDocument.object()["data"].toObject()["user"].toObject();
     
     // add the profile to our in-memory data structure so we know who the user is when they send us their cookie
-    _cookieSessionHash.insert(cookieUUID, DomainServerWebSessionData(profileDocument));
+    _cookieSessionHash.insert(cookieUUID, DomainServerWebSessionData(userObject));
     
     // setup expiry for cookie to 1 month from today
     QDateTime cookieExpiry = QDateTime::currentDateTimeUtc().addMonths(1);
diff --git a/domain-server/src/DomainServerWebSessionData.cpp b/domain-server/src/DomainServerWebSessionData.cpp
index de73ca77dd..b0c56cc59e 100644
--- a/domain-server/src/DomainServerWebSessionData.cpp
+++ b/domain-server/src/DomainServerWebSessionData.cpp
@@ -9,7 +9,8 @@
 //  See the accompanying file LICENSE or http://www.apache.org/licenses/LICENSE-2.0.html
 //
 
-#include <QtCore/QJsonDocument>
+#include <QtCore/QDebug>
+#include <QtCore/QJsonArray>
 #include <QtCore/QJsonObject>
 
 #include "DomainServerWebSessionData.h"
@@ -21,13 +22,13 @@ DomainServerWebSessionData::DomainServerWebSessionData() :
     
 }
 
-DomainServerWebSessionData::DomainServerWebSessionData(const QJsonDocument& profileDocument) :
+DomainServerWebSessionData::DomainServerWebSessionData(const QJsonObject& userObject) :
     _roles()
 {
-    _username = profileDocument.object()["user"].toObject()["username"].toString();
+    _username = userObject["username"].toString();
     
     // pull each of the roles and throw them into our set
-    foreach(const QJsonValue& rolesValue, profileDocument.object()["user"].toObject()["roles"].toObject()) {
+    foreach(const QJsonValue& rolesValue, userObject["roles"].toArray()) {
         _roles.insert(rolesValue.toString());
     }
 }
diff --git a/domain-server/src/DomainServerWebSessionData.h b/domain-server/src/DomainServerWebSessionData.h
index cd2410cf66..15e4171b57 100644
--- a/domain-server/src/DomainServerWebSessionData.h
+++ b/domain-server/src/DomainServerWebSessionData.h
@@ -19,7 +19,7 @@ class DomainServerWebSessionData : public QObject {
     Q_OBJECT
 public:
     DomainServerWebSessionData();
-    DomainServerWebSessionData(const QJsonDocument& profileDocument);
+    DomainServerWebSessionData(const QJsonObject& userObject);
     DomainServerWebSessionData(const DomainServerWebSessionData& otherSessionData);
     DomainServerWebSessionData& operator=(const DomainServerWebSessionData& otherSessionData);