Role check implemented in cohort endpoints

Roman Eriksen · Roman Eriksen · commit 55eb6ce22151 · 2025-09-23T10:38:24.000+02:00
diff --git a/exercise.wwwapi/Endpoints/CohortEndpoints.cs b/exercise.wwwapi/Endpoints/CohortEndpoints.cs
@@ -2,12 +2,14 @@
 using exercise.wwwapi.DTOs;
 using exercise.wwwapi.DTOs.Cohort;
 using exercise.wwwapi.DTOs.Posts;
+using exercise.wwwapi.Helpers;
 using exercise.wwwapi.Models;
 using exercise.wwwapi.Repository;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using System.Linq;
+using System.Security.Claims;
 
 namespace exercise.wwwapi.Endpoints
 {
@@ -86,9 +88,19 @@ public static async Task<IResult> GetCohortByUserId(IRepository<Cohort> cohortRe
         }
 
         [Authorize]
+        [ProducesResponseType(StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(StatusCodes.Status200OK)]
-        public static async Task<IResult> GetAllCohorts(IRepository<Cohort> cohortService, IMapper mapper)
+        public static async Task<IResult> GetAllCohorts(IRepository<Cohort> cohortService, IMapper mapper, ClaimsPrincipal user)
         {
+            if (user.Role() != (int)Roles.teacher)
+            {
+                var forbiddenResponse = new ResponseDTO<object>
+                {
+                    Message = "You are not authorized to get all cohorts."
+                };
+                return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
+            }
+
             var results = cohortService.GetWithIncludes(q => q
                 .Include(c => c.CohortCourses)
                     .ThenInclude(cc => cc.Course)
@@ -108,14 +120,24 @@ public static async Task<IResult> GetAllCohorts(IRepository<Cohort> cohortServic
         }
 
         [Authorize]
+        [ProducesResponseType(StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
         [ProducesResponseType(StatusCodes.Status201Created)]
         public static async Task<IResult> CreateCohort(
             IRepository<Cohort> cohortService,
             IRepository<Course> courseService,
+            ClaimsPrincipal user,
             IMapper mapper,
             CreateCohortDTO request)
         {
+            if (user.Role() != (int)Roles.teacher)
+            {
+                var forbiddenResponse = new ResponseDTO<object>
+                {
+                    Message = "You are not authorized to create a new cohort."
+                };
+                return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
+            }
 
             var results = cohortService.GetAllFiltered(c => c.Title == request.Title);
             Console.WriteLine(results);
@@ -164,17 +186,28 @@ public static async Task<IResult> CreateCohort(
 
         [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
         public static async Task<IResult> AddUserToCohort(
                     IRepository<Cohort> cohortService,
                     IRepository<User> userService,
                     IRepository<CohortCourse> cohortCourseService,
                     IRepository<CohortCourseUser> cohortCourseUserService,
                     IMapper mapper,
+                    ClaimsPrincipal userCheck,
                     int userId,
                     int cohortId,
                     int courseId)
         {
+            if (userCheck.Role() != (int)Roles.teacher)
+            {
+                var forbiddenResponse = new ResponseDTO<object>
+                {
+                    Message = "You are not authorized to add a user to a cohort."
+                };
+                return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
+            }
+
             // 1. Get the user
             var user = userService.GetById(userId);
             if (user == null) 
@@ -253,17 +286,29 @@ public static async Task<IResult> AddUserToCohort(
 
         [Authorize]
         [ProducesResponseType(StatusCodes.Status200OK)]
+        [ProducesResponseType(StatusCodes.Status401Unauthorized)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
         public static async Task<IResult> DeleteUserFromCohort(
                 IRepository<Cohort> cohortService,
                 IRepository<User> userService,
                 IRepository<CohortCourse> cohortCourseService,
                 IRepository<CohortCourseUser> cohortCourseUserService,
                 IMapper mapper,
+                ClaimsPrincipal userCheck,
                 int userId,
                 int cohortId,
                 int courseId)
         {
+
+            if (userCheck.Role() != (int)Roles.teacher)
+            {
+                var forbiddenResponse = new ResponseDTO<object>
+                {
+                    Message = "You are not authorized to delete a user from a cohort."
+                };
+                return TypedResults.Json(forbiddenResponse, statusCode: StatusCodes.Status403Forbidden);
+            }
+
             // 1. Get the user
             var user = userService.GetById(userId);
             if (user == null) return TypedResults.BadRequest(new ResponseDTO<object>
