Added Role-based Authorization - API
crni99 committed Sep 18, 2024
1 parent dbb0781 commit 82996e5
Showing 8 changed files with 80 additions and 3 deletions.
Expand Up @@ -58,7 +58,8 @@ public ActionResult<string> Authenticate(ApiUserDto apiUserDto)
var claimsForToken = new List<Claim>
{
new Claim(ClaimTypes.Name, user.UserName),
new Claim(ClaimTypes.Role, user.Roles)
new Claim(ClaimTypes.Role, "Admin"),
new Claim(ClaimTypes.Role, "User")
};
var jwtSecurityToken = new JwtSecurityToken(
_configuration["Authentication:Issuer"],
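Review bot: Every caller who passes `Authenticate` now receives both the `Admin` and `User` role claims, because the two literal `new Claim(ClaimTypes.Role, ...)` entries replace the only per-user role source, `new Claim(ClaimTypes.Role, user.Roles)`; since this same commit gates the write actions of five controllers with `[Authorize(Roles = "Admin")]`, any valid credential satisfies the Admin gate and the role check restricts nobody. The role claim should be derived from the authenticated user's stored role(s): restore `new Claim(ClaimTypes.Role, user.Roles)` if `Roles` is a single role string, or emit one claim per entry with `claimsForToken.AddRange(user.Roles.Select(r => new Claim(ClaimTypes.Role, r)))` if it is a collection (the shape of `user.Roles` is not visible in the hunk, so this needs confirming against the user type). If the literals are a local-testing shortcut, they should not land in the same change that enables the gate. `Authenticate`'s body continues outside the hunk.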
Expand Up @@ -159,10 +159,13 @@ public async Task<ActionResult<PagedResponse<AirlineDto>>> GetAirlinesByName(str
/// <response code="201">Returns the created airline if successful.</response>
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPost]
[Authorize(Roles = "Admin")]
[ProducesResponseType(201, Type = typeof(AirlineDto))]
[ProducesResponseType(400)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<ActionResult<AirlineDto>> PostAirline(AirlineCreateDto airlineCreateDto)
{
var airline = _mapper.Map<AirlineEntity>(airlineCreateDto);
Expand All @@ -181,11 +184,14 @@ public async Task<ActionResult<AirlineDto>> PostAirline(AirlineCreateDto airline
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no airline is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPut("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PutAirline(int id, AirlineDto airlineDto)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand Down Expand Up @@ -228,11 +234,14 @@ public async Task<IActionResult> PutAirline(int id, AirlineDto airlineDto)
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If the airline with the specified ID is not found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPatch("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(200, Type = typeof(AirlineDto))]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PatchAirline(int id, [FromBody] JsonPatchDocument airlineDocument)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand All @@ -259,12 +268,15 @@ public async Task<IActionResult> PatchAirline(int id, [FromBody] JsonPatchDocume
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no airline is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
/// <response code="409">Conflict. If the passenger cannot be deleted because it is being referenced by other entities.</response>
[HttpDelete("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
[ProducesResponseType(409)]
public async Task<IActionResult> DeleteAirline(int id)
{
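Review bot: The 401 response doc on each gated action still reads `If user do not have permission to access the requested resource`, which is the 403 condition that the new line directly below now describes as well; 401 is what `[Authorize]` produces when no valid bearer token is presented, so the 401 entry should become `/// <response code="401">If the request is not authenticated.</response>` and leave the permission wording to the 403 line. The role name is also spelled as the literal `"Admin"` in every `[Authorize(Roles = "Admin")]` here and in the Destinations, Flights, Passengers and Pilots controller sections of this commit; a single shared constant (a constructed name such as `Roles.Admin`) or a named authorization policy would keep the five files in step and make a later rename safe. As committed these gates do not restrict anyone, because the `Authenticate` change in this commit issues the `Admin` role claim to every authenticated user; that needs fixing in the token issuer rather than here. Each action's body continues outside its hunk.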
Expand Up @@ -163,10 +163,13 @@ public async Task<ActionResult<PagedResponse<DestinationDto>>> GetDestinationsBy
/// <response code="201">Returns the created destination if successful.</response>
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPost]
[Authorize(Roles = "Admin")]
[ProducesResponseType(201, Type = typeof(DestinationDto))]
[ProducesResponseType(400)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<ActionResult<DestinationDto>> PostDestination(DestinationCreateDto destinationCreateDto)
{
var destination = _mapper.Map<DestinationEntity>(destinationCreateDto);
Expand All @@ -185,11 +188,14 @@ public async Task<ActionResult<DestinationDto>> PostDestination(DestinationCreat
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no destination is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPut("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PutDestination(int id, DestinationDto destinationDto)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand Down Expand Up @@ -231,11 +237,14 @@ public async Task<IActionResult> PutDestination(int id, DestinationDto destinati
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If the destination with the specified ID is not found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPatch("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(200, Type = typeof(DestinationDto))]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PatchDestination(int id, [FromBody] JsonPatchDocument destinationDocument)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand All @@ -262,12 +271,15 @@ public async Task<IActionResult> PatchDestination(int id, [FromBody] JsonPatchDo
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no destination is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
/// <response code="409">Conflict. If the passenger cannot be deleted because it is being referenced by other entities.</response>
[HttpDelete("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
[ProducesResponseType(409)]
public async Task<IActionResult> DeleteDestination(int id)
{
Expand Up @@ -168,10 +168,13 @@ public async Task<ActionResult<PagedResponse<FlightDto>>> GetFlightsBetweenDates
/// <response code="201">Returns the created flight if successful.</response>
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPost]
[Authorize(Roles = "Admin")]
[ProducesResponseType(201, Type = typeof(FlightDto))]
[ProducesResponseType(400)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<ActionResult<FlightEntity>> PostFlight(FlightCreateDto flightCreateDto)
{
var flight = _mapper.Map<FlightEntity>(flightCreateDto);
Expand All @@ -190,11 +193,14 @@ public async Task<ActionResult<FlightEntity>> PostFlight(FlightCreateDto flightC
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no flight is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPut("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PutFlight(int id, FlightUpdateDto flightUpdateDto)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand Down Expand Up @@ -236,11 +242,14 @@ public async Task<IActionResult> PutFlight(int id, FlightUpdateDto flightUpdateD
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If the flight with the specified ID is not found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPatch("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(200, Type = typeof(FlightDto))]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PatchFlight(int id, [FromBody] JsonPatchDocument flightDocument)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand All @@ -267,12 +276,15 @@ public async Task<IActionResult> PatchFlight(int id, [FromBody] JsonPatchDocumen
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no flight is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
/// <response code="409">Conflict. If the passenger cannot be deleted because it is being referenced by other entities.</response>
[HttpDelete("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
[ProducesResponseType(409)]
public async Task<IActionResult> DeleteFlight(int id)
{
Expand Up @@ -163,10 +163,13 @@ public async Task<ActionResult<PagedResponse<PassengerDto>>> GetPassengersByName
/// <response code="201">Returns the created passenger if successful.</response>
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPost]
[Authorize(Roles = "Admin")]
[ProducesResponseType(201, Type = typeof(PassengerDto))]
[ProducesResponseType(400)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<ActionResult<PassengerDto>> PostPassenger(PassengerCreateDto passengerCreateDto)
{
var passenger = _mapper.Map<PassengerEntity>(passengerCreateDto);
Expand All @@ -185,11 +188,14 @@ public async Task<ActionResult<PassengerDto>> PostPassenger(PassengerCreateDto p
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no passenger is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPut("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PutPassenger(int id, PassengerDto passengerDto)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand Down Expand Up @@ -231,11 +237,14 @@ public async Task<IActionResult> PutPassenger(int id, PassengerDto passengerDto)
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If the passenger with the specified ID is not found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPatch("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(200, Type = typeof(PassengerDto))]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PatchPassenger(int id, [FromBody] JsonPatchDocument passengerDocument)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand All @@ -262,12 +271,15 @@ public async Task<IActionResult> PatchPassenger(int id, [FromBody] JsonPatchDocu
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no passenger is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
/// <response code="409">Conflict. If the passenger cannot be deleted because it is being referenced by other entities.</response>
[HttpDelete("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
[ProducesResponseType(409)]
public async Task<IActionResult> DeletePassenger(int id)
{
Expand Up @@ -163,10 +163,13 @@ public async Task<ActionResult<PagedResponse<PilotDto>>> GetPilotsByName(
/// <response code="201">Returns the created pilot if successful.</response>
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPost]
[Authorize(Roles = "Admin")]
[ProducesResponseType(201, Type = typeof(PilotDto))]
[ProducesResponseType(400)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<ActionResult<PilotDto>> PostPilot(PilotCreateDto pilotCreateDto)
{
var pilot = _mapper.Map<PilotEntity>(pilotCreateDto);
Expand All @@ -185,11 +188,14 @@ public async Task<ActionResult<PilotDto>> PostPilot(PilotCreateDto pilotCreateDt
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no pilot is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPut("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PutPilot(int id, PilotDto pilotDto)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand Down Expand Up @@ -231,11 +237,14 @@ public async Task<IActionResult> PutPilot(int id, PilotDto pilotDto)
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If the pilot with the specified ID is not found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
[HttpPatch("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(200, Type = typeof(PilotDto))]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
public async Task<IActionResult> PatchPilot(int id, [FromBody] JsonPatchDocument pilotDocument)
{
if (!_inputValidationService.IsNonNegativeInt(id))
Expand All @@ -262,12 +271,15 @@ public async Task<IActionResult> PatchPilot(int id, [FromBody] JsonPatchDocument
/// <response code="400">If the request is invalid or if there's a validation error.</response>
/// <response code="404">If no pilot is found.</response>
/// <response code="401">If user do not have permission to access the requested resource.</response>
/// <response code="403">If the user does not have permission to access the requested resource.</response>
/// <response code="409">Conflict. If the passenger cannot be deleted because it is being referenced by other entities.</response>
[HttpDelete("{id}")]
[Authorize(Roles = "Admin")]
[ProducesResponseType(204)]
[ProducesResponseType(400)]
[ProducesResponseType(404)]
[ProducesResponseType(401)]
[ProducesResponseType(403)]
[ProducesResponseType(409)]
public async Task<IActionResult> DeletePilot(int id)
{