Role Manager

MWClayson-NHS · MWClayson-NHS · commit 34988bdd54ca · 2026-04-15T17:10:57.000+01:00
diff --git a/application/CohortManager/src/Functions/Shared/Common/Authentication/IRoleManager.cs b/application/CohortManager/src/Functions/Shared/Common/Authentication/IRoleManager.cs
@@ -0,0 +1,6 @@
+namespace Common;
+
+public interface IRoleManager
+{
+    public bool ValidateRole(Cis2User user, Role role);
+}
diff --git a/application/CohortManager/src/Functions/Shared/Common/Authentication/RoleManager.cs b/application/CohortManager/src/Functions/Shared/Common/Authentication/RoleManager.cs
@@ -2,12 +2,12 @@ namespace Common;
 
 using Microsoft.Extensions.Options;
 
-public class RoleMapper
+public class RoleManager : IRoleManager
 {
     private readonly Dictionary<string, Role> _roleMappings;
 
     IOptions<RoleConfig> _roleConfig;
-    public RoleMapper(IOptions<RoleConfig> roleConfig)
+    public RoleManager(IOptions<RoleConfig> roleConfig)
     {
         _roleConfig = roleConfig;
         _roleMappings = new Dictionary<string, Role>
@@ -16,9 +16,16 @@ public RoleMapper(IOptions<RoleConfig> roleConfig)
             { _roleConfig.Value.CohortManagerDummyGpRemovalWorkgroupId, Role.CohortManagerDummyGpRemoval }
         };
     }
-
-    public Role? GetRole(string workgroupId)
+    public bool ValidateRole(Cis2User user, Role role)
     {
-        return _roleMappings.TryGetValue(workgroupId, out var mappedRole) ? mappedRole : null;
+
+        var workgroupId = _roleMappings.FirstOrDefault(x => x.Value == role).Key;
+
+        if (workgroupId == null)
+        {
+            return false;
+        }
+        return user.NhsidNrbacRoles.Count(x => x.WorkgroupsCodes.Contains(workgroupId)) > 0;
     }
+
 }
diff --git a/application/CohortManager/src/Functions/Shared/Common/Authentication/RolesEnum.cs b/application/CohortManager/src/Functions/Shared/Common/Authentication/RolesEnum.cs
diff --git a/application/CohortManager/src/Functions/Shared/Common/Extensions/AuthenticationExtension.cs b/application/CohortManager/src/Functions/Shared/Common/Extensions/AuthenticationExtension.cs
@@ -9,6 +9,7 @@ public static IHostBuilder AddAuthentication(this IHostBuilder hostBuilder)
     {
 
         hostBuilder.AddConfiguration<AuthConfig>();
+        hostBuilder.AddConfiguration<RoleConfig>();
         hostBuilder.ConfigureFunctionsWorkerDefaults(workerOptions =>
         {
             workerOptions.UseMiddleware<Cis2AuthMiddleware>();
@@ -17,6 +18,7 @@ public static IHostBuilder AddAuthentication(this IHostBuilder hostBuilder)
         {
             services.AddSingleton<IAuthenticationService, JwtAuthentication>();
             services.AddSingleton<ICis2UserService,Cis2UserService>();
+            services.AddSingleton<IRoleManager, RoleManager>();
         });
         return hostBuilder;
      }
diff --git a/application/CohortManager/src/Functions/screeningDataServices/GetValidationExceptions/GetValidationExceptions.cs b/application/CohortManager/src/Functions/screeningDataServices/GetValidationExceptions/GetValidationExceptions.cs
@@ -24,14 +24,16 @@ public class GetValidationExceptions
     private readonly IValidationExceptionData _validationData;
     private readonly IHttpParserHelper _httpParserHelper;
     private readonly IPaginationService<ValidationException> _paginationService;
+    private readonly IRoleManager _roleManager;
 
-    public GetValidationExceptions(ILogger<GetValidationExceptions> logger, ICreateResponse createResponse, IValidationExceptionData validationData, IHttpParserHelper httpParserHelper, IPaginationService<ValidationException> paginationService)
+    public GetValidationExceptions(ILogger<GetValidationExceptions> logger, ICreateResponse createResponse, IValidationExceptionData validationData, IHttpParserHelper httpParserHelper, IPaginationService<ValidationException> paginationService, IRoleManager roleManager)
     {
         _logger = logger;
         _createResponse = createResponse;
         _validationData = validationData;
         _httpParserHelper = httpParserHelper;
         _paginationService = paginationService;
+        _roleManager = roleManager;
     }
 
     /// <summary>
@@ -57,6 +59,12 @@ public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Anonymou
         var isReport = _httpParserHelper.GetQueryParameterAsBool(req, "isReport");
         var ruleId = _httpParserHelper.GetQueryParameterAsNullableInt(req, "ruleId");
         var dateCreated = _httpParserHelper.GetQueryParameterAsDateTime(req, "dateCreated");
+
+        if (!_roleManager.ValidateRole((Cis2User)req.FunctionContext.Items["Cis2User"]!, Role.CohortManagerUser))
+        {
+            return _createResponse.CreateHttpResponse(HttpStatusCode.Forbidden, req);
+        }
+
         try
         {
             if (exceptionId > 0)

Original file line number	Diff line number	Diff line change
`@@ -2,12 +2,12 @@ namespace Common;`
`2`	`2`
`3`	`3`	`using Microsoft.Extensions.Options;`
`4`	`4`
`5`		`-public class RoleMapper`
	`5`	`+public class RoleManager : IRoleManager`
`6`	`6`	`{`
`7`	`7`	`private readonly Dictionary<string, Role> _roleMappings;`
`8`	`8`
`9`	`9`	`IOptions<RoleConfig> _roleConfig;`
`10`		`- public RoleMapper(IOptions<RoleConfig> roleConfig)`
	`10`	`+ public RoleManager(IOptions<RoleConfig> roleConfig)`
`11`	`11`	`{`
`12`	`12`	`_roleConfig = roleConfig;`
`13`	`13`	`_roleMappings = new Dictionary<string, Role>`
`@@ -16,9 +16,16 @@ public RoleMapper(IOptions<RoleConfig> roleConfig)`
`16`	`16`	`{ _roleConfig.Value.CohortManagerDummyGpRemovalWorkgroupId, Role.CohortManagerDummyGpRemoval }`
`17`	`17`	`};`
`18`	`18`	`}`
`19`		`-`
`20`		`- public Role? GetRole(string workgroupId)`
	`19`	`+ public bool ValidateRole(Cis2User user, Role role)`
`21`	`20`	`{`
`22`		`- return _roleMappings.TryGetValue(workgroupId, out var mappedRole) ? mappedRole : null;`
	`21`	`+`
	`22`	`+ var workgroupId = _roleMappings.FirstOrDefault(x => x.Value == role).Key;`
	`23`	`+`
	`24`	`+ if (workgroupId == null)`
	`25`	`+ {`
	`26`	`+ return false;`
	`27`	`+ }`
	`28`	`+ return user.NhsidNrbacRoles.Count(x => x.WorkgroupsCodes.Contains(workgroupId)) > 0;`
`23`	`29`	`}`
	`30`	`+`
`24`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ public static IHostBuilder AddAuthentication(this IHostBuilder hostBuilder)`
`9`	`9`	`{`
`10`	`10`
`11`	`11`	`hostBuilder.AddConfiguration<AuthConfig>();`
	`12`	`+ hostBuilder.AddConfiguration<RoleConfig>();`
`12`	`13`	`hostBuilder.ConfigureFunctionsWorkerDefaults(workerOptions =>`
`13`	`14`	`{`
`14`	`15`	`workerOptions.UseMiddleware<Cis2AuthMiddleware>();`
`@@ -17,6 +18,7 @@ public static IHostBuilder AddAuthentication(this IHostBuilder hostBuilder)`
`17`	`18`	`{`
`18`	`19`	`services.AddSingleton<IAuthenticationService, JwtAuthentication>();`
`19`	`20`	`services.AddSingleton<ICis2UserService,Cis2UserService>();`
	`21`	`+ services.AddSingleton<IRoleManager, RoleManager>();`
`20`	`22`	`});`
`21`	`23`	`return hostBuilder;`
`22`	`24`	`}`