From 8ab363cc73230703a40127c646995c16ed23b2ab Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Thu, 6 Apr 2017 13:21:26 -0400
Subject: [PATCH] rework permission checks on org apis

---
 .../Controllers/OrganizationsController.cs | 50 ++++++++++++++++---
 1 file changed, 44 insertions(+), 6 deletions(-)

diff --git a/src/Api/Controllers/OrganizationsController.cs b/src/Api/Controllers/OrganizationsController.cs
index 2f83f6cb2..5c0b524f8 100644
--- a/src/Api/Controllers/OrganizationsController.cs
+++ b/src/Api/Controllers/OrganizationsController.cs
@@ -38,12 +38,38 @@ namespace Bit.Api.Controllers
         [HttpGet("{id}")]
         public async Task Get(string id)
         {
-            var organization = await _organizationRepository.GetByIdAsync(new Guid(id));
-            if(organization == null || !_currentContext.OrganizationAdmin(organization.Id))
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationOwner(orgIdGuid))
             {
                 throw new NotFoundException();
             }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
+            {
+                throw new NotFoundException();
+            }
+
+            return new OrganizationResponseModel(organization);
+        }
+
+        [HttpGet("{id}/billing")]
+        public async Task GetBilling(string id)
+        {
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationOwner(orgIdGuid))
+            {
+                throw new NotFoundException();
+            }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
+            {
+                throw new NotFoundException();
+            }
+
+            // TODO: billing stuff
+
             return new OrganizationResponseModel(organization);
         }
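Review bot: The route id is still turned into a key with `new Guid(id)` in both Get and GetBilling, so a malformed id throws FormatException before the ownership check runs and is answered by whatever the exception middleware does (a 500 unless something maps it) instead of the NotFoundException every other failure in these methods produces; and the parse → owner check → load → null check sequence is now pasted verbatim into every action in the file. Folding it into one private helper keeps the ownership check in a single place that a future endpoint cannot skip, and `Guid.TryParse` makes a bad id indistinguishable from a missing or foreign org, which is the point of answering 404 in the first place. The helper's return type is whatever `GetByIdAsync` returns (presumably `Organization`; confirm against the repository interface), and the generic arguments on the action return types appear to have been stripped in this rendering of the hunk. GetBilling is already reachable at `{id}/billing` but only returns the same payload as Get; the TODO should say so, e.g. `// TODO: billing stuff — currently returns the plain org model, same as Get`.

```csharp
        // Resolves the organization named by a route id for the current user, or throws
        // NotFoundException when the id is malformed, the caller is not an owner of it, or
        // it does not exist. All org actions go through here so the owner check is enforced
        // in one place, and all three failures look the same so existence is not disclosed.
        private async Task<Organization> GetOwnedOrganizationAsync(string id)
        {
            Guid orgIdGuid;
            if(!Guid.TryParse(id, out orgIdGuid) || !_currentContext.OrganizationOwner(orgIdGuid))
            {
                throw new NotFoundException();
            }

            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
            if(organization == null)
            {
                throw new NotFoundException();
            }

            return organization;
        }

        [HttpGet("{id}")]
        public async Task Get(string id)
        {
            var organization = await GetOwnedOrganizationAsync(id);
            return new OrganizationResponseModel(organization);
        }

        // … unchanged: GetBilling, reduced the same way to one helper call plus its TODO …
```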
@@ -69,8 +95,14 @@ namespace Bit.Api.Controllers
         [HttpPost("{id}")]
         public async Task Put(string id, [FromBody]OrganizationUpdateRequestModel model)
         {
-            var organization = await _organizationRepository.GetByIdAsync(new Guid(id));
-            if(organization == null || !_currentContext.OrganizationAdmin(organization.Id))
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationOwner(orgIdGuid))
+            {
+                throw new NotFoundException();
+            }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
             {
                 throw new NotFoundException();
             }
@@ -83,8 +115,14 @@ namespace Bit.Api.Controllers
         [HttpPost("{id}/delete")]
         public async Task Delete(string id)
         {
-            var organization = await _organizationRepository.GetByIdAsync(new Guid(id));
-            if(organization == null || !_currentContext.OrganizationAdmin(organization.Id))
+            var orgIdGuid = new Guid(id);
+            if(!_currentContext.OrganizationOwner(orgIdGuid))
+            {
+                throw new NotFoundException();
+            }
+
+            var organization = await _organizationRepository.GetByIdAsync(orgIdGuid);
+            if(organization == null)
             {
                 throw new NotFoundException();
             }
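Review bot: Put still builds the key with `new Guid(id)`, so a request with a malformed id throws FormatException before the ownership check is reached and is answered by the exception middleware rather than with the 404 the method otherwise returns; `Guid orgIdGuid;` followed by `if(!Guid.TryParse(id, out orgIdGuid) || !_currentContext.OrganizationOwner(orgIdGuid))` closes that gap in two lines (`out var` if the project already targets C# 7). The ordering of the new checks is right: the ownership claim is evaluated against the route id before any repository call, so an unauthorised caller cannot trigger a lookup. Put's body continues past the hunk and the visible lines do not show how `model` is applied, so confirm that the update is written to the `organization` loaded here and never to an id carried inside `model`.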
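Review bot: Delete now requires `OrganizationOwner` where it previously accepted `OrganizationAdmin`, and because both the authorisation failure and a missing org surface as NotFoundException, an admin who could delete before this commit will get a bare 404 with nothing in the code saying the tightening is deliberate. A one-line comment above the check would stop the next maintainer from "fixing" it back: `// Deleting an org is owner-only; admins get the same 404 as a non-existent org so existence is not disclosed.` The `new Guid(id)` parse has the same weakness here as in the other actions, a malformed id ending in a FormatException rather than a 404, so if a shared helper is introduced this action should use it too. Delete's body continues outside the hunk.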