...
Take, as an example, the AuthUtils.checkSelfStudyResearcherOrAdmin check applied to enrollments:
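/**
 * Enrollment endpoints, used here to illustrate the researcher-or-admin
 * study-access check that the original listing repeats in every
 * {@code /v5/studies/{studyId}/...} method.
 *
 * <p>Two families of endpoints are shown:
 * <ul>
 *   <li>{@code /v5/studies/{studyId}/enrollments...} — require a RESEARCHER
 *       or ADMIN session; non-ADMINs must additionally pass
 *       {@code AuthUtils.canAccessStudy(studyId)}.</li>
 *   <li>{@code /v3/participants/self/enrollments...} — act on the caller's
 *       own account; the target user id comes from the session, not from
 *       the request.</li>
 * </ul>
 *
 * <p>The study-access rule is factored into {@link #requireStudyAccess} so
 * it is written once and cannot drift between endpoints (the original had
 * four copy-pasted instances of the same condition). Parameter lists are
 * elided ({@code ...}) as in the original sketch.
 */
public class EnrollmentService {

    /**
     * Authenticates the caller as RESEARCHER or ADMIN and enforces access to
     * the given study: an ADMIN may access any study; any other caller must
     * pass {@code AuthUtils.canAccessStudy(studyId)}.
     *
     * @param studyId the study from the request path
     *     (assumed to be a String path variable — confirm against the real
     *     controller signature)
     * @return the authenticated session, for callers that need it
     * @throws UnauthorizedException if the caller is neither an ADMIN nor
     *     permitted to access {@code studyId}
     */
    private UserSession requireStudyAccess(String studyId) {
        UserSession session = getAuthenticatedSession(RESEARCHER, ADMIN);
        // ADMIN short-circuits the per-study check; everyone else is gated
        // by AuthUtils.canAccessStudy.
        if (!session.isInRole(ADMIN) && !AuthUtils.canAccessStudy(studyId)) {
            throw new UnauthorizedException();
        }
        return session;
    }

    /** Lists enrollments in a study for a researcher or admin. */
    @GetMapping("/v5/studies/{studyId}/enrollments")
    public PagedResourceList<EnrollmentDetail> getEnrollments(...) {
        UserSession session = requireStudyAccess(studyId);
    }

    /** Lists the caller's own enrollments. */
    @GetMapping("/v3/participants/self/enrollments")
    public PagedResourceList<EnrollmentDetail> getSelfEnrollments(...) {
        UserSession session = getAuthenticatedSession();
        // The target userId is always the caller's id taken from the session;
        // it must never be read from the request, or one participant could
        // view another's enrollments.
    }

    /** Enrolls a participant in a study on behalf of a researcher or admin. */
    @PostMapping("/v5/studies/{studyId}/enrollments")
    public Enrollment enroll(...) {
        UserSession session = requireStudyAccess(studyId);
    }

    /** Enrolls the caller in a study. */
    @PostMapping("/v3/participants/self/enrollments")
    public Enrollment enrollSelf(...) {
        UserSession session = getAuthenticatedSession();
        // The target userId is always the caller's id taken from the session,
        // never a client-supplied value.
    }

    /** Updates an enrollment for a researcher or admin. */
    @PostMapping("/v5/studies/{studyId}/enrollments/{userId}")
    public void updateEnrollment(...) {
        UserSession session = requireStudyAccess(studyId);
    }

    /** Removes a participant from a study on behalf of a researcher or admin. */
    @DeleteMapping("/v5/studies/{studyId}/enrollments/{userId}")
    public Enrollment unenroll(...) {
        UserSession session = requireStudyAccess(studyId);
    }

    /** Removes the caller's own enrollment. */
    @DeleteMapping("/v3/participants/self/enrollments/{userId}")
    public Enrollment unenrollSelf(...) {
        UserSession session = getAuthenticatedSession();
        // The target userId is always the caller's id taken from the session.
        // NOTE(review): the route declares a {userId} path variable, yet the
        // body is meant to act only on the caller; that variable must not be
        // honored here (or the route is mislabeled) — confirm.
    }
}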
Another example is organization administrators, who can list, read, create, and delete administrative accounts in their own organizations:
...