Enforce restrictions for Participants authorization level

[Zenexer]

Checklist

• [x] Step 1: Document restrictions for authorization level
• [x] Complete issue #71 (finished by David and Paul)
• [x] Step 2: Code restrictions for authorization level in corresponding Level subclass

  Step 1

See https://github.com/massbay-cs/cs225-proj4/wiki/Authorization for the information that Prof. Moussavi has provided about authorization/privileges.

I sent an email on Friday explaining the first step. For convenience, here's what the email said:

By Sunday night at midnight: Add a comment in your issue listing the restrictions that your privilege level should have for each field in each table (except the rootkey table, which we're removing).

Here's an example of what that last step should look like for a few fields if your assigned privilege level is Organizers -> Admins:

• users table
  • level field
  • Can modify for other users
  • Can view for self, but not modify; this prevents a situation where there are no admins
  • fname field
  • Can modify for self
  • Can view for other users, but not modify
  • pwd field
  • Can modify for self, but not view
  • Can modify for other users, but not view; this allows admins to reset passwords

    Step 2

Questions due by: Monday at 3 PM Code due by: Tuesday at noon

Now we need to take the data you've collected and turn it into code. I've created a class for each privilege level in the auth.levels package. Find the class that corresponds with your issue and develop the class.

Here's how permissions work:

1. When an operation is in progress, the backend calls the Permissions#checkPermission method with information about the requested operation. It expects that if the operation is in violation of the user's permissions, checkPermission will throw an AuthorizationException.
2. The Permissions class looks up the privilege level of the current user and obtains an instance of the corresponding Level subclass.
3. The Permissions class calls one of the checkPermission* methods in the Level subclass named according to the table the operation affects. For example, user-related operations call checkPermissionUsers because the user table is named USERS. It passes a Context object as an argument.
4. Your Level subclass calls methods on the Context object to describe the restrictions your privilege level places on the particular table/field.

It's up to you to figure out:

1. How to use the Context class
2. How to implement the abstract methods from Level
3. How to ensure you cover all possible cases, without leaving any gaps for anyone to get through

There are some very basic examples in auth.levels.LoggedOutLevel. You'll also want to take a close look at the auth.levels.Level and auth.levels.Level.Context classes.

Important:

• When you begin, IntelliJ should detect that your class is invalid. You should see error indicators.
• When you are done, IntelliJ must not show any errors or warnings for your class.

Your task is not complete until:

• There are no warnings
• There are no errors
• All combinations of table/field are covered for your privilege level, except for UID fields, which aren't covered by permissions

IntelliJ tips:

• F2 will jump to the next error. If there aren't any more errors, it will jump to the next warning.
• Alt + Enter while the cursor is on an error/warning will provide options to automatically fix or aid in fixing the problem. You can use this to automaticlaly generate a lot of code that would normally be tedious to write.
• The InitDB class has a list of all fields for each table. Use Ctrl/Cmd + O to jump to a class by name.
• Fields are case-sensitive and will always be uppercase.

[Nhcdw57]

Participants Authorization

• userTable
  • userID
  • shouldn't be able to modify for anyone
  • shouldn't be able to view for anyone
  • level
  • should be able to view for self, not modify
  • shouldn't be able to view or modify for others
  • fName
  • should be able to modify and view for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • lName
  • should be able to modify and view for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • PWD
  • shouldn't be able to view by anyone
  • should be able to modify for self but not for others
  • email
  • should be able to view and modify for self
  • shouldn't be able to view or modify for participants
  • should only be able to view organizers; this allows for emailing organizers
  • phone
  • should be able to view and modify for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • street
  • should be able to view and modify for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • city
  • should be able to view and modify for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • state
  • should be able to view and modify for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • zipcode
  • should be able to view and modify for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • country
  • should be able to view and modify for self
  • shouldn't be able to modify for but able to view others(who agree to share information)
  • participant (if this field is still being used as is and if Bill is right on the purpose)
  • shouldn't be able to view or modify by anyone
  • eventLevel
  • (what is this used for?)
• eventsTable
  • tableName
  • shouldn't be able to modify
  • should be able to view for events participating in
  • newUID
  • shouldn't be able to view or modify for any event
  • description
  • should be able to view but not modify for events participating in
  • details
  • should be able to view but not modify for events participating in
  • title
  • should be able to view but not modify for events participating in
  • startDate
  • should be able to view but not modify for events participating in
  • endDate
  • should be able to view but not modify for events participating in
  • complete
  • should be able to view but not modify for events participating in
  • street
  • should be able to view but not modify for events participating in
  • city
  • should be able to view but not modify for events participating in
  • state
  • should be able to view but not modify for events participating in
  • zipCode
  • should be able to view but not modify for events participating in
  • country
  • should be able to view but not modify for events participating in
  • organizerList
  • should be able to view but not modify for events participating in
  • subEventList
  • should be able to view but not modify for events participating in
  • participantList
  • should be able to view but not modify for events participating in
  • committee
  • should be able to view but not modify for events participating in
• subEventsTable
  • description
  • should be able to view but not modify for events participating in
  • details
  • should be able to view but not modify for events participating in
  • title
  • should be able to view but not modify for events participating in
  • complete
  • should be able to view but not modify for events participating in
  • street
  • should be able to view but not modify for events participating in
  • city
  • should be able to view but not modify for events participating in
  • state
  • should be able to view but not modify for events participating in
  • zipCode
  • should be able to view but not modify for events participating in
  • country
  • should be able to view but not modify for events participating in
  • startTime
  • should be able to view but not modify for events participating in
  • endTime
  • should be able to view but not modify for events participating in
• committeeTable
  • UID
  • shouldn't be able to view or modify
  • title
  • shouldn't be able to modify (but able to view for relevant committees to events participating in?)
  • chairman
  • shouldn't be able to modify but able to view for relevant committees to events participating in
  • budgetaccess
  • shouldn't be able to view or modify
  • members
  • shouldn't be able to view or modify
  • tasks
  • shouldn't be able to view or modify
  • income
  • shouldn't be able to view or modify
  • expense
  • shouldn't be able to view or modify
  • budget
  • shouldn't be able to view or modify
• tasksTable (Not really quite 100% on the details on all fields or what this table even is, just assuming its a table for committee tasks)
  • despcription
  • shouldn't be able to view or modify
  • details
  • shouldn't be able to view or modify
  • title
  • shouldn't be able to view or modify
  • street
  • shouldn't be able to view or modify
  • city
  • shouldn't be able to view or modify
  • state
  • shouldn't be able to view or modify
  • zipcode
  • shouldn't be able to view or modify
  • country
  • shouldn't be able to view or modify
  • startDate
  • shouldn't be able to view or modify
  • endDate
  • shouldn't be able to view or modify
  • complete
  • shouldn't be able to view or modify
  • manager
  • shouldn't be able to view or modify
• incomeTable
  • description
  • shouldn't be able to view or modify
  • time
  • shouldn't be able to view or modify
  • value
  • shouldn't be able to view or modify
• expenseTable
  • description
  • shouldn't be able to view or modify
  • date
  • shouldn't be able to view or modify
  • value
  • shouldn't be able to view or modify

[Zenexer]

@chocolatedounut

Questions due by: Monday at 3 PM Code due by: Tuesday at noon

See Step 2 above.