Introduce OrderCancellationAuthorizationHandler

Move order creation permission check to BasicOrderCancellationAuthorizationHandler
Resolve #105

common.props

@@ -1,7 +1,7 @@
 <Project>
   <PropertyGroup>
     <LangVersion>latest</LangVersion>
-    <Version>1.5.0</Version>
+    <Version>1.6.0</Version>
     <NoWarn>$(NoWarn);CS1591</NoWarn>
     <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
     <Authors>EasyAbp Team</Authors>

modules/EasyAbp.EShop.Orders/src/EasyAbp.EShop.Orders.Application/EasyAbp/EShop/Orders/EShopOrdersApplicationModule.cs

@@ -23,6 +23,7 @@ namespace EasyAbp.EShop.Orders
         public override void PreConfigureServices(ServiceConfigurationContext context)
         {
             context.Services.AddSingleton<IAuthorizationHandler, BasicOrderCreationAuthorizationHandler>();
+            context.Services.AddSingleton<IAuthorizationHandler, BasicOrderCancellationAuthorizationHandler>();
         }
 
         public override void ConfigureServices(ServiceConfigurationContext context)

modules/EasyAbp.EShop.Orders/src/EasyAbp.EShop.Orders.Application/EasyAbp/EShop/Orders/Orders/BasicOrderCancellationAuthorizationHandler.cs

@@ -0,0 +1,60 @@
+using System;
+using System.Threading.Tasks;
+using EasyAbp.EShop.Orders.Authorization;
+using EasyAbp.EShop.Stores.StoreOwners;
+using Microsoft.AspNetCore.Authorization;
+using Volo.Abp.Authorization.Permissions;
+using Volo.Abp.Users;
+
+namespace EasyAbp.EShop.Orders.Orders
+{
+    public class BasicOrderCancellationAuthorizationHandler : OrderCancellationAuthorizationHandler
+    {
+        private readonly IStoreOwnerStore _storeOwnerStore;
+        private readonly IPermissionChecker _permissionChecker;
+        private readonly ICurrentUser _currentUser;
+
+        public BasicOrderCancellationAuthorizationHandler(
+            IStoreOwnerStore storeOwnerStore,
+            IPermissionChecker permissionChecker,
+            ICurrentUser currentUser)
+        {
+            _storeOwnerStore = storeOwnerStore;
+            _permissionChecker = permissionChecker;
+            _currentUser = currentUser;
+        }
+        
+        protected override async Task HandleOrderCreationAsync(AuthorizationHandlerContext context,
+            OrderOperationAuthorizationRequirement requirement, Order resource)
+        {
+            if (!await _permissionChecker.IsGrantedAsync(OrdersPermissions.Orders.Cancel))
+            {
+                context.Fail();
+                return;
+            }
+            
+            if (!resource.IsPaid())
+            {
+                context.Succeed(requirement);
+                return;
+            }
+            
+            if (resource.CustomerUserId != _currentUser.GetId())
+            {
+                if (!await _permissionChecker.IsGrantedAsync(OrdersPermissions.Orders.Manage))
+                {
+                    context.Fail();
+                    return;
+                }
+
+
+                if (await _storeOwnerStore.IsStoreOwnerAsync(resource.StoreId, _currentUser.GetId()) ||
+                    await _permissionChecker.IsGrantedAsync(OrdersPermissions.Orders.CrossStore))
+                {
+                    context.Succeed(requirement);
+                    return;
+                }
+            }
+        }
+    }
+}

modules/EasyAbp.EShop.Orders/src/EasyAbp.EShop.Orders.Application/EasyAbp/EShop/Orders/Orders/BasicOrderCreationAuthorizationHandler.cs

@@ -2,18 +2,33 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Threading.Tasks;
+using EasyAbp.EShop.Orders.Authorization;
 using EasyAbp.EShop.Orders.Orders.Dtos;
 using EasyAbp.EShop.Products.Products;
 using EasyAbp.EShop.Products.Products.Dtos;
 using Microsoft.AspNetCore.Authorization;
+using Volo.Abp.Authorization.Permissions;
 
 namespace EasyAbp.EShop.Orders.Orders
 {
     public class BasicOrderCreationAuthorizationHandler : OrderCreationAuthorizationHandler
     {
+        private readonly IPermissionChecker _permissionChecker;
+
+        public BasicOrderCreationAuthorizationHandler(IPermissionChecker permissionChecker)
+        {
+            _permissionChecker = permissionChecker;
+        }
+        
         protected override async Task HandleOrderCreationAsync(AuthorizationHandlerContext context,
             OrderOperationAuthorizationRequirement requirement, OrderCreationResource resource)
         {
+            if (!await _permissionChecker.IsGrantedAsync(OrdersPermissions.Orders.Create))
+            {
+                context.Fail();
+                return;
+            }
+            
             if (!await IsProductsPublishedAsync(resource.Input, resource.ProductDictionary))
             {
                 context.Fail();

modules/EasyAbp.EShop.Orders/src/EasyAbp.EShop.Orders.Application/EasyAbp/EShop/Orders/Orders/OrderAppService.cs

@@ -19,7 +19,6 @@ namespace EasyAbp.EShop.Orders.Orders
     public class OrderAppService : MultiStoreCrudAppService<Order, OrderDto, Guid, GetOrderListDto, CreateOrderDto>,
         IOrderAppService
     {
-        protected override string CreatePolicyName { get; set; } = OrdersPermissions.Orders.Create;
         protected override string GetPolicyName { get; set; } = OrdersPermissions.Orders.Manage;
         protected override string GetListPolicyName { get; set; } = OrdersPermissions.Orders.Manage;
         protected override string CrossStorePolicyName { get; set; } = OrdersPermissions.Orders.CrossStore;
@@ -83,8 +82,6 @@ namespace EasyAbp.EShop.Orders.Orders
 
         public override async Task<OrderDto> CreateAsync(CreateOrderDto input)
         {
-            await CheckCreatePolicyAsync();
-
             // Todo: Check if the store is open.
 
             var productDict = await GetProductDictionaryAsync(input.OrderLines.Select(dto => dto.ProductId).ToList(),
@@ -170,17 +167,14 @@ namespace EasyAbp.EShop.Orders.Orders
             return await MapToGetOutputDtoAsync(order);
         }
         
-        [Authorize(OrdersPermissions.Orders.Cancel)]
         public virtual async Task<OrderDto> CancelAsync(Guid id, CancelOrderInput input)
         {
             var order = await GetEntityByIdAsync(id);
-
-            if (order.IsPaid() || order.CustomerUserId != CurrentUser.GetId())
-            {
-                await AuthorizationService.CheckAsync(OrdersPermissions.Orders.Manage);
-
-                // Todo: Check if current user is an admin of the store.
-            }
+            
+            await AuthorizationService.CheckAsync(
+                order,
+                new OrderOperationAuthorizationRequirement(OrderOperation.Cancellation)
+            );
 
             order = await _orderManager.CancelAsync(order, input.CancellationReason);
 

modules/EasyAbp.EShop.Orders/src/EasyAbp.EShop.Orders.Application/EasyAbp/EShop/Orders/Orders/OrderCancellationAuthorizationHandler.cs

@@ -0,0 +1,22 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+
+namespace EasyAbp.EShop.Orders.Orders
+{
+    public abstract class OrderCancellationAuthorizationHandler : AuthorizationHandler<OrderOperationAuthorizationRequirement, Order>
+    {
+        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, OrderOperationAuthorizationRequirement requirement,
+            Order resource)
+        {
+            if (requirement.OrderOperation != OrderOperation.Cancellation)
+            {
+                return;
+            }
+            
+            await HandleOrderCreationAsync(context, requirement, resource);
+        }
+
+        protected abstract Task HandleOrderCreationAsync(AuthorizationHandlerContext context,
+            OrderOperationAuthorizationRequirement requirement, Order resource);
+    }
+}

modules/EasyAbp.EShop.Orders/src/EasyAbp.EShop.Orders.Application/EasyAbp/EShop/Orders/Orders/OrderOperation.cs

@@ -5,6 +5,7 @@ namespace EasyAbp.EShop.Orders.Orders
     [Flags]
     public enum OrderOperation
     {
-        Creation = 0
+        Creation = 1,
+        Cancellation = 2
     }
 }