From bb2052bca8c16125ea540b3bf3bff18edb512414 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ole=20J=C3=B8rgen=20Skogstad?=
Date: Tue, 13 Aug 2024 15:50:15 +0200
Subject: [PATCH] fx
---
 .../Common/Authorization/Constants.cs | 1 +
 .../Common/IUserResourceRegistry.cs | 4 ++++
 .../Dialogs/Commands/Create/CreateDialogCommand.cs | 9 ++++++---
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/Digdir.Domain.Dialogporten.Application/Common/Authorization/Constants.cs b/src/Digdir.Domain.Dialogporten.Application/Common/Authorization/Constants.cs
index 5f6fb1495..054f4fa0d 100644
--- a/src/Digdir.Domain.Dialogporten.Application/Common/Authorization/Constants.cs
+++ b/src/Digdir.Domain.Dialogporten.Application/Common/Authorization/Constants.cs
@@ -7,4 +7,5 @@ public static class Constants
 public const string TransmissionReadAction = "transmissionread";
 public static readonly Uri UnauthorizedUri = new("urn:dialogporten:unauthorized");
 public const string CorrespondenceScope = "digdir:dialogporten.correspondence";
+ public const string ServiceOwnerAdminScope = "digdir:dialogporten.serviceprovider.admin";
 }
diff --git a/src/Digdir.Domain.Dialogporten.Application/Common/IUserResourceRegistry.cs b/src/Digdir.Domain.Dialogporten.Application/Common/IUserResourceRegistry.cs
index 5e904bbe3..ec8e7779b 100644
--- a/src/Digdir.Domain.Dialogporten.Application/Common/IUserResourceRegistry.cs
+++ b/src/Digdir.Domain.Dialogporten.Application/Common/IUserResourceRegistry.cs
@@ -12,6 +12,7 @@ public interface IUserResourceRegistry
 Task> GetCurrentUserResourceIds(CancellationToken cancellationToken);
 Task GetResourceType(string serviceResourceId, CancellationToken cancellationToken);
 bool UserCanModifyResourceType(string serviceResourceType);
+ bool IsCurrentUserServiceOwnerAdmin();
 }
 public class UserResourceRegistry : IUserResourceRegistry
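Review bot: In Constants.cs the identifier and the value disagree on the term: `ServiceOwnerAdminScope` holds `"digdir:dialogporten.serviceprovider.admin"`. The later hunk in CreateDialogCommand.cs uses this scope to skip the per-resource ownership check, so the string should be confirmed against the scope as it is actually registered and issued. A typo here would fail closed, but a second, differently named scope would be confusing to audit. A short comment on the constant would record the intent, e.g. `// Scope name as registered with the token issuer; holders skip per-resource ownership checks.`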
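Review bot: `bool IsCurrentUserServiceOwnerAdmin();` is added to `IUserResourceRegistry` without a doc comment, although its result decides whether `CurrentUserIsOwner` is consulted in `CreateDialogCommandHandler.Handle` later in this patch. Implementers and future callers need that contract spelled out, for example `/// <summary>True when the current principal holds the service owner admin scope; callers may use this to skip per-resource ownership checks.</summary>`. The interface declaration starts above the hunk, so other members may already follow a doc style that this should match.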
@@ -46,6 +47,8 @@ public Task GetResourceType(string serviceResourceId, CancellationToken
 ResourceRegistry.Constants.Correspondence => _user.GetPrincipal().HasScope(Constants.CorrespondenceScope),
 _ => true
 };
+
+ public bool IsCurrentUserServiceOwnerAdmin() => _user.GetPrincipal().HasScope(Constants.ServiceOwnerAdminScope);
 }
 internal sealed class LocalDevelopmentUserResourceRegistryDecorator : IUserResourceRegistry
@@ -67,4 +70,5 @@ public Task GetResourceType(string serviceResourceId, CancellationToken
 Task.FromResult("LocalResourceType");
 public bool UserCanModifyResourceType(string serviceResourceType) => true;
+ public bool IsCurrentUserServiceOwnerAdmin() => true;
 }
diff --git a/src/Digdir.Domain.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Create/CreateDialogCommand.cs b/src/Digdir.Domain.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Create/CreateDialogCommand.cs
index 143e7849c..e1956ffc0 100644
--- a/src/Digdir.Domain.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Create/CreateDialogCommand.cs
+++ b/src/Digdir.Domain.Dialogporten.Application/Features/V1/ServiceOwner/Dialogs/Commands/Create/CreateDialogCommand.cs
@@ -54,11 +54,14 @@ public CreateDialogCommandHandler(
 public async Task Handle(CreateDialogCommand request, CancellationToken cancellationToken)
 {
- foreach (var serviceResourceReference in GetServiceResourceReferences(request))
+ if (!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin())
 {
- if (!await _userResourceRegistry.CurrentUserIsOwner(serviceResourceReference, cancellationToken))
+ foreach (var serviceResourceReference in GetServiceResourceReferences(request))
 {
- return new Forbidden($"Not allowed to reference {serviceResourceReference}.");
+ if (!await _userResourceRegistry.CurrentUserIsOwner(serviceResourceReference, cancellationToken))
+ {
+ return new Forbidden($"Not allowed to reference {serviceResourceReference}.");
+ }
 }
 }
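Review bot: `public bool IsCurrentUserServiceOwnerAdmin() => true;` in `LocalDevelopmentUserResourceRegistryDecorator` treats every caller as an admin, so wherever this decorator is registered the ownership loop in `CreateDialogCommandHandler.Handle` never runs. That matches the neighbouring `UserCanModifyResourceType(...) => true`, but the registration is not visible in this patch, so confirm it is limited to the local development environment. It also means the `Forbidden` path can no longer be exercised locally. A comment on the member would make the intent explicit, e.g. `// Local development only: every caller is treated as service owner admin.`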
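Review bot: The new guard `if (!_userResourceRegistry.IsCurrentUserServiceOwnerAdmin())` in `Handle` skips `CurrentUserIsOwner` for every referenced service resource, and nothing in the visible lines records that the bypass was taken. A token with the admin scope can therefore create dialogs referencing any owner's resources with nothing to distinguish the request from an ordinary create. Consider writing a log entry with the caller and the referenced resources when the check is skipped, and stating the intent in a comment such as `// Admin scope may reference resources of any service owner; ownership check intentionally skipped.` If `CurrentUserIsOwner` also rejected unknown resource ids, that validation is now skipped for admins as well, which should be checked against the rest of `Handle` (its body continues past the hunk). The subject line "fx" gives no rationale for an authorization change, and tests for both the admin and non-admin paths would pin the behaviour.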