diff --git a/ayanova/devdocs/todo.txt b/ayanova/devdocs/todo.txt
index ce407263..20ae2de5 100644
--- a/ayanova/devdocs/todo.txt
+++ b/ayanova/devdocs/todo.txt
@@ -42,22 +42,13 @@ All platforms and browsers - DONE WIRE up save menu item and add code to disable save on broken rules (and make red, disabled etc) - DONE Move wire up event code from app.vue to gzmenu and call it from app.vue ### - RIGHTS in form state so can easily enable / disable etc - - ### SERVER WORK NEEDED FIRST.... - - NOT done correctly at the server NEED TO CHANGE THIS SHIT FIRST: - - is returning a 401 (not authenticated) for rights issues that should return 403 (not authorized) - - Before can do below rights stuff need to go back to server and change that - - https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses#6937030 - - I know it works when the user SubContractorLimited logs in and force to fetch widget gets a 403 instead of a 401 and instead of logging off redirects to home or back or something instead - - in GZAPI handleError has this: ErrorUserNotAuthenticated error string, I also need to check server and docs for the corresponding ErrorUserNotAuthorized which may need to be added and documented - - Also need a localized text for it in all languages apparently and also document it properly and add it as a type of error returned in those circumstances - - May be faster to just try to fetch the object and have rights checked that way and react accordingly in the client rather than try to pre-check before hand - - This is because need the actual object to check if self owned and can still edit, let the server handle that shit and just act accordingly - - If server returns a read only copy of an object due to read full record but not due to allow edit then perhaps the server can also tag it with a READONLY flag so client can adjust accordingly and not need to do the checking with a double request - - SO...SERVER Should return on request of an object one of these: - - Not authenticated at all 401 + - INFO - SERVER will return on request of an object one of these: + - DONE Not authenticated at all 401 + - DONE 
Redirect to login - Not authorized for this object 403 (could be due to not own or whatever, we don't care, server handles that shit, client just knows not to show it) - Object...BUT with READONLY flag of some kind present (in outer wrapper??), so client knows to show read only and not allow editing - - Object without readonly flag present so fully editable!!! WOOT! + - And client doesn't need to work out self owned etc + - DONE Object without readonly flag present so fully editable!!! WOOT! - Form (AND THE LIST OBJECT) should check rights and adapt accordingly - ReadFULL record but no change should show record read only - To test use accounts: ReadFullRecord = AuthorizationRoles.BizAdminLimited | AuthorizationRoles.InventoryLimited
diff --git a/ayanova/src/api/gzapi.js b/ayanova/src/api/gzapi.js
index af81a31b..8e4c310c 100644
--- a/ayanova/src/api/gzapi.js
+++ b/ayanova/src/api/gzapi.js
@@ -75,10 +75,16 @@ export default {
 status(response) {
 //Handle expected api errors
 if (response.status == 401) {
- //must reject if not authorized
+ //must reject if not Authenticated
 return Promise.reject(new Error("[ErrorUserNotAuthenticated]"));
 }
+ if (response.status == 403) {
+ //must reject if not Authorized
+ return Promise.reject(new Error("[ErrorUserNotAuthorized]"));
+ }
+
+
 if (response.status >= 200 && response.status < 300) {
 return Promise.resolve(response);
 } else {
diff --git a/ayanova/src/api/locale.js b/ayanova/src/api/locale.js
index 167c1d39..abbae22d 100644
--- a/ayanova/src/api/locale.js
+++ b/ayanova/src/api/locale.js
@@ -90,7 +90,8 @@ export default {
 "ErrorAPI2208",
 "ErrorAPI2209",
 "ErrorServerUnresponsive",
- "ErrorUserNotAuthenticated"
+ "ErrorUserNotAuthenticated",
+ "ErrorUserNotAuthorized"
 ],
 decimalValidate(required) {
 return { required: required, decimal: [2, this.formats.decimalSeparator] };
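Review bot: The new 403 branch in `status()` rejects with the string tag `[ErrorUserNotAuthorized]`, but this diff shows no change to the consumer of these rejections (the `handleError` path that the removed todo line says only knows `ErrorUserNotAuthenticated`), so unless that is handled in a commit I cannot see, a 403 will either surface as a generic failure or fall into the same log-off/redirect the 401 tag triggers; the todo entry deleted in this same commit explicitly flagged that follow-up. The distinction matters for security: 401 must drop the session, while 403 must keep the session and simply not show the object, and relying on message-string parsing to tell them apart is fragile. I would attach the status to the error so downstream code can branch on it directly: `const err = new Error("[ErrorUserNotAuthorized]"); err.status = response.status; return Promise.reject(err);`, and do the same for the 401 branch for consistency. Two smaller points: prefer strict equality (`response.status === 403`), and the two added blank lines before the 2xx check should be dropped. The enclosing `status` method ends outside the hunk.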