diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs index a016ee51..19502e32 100644 --- a/server/AyaNova/biz/WorkOrderBiz.cs +++ b/server/AyaNova/biz/WorkOrderBiz.cs @@ -2402,6 +2402,8 @@ namespace AyaNova.Biz // internal async Task ExpenseGetAsync(long id, bool logTheGetEvent = true) { + if (UserIsSubContractorRestricted) //no access allowed at all + return null; var ret = await ct.WorkOrderItemExpense.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id); if (logTheGetEvent && ret != null) await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct); @@ -3019,10 +3021,11 @@ namespace AyaNova.Biz } } - if (UserIsRestrictedType + if (UserIsRestrictedType) { - //Scheduled Users: view only where they are the selected User and convert to labor record - AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + //Labors: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User + if (proposedObj.UserId != UserId) + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); return; } @@ -3067,6 +3070,14 @@ namespace AyaNova.Biz return; } + if (UserIsRestrictedType) + { + //Labors: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User + if (obj.UserId != UserId) + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + //re-check rights here necessary due to traversal delete from Principle object if (!Authorized.HasDeleteRole(CurrentUserRoles, AyaType.WorkOrderItemLabor)) { 
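Review bot: In ExpenseGetAsync the new `UserIsSubContractorRestricted` guard returns `null` without recording an error, so a denied read looks the same as a missing record and leaves no trace of the attempt. The validators in this commit report denial with `AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");`; adding that line before `return null;` would let the caller answer with an authorization error rather than not-found, assuming callers inspect the error collection (not visible here). The same guard is repeated in LoanGetAsync, OutsideServiceGetAsync, PartGetAsync, PartRequestGetAsync and UnitGetAsync. Only the single-record getters are guarded in this diff, so it is worth confirming that these child records cannot reach a restricted sub-contractor through a path that loads them with the parent work order.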
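Review bot: In the Labor validator the restricted-user check compares only `proposedObj.UserId` with `UserId`, so on an update it never looks at who owns the stored record. A labor record that belongs to another user would pass as long as the submitted UserId is the caller's own, which contradicts the comment's "edit only when they are the selected User". If the validator receives the existing record as `currentObj` (as the Part and Unit validators in this diff do), also require `currentObj == null || currentObj.UserId == UserId`. The validator's signature is outside the hunk, so that parameter name is an assumption. The Travel validator hunk has the same check.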
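Review bot: In the Labor delete validator the restricted-user block ends in an unconditional `return;` placed before the `Authorized.HasDeleteRole` re-check, so a restricted user who is the selected User never reaches that role check. If that is intended, the comment should say so, e.g. `//restricted users may remove their own labor; delete-role re-check below is intentionally skipped`. Otherwise return only on failure, `if (obj.UserId != UserId) { AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); return; }`, and let the role check run. The Travel delete validator hunk is written the same way.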
@@ -3151,6 +3162,9 @@ namespace AyaNova.Biz // internal async Task LoanGetAsync(long id, bool logTheGetEvent = true) { + if (UserIsSubContractorRestricted) //no access allowed at all + return null; + var ret = await ct.WorkOrderItemLoan.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id); if (logTheGetEvent && ret != null) await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct); @@ -3549,6 +3563,8 @@ namespace AyaNova.Biz // internal async Task OutsideServiceGetAsync(long id, bool logTheGetEvent = true) { + if (UserIsSubContractorRestricted) //no access allowed at all + return null; var ret = await ct.WorkOrderItemOutsideService.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id); if (logTheGetEvent && ret != null) await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, AyaType.WorkOrderItemOutsideService, AyaEvent.Retrieved), ct); @@ -4016,6 +4032,9 @@ namespace AyaNova.Biz // internal async Task PartGetAsync(long id, bool logTheGetEvent = true) { + if (UserIsSubContractorRestricted) //no access allowed at all + return null; + var ret = await ct.WorkOrderItemPart.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id); if (logTheGetEvent && ret != null) await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct); @@ -4464,6 +4483,13 @@ namespace AyaNova.Biz //run validation and biz rules bool isNew = currentObj == null; + if (UserIsRestrictedType) + { + //Parts: no edits allowed + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + if (proposedObj.WorkOrderItemId == 0) { AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderItemId"); @@ -4513,6 +4539,13 @@ namespace AyaNova.Biz private void PartValidateCanDelete(WorkOrderItemPart obj) { + if (UserIsRestrictedType) + { + //Parts: no edits allowed + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + if (obj == null) { AddError(ApiErrorCode.NOT_FOUND, "id"); 
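Review bot: The restricted-user guard added to the Part validator is pasted unchanged into PartValidateCanDelete, both PartRequest validators and both Unit validators, each with a "no edits allowed" comment even where it guards creation or deletion. A small private bool-returning helper would keep the six copies from drifting: body `if (!UserIsRestrictedType) return false;`, `AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");`, `return true;`, called as `if (DenyRestrictedUser()) return;` (the name is only a suggestion). In the delete validators the comment would read better as `//Parts: restricted users may not delete`. PartValidateCanDelete and PartRequestValidateCanDelete run the guard before the `obj == null` check while the Unit delete validator appears to run it after, so a missing record is reported differently depending on the type.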
@@ -4604,6 +4637,8 @@ namespace AyaNova.Biz // internal async Task PartRequestGetAsync(long id, bool logTheGetEvent = true) { + if (UserIsSubContractorRestricted) //no access allowed at all + return null; var ret = await ct.WorkOrderItemPartRequest.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id); if (logTheGetEvent && ret != null) await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct); @@ -4724,6 +4759,13 @@ namespace AyaNova.Biz //run validation and biz rules bool isNew = currentObj == null; + if (UserIsRestrictedType) + { + //PartRequests: no edits allowed + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + if (proposedObj.WorkOrderItemId == 0) { AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderItemId"); @@ -4774,6 +4816,14 @@ namespace AyaNova.Biz private void PartRequestValidateCanDelete(WorkOrderItemPartRequest obj) { + + if (UserIsRestrictedType) + { + //PartRequests: no edits allowed + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + if (obj == null) { AddError(ApiErrorCode.NOT_FOUND, "id"); 
@@ -5774,100 +5824,6 @@ namespace AyaNova.Biz } - // //////////////////////////////////////////////////////////////////////////////////////////////// - // //BIZ ACTIONS - // // - // // - // private async Task TravelBizActionsAsync(AyaEvent ayaEvent, WorkOrderItemTravel newObj, WorkOrderItemTravel oldObj, IDbContextTransaction transaction) - // { - // //automatic actions on record change, called AFTER validation - - // //currently no processing required except for created or modified at this time - // if (ayaEvent != AyaEvent.Created && ayaEvent != AyaEvent.Modified) - // return; - - // //SET TAXES AND PRICING - - // //by default apply all automatic actions with further restrictions possible below - // bool ApplyTax = true; - // bool ApplyPricingUpdate = true; - - // //if modifed, see what has changed and should be re-applied - // if (ayaEvent == AyaEvent.Modified) - // { - // //If it wasn't a service rate change there is no need to set pricing - // if (newObj.TravelRateId == oldObj.TravelRateId) - // { - // ApplyPricingUpdate = false; - // } - // //If taxes haven't change then no need to update taxes - // if (newObj.TaxCodeSaleId == oldObj.TaxCodeSaleId) - // ApplyTax = false; - // } - - // //Tax code - // if (ApplyTax) - // { - // //Default in case nothing to apply - // newObj.TaxAPct = 0; - // newObj.TaxBPct = 0; - // newObj.TaxOnTax = false; - - // if (newObj.TaxCodeSaleId != null) - // { - // var t = await ct.TaxCode.AsNoTracking().FirstOrDefaultAsync(z => z.Id == newObj.TaxCodeSaleId); - // if (t != null) - // { - // newObj.TaxAPct = t.TaxAPct; - // newObj.TaxBPct = t.TaxBPct; - // newObj.TaxOnTax = t.TaxOnTax; - // } - // } - // } - - // //Pricing - // if (ApplyPricingUpdate) - // { - // //default in case nothing to apply - // newObj.Cost = 0; - // newObj.ListPrice = 0; - // newObj.Price = 0; - - // //in v7 it was ok to have no service rate selected - // //not sure why but carried forward to v8 so.. 
- // if (newObj.TravelRateId != null) - // { - // var s = await ct.TravelRate.AsNoTracking().FirstOrDefaultAsync(z => z.Id == newObj.TravelRateId); - // if (s != null) - // { - // newObj.Cost = s.Cost; - // newObj.ListPrice = s.Charge; - // var Contract = await GetCurrentWorkOrderContractFromRelatedAsync(AyaType.WorkOrderItem, newObj.WorkOrderItemId); - // TravelSetListPrice(newObj, Contract); - // } - // } - // } - // } - - // //////////////////////////////////////////////////////////////////////////////////////////////// - // // SET PER UNIT LIST PRICE - // // - // //(called by woitemtravel save and also by header save on change of contract) - // private static void TravelSetListPrice(WorkOrderItemTravel o, Contract c) - // { - // if (c == null || c.ServiceRatesOverridePct == 0) - // { - // o.Price = o.ListPrice;//default with no contract - // return; - // } - // if (c.ServiceRatesOverrideType == ContractOverrideType.CostMarkup) - // o.Price = o.Cost + (o.Cost * c.ServiceRatesOverridePct); - // else if (c.ServiceRatesOverrideType == ContractOverrideType.PriceDiscount) - // o.Price = o.ListPrice - (o.ListPrice * c.ServiceRatesOverridePct); - // } - - - //////////////////////////////////////////////////////////////////////////////////////////////// //VALIDATION // @@ -5902,6 +5858,14 @@ namespace AyaNova.Biz } } + if (UserIsRestrictedType) + { + //Travels: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User + if (proposedObj.UserId != UserId) + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + if (proposedObj.TravelRateQuantity < 0)//negative quantities are not allowed AddError(ApiErrorCode.VALIDATION_INVALID_VALUE, "TravelRateQuantity"); 
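Review bot: In the Travel validator the restricted-user block returns unconditionally, so for a restricted user who is the selected User the checks that follow it never run, starting with the `TravelRateQuantity < 0` test visible in this hunk. Returning only on failure keeps the remaining business rules in force: `if (proposedObj.UserId != UserId) { AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); return; }` inside the `UserIsRestrictedType` block, with no trailing `return;`. The Labor validator hunk ends its block the same way; what follows it there is outside the hunk. The comment also says an empty user selection defaults to the restricted user, but no defaulting is visible before the comparison, so a null `proposedObj.UserId` would presumably be rejected here; confirm where the default is applied.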
@@ -5931,6 +5895,14 @@ namespace AyaNova.Biz return; } + if (UserIsRestrictedType) + { + //Travels: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User + if (obj.UserId != UserId) + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + //re-check rights here necessary due to traversal delete from Principle object if (!Authorized.HasDeleteRole(CurrentUserRoles, AyaType.WorkOrderItemTravel)) { @@ -6014,6 +5986,9 @@ namespace AyaNova.Biz // internal async Task UnitGetAsync(long id, bool logTheGetEvent = true) { + if (UserIsSubContractorRestricted) //no access allowed at all + return null; + var ret = await ct.WorkOrderItemUnit.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id); if (logTheGetEvent && ret != null) await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct); @@ -6157,6 +6132,13 @@ namespace AyaNova.Biz //run validation and biz rules bool isNew = currentObj == null; + if (UserIsRestrictedType) + { + //Units: no edits allowed + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + if (proposedObj.WorkOrderItemId == 0) { AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderItemId"); @@ -6209,6 +6191,13 @@ namespace AyaNova.Biz return; } + if (UserIsRestrictedType) + { + //Units: no edits allowed + AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); + return; + } + //re-check rights here necessary due to traversal delete from Principle object if (!Authorized.HasDeleteRole(CurrentUserRoles, AyaType.WorkOrderItemUnit)) {