@@ -152,13 +152,27 @@ namespace AyaNova.Api.Controllers
if (serverState.IsClosed)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
if (!Authorized.HasReadFullRole(HttpContext.Items, ayaType))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
//Is this a customer user attempting to view a wo attachments??
var userType = UserTypeFromContext.Type(HttpContext.Items);
if (ayaType == AyaType.WorkOrder && (userType == UserType.Customer || userType == UserType.HeadOffice))
{
//check if allowed
var woTags = await ct.WorkOrder.AsNoTracking().Where(x => x.Id == ayaId).Select(x => x.Tags).FirstOrDefaultAsync();
var custUserRights = await UserBiz.CustomerUserEffectiveRightsAsync(UserIdFromContext.Id(HttpContext.Items), woTags);
if (!custUserRights.ThisWOCanAttachments)
return StatusCode(403, new ApiNotAuthorizedResponse());
}
else
{
if (!Authorized.HasReadFullRole(HttpContext.Items, ayaType))
{
return StatusCode(403, new ApiNotAuthorizedResponse());
}
}
var ret = await GetFileListForObjectAsync(ayaType, ayaId);
return Ok(ApiOkResponse.Response(ret));
}
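Review bot: In the customer/head-office branch, `woTags` is null whenever no work order matches `ayaId` (FirstOrDefaultAsync), and that null is handed straight to `UserBiz.CustomerUserEffectiveRightsAsync`, so whether a request for a non-existent or mistyped id is denied rests entirely on how that helper treats null tags, which is outside this hunk. Unless the helper is known to deny on null, a guard before the call keeps the decision local, e.g. `if (woTags is null) return StatusCode(403, new ApiNotAuthorizedResponse());` (assuming `Tags` is a reference type). Both branches end in the same 403 literal, and a comment on the split such as `// customer/head-office users are scoped per work order by its tags rather than by role` would make the reason for the two paths explicit to the next reader. The method this hunk sits in starts before the hunk.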
@@ -204,7 +218,7 @@ namespace AyaNova.Api.Controllers
/// <returns>NameValue list of filenames and attachment id's</returns>
[Authorize]
[HttpPost]
[DisableFormValueModelBinding]
[DisableFormValueModelBinding]
[RequestSizeLimit(ServerBootConfig.MAX_ATTACHMENT_UPLOAD_BYTES)]
public async Task<IActionResult> UploadAsync()
{
@@ -546,10 +560,23 @@ namespace AyaNova.Api.Controllers
}
//is this allowed?
if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObject.AttachToAType))
//Is this a customer user attempting to view a wo attachments??
if (dbObject.AttachToAType == AyaType.WorkOrder && (DownloadUser.UserType == UserType.Customer || DownloadUser.UserType == UserType.HeadOffice))
{
await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection
return StatusCode(403, new ApiNotAuthorizedResponse());
//check if allowed
var woTags = await ct.WorkOrder.AsNoTracking().Where(x => x.Id == dbObject.AttachToObjectId).Select(x => x.Tags).FirstOrDefaultAsync();
var custUserRights = await UserBiz.CustomerUserEffectiveRightsAsync(UserIdFromContext.Id(HttpContext.Items), woTags);
if (!custUserRights.ThisWOCanAttachments)
return StatusCode(403, new ApiNotAuthorizedResponse());
}
else
{
if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObject.AttachToAType))
{
await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection
return StatusCode(403, new ApiNotAuthorizedResponse());
}
}
//they are allowed, let's send the file
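Review bot: The customer/head-office branch decides on `DownloadUser.UserType` but looks up per-work-order rights for `UserIdFromContext.Id(HttpContext.Items)`; if `DownloadUser` is resolved from something other than the current request context (the role branch below likewise consults `DownloadUser.Roles` rather than `HttpContext.Items`), the rights are computed for a different principal than the one being granted the file, and the lookup should use whatever identifier `DownloadUser` carries instead. The same branch returns 403 at the `ThisWOCanAttachments` check without the `FAILED_AUTH_DELAY` that the role branch applies a few lines lower, so the protection the commit keeps for one rejection path is missing from the new one; add `await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection` before that return. As in the list endpoint, `woTags` is null when `dbObject.AttachToObjectId` matches no work order and the outcome then depends on how `CustomerUserEffectiveRightsAsync` treats null. The enclosing method starts and ends outside the hunk.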
@@ -160,6 +160,7 @@ namespace AyaNova.Biz
bool ThisWOCanAttachments = false;
if (WorkorderIsAllowed)
{
//default report (may be null and may be more detailed tagged version below)
ThisWOEffectiveWorkOrderReportId = AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerDefaultWorkOrderReportId;
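Review bot: `ThisWOCanAttachments` is introduced defaulting to false, which is the right deny-by-default shape for a permission flag that two controller paths now rely on, but nothing in the hunk says where it is meant to become true; a comment on the declaration, `// deny by default; presumably granted further down only inside the WorkorderIsAllowed block — confirm`, would tie it to the `if (WorkorderIsAllowed)` that follows. The PascalCase local matches the neighbouring `ThisWOEffectiveWorkOrderReportId`, so it follows this file's convention even though C# locals are usually camelCase. The enclosing method starts and ends outside the hunk.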