diff --git a/server/AyaNova/Controllers/AttachmentController.cs b/server/AyaNova/Controllers/AttachmentController.cs
index feb9fab5..aba83e11 100644
--- a/server/AyaNova/Controllers/AttachmentController.cs
+++ b/server/AyaNova/Controllers/AttachmentController.cs
@@ -152,13 +152,27 @@ namespace AyaNova.Api.Controllers
if (serverState.IsClosed)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
- if (!Authorized.HasReadFullRole(HttpContext.Items, ayaType))
- {
- return StatusCode(403, new ApiNotAuthorizedResponse());
- }
-
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
+
+ //Is this a customer user attempting to view a wo attachments??
+ var userType = UserTypeFromContext.Type(HttpContext.Items);
+ if (ayaType == AyaType.WorkOrder && (userType == UserType.Customer || userType == UserType.HeadOffice))
+ {
+ //check if allowed
+ var woTags = await ct.WorkOrder.AsNoTracking().Where(x => x.Id == ayaId).Select(x => x.Tags).FirstOrDefaultAsync();
+ var custUserRights = await UserBiz.CustomerUserEffectiveRightsAsync(UserIdFromContext.Id(HttpContext.Items), woTags);
+ if (!custUserRights.ThisWOCanAttachments)
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
+ else
+ {
+ if (!Authorized.HasReadFullRole(HttpContext.Items, ayaType))
+ {
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
+ }
+
var ret = await GetFileListForObjectAsync(ayaType, ayaId);
return Ok(ApiOkResponse.Response(ret));
}
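Review bot: The customer branch at L21–L24 passes whatever `FirstOrDefaultAsync` returns straight into `CustomerUserEffectiveRightsAsync`, so a request for a non-existent or wrong-type `ayaId` evaluates rights against default/null tags; unless that helper treats null as deny (its body is outside this hunk), the caller may pass the check and reach `GetFileListForObjectAsync` for an id they were never tagged for. A guard before the rights call, `if (woTags is null) return StatusCode(403, new ApiNotAuthorizedResponse());` (assuming `Tags` is a reference type), keeps the fail-closed shape of the role-check branch. Note also that the decision here is derived from the work order's tags alone and nothing in the hunk ties the work order to the caller's customer or head office, so confirm that ownership is enforced inside `CustomerUserEffectiveRightsAsync` rather than assumed by the tag match. The same tag lookup and rights check is duplicated in the download action; a private helper such as `CustomerMayAccessWorkOrderAttachmentsAsync(workOrderId, userId)` would keep the two decisions from drifting.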
@@ -204,7 +218,7 @@ namespace AyaNova.Api.Controllers
/// NameValue list of filenames and attachment id's
[Authorize]
[HttpPost]
- [DisableFormValueModelBinding]
+ [DisableFormValueModelBinding]
[RequestSizeLimit(ServerBootConfig.MAX_ATTACHMENT_UPLOAD_BYTES)]
public async Task UploadAsync()
{
@@ -546,10 +560,23 @@ namespace AyaNova.Api.Controllers
}
//is this allowed?
- if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObject.AttachToAType))
+ //Is this a customer user attempting to view a wo attachments??
+
+ if (dbObject.AttachToAType == AyaType.WorkOrder && (DownloadUser.UserType == UserType.Customer || DownloadUser.UserType == UserType.HeadOffice))
{
- await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection
- return StatusCode(403, new ApiNotAuthorizedResponse());
+ //check if allowed
+ var woTags = await ct.WorkOrder.AsNoTracking().Where(x => x.Id == dbObject.AttachToObjectId).Select(x => x.Tags).FirstOrDefaultAsync();
+ var custUserRights = await UserBiz.CustomerUserEffectiveRightsAsync(UserIdFromContext.Id(HttpContext.Items), woTags);
+ if (!custUserRights.ThisWOCanAttachments)
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
+ else
+ {
+ if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObject.AttachToAType))
+ {
+ await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
}
//they are allowed, let's send the file
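Review bot: The new customer branch at L57–L58 looks up rights for `UserIdFromContext.Id(HttpContext.Items)` while the type check on L52 and the role check on L64 both read from `DownloadUser`; if `DownloadUser` is resolved from something other than the HttpContext principal (its origin is above the hunk, so this is inferred), the rights are evaluated for a different identity than the one being authorized. Use the id carried on `DownloadUser` in that call so the whole decision is made against one user. Separately, the customer-branch 403 on L60 skips the `FAILED_AUTH_DELAY` that the role-check branch on L66 still applies, so the failed-authorization throttle is now inconsistent between the two paths; add `await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);` before that return. As in the list action, a null `woTags` (work order not found) flows straight into the rights call; confirm the helper denies on null or guard it here.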
diff --git a/server/AyaNova/biz/UserBiz.cs b/server/AyaNova/biz/UserBiz.cs
index d5ec99a2..3b432c0c 100644
--- a/server/AyaNova/biz/UserBiz.cs
+++ b/server/AyaNova/biz/UserBiz.cs
@@ -160,6 +160,7 @@ namespace AyaNova.Biz
bool ThisWOCanAttachments = false;
if (WorkorderIsAllowed)
{
+
//default report (may be null and may be more detailed tagged version below)
ThisWOEffectiveWorkOrderReportId = AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerDefaultWorkOrderReportId;