From 137cf4856e869754089963f45305646ae67c9579 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Thu, 18 Nov 2021 20:56:31 +0000
Subject: [PATCH]
---
 .../Controllers/AttachmentController.cs | 45 +++++++++++++++----
 server/AyaNova/biz/UserBiz.cs | 1 +
 2 files changed, 37 insertions(+), 9 deletions(-)
diff --git a/server/AyaNova/Controllers/AttachmentController.cs b/server/AyaNova/Controllers/AttachmentController.cs
index feb9fab5..aba83e11 100644
--- a/server/AyaNova/Controllers/AttachmentController.cs
+++ b/server/AyaNova/Controllers/AttachmentController.cs
@@ -152,13 +152,27 @@ namespace AyaNova.Api.Controllers
 if (serverState.IsClosed)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
- if (!Authorized.HasReadFullRole(HttpContext.Items, ayaType))
- {
- return StatusCode(403, new ApiNotAuthorizedResponse());
- }
-
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
+
+ //Is this a customer user attempting to view a wo attachments??
+ var userType = UserTypeFromContext.Type(HttpContext.Items);
+ if (ayaType == AyaType.WorkOrder && (userType == UserType.Customer || userType == UserType.HeadOffice))
+ {
+ //check if allowed
+ var woTags = await ct.WorkOrder.AsNoTracking().Where(x => x.Id == ayaId).Select(x => x.Tags).FirstOrDefaultAsync();
+ var custUserRights = await UserBiz.CustomerUserEffectiveRightsAsync(UserIdFromContext.Id(HttpContext.Items), woTags);
+ if (!custUserRights.ThisWOCanAttachments)
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
+ else
+ {
+ if (!Authorized.HasReadFullRole(HttpContext.Items, ayaType))
+ {
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
+ }
+
 var ret = await GetFileListForObjectAsync(ayaType, ayaId);
 return Ok(ApiOkResponse.Response(ret));
 }
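Review bot: In the new customer/head-office branch, `woTags` comes from `FirstOrDefaultAsync()`, so an `ayaId` that matches no work order yields a default (null) tag value that is passed straight to `UserBiz.CustomerUserEffectiveRightsAsync`; unless that helper treats missing tags as denied, the outcome for a nonexistent work order is decided outside this controller. A guard before the rights call makes the intent explicit and avoids depending on that: `if (woTags is null) return StatusCode(403, new ApiNotAuthorizedResponse());` (or whatever this action already returns for a missing object). The same lookup is repeated in the download hunk at `@@ -546,10 +560,23 @@`, where the identical guard applies. The comment `//Is this a customer user attempting to view a wo attachments??` would read better as `// Customer / head-office users are authorized per work order through their effective rights instead of the read-full role`. The enclosing action method starts before this hunk.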
@@ -204,7 +218,7 @@ namespace AyaNova.Api.Controllers
 /// NameValue list of filenames and attachment id's
 [Authorize]
 [HttpPost]
- [DisableFormValueModelBinding]
+ [DisableFormValueModelBinding]
 [RequestSizeLimit(ServerBootConfig.MAX_ATTACHMENT_UPLOAD_BYTES)]
 public async Task UploadAsync()
 {
@@ -546,10 +560,23 @@ namespace AyaNova.Api.Controllers
 }
 //is this allowed?
- if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObject.AttachToAType))
+ //Is this a customer user attempting to view a wo attachments??
+
+ if (dbObject.AttachToAType == AyaType.WorkOrder && (DownloadUser.UserType == UserType.Customer || DownloadUser.UserType == UserType.HeadOffice))
 {
- await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection
- return StatusCode(403, new ApiNotAuthorizedResponse());
+ //check if allowed
+ var woTags = await ct.WorkOrder.AsNoTracking().Where(x => x.Id == dbObject.AttachToObjectId).Select(x => x.Tags).FirstOrDefaultAsync();
+ var custUserRights = await UserBiz.CustomerUserEffectiveRightsAsync(UserIdFromContext.Id(HttpContext.Items), woTags);
+ if (!custUserRights.ThisWOCanAttachments)
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
+ else
+ {
+ if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObject.AttachToAType))
+ {
+ await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
 }
 //they are allowed, let's send the file
diff --git a/server/AyaNova/biz/UserBiz.cs b/server/AyaNova/biz/UserBiz.cs
index d5ec99a2..3b432c0c 100644
--- a/server/AyaNova/biz/UserBiz.cs
+++ b/server/AyaNova/biz/UserBiz.cs
@@ -160,6 +160,7 @@ namespace AyaNova.Biz
 bool ThisWOCanAttachments = false;
 if (WorkorderIsAllowed)
 {
+ //default report (may be null and may be more detailed tagged version below)
 ThisWOEffectiveWorkOrderReportId = AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerDefaultWorkOrderReportId;
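Review bot: In the download hunk (`@@ -546,10 +560,23 @@`) the customer branch resolves the user for the rights check from `UserIdFromContext.Id(HttpContext.Items)`, while the `UserType` test on the same `if` line and the role check in the else branch authorize against `DownloadUser`; if `DownloadUser` is not the same principal as the one in `HttpContext.Items` (its own `Roles`/`UserType` suggest it is resolved separately for downloads), the effective rights are computed for a different identity than the one whose type was just checked. The id should be taken from the same `DownloadUser` object so both branches agree on who is being authorized. The customer branch also returns 403 without the `await Task.Delay(AyaNova.Util.ServerBootConfig.FAILED_AUTH_DELAY);//DOS protection` that the else branch keeps, so the failed-authorization delay now applies to staff users but not to customer users; adding the same delay before the customer-branch `return` keeps the behaviour uniform. The enclosing method starts and ends outside the hunk.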