This commit is contained in:
@@ -9,6 +9,7 @@ using AyaNova.DataList;
|
||||
using System.Threading.Tasks;
|
||||
using System.Linq;
|
||||
using EnumsNET;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
|
||||
namespace AyaNova.Api.Controllers
|
||||
{
|
||||
@@ -69,6 +70,7 @@ namespace AyaNova.Api.Controllers
|
||||
|
||||
var UserRoles = UserRolesFromContext.Roles(HttpContext.Items);
|
||||
var UserId = UserIdFromContext.Id(HttpContext.Items);
|
||||
var UType = UserTypeFromContext.Type(HttpContext.Items);
|
||||
|
||||
try
|
||||
{
|
||||
@@ -90,6 +92,25 @@ namespace AyaNova.Api.Controllers
|
||||
if (!UserRoles.HasAnyFlags(DataList.AllowedRoles))
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
|
||||
//IF user is a customer type check if they are allowed to view this datalist at all under global settings
|
||||
if (UType == UserType.Customer || UType == UserType.HeadOffice)
|
||||
{
|
||||
switch (tableRequest.DataListKey)
|
||||
{
|
||||
case "CustomerServiceRequestDataList":
|
||||
if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
|
||||
//TODO: user must match headoffice or customer id extra data or else it's not allowed
|
||||
break;
|
||||
//todo: workorder list
|
||||
default://pretty much anything is not allowed
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
//hydrate the saved view and filter
|
||||
DataListTableProcessingOptions dataListTableOptions = new DataListTableProcessingOptions(tableRequest, DataList, SavedView, SavedFilter, UserId, UserRoles);
|
||||
DataListReturnData r = await DataListFetcher.GetResponseAsync(ct, dataListTableOptions, DataList, UserRoles, log, UserId);
|
||||
@@ -106,6 +127,40 @@ namespace AyaNova.Api.Controllers
|
||||
}
|
||||
}
|
||||
|
||||
private async Task<bool> CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey)
|
||||
{
|
||||
|
||||
//ClientCriteria format for this list is "OBJECTID,AYATYPE"
|
||||
var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray();
|
||||
if (crit.Length > 1)
|
||||
{
|
||||
|
||||
int nType = 0;
|
||||
if (!int.TryParse(crit[1], out nType)) return false;
|
||||
AyaType forType = (AyaType)nType;
|
||||
if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false;
|
||||
|
||||
long lId = 0;
|
||||
if (!long.TryParse(crit[0], out lId)) return false;
|
||||
if (lId == 0) return false;
|
||||
|
||||
//Have valid type, have an id, is this User actually connected to the entity they are requesting data for
|
||||
var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();
|
||||
switch (forType)
|
||||
{
|
||||
case AyaType.Customer:
|
||||
if (lId != User.CustomerId)
|
||||
return false;
|
||||
break;
|
||||
case AyaType.HeadOffice:
|
||||
if (lId != User.HeadOfficeId)
|
||||
return false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// List of all DataList keys available
|
||||
/// </summary>
|
||||
|
||||
Reference in New Issue
Block a user