From 16f9ac727c13110035746ed0ad85a6fe58e7bc52 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Fri, 11 Feb 2022 18:21:55 +0000
Subject: [PATCH]
---
 docs/8.0/ayanova/docs/svc-workorders.md | 6 ++++++
 server/AyaNova/biz/PMBiz.cs | 19 ++++++++++++-------
 server/AyaNova/biz/QuoteBiz.cs | 19 ++++++++++++-------
 server/AyaNova/biz/WorkOrderBiz.cs | 21 +++++++++++++--------
 4 files changed, 43 insertions(+), 22 deletions(-)
diff --git a/docs/8.0/ayanova/docs/svc-workorders.md b/docs/8.0/ayanova/docs/svc-workorders.md
index 8cdcdaf9..bbf23c26 100644
--- a/docs/8.0/ayanova/docs/svc-workorders.md
+++ b/docs/8.0/ayanova/docs/svc-workorders.md
@@ -641,6 +641,12 @@ A work order item can have zero to many separate Work order item task records as
 All Work order item Task edit form fields here are **optional** unless stated as required.
+##### Restricted users and tasks
+
+[Restricted Users](#limited-access-role-rights) are only permitted to make edits to Tasks that for which *they* are the selected User. Tasks for other Users can not be changed by a restricted User.
+
+This means the restricted User *must* be pre-selected as the Task "User" by the person creating the work order item tasks or the restricted user will not be able to complete the Tasks.
+
 #### Sequence
 This field is _required_ but is set automatically and can be manually changed.
diff --git a/server/AyaNova/biz/PMBiz.cs b/server/AyaNova/biz/PMBiz.cs
index 324841ce..d61ad224 100644
--- a/server/AyaNova/biz/PMBiz.cs
+++ b/server/AyaNova/biz/PMBiz.cs
@@ -3925,18 +3925,23 @@ namespace AyaNova.Biz
 return;
 }
- if (!isNew && UserIsRestrictedType)
+ if (!isNew && UserIsRestrictedType && currentObj.CompletedByUserId != UserId)
 {
- //Existing record so just make sure they haven't changed the not changeable fields from the db version
+ //restricted users are not allowed to edit any task unless they are the selected User
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
- //* Tasks: view and edit existing tasks, set completion type and date only, no add or remove or changing other fields
- //note that UI will prevent this, this rule is only backup for 3rd party api users
- if (currentObj.Task != proposedObj.Task) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Task");
- if (currentObj.CompletedByUserId != UserId) AddError(ApiErrorCode.VALIDATION_INVALID_VALUE, "CompletedByUserId");
- if (currentObj.Sequence != proposedObj.Sequence) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Sequence");
+ // //Existing record so just make sure they haven't changed the not changeable fields from the db version
+
+ // //* Tasks: view and edit existing tasks, set completion type and date only, no add or remove or changing other fields
+ // //note that UI will prevent this, this rule is only backup for 3rd party api users
+ // if (currentObj.Task != proposedObj.Task) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Task");
+ // if (currentObj.CompletedByUserId != UserId) AddError(ApiErrorCode.VALIDATION_INVALID_VALUE, "CompletedByUserId");
+ // if (currentObj.Sequence != proposedObj.Sequence) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Sequence");
 }
+
 if (string.IsNullOrWhiteSpace(proposedObj.Task)) AddError(ApiErrorCode.VALIDATION_REQUIRED, "Task");
diff --git a/server/AyaNova/biz/QuoteBiz.cs b/server/AyaNova/biz/QuoteBiz.cs
index 0dc60a64..6e36bc60 100644
--- a/server/AyaNova/biz/QuoteBiz.cs
+++ b/server/AyaNova/biz/QuoteBiz.cs
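Review bot: In the PMBiz.cs hunk the restricted-user guard tests only `currentObj.CompletedByUserId != UserId`, and the per-field comparisons on `Task` and `Sequence` are now commented out, so a restricted user who is the task's selected User can change every field through the API, including `proposedObj.CompletedByUserId`. The removed comment described those comparisons as the backup for third-party API callers, so the UI is presumably still the only thing limiting these edits. If restricted users are still meant to set completion data only and not hand the task to another user, keep the server-side rule, e.g. `if (!isNew && UserIsRestrictedType && proposedObj.CompletedByUserId != UserId) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "CompletedByUserId");` alongside the restored `Task` and `Sequence` comparisons. The same applies to the identical hunks in QuoteBiz.cs and WorkOrderBiz.cs; the enclosing validation method starts and ends outside the hunk, so a check elsewhere may already cover part of this.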
@@ -4172,17 +4172,22 @@ namespace AyaNova.Biz
 return;
 }
- if (!isNew && UserIsRestrictedType)
+ if (!isNew && UserIsRestrictedType && currentObj.CompletedByUserId != UserId)
 {
- //Existing record so just make sure they haven't changed the not changeable fields from the db version
+ //restricted users are not allowed to edit any task unless they are the selected User
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
- //* Tasks: view and edit existing tasks, set completion type and date only, no add or remove or changing other fields
- //note that UI will prevent this, this rule is only backup for 3rd party api users
- if (currentObj.Task != proposedObj.Task) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Task");
- if (currentObj.CompletedByUserId != UserId) AddError(ApiErrorCode.VALIDATION_INVALID_VALUE, "CompletedByUserId");
- if (currentObj.Sequence != proposedObj.Sequence) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Sequence");
+ // //Existing record so just make sure they haven't changed the not changeable fields from the db version
+
+ // //* Tasks: view and edit existing tasks, set completion type and date only, no add or remove or changing other fields
+ // //note that UI will prevent this, this rule is only backup for 3rd party api users
+ // if (currentObj.Task != proposedObj.Task) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Task");
+ // if (currentObj.CompletedByUserId != UserId) AddError(ApiErrorCode.VALIDATION_INVALID_VALUE, "CompletedByUserId");
+ // if (currentObj.Sequence != proposedObj.Sequence) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Sequence");
 }
+
 if (string.IsNullOrWhiteSpace(proposedObj.Task)) AddError(ApiErrorCode.VALIDATION_REQUIRED, "Task");
diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs
index 3b0c3f62..f0018a7f 100644
--- a/server/AyaNova/biz/WorkOrderBiz.cs
+++ b/server/AyaNova/biz/WorkOrderBiz.cs
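Review bot: The superseded rule is left as commented-out code after the unconditional `return;` inside the QuoteBiz.cs authorization branch (and likewise in PMBiz.cs and WorkOrderBiz.cs), which makes it harder to audit which restrictions are actually enforced. I would delete those lines and rely on version history, keeping one accurate comment such as `//restricted users may edit an existing task only when they are its selected User; no per-field limits apply`. The three files now carry the same guard verbatim, so a single shared method, if these Biz classes have a common place for one, would keep the rule from drifting between PM, Quote and WorkOrder tasks.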
@@ -5768,15 +5768,20 @@ namespace AyaNova.Biz
 return;
 }
- if (!isNew && UserIsRestrictedType)
- {
- //Existing record so just make sure they haven't changed the not changeable fields from the db version
- //* Tasks: view and edit existing tasks, set completion type and date only, no add or remove or changing other fields
- //note that UI will prevent this, this rule is only backup for 3rd party api users
- if (currentObj.Task != proposedObj.Task) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Task");
- if (currentObj.CompletedByUserId != UserId) AddError(ApiErrorCode.VALIDATION_INVALID_VALUE, "CompletedByUserId");
- if (currentObj.Sequence != proposedObj.Sequence) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Sequence");
+ if (!isNew && UserIsRestrictedType && currentObj.CompletedByUserId != UserId)
+ {
+ //restricted users are not allowed to edit any task unless they are the selected User
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
+
+ // //Existing record so just make sure they haven't changed the not changeable fields from the db version
+
+ // //* Tasks: view and edit existing tasks, set completion type and date only, no add or remove or changing other fields
+ // //note that UI will prevent this, this rule is only backup for 3rd party api users
+ // if (currentObj.Task != proposedObj.Task) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Task");
+ // if (currentObj.CompletedByUserId != UserId) AddError(ApiErrorCode.VALIDATION_INVALID_VALUE, "CompletedByUserId");
+ // if (currentObj.Sequence != proposedObj.Sequence) AddError(ApiErrorCode.VALIDATION_NOT_CHANGEABLE, "Sequence");
 }