This commit is contained in:
@@ -623,7 +623,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!serverState.IsOpen)
|
||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
||||
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
@@ -646,7 +646,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!serverState.IsOpen)
|
||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
||||
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsSubContractorRestricted)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
@@ -670,7 +670,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
||||
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
var o = await biz.LoanPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
|
||||
if (o == null)
|
||||
@@ -696,7 +696,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
||||
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
if (!await biz.LoanDeleteAsync(WorkOrderItemLoanId))
|
||||
return BadRequest(new ApiErrorResponse(biz.Errors));
|
||||
@@ -732,7 +732,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!serverState.IsOpen)
|
||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
||||
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
@@ -755,7 +755,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!serverState.IsOpen)
|
||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
||||
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
@@ -779,7 +779,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
||||
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
var o = await biz.OutsideServicePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
|
||||
if (o == null)
|
||||
@@ -805,7 +805,7 @@ namespace AyaNova.Api.Controllers
|
||||
if (!ModelState.IsValid)
|
||||
return BadRequest(new ApiErrorResponse(ModelState));
|
||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
||||
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
if (!await biz.OutsideServiceDeleteAsync(WorkOrderItemOutsideServiceId))
|
||||
return BadRequest(new ApiErrorResponse(biz.Errors));
|
||||
|
||||
@@ -2401,6 +2401,11 @@ namespace AyaNova.Biz
|
||||
if (UserIsSubContractorFull || UserIsSubContractorRestricted) //no access allowed at all
|
||||
return null;
|
||||
var ret = await ct.WorkOrderItemExpense.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
|
||||
if (UserIsTechRestricted && ret.UserId != UserId)//tech restricted can only see their own expenses
|
||||
{
|
||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||
return null;
|
||||
}
|
||||
if (logTheGetEvent && ret != null)
|
||||
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
|
||||
return ret;
|
||||
@@ -2572,7 +2577,7 @@ namespace AyaNova.Biz
|
||||
return;
|
||||
}
|
||||
|
||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
|
||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
|
||||
{
|
||||
//no edits allowed on other people's records
|
||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||
@@ -3032,7 +3037,7 @@ namespace AyaNova.Biz
|
||||
}
|
||||
}
|
||||
|
||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
|
||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
|
||||
{
|
||||
//no edits allowed on other people's records
|
||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||
@@ -5642,6 +5647,11 @@ namespace AyaNova.Biz
|
||||
internal async Task<WorkOrderItemTravel> TravelGetAsync(long id, bool logTheGetEvent = true)
|
||||
{
|
||||
var ret = await ct.WorkOrderItemTravel.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
|
||||
if (UserIsRestrictedType && ret.UserId != UserId)
|
||||
{
|
||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||
return null;
|
||||
}
|
||||
if (logTheGetEvent && ret != null)
|
||||
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
|
||||
return ret;
|
||||
@@ -5897,7 +5907,7 @@ namespace AyaNova.Biz
|
||||
}
|
||||
}
|
||||
|
||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
|
||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
|
||||
{
|
||||
//no edits allowed on other people's records
|
||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||
|
||||
Reference in New Issue
Block a user