diff --git a/server/AyaNova/Controllers/WorkOrderController.cs b/server/AyaNova/Controllers/WorkOrderController.cs
index 1e0df7fe..c1fbc724 100644
--- a/server/AyaNova/Controllers/WorkOrderController.cs
+++ b/server/AyaNova/Controllers/WorkOrderController.cs
@@ -623,7 +623,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -646,7 +646,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -670,7 +670,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.LoanPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
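Review bot: The loan read check at `@@ -646` denies only `biz.UserIsSubContractorRestricted`, so full subcontractors and tech-restricted users still reach `biz` for loan reads, whereas the outside-service read at `@@ -755` denies both subcontractor types; whether that asymmetry is intended cannot be confirmed from this diff. The expense and travel getters in `WorkOrderBiz.cs` gain a per-record `UserId` ownership check in this same commit, and it is not visible here whether the loan getter has an equivalent; if it does not, any restricted user holding the read role can fetch any loan by id, which is the object-level authorization gap the biz-layer hunks are closing elsewhere. A one-line comment on the new condition naming which user types are deliberately let through, and where the per-record check for loans lives, would make the intent reviewable. The enclosing action methods start and end outside these hunks.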
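Review bot: In `@@ -670` the new authorization condition is evaluated after `ModelState.IsValid`, so a caller who is not permitted to modify loans is given validation feedback (400 with the model errors) before the 403 is ever reached; the same order appears in `@@ -696`, `@@ -779` and `@@ -805`, while the create and read actions in this controller check authorization first. Moving the role/restriction check ahead of the model-state check in those four actions keeps the authorization outcome independent of request-body validity and avoids handing unauthorized callers validation detail. The enclosing action methods start and end outside the hunk.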
@@ -696,7 +696,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.LoanDeleteAsync(WorkOrderItemLoanId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -732,7 +732,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -755,7 +755,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
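Review bot: The user-type restriction added at `@@ -732` is spelled out inline as a second `||` operand, and the same shape now appears in eight actions of this controller with three different flag combinations (`UserIsRestrictedType` alone, `UserIsSubContractorRestricted` alone at `@@ -646`, both subcontractor flags at `@@ -755`), so the policy for which user types may touch each item type is scattered across the controller rather than stated once. A named helper on `WorkOrderBiz` (or a private method on the controller) that answers "may this user type create/read/modify/delete this item type" would keep the two halves of the decision together and make a later change to one item type harder to miss elsewhere. This is a point of style only; the conditions as written are readable. The enclosing action methods start and end outside the hunk.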
@@ -779,7 +779,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.OutsideServicePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -805,7 +805,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.OutsideServiceDeleteAsync(WorkOrderItemOutsideServiceId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs
index 774046c7..03a6321f 100644
--- a/server/AyaNova/biz/WorkOrderBiz.cs
+++ b/server/AyaNova/biz/WorkOrderBiz.cs
@@ -2401,6 +2401,11 @@ namespace AyaNova.Biz
 if (UserIsSubContractorFull || UserIsSubContractorRestricted) //no access allowed at all
 return null;
 var ret = await ct.WorkOrderItemExpense.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
+ if (UserIsTechRestricted && ret.UserId != UserId)//tech restricted can only see their own expenses
+ {
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
+ return null;
+ }
 if (logTheGetEvent && ret != null)
 await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
 return ret;
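Review bot: `ret.UserId` in the ownership check added at `@@ -2401` is dereferenced before the existing `ret != null` guard, so a tech-restricted user asking for an id that does not exist gets a NullReferenceException (`SingleOrDefaultAsync` returns null) instead of the null the method otherwise returns; the `UserIsRestrictedType` check added in `TravelGetAsync` at `@@ -5642` has the same gap. Besides the unhandled exception, the two outcomes differ (an error for a missing id, a quiet null for another user's id), which lets a restricted caller tell which ids exist. Change the condition to `if (ret != null && UserIsTechRestricted && ret.UserId != UserId)//tech restricted can only see their own expenses`, and likewise `if (ret != null && UserIsRestrictedType && ret.UserId != UserId)` in `TravelGetAsync`, so a missing record and a non-owned record both come back as null. The enclosing expense getter starts before this hunk.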
@@ -2572,7 +2577,7 @@ namespace AyaNova.Biz
 return;
 }
 
- if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
 {
 //no edits allowed on other people's records
 AddError(ApiErrorCode.NOT_AUTHORIZED);
@@ -3032,7 +3037,7 @@ namespace AyaNova.Biz
 }
 }
 
- if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
 {
 //no edits allowed on other people's records
 AddError(ApiErrorCode.NOT_AUTHORIZED);
@@ -5642,6 +5647,11 @@ namespace AyaNova.Biz
 internal async Task TravelGetAsync(long id, bool logTheGetEvent = true)
 {
 var ret = await ct.WorkOrderItemTravel.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
+ if (UserIsRestrictedType && ret.UserId != UserId)
+ {
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
+ return null;
+ }
 if (logTheGetEvent && ret != null)
 await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
 return ret;
@@ -5897,7 +5907,7 @@ namespace AyaNova.Biz
 }
 }
 
- if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
 {
 //no edits allowed on other people's records
 AddError(ApiErrorCode.NOT_AUTHORIZED);