This commit is contained in:
@@ -623,7 +623,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!serverState.IsOpen)
|
if (!serverState.IsOpen)
|
||||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
@@ -646,7 +646,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!serverState.IsOpen)
|
if (!serverState.IsOpen)
|
||||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsSubContractorRestricted)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
@@ -670,7 +670,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
var o = await biz.LoanPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
|
var o = await biz.LoanPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
|
||||||
if (o == null)
|
if (o == null)
|
||||||
@@ -696,7 +696,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemLoan))
|
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemLoan) || biz.UserIsRestrictedType)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
if (!await biz.LoanDeleteAsync(WorkOrderItemLoanId))
|
if (!await biz.LoanDeleteAsync(WorkOrderItemLoanId))
|
||||||
return BadRequest(new ApiErrorResponse(biz.Errors));
|
return BadRequest(new ApiErrorResponse(biz.Errors));
|
||||||
@@ -732,7 +732,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!serverState.IsOpen)
|
if (!serverState.IsOpen)
|
||||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
@@ -755,7 +755,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!serverState.IsOpen)
|
if (!serverState.IsOpen)
|
||||||
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
@@ -779,7 +779,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
var o = await biz.OutsideServicePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
|
var o = await biz.OutsideServicePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
|
||||||
if (o == null)
|
if (o == null)
|
||||||
@@ -805,7 +805,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
if (!ModelState.IsValid)
|
if (!ModelState.IsValid)
|
||||||
return BadRequest(new ApiErrorResponse(ModelState));
|
return BadRequest(new ApiErrorResponse(ModelState));
|
||||||
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
|
||||||
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService))
|
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemOutsideService) || biz.UserIsRestrictedType)
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
if (!await biz.OutsideServiceDeleteAsync(WorkOrderItemOutsideServiceId))
|
if (!await biz.OutsideServiceDeleteAsync(WorkOrderItemOutsideServiceId))
|
||||||
return BadRequest(new ApiErrorResponse(biz.Errors));
|
return BadRequest(new ApiErrorResponse(biz.Errors));
|
||||||
|
|||||||
@@ -2401,6 +2401,11 @@ namespace AyaNova.Biz
|
|||||||
if (UserIsSubContractorFull || UserIsSubContractorRestricted) //no access allowed at all
|
if (UserIsSubContractorFull || UserIsSubContractorRestricted) //no access allowed at all
|
||||||
return null;
|
return null;
|
||||||
var ret = await ct.WorkOrderItemExpense.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
|
var ret = await ct.WorkOrderItemExpense.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
|
||||||
|
if (UserIsTechRestricted && ret.UserId != UserId)//tech restricted can only see their own expenses
|
||||||
|
{
|
||||||
|
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
if (logTheGetEvent && ret != null)
|
if (logTheGetEvent && ret != null)
|
||||||
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
|
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
|
||||||
return ret;
|
return ret;
|
||||||
@@ -2572,7 +2577,7 @@ namespace AyaNova.Biz
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
|
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
|
||||||
{
|
{
|
||||||
//no edits allowed on other people's records
|
//no edits allowed on other people's records
|
||||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||||
@@ -3032,7 +3037,7 @@ namespace AyaNova.Biz
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
|
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
|
||||||
{
|
{
|
||||||
//no edits allowed on other people's records
|
//no edits allowed on other people's records
|
||||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||||
@@ -5642,6 +5647,11 @@ namespace AyaNova.Biz
|
|||||||
internal async Task<WorkOrderItemTravel> TravelGetAsync(long id, bool logTheGetEvent = true)
|
internal async Task<WorkOrderItemTravel> TravelGetAsync(long id, bool logTheGetEvent = true)
|
||||||
{
|
{
|
||||||
var ret = await ct.WorkOrderItemTravel.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
|
var ret = await ct.WorkOrderItemTravel.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
|
||||||
|
if (UserIsRestrictedType && ret.UserId != UserId)
|
||||||
|
{
|
||||||
|
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
if (logTheGetEvent && ret != null)
|
if (logTheGetEvent && ret != null)
|
||||||
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
|
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
|
||||||
return ret;
|
return ret;
|
||||||
@@ -5897,7 +5907,7 @@ namespace AyaNova.Biz
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
|
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId != UserId))
|
||||||
{
|
{
|
||||||
//no edits allowed on other people's records
|
//no edits allowed on other people's records
|
||||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||||
|
|||||||
Reference in New Issue
Block a user