diff --git a/devdocs/todo.txt b/devdocs/todo.txt
index e37527bf..406b2128 100644
--- a/devdocs/todo.txt
+++ b/devdocs/todo.txt
@@ -13,7 +13,12 @@
todo: check attachment NOTES property is actually supported
- case https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/2029
-//todo: search tables in schema, I think there is a missing index here, need to look at the search query section again as it was changed several times from the original schema creation
+todo: search tables in schema, I think there is a missing index here, need to look at the search query section again as it was changed several times from the original schema creation
+
+todo: Routes should check rights *BEFORE* they fetch the object, not after, all routes affected
+ i.e. delete route instantiates biz object, then it fetchs object from db *then* it checks if they have rights to delete (generically, not specific to that object)
+ This is out of order as it triggers a db call even if they have no rights to do it
+
todo: log failed
- Download attempts with wrong key
diff --git a/server/AyaNova/Controllers/WorkOrderController.cs b/server/AyaNova/Controllers/WorkOrderController.cs
index 70d24e46..8eb3cf7e 100644
--- a/server/AyaNova/Controllers/WorkOrderController.cs
+++ b/server/AyaNova/Controllers/WorkOrderController.cs
@@ -269,6 +269,195 @@ namespace AyaNova.Api.Controllers
//WorkOrder/{woid}/WorkorderItems <- all workorderitems, post to add new, put to update all as a collection
//WorkOrder/{woid}/WorkOrderItems/{woitemid} <- CRUD single woitemid
+
+// ///
+// /// Get full WorkOrder object
+// ///
+// ///
+// /// A single WorkOrder
+// [HttpGet("{id}")]
+// public async Task GetWorkOrder([FromRoute] long id)
+// {
+// if (!serverState.IsOpen)
+// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
+
+// //Instantiate the business object handler
+// WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
+
+// //NOTE: This is the first check and often the only check but in some cases with some objects this will also need to check biz object rules
+// if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
+// return StatusCode(403, new ApiNotAuthorizedResponse());
+
+// if (!ModelState.IsValid)
+// return BadRequest(new ApiErrorResponse(ModelState));
+
+// var o = await biz.GetAsync(id);
+// if (o == null)
+// return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
+
+// // NOTE: HERE would be the second check of biz rules before returning the object
+// // in cases where there is also a business rule to affect retrieval on top of basic rights
+
+// return Ok(ApiOkResponse.Response(o, !Authorized.HasModifyRole(HttpContext.Items, biz.BizType)));
+// }
+
+// //TODO: GET BY RELATIVE
+// //get by descendent type and id
+
+
+
+
+// ///
+// /// Put (update) WorkOrder
+// ///
+// ///
+// ///
+// ///
+// [HttpPut("{id}")]
+// public async Task PutWorkOrder([FromRoute] long id, [FromBody] WorkOrder inObj)
+// {
+// if (!serverState.IsOpen)
+// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
+
+// if (!ModelState.IsValid)
+// return BadRequest(new ApiErrorResponse(ModelState));
+
+// //Instantiate the business object handler
+// WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
+
+// var o = await biz.GetAsync(id, false);
+// if (o == null)
+// return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
+
+// if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
+// return StatusCode(403, new ApiNotAuthorizedResponse());
+
+// try
+// {
+// if (!await biz.PutAsync(o, inObj))
+// return BadRequest(new ApiErrorResponse(biz.Errors));
+// }
+// catch (DbUpdateConcurrencyException)
+// {
+// if (!await biz.ExistsAsync(id))
+// return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
+// else
+// return StatusCode(409, new ApiErrorResponse(ApiErrorCode.CONCURRENCY_CONFLICT));
+// }
+// return Ok(ApiOkResponse.Response(new { ConcurrencyToken = o.ConcurrencyToken }, true));
+// }
+
+
+
+
+// ///
+// /// Post Workorder
+// ///
+// ///
+// /// Automatically filled from route path, no need to specify in body
+// ///
+// [HttpPost]
+// public async Task PostWorkOrder([FromBody] WorkOrder inObj, ApiVersion apiVersion)
+// {
+// if (!serverState.IsOpen)
+// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
+
+// //Instantiate the business object handler
+// WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
+
+// //If a user has change roles
+// if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
+// return StatusCode(403, new ApiNotAuthorizedResponse());
+
+// if (!ModelState.IsValid)
+// return BadRequest(new ApiErrorResponse(ModelState));
+
+// //Create and validate
+// WorkOrder o = await biz.CreateAsync(inObj);
+// if (o == null)
+// return BadRequest(new ApiErrorResponse(biz.Errors));
+// else
+// return CreatedAtAction(nameof(WorkOrderController.GetWorkOrder), new { id = o.Id, version = apiVersion.ToString() }, new ApiCreatedResponse(o));
+
+// }
+
+
+
+
+
+
+ ///
+ /// Delete WorkOrderItems
+ ///
+ ///
+ /// Ok
+ [HttpDelete("{WorkOrderId}/WorkorderItems/")]
+ public async Task DeleteWorkOrderItems([FromRoute] long workOrderId)
+ {
+ ////WorkOrder/{woid}/WorkorderItems <- all workorderitems, post to add new, put to update all as a collection
+ ///WorkOrder/{WorkOrderId}/WorkorderItems
+ if (!serverState.IsOpen)
+ return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
+
+ if (!ModelState.IsValid)
+ return BadRequest(new ApiErrorResponse(ModelState));
+
+ //Instantiate the business object handler
+ WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
+
+ var o = await biz.GetAsync(workOrderId, false);
+ if (o == null)
+ return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
+
+ if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+
+//stubbed out for now just to see routes
+ // if (!await biz.DeleteItemsAsync(o))
+ // return BadRequest(new ApiErrorResponse(biz.Errors));
+
+ return NoContent();
+ }
+
+ ///
+ /// Delete WorkOrderItems
+ ///
+ ///
+ ///
+ /// Ok
+ [HttpDelete("{WorkOrderId}/WorkorderItems/{WorkOrderItemId}")]
+ public async Task DeleteWorkOrderItem([FromRoute] long workOrderId, [FromRoute] long workOrderItemId)
+ {
+ ////WorkOrder/{woid}/WorkorderItems <- all workorderitems, post to add new, put to update all as a collection
+ ///WorkOrder/{WorkOrderId}/WorkorderItems
+ if (!serverState.IsOpen)
+ return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
+
+ if (!ModelState.IsValid)
+ return BadRequest(new ApiErrorResponse(ModelState));
+
+ //Instantiate the business object handler
+ WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
+
+ if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+
+ var o = await biz.GetAsync(workOrderId, false);
+ if (o == null)
+ return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
+
+
+
+
+//stubbed out for now just to see routes
+ // if (!await biz.DeleteItemsAsync(o))
+ // return BadRequest(new ApiErrorResponse(biz.Errors));
+
+ return NoContent();
+ }
+
+
+
#endregion workorderitem