From 498759f93ceda7ab1d3661b7f40d3c59723e10d5 Mon Sep 17 00:00:00 2001 From: John Cardinal Date: Thu, 11 Feb 2021 22:24:05 +0000 Subject: [PATCH] --- server/AyaNova/biz/UserBiz.cs | 58 ++++++++++++++++------------------- 1 file changed, 27 insertions(+), 31 deletions(-) diff --git a/server/AyaNova/biz/UserBiz.cs b/server/AyaNova/biz/UserBiz.cs index 2e429081..83fdc098 100644 --- a/server/AyaNova/biz/UserBiz.cs +++ b/server/AyaNova/biz/UserBiz.cs @@ -279,7 +279,8 @@ namespace AyaNova.Biz // // // internal async Task PutAsync(User putObject) // { - // User dbObject = await ct.User.SingleOrDefaultAsync(z => z.Id == putObject.Id); + // //todo: update to use the new PUT methodology + // var dbObject = await GetAsync(putObject.Id, false); // if (dbObject == null) // { // AddError(ApiErrorCode.NOT_FOUND, "id"); @@ -359,13 +360,17 @@ namespace AyaNova.Biz // internal async Task PutAsync(User putObject) { - //todo: update to use the new PUT methodology var dbObject = await GetAsync(putObject.Id, false); if (dbObject == null) { AddError(ApiErrorCode.NOT_FOUND, "id"); return null; } + if (dbObject.Concurrency != putObject.Concurrency) + { + AddError(ApiErrorCode.CONCURRENCY_CONFLICT); + return null; + } //Also used for Contacts (customer type user or ho type user) //by users with no User right but with Customer rights so need to double check here if ( 
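Review bot: The new `Concurrency` comparison in `PutAsync` sits above the rights check that the `//Also used for Contacts ...` comment introduces, so a caller who is about to be refused still learns whether their token matches the stored row. Moving the `if (dbObject.Concurrency != putObject.Concurrency)` block below that rights check makes the refusal the first thing an unauthorised caller sees. The comparison is also only a read-time check. The `OriginalValues["Concurrency"]` assignment removed in the next hunk is what made the database enforce the token at save, so confirm that `ct.Replace` keeps that guarantee, since its body is not visible here. The rights check's condition and the rest of `PutAsync` continue outside this hunk.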
@@ -377,42 +382,33 @@ namespace AyaNova.Biz return null; } - - User SnapshotOfOriginalDBObj = new User(); - CopyObject.Copy(dbObject, SnapshotOfOriginalDBObj); - CopyObject.Copy(putObject, dbObject, "Id, Salt, CurrentAuthToken, LoginKey, DlKey, DlKeyExpire"); - dbObject.Tags = TagBiz.NormalizeTags(dbObject.Tags); - dbObject.CustomFields = JsonUtil.CompactJson(dbObject.CustomFields); - + putObject.Tags = TagBiz.NormalizeTags(putObject.Tags); + putObject.CustomFields = JsonUtil.CompactJson(putObject.CustomFields); + await ValidateAsync(putObject, dbObject); + if (HasErrors) return null; + var OriginalSalt = dbObject.Salt; + var OriginalPW = dbObject.Password; + var OriginalLogin = dbObject.Login; + ct.Replace(dbObject, putObject); //NOTE: It's valid to call this without intending to change login or password (null values) //Is the user updating the password? if (!string.IsNullOrWhiteSpace(putObject.Password)) { //YES password is being updated: - dbObject.Password = Hasher.hash(SnapshotOfOriginalDBObj.Salt, putObject.Password); + putObject.Password = Hasher.hash(OriginalSalt, putObject.Password); } else { //No, use the snapshot password value - dbObject.Password = SnapshotOfOriginalDBObj.Password; - dbObject.Salt = SnapshotOfOriginalDBObj.Salt; + putObject.Password = OriginalPW; + putObject.Salt = OriginalSalt; } //Updating login? - if (!string.IsNullOrWhiteSpace(putObject.Login)) - { - //YES Login is being updated: - dbObject.Login = putObject.Login; - } - else + if (string.IsNullOrWhiteSpace(putObject.Login)) { //No, use the original value - dbObject.Login = SnapshotOfOriginalDBObj.Login; + putObject.Login = OriginalLogin; } - - - ct.Entry(dbObject).OriginalValues["Concurrency"] = putObject.Concurrency; - await ValidateAsync(dbObject, SnapshotOfOriginalDBObj); - if (HasErrors) return null; try { await ct.SaveChangesAsync(); 
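Review bot: `ct.Replace(dbObject, putObject)` drops the exclusion list the old `CopyObject.Copy` call carried (`Id, Salt, CurrentAuthToken, LoginKey, DlKey, DlKeyExpire`), so whatever the request body holds for those fields may now be saved. Only `Password`, `Login` and, in the no-password branch, `Salt` are put back. When a password is supplied it is hashed with `OriginalSalt` while `putObject.Salt` keeps the request's value, which would leave the stored salt and hash out of step. Unless `ct.Replace` or the `User` model already shields these fields (neither is visible in this hunk), restore all of them from the stored record right after the replace, as sketched below; the `putObject.Salt = OriginalSalt;` line in the else branch then becomes redundant. `PutAsync` starts and ends outside this hunk.

```csharp
var OriginalSalt = dbObject.Salt;
// … unchanged: OriginalPW, OriginalLogin …
var OriginalAuthToken = dbObject.CurrentAuthToken;
var OriginalLoginKey = dbObject.LoginKey;
var OriginalDlKey = dbObject.DlKey;
var OriginalDlKeyExpire = dbObject.DlKeyExpire;
ct.Replace(dbObject, putObject);
//Server-owned fields always come from the stored record, never from the request body
putObject.Salt = OriginalSalt;
putObject.CurrentAuthToken = OriginalAuthToken;
putObject.LoginKey = OriginalLoginKey;
putObject.DlKey = OriginalDlKey;
putObject.DlKeyExpire = OriginalDlKeyExpire;
// … unchanged: password and login handling …
```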
@@ -426,14 +422,14 @@ namespace AyaNova.Biz return null; } await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObject.Id, BizType, AyaEvent.Modified), ct); - await SearchIndexAsync(dbObject, false); - await TagBiz.ProcessUpdateTagsInRepositoryAsync(ct, dbObject.Tags, SnapshotOfOriginalDBObj.Tags); - await HandlePotentialNotificationEvent(AyaEvent.Modified, dbObject, SnapshotOfOriginalDBObj); - - - return dbObject; + await SearchIndexAsync(putObject, false); + await TagBiz.ProcessUpdateTagsInRepositoryAsync(ct, putObject.Tags, dbObject.Tags); + await HandlePotentialNotificationEvent(AyaEvent.Modified, putObject, dbObject); + return putObject; } + + ///////////////////////////////////////////// //PASSWORD // @@ -600,7 +596,7 @@ namespace AyaNova.Biz //Note: will cascade delete notifyevent, and notification automatically await ct.Database.ExecuteSqlInterpolatedAsync($"delete from anotifysubscription where userid = {dbObject.Id}"); //personal datalist options - await ct.Database.ExecuteSqlInterpolatedAsync($"delete from adatalistsavedfilter where public = {false} and userid = {dbObject.Id}"); + await ct.Database.ExecuteSqlInterpolatedAsync($"delete from adatalistsavedfilter where public = {false} and userid = {dbObject.Id}"); await ct.Database.ExecuteSqlInterpolatedAsync($"delete from adatalistcolumnview where userid = {dbObject.Id}"); //Dashboard view await ct.Database.ExecuteSqlInterpolatedAsync($"delete from adashboardview where userid = {dbObject.Id}");
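Review bot: `dbObject.Tags` and `dbObject` are passed here as the pre-update state after `ct.Replace` and `SaveChangesAsync` have run, while the previous hunk copies `Salt`, `Password` and `Login` into locals before the replace, as if `dbObject` could not be relied on afterwards. If `ct.Replace` leaves `dbObject` detached and unchanged, say so in a comment above these calls, e.g. `//dbObject is detached by ct.Replace and still holds the pre-update values`. If it does not, the tag diff and the notification compare the new values with themselves and should use a snapshot taken before the replace. The method body begins outside this hunk.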