server/AyaNova/biz/ReportBiz.cs

@@ -248,18 +248,25 @@ namespace AyaNova.Biz
             AuthorizationRoles effectiveRoles = CurrentUserRoles;
             if (overrideUserId != 0)
             {
-                var effectiveUser=await ct.User.FirstOrDefaultAsync(z => z.Id == overrideUserId);
-                if (effectiveUser==null)
+                var effectiveUser = await ct.User.FirstOrDefaultAsync(z => z.Id == overrideUserId);
+                if (effectiveUser == null)
                 {
                     var msg = $"Override user id specifies user that doesn't exist({overrideUserId}) cannot generate report {report.Name}";
                     log.LogError(msg);
                     AddError(ApiErrorCode.NOT_FOUND, "UserId", msg);
                     return null;
                 }
-                effectiveRoles=effectiveUser.Roles;
+                effectiveRoles = effectiveUser.Roles;
             }
 
-            
+            if (!AyaNova.Api.ControllerHelpers.Authorized.HasReadFullRole(effectiveRoles, report.ObjectType))
+            {
+                AddError(ApiErrorCode.NOT_AUTHORIZED, null, $"User not authorized for {report.ObjectType} type object");
+                return null;
+            }
+
+
+            //Get data
 
 
             //initialization