From 4ea07ada85aec0fba21cb5f7fc8410b750fc7df9 Mon Sep 17 00:00:00 2001 From: John Cardinal Date: Wed, 26 Aug 2020 22:42:38 +0000 Subject: [PATCH] --- server/AyaNova/biz/ReportBiz.cs | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/server/AyaNova/biz/ReportBiz.cs b/server/AyaNova/biz/ReportBiz.cs index 5d08b67f..9597a177 100644 --- a/server/AyaNova/biz/ReportBiz.cs +++ b/server/AyaNova/biz/ReportBiz.cs @@ -248,18 +248,25 @@ namespace AyaNova.Biz AuthorizationRoles effectiveRoles = CurrentUserRoles; if (overrideUserId != 0) { - var effectiveUser=await ct.User.FirstOrDefaultAsync(z => z.Id == overrideUserId); - if (effectiveUser==null) + var effectiveUser = await ct.User.FirstOrDefaultAsync(z => z.Id == overrideUserId); + if (effectiveUser == null) { var msg = $"Override user id specifies user that doesn't exist({overrideUserId}) cannot generate report {report.Name}"; log.LogError(msg); AddError(ApiErrorCode.NOT_FOUND, "UserId", msg); return null; } - effectiveRoles=effectiveUser.Roles; + effectiveRoles = effectiveUser.Roles; } - + if (!AyaNova.Api.ControllerHelpers.Authorized.HasReadFullRole(effectiveRoles, report.ObjectType)) + { + AddError(ApiErrorCode.NOT_AUTHORIZED, null, $"User not authorized for {report.ObjectType} type object"); + return null; + } + + + //Get data //initialization
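Review bot: The added `HasReadFullRole` check runs against `effectiveRoles`, which the `overrideUserId != 0` branch just above has already replaced with the looked-up user's roles, so when an override is supplied the caller's own `CurrentUserRoles` are never consulted. Where `overrideUserId` comes from is not visible in this hunk; if a request can influence it, the method should confirm the caller is allowed to act as that user before the swap. A comment such as `//overrideUserId must only be set by trusted server-side callers, never taken from request input` would record the assumption. The denial path also returns without logging, unlike the NOT_FOUND path above; adding `log.LogWarning($"Report {report.Name} denied: effective roles lack read access to {report.ObjectType}");` before its `return null;` would leave an audit trail. The enclosing method starts and ends outside the hunk.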