diff --git a/server/AyaNova/Controllers/ReportController.cs b/server/AyaNova/Controllers/ReportController.cs
index e4dac2b6..f17aa4f0 100644
--- a/server/AyaNova/Controllers/ReportController.cs
+++ b/server/AyaNova/Controllers/ReportController.cs
@@ -158,7 +158,7 @@ namespace AyaNova.Api.Controllers
- ///
+ ///
 /// Get Report list for object
 ///
 /// Type of object
@@ -171,6 +171,9 @@ namespace AyaNova.Api.Controllers
 ReportBiz biz = ReportBiz.GetBiz(ct, HttpContext);
 if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
 return StatusCode(403, new ApiNotAuthorizedResponse());
+ //extra check if they have rights to the type of object in question, this nips it in the bud before they even get to the fetch data stage later
+ if (!Authorized.HasReadFullRole(HttpContext.Items, ayType))
+ return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 var o = await biz.GetReportListAsync(ayType);
@@ -180,7 +183,7 @@ namespace AyaNova.Api.Controllers
 //======================================================================================================
- public class ObjectReportDataParameter
+ public class ObjectReportDataParameter
 {
 public AyaType ObjectType { get; set; }
 public long[] ObjectIdArray { get; set; }
@@ -198,15 +201,15 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 ReportBiz biz = ReportBiz.GetBiz(ct, HttpContext);
-
+
 if (!ModelState.IsValid)
- return BadRequest(new ApiErrorResponse(ModelState));
+ return BadRequest(new ApiErrorResponse(ModelState));
 var reportData = await biz.GetReportData(reportDataParam.ObjectType, reportDataParam.ObjectIdArray);
 if (reportData == null)
 return BadRequest(new ApiErrorResponse(biz.Errors));
 else
- return Ok(ApiOkResponse.Response(reportData));
+ return Ok(ApiOkResponse.Response(reportData));
 }
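Review bot: The added type-level check at `if (!Authorized.HasReadFullRole(HttpContext.Items, ayType))` evaluates the bound `ayType` before `ModelState.IsValid` is consulted, so an out-of-range integer that model binding maps onto an undefined `AyaType` member reaches `HasReadFullRole` unvalidated; whether that is denied depends on how `HasReadFullRole` treats undefined values, which this hunk does not show. An `Enum.IsDefined(typeof(AyaType), ayType)` guard (or an equivalent validation attribute on the parameter) ahead of the role check would make the authorization decision independent of that helper's handling of unknown values. The same per-object-type check is absent from the visible part of the report-data endpoint in the hunk at `@@ -198,15 +201,15 @@`, where `ReportBiz biz = ReportBiz.GetBiz(ct, HttpContext);` is followed directly by the `ModelState` check with no role test on `reportDataParam.ObjectType`, unless such a check sits above that hunk; applying it there as well would keep the two report endpoints consistent. The new comment would read better shortened to `// Authorize against the requested object type too, so a denied type is rejected here rather than at data-fetch time.`. The enclosing action's signature and return lie outside the hunk.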
diff --git a/server/AyaNova/biz/ReportBiz.cs b/server/AyaNova/biz/ReportBiz.cs
index 11d66d28..a76fcac5 100644
--- a/server/AyaNova/biz/ReportBiz.cs
+++ b/server/AyaNova/biz/ReportBiz.cs
@@ -163,21 +163,23 @@ namespace AyaNova.Biz
 }
- ////////////////////////////////////////////////////////////////////////////////////////////////
+ ////////////////////////////////////////////////////////////////////////////////////////////////
 //GET LIST
 //
 internal async Task> GetReportListAsync(AyaType ayType) {
- var rpts = await ct.Report.AsNoTracking().Where(z=>z.ObjectType==ayType && z.Active==true).Select(z=> new {id=z.Id,name=z.Name,roles=z.Roles}).ToListAsync();
- var ret=new List();
- foreach(var item in rpts){
- if(CurrentUserRoles.HasAnyFlags(item.roles)){
- ret.Add(new NameIdItem(){Name=item.name,Id=item.id});
+ var rpts = await ct.Report.AsNoTracking().Where(z => z.ObjectType == ayType && z.Active == true).Select(z => new { id = z.Id, name = z.Name, roles = z.Roles }).ToListAsync();
+ var ret = new List();
+ foreach (var item in rpts)
+ {
+ if (CurrentUserRoles.HasAnyFlags(item.roles))
+ {
+ ret.Add(new NameIdItem() { Name = item.name, Id = item.id });
 }
 }
 //Sort by name
- return ret.OrderBy(z=>z.Name).ToList();
+ return ret.OrderBy(z => z.Name).ToList();
 }