server/AyaNova/Controllers/ReportController.cs

@@ -158,7 +158,7 @@ namespace AyaNova.Api.Controllers
 
 
 
- /// <summary>
+        /// <summary>
         /// Get Report list for object
         /// </summary>
         /// <param name="ayType">Type of object</param>
@@ -171,6 +171,9 @@ namespace AyaNova.Api.Controllers
             ReportBiz biz = ReportBiz.GetBiz(ct, HttpContext);
             if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
+            //extra check if they have rights to the type of object in question, this nips it in the bud before they even get to the fetch data stage later
+            if (!Authorized.HasReadFullRole(HttpContext.Items, ayType))
+                return StatusCode(403, new ApiNotAuthorizedResponse());
             if (!ModelState.IsValid)
                 return BadRequest(new ApiErrorResponse(ModelState));
             var o = await biz.GetReportListAsync(ayType);
@@ -180,7 +183,7 @@ namespace AyaNova.Api.Controllers
 
 
         //======================================================================================================
-         public class ObjectReportDataParameter
+        public class ObjectReportDataParameter
         {
             public AyaType ObjectType { get; set; }
             public long[] ObjectIdArray { get; set; }
@@ -198,15 +201,15 @@ namespace AyaNova.Api.Controllers
             if (!serverState.IsOpen)
                 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
             ReportBiz biz = ReportBiz.GetBiz(ct, HttpContext);
-            
+
             if (!ModelState.IsValid)
-                return BadRequest(new ApiErrorResponse(ModelState));         
+                return BadRequest(new ApiErrorResponse(ModelState));
 
             var reportData = await biz.GetReportData(reportDataParam.ObjectType, reportDataParam.ObjectIdArray);
             if (reportData == null)
                 return BadRequest(new ApiErrorResponse(biz.Errors));
             else
-               return Ok(ApiOkResponse.Response(reportData));
+                return Ok(ApiOkResponse.Response(reportData));
         }
 
 

server/AyaNova/biz/ReportBiz.cs

@@ -163,21 +163,23 @@ namespace AyaNova.Biz
         }
 
 
- ////////////////////////////////////////////////////////////////////////////////////////////////
+        ////////////////////////////////////////////////////////////////////////////////////////////////
         //GET LIST
         //      
         internal async Task<List<NameIdItem>> GetReportListAsync(AyaType ayType)
         {
-            var rpts = await ct.Report.AsNoTracking().Where(z=>z.ObjectType==ayType && z.Active==true).Select(z=> new {id=z.Id,name=z.Name,roles=z.Roles}).ToListAsync();
+            var rpts = await ct.Report.AsNoTracking().Where(z => z.ObjectType == ayType && z.Active == true).Select(z => new { id = z.Id, name = z.Name, roles = z.Roles }).ToListAsync();
-            var ret=new List<NameIdItem>();
+            var ret = new List<NameIdItem>();
-            foreach(var item in rpts){                
+            foreach (var item in rpts)
-                if(CurrentUserRoles.HasAnyFlags(item.roles)){
+            {
-                    ret.Add(new NameIdItem(){Name=item.name,Id=item.id});
+                if (CurrentUserRoles.HasAnyFlags(item.roles))
+                {
+                    ret.Add(new NameIdItem() { Name = item.name, Id = item.id });
                 }
             }
 
             //Sort by name
-            return ret.OrderBy(z=>z.Name).ToList();
+            return ret.OrderBy(z => z.Name).ToList();
         }