This commit is contained in:
@@ -68,21 +68,25 @@ namespace AyaNova.Api.Controllers
|
||||
var UserId = UserIdFromContext.Id(HttpContext.Items);
|
||||
|
||||
//Different than normal here: a user is *always* allowed to retrieve their own user options object
|
||||
if (id != UserId && !Authorized.HasReadFullRole(HttpContext.Items, AyaType.UserOptions))
|
||||
if (id != UserId)
|
||||
{
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
//Not users own options so need to check just as for User object as could be a Contact
|
||||
|
||||
//Also used for Contacts (customer type user or ho type user)
|
||||
//by users with no User right so further biz rule required depending on usertype
|
||||
//this is just phase 1
|
||||
bool AllowedOutsideUser = Authorized.HasReadFullRole(HttpContext.Items, AyaType.Customer);
|
||||
bool AllowedInsideUser = Authorized.HasReadFullRole(HttpContext.Items, AyaType.User);
|
||||
|
||||
if (!AllowedOutsideUser && !AllowedInsideUser)
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
}
|
||||
|
||||
//Instantiate the business object handler
|
||||
UserOptionsBiz biz = new UserOptionsBiz(ct, UserId, UserRolesFromContext.Roles(HttpContext.Items));
|
||||
|
||||
var o = await biz.GetAsync(id);
|
||||
|
||||
if (o == null)
|
||||
{
|
||||
if (o == null)
|
||||
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
|
||||
}
|
||||
|
||||
return Ok(ApiOkResponse.Response(o));
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user