2018-09-04 22:10:21 +00:00
parent 43db21cccd
commit 81fcc16486
2 changed files with 48 additions and 3 deletions
--- a/server/AyaNova/Controllers/UserController.cs
+++ b/server/AyaNova/Controllers/UserController.cs
@@ -353,10 +353,31 @@ namespace AyaNova.Api.Controllers
                await ct.SaveChangesAsync();

                //return success and link
-                return CreatedAtAction("GetUser", new { id = o.Id }, new ApiCreatedResponse(o));
+                //NOTE: this is a USER object so we don't want to return some key fields for security reasons
+                //So the easiest way to do that is to return an anonymous object created on the fly
+                // var returnObject = new
+                // {
+                //     Id = o.Id,
+                //     ConcurrencyToken = o.ConcurrencyToken,
+                //     OwnerId = o.OwnerId,
+                //     Active = o.Active,
+                //     Name = o.Name,
+                //     Roles = o.Roles,
+                //     LocaleId = o.LocaleId,
+                //     UserType = o.UserType,
+                //     EmployeeNumber = o.EmployeeNumber,
+                //     Notes = o.Notes,
+                //     ClientId = o.ClientId,
+                //     HeadOfficeId = o.HeadOfficeId,
+                //     SubVendorId = o.SubVendorId
+                // };
+
+
+                return CreatedAtAction("GetUser", new { id = o.Id }, new ApiCreatedResponse(UserBiz.CleanUserForReturn(o)));
            }
        }

+        


        /// <summary>
@@ -416,7 +437,7 @@ namespace AyaNova.Api.Controllers
        {
            return ct.User.Any(e => e.Id == id);
        }
-      
+

        //------------

--- a/server/AyaNova/biz/UserBiz.cs
+++ b/server/AyaNova/biz/UserBiz.cs
@@ -431,9 +431,33 @@ namespace AyaNova.Biz
        }


+        ////////////////////////////////////////////////////////////////////////////////////////////////
+        // Utilities
+        //
+        internal static object CleanUserForReturn(User o)
+        {
+            return new
+            {
+                Id = o.Id,
+                ConcurrencyToken = o.ConcurrencyToken,
+                OwnerId = o.OwnerId,
+                Active = o.Active,
+                Name = o.Name,
+                Roles = o.Roles,
+                LocaleId = o.LocaleId,
+                UserType = o.UserType,
+                EmployeeNumber = o.EmployeeNumber,
+                Notes = o.Notes,
+                ClientId = o.ClientId,
+                HeadOfficeId = o.HeadOfficeId,
+                SubVendorId = o.SubVendorId
+            };
+        }
+
+

        ////////////////////////////////////////////////////////////////////////////////////////////////
-        //JOB / OPERATIONS
+        // JOB / OPERATIONS
        //
        public async Task HandleJobAsync(OpsJob job)
        {