server/AyaNova/biz/WorkOrderBiz.cs

@@ -1681,8 +1681,13 @@ namespace AyaNova.Biz
         //       
         private async Task StateValidateAsync(WorkOrderState proposedObj, WorkOrderState currentObj)
         {
-            //  //skip validation if seeding
-            // if (ServerBootConfig.SEEDING) return;
+
+            //of all restricted users, only a restricted tech can change status
+            if (UserIsSubContractorFull || UserIsSubContractorRestricted)
+            {
+                AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+                return;
+            }
 
             //run validation and biz rules
             bool isNew = currentObj == null;
@@ -1697,22 +1702,6 @@ namespace AyaNova.Biz
         }
 
 
-        // private void StateValidateCanDelete(WorkOrderState obj)
-        // {
-        //     if (obj == null)
-        //     {
-        //         AddError(ApiErrorCode.NOT_FOUND, "id");
-        //         return;
-        //     }
-
-        //     //re-check rights here necessary due to traversal delete from Principle object
-        //     if (!Authorized.HasDeleteRole(CurrentUserRoles, AyaType.WorkOrderStatus))
-        //     {
-        //         AddError(ApiErrorCode.NOT_AUTHORIZED);
-        //         return;
-        //     }
-        // }
-
 
         ////////////////////////////////////////////////////////////////////////////////////////////////
         // NOTIFICATION PROCESSING
@@ -2010,6 +1999,16 @@ namespace AyaNova.Biz
         //    
         internal async Task<WorkOrderItem> ItemGetAsync(long id, bool logTheGetEvent = true)
         {
+
+            //Restricted users can not fetch a woitem directly
+            //arbitrary decision so don't have to put in all the cleanup code
+            //because from our own UI they wouldn't fetch this anyway and 
+            //so this is only to cover api use by 3rd parties
+            if (UserIsRestrictedType)
+            {
+                return null;
+            }
+
             //Note: there could be rules checking here in future, i.e. can only get own workorder or something
             //if so, then need to implement AddError and in route handle Null return with Error check just like PUT route does now
 
@@ -2243,9 +2242,6 @@ namespace AyaNova.Biz
             if (proposedObj.WorkOrderId == 0)
                 AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderId");
 
-
-
-
             //Check restricted role preventing create
             if (isNew && UserIsRestrictedType)
             {
@@ -3428,6 +3424,13 @@ namespace AyaNova.Biz
             //run validation and biz rules
             bool isNew = currentObj == null;
 
+            if (UserIsRestrictedType)
+            {
+                //no edits allowed
+                AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+                return;
+            }
+
             if (proposedObj.WorkOrderItemId == 0)
             {
                 AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderItemId");
@@ -3475,6 +3478,13 @@ namespace AyaNova.Biz
 
         private void LoanValidateCanDelete(WorkOrderItemLoan obj)
         {
+            if (UserIsRestrictedType)
+            {
+                //no edits allowed
+                AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+                return;
+            }
+
             if (obj == null)
             {
                 AddError(ApiErrorCode.NOT_FOUND, "id");
@@ -3572,7 +3582,7 @@ namespace AyaNova.Biz
         //    
         internal async Task<WorkOrderItemOutsideService> OutsideServiceGetAsync(long id, bool logTheGetEvent = true)
         {
-            if (UserIsSubContractorRestricted) //no access allowed at all
+            if (UserIsSubContractorRestricted || UserIsSubContractorFull) //no access allowed at all
                 return null;
             var ret = await ct.WorkOrderItemOutsideService.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
             if (logTheGetEvent && ret != null)
@@ -3747,6 +3757,13 @@ namespace AyaNova.Biz
             //run validation and biz rules
             bool isNew = currentObj == null;
 
+            if (UserIsRestrictedType)
+            {
+                //no edits allowed
+                AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+                return;
+            }
+
             if (proposedObj.WorkOrderItemId == 0)
             {
                 AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderItemId");
@@ -3791,6 +3808,13 @@ namespace AyaNova.Biz
 
         private void OutsideServiceValidateCanDelete(WorkOrderItemOutsideService obj)
         {
+            if (UserIsRestrictedType)
+            {
+                //no edits allowed
+                AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+                return;
+            }
+
             if (obj == null)
             {
                 AddError(ApiErrorCode.NOT_FOUND, "id");
@@ -6195,12 +6219,6 @@ namespace AyaNova.Biz
 
         private void UnitValidateCanDelete(WorkOrderItemUnit obj)
         {
-            if (obj == null)
-            {
-                AddError(ApiErrorCode.NOT_FOUND, "id");
-                return;
-            }
-
             if (UserIsRestrictedType)
             {
                 //Units: no edits allowed
@@ -6208,6 +6226,12 @@ namespace AyaNova.Biz
                 return;
             }
 
+            if (obj == null)
+            {
+                AddError(ApiErrorCode.NOT_FOUND, "id");
+                return;
+            }
+
             //re-check rights here necessary due to traversal delete from Principle object
             if (!Authorized.HasDeleteRole(CurrentUserRoles, AyaType.WorkOrderItemUnit))
             {