From 83a10744c93ee3768064feac1f20b68c4c992fa1 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Wed, 14 Jul 2021 18:05:29 +0000
Subject: [PATCH]

---
 server/AyaNova/biz/WorkOrderBiz.cs | 80 +++++++++++++++++++-----------
 1 file changed, 52 insertions(+), 28 deletions(-)

diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs
index 53d0b158..795602d5 100644
--- a/server/AyaNova/biz/WorkOrderBiz.cs
+++ b/server/AyaNova/biz/WorkOrderBiz.cs
@@ -1681,8 +1681,13 @@ namespace AyaNova.Biz
 //
 private async Task StateValidateAsync(WorkOrderState proposedObj, WorkOrderState currentObj)
 {
- // //skip validation if seeding
- // if (ServerBootConfig.SEEDING) return;
+
+ //of all restricted users, only a restricted tech can change status
+ if (UserIsSubContractorFull || UserIsSubContractorRestricted)
+ {
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
+ }
 
 //run validation and biz rules
 bool isNew = currentObj == null;
@@ -1697,22 +1702,6 @@ namespace AyaNova.Biz
 }
 
- // private void StateValidateCanDelete(WorkOrderState obj)
- // {
- // if (obj == null)
- // {
- // AddError(ApiErrorCode.NOT_FOUND, "id");
- // return;
- // }
- // //re-check rights here necessary due to traversal delete from Principle object
- // if (!Authorized.HasDeleteRole(CurrentUserRoles, AyaType.WorkOrderStatus))
- // {
- // AddError(ApiErrorCode.NOT_AUTHORIZED);
- // return;
- // }
- // }
-
 ////////////////////////////////////////////////////////////////////////////////////////////////
 // NOTIFICATION PROCESSING
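Review bot: The new guard at the top of StateValidateAsync denies by enumeration: it names UserIsSubContractorFull and UserIsSubContractorRestricted, while the comment says the intent is that only a restricted tech may change status, so any further restricted user type that UserIsRestrictedType covers but these two flags do not would be allowed through by default. Since every other denial in this commit keys on UserIsRestrictedType, consider writing this one as deny-by-default with a single explicit exemption, e.g. `if (UserIsRestrictedType && !<RESTRICTED_TECH_FLAG>)` where the placeholder is whatever property identifies the restricted-tech case, so a restricted role added later fails closed. StateValidateAsync continues past the end of the hunk.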
@@ -2010,6 +1999,16 @@ namespace AyaNova.Biz
 //
 internal async Task ItemGetAsync(long id, bool logTheGetEvent = true)
 {
+
+ //Restricted users can not fetch a woitem directly
+ //arbitrary decision so don't have to put in all the cleanup code
+ //because from our own UI they wouldn't fetch this anyway and
+ //so this is only to cover api use by 3rd parties
+ if (UserIsRestrictedType)
+ {
+ return null;
+ }
+
 //Note: there could be rules checking here in future, i.e. can only get own workorder or something
 //if so, then need to implement AddError and in route handle Null return with Error check just like PUT route does now
@@ -2243,9 +2242,6 @@ namespace AyaNova.Biz
 if (proposedObj.WorkOrderId == 0)
 AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderId");
 
-
-
-
 //Check restricted role preventing create
 if (isNew && UserIsRestrictedType)
 {
@@ -3428,6 +3424,13 @@ namespace AyaNova.Biz
 //run validation and biz rules
 bool isNew = currentObj == null;
 
+ if (UserIsRestrictedType)
+ {
+ //no edits allowed
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
+ }
+
 if (proposedObj.WorkOrderItemId == 0)
 {
 AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderItemId");
@@ -3475,6 +3478,13 @@ namespace AyaNova.Biz
 private void LoanValidateCanDelete(WorkOrderItemLoan obj)
 {
+ if (UserIsRestrictedType)
+ {
+ //no edits allowed
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
+ }
+
 if (obj == null)
 {
 AddError(ApiErrorCode.NOT_FOUND, "id");
@@ -3572,7 +3582,7 @@ namespace AyaNova.Biz
 //
 internal async Task OutsideServiceGetAsync(long id, bool logTheGetEvent = true)
 {
- if (UserIsSubContractorRestricted) //no access allowed at all
+ if (UserIsSubContractorRestricted || UserIsSubContractorFull) //no access allowed at all
 return null;
 var ret = await ct.WorkOrderItemOutsideService.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
 if (logTheGetEvent && ret != null)
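Review bot: The early `return null;` for restricted users in ItemGetAsync exits before anything that honours logTheGetEvent can run, so a refused fetch by a restricted API client leaves no record, even though the new comment says this branch exists precisely to cover third-party API use, which is the traffic worth seeing. Consider logging the refusal, or calling `AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");` before returning as the write-side validators in this commit do, so the route can tell a denied read from a missing item; the check runs before any lookup, so the error does not reveal whether the id exists. The method body continues past the hunk, so where logging happens is inferred from OutsideServiceGetAsync's `if (logTheGetEvent && ret != null)` rather than seen here.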
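Review bot: The restricted-user guard added in the -3428 hunk is the same seven lines repeated verbatim in the -3475, -3747 and -3791 hunks, and in -3428 and -3747 it is placed after `bool isNew = currentObj == null;` rather than as the first statement of the validator. A single helper such as `private bool DenyIfRestricted() { if (!UserIsRestrictedType) return false; AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror"); return true; }` invoked as `if (DenyIfRestricted()) return;` at the top of each validator would keep the four copies from drifting apart as rules change. The enclosing validators for -3428 and -3747 start outside their hunks, so the method names are not visible here.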
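Review bot: OutsideServiceGetAsync now refuses both subcontractor flags, while ItemGetAsync in the same commit refuses on UserIsRestrictedType, so the two read paths use different definitions of "restricted" and the trailing comment `//no access allowed at all` now reads as if every restricted user were covered. If restricted techs are meant to keep reading outside-service rows, say so, e.g. `//subcontractors (full or restricted) get no access at all; other restricted types may still read`; if the difference is unintended, UserIsRestrictedType is the predicate the rest of the commit uses. Which reading is intended cannot be determined from the hunk.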
@@ -3747,6 +3757,13 @@ namespace AyaNova.Biz
 //run validation and biz rules
 bool isNew = currentObj == null;
 
+ if (UserIsRestrictedType)
+ {
+ //no edits allowed
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
+ }
+
 if (proposedObj.WorkOrderItemId == 0)
 {
 AddError(ApiErrorCode.VALIDATION_REQUIRED, "WorkOrderItemId");
@@ -3791,6 +3808,13 @@ namespace AyaNova.Biz
 private void OutsideServiceValidateCanDelete(WorkOrderItemOutsideService obj)
 {
+ if (UserIsRestrictedType)
+ {
+ //no edits allowed
+ AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ return;
+ }
+
 if (obj == null)
 {
 AddError(ApiErrorCode.NOT_FOUND, "id");
@@ -6195,12 +6219,6 @@ namespace AyaNova.Biz
 private void UnitValidateCanDelete(WorkOrderItemUnit obj)
 {
- if (obj == null)
- {
- AddError(ApiErrorCode.NOT_FOUND, "id");
- return;
- }
-
 if (UserIsRestrictedType)
 {
 //Units: no edits allowed
@@ -6208,6 +6226,12 @@ namespace AyaNova.Biz
 return;
 }
 
+ if (obj == null)
+ {
+ AddError(ApiErrorCode.NOT_FOUND, "id");
+ return;
+ }
+
 //re-check rights here necessary due to traversal delete from Principle object
 if (!Authorized.HasDeleteRole(CurrentUserRoles, AyaType.WorkOrderItemUnit))
 {
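Review bot: The reordering in UnitValidateCanDelete (hunks -6195 and -6208) is security-relevant but undocumented: the UserIsRestrictedType check now runs before the `obj == null` check, so a restricted caller gets NOT_AUTHORIZED for any id instead of NOT_FOUND for unknown ones, which stops that caller from probing which unit ids exist, yet nothing in the code says the order matters and a later tidy-up could swap it back. Add a comment above the restricted check such as `//authorization before existence: a restricted caller must not learn whether the id exists`. The same ordering is used by LoanValidateCanDelete and OutsideServiceValidateCanDelete elsewhere in this commit, so the comment belongs in all three or on a shared helper.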