This commit is contained in:
@@ -94,7 +94,7 @@ namespace AyaNova.Api.Controllers
|
|||||||
|
|
||||||
//IF user is a customer type check if they are allowed to view this datalist
|
//IF user is a customer type check if they are allowed to view this datalist
|
||||||
if (UType == UserType.Customer || UType == UserType.HeadOffice)
|
if (UType == UserType.Customer || UType == UserType.HeadOffice)
|
||||||
if (!await CustomerTypeUserIsAllowedThisDataList(UserId, UserRoles, tableRequest.ClientCriteria, tableRequest.DataListKey))
|
if (!await HandleCustomerTypeUserDataListRequest(UserId, tableRequest))
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
|
|
||||||
//hydrate the saved view and filter
|
//hydrate the saved view and filter
|
||||||
@@ -113,38 +113,36 @@ namespace AyaNova.Api.Controllers
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private async Task<bool> CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey)
|
private async Task<bool> HandleCustomerTypeUserDataListRequest(long currentUserId, DataListTableRequest tableRequest)
|
||||||
{
|
{
|
||||||
//all customer data lists require client criteria
|
|
||||||
if (string.IsNullOrWhiteSpace(clientCriteria))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
//ClientCriteria format for this list is "OBJECTID,AYATYPE"
|
|
||||||
var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray();
|
|
||||||
if (crit.Length < 3)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
int nType = 0;
|
// //ClientCriteria format for this list is "OBJECTID,AYATYPE"
|
||||||
if (!int.TryParse(crit[1], out nType)) return false;
|
// var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray();
|
||||||
AyaType forType = (AyaType)nType;
|
// if (crit.Length < 3)
|
||||||
if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false;
|
// return false;
|
||||||
|
|
||||||
long lId = 0;
|
// int nType = 0;
|
||||||
if (!long.TryParse(crit[0], out lId)) return false;
|
// if (!int.TryParse(crit[1], out nType)) return false;
|
||||||
if (lId == 0) return false;
|
// AyaType forType = (AyaType)nType;
|
||||||
|
// if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false;
|
||||||
|
|
||||||
|
// long lId = 0;
|
||||||
|
// if (!long.TryParse(crit[0], out lId)) return false;
|
||||||
|
// if (lId == 0) return false;
|
||||||
|
|
||||||
//Have valid type, have an id, is this User actually connected to the entity they are requesting data for
|
//Have valid type, have an id, is this User actually connected to the entity they are requesting data for
|
||||||
var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();
|
var UserInfo = await ct.User.AsNoTracking().Select(x => new { x.UserType, x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();
|
||||||
switch (forType)
|
switch (UserInfo.UserType)
|
||||||
{
|
{
|
||||||
case AyaType.Customer:
|
case UserType.Customer:
|
||||||
if (lId != User.CustomerId)
|
tableRequest.ClientCriteria = $"{UserInfo.CustomerId},{(int)AyaType.Customer}";
|
||||||
return false;
|
|
||||||
break;
|
break;
|
||||||
case AyaType.HeadOffice:
|
case UserType.HeadOffice:
|
||||||
if (lId != User.HeadOfficeId)
|
tableRequest.ClientCriteria = $"{UserInfo.HeadOfficeId},{(int)AyaType.HeadOffice}";
|
||||||
return false;
|
|
||||||
break;
|
break;
|
||||||
|
default://other user types can fuck right off!
|
||||||
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (dataListKey)
|
switch (dataListKey)
|
||||||
|
|||||||
Reference in New Issue
Block a user