From 9e64c02b773409d29d46149bfc70f3ce8c93dce4 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Wed, 14 Jul 2021 18:50:06 +0000
Subject: [PATCH]
---
 .../Controllers/WorkOrderController.cs | 34 +++++++++----------
 server/AyaNova/biz/WorkOrderBiz.cs | 2 ++
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/server/AyaNova/Controllers/WorkOrderController.cs b/server/AyaNova/Controllers/WorkOrderController.cs
index c1fbc724..1a04a071 100644
--- a/server/AyaNova/Controllers/WorkOrderController.cs
+++ b/server/AyaNova/Controllers/WorkOrderController.cs
@@ -839,7 +839,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemPart))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemPart) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -862,7 +862,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemPart))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemPart) || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
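Review bot: The new guards are keyed on two different properties — `|| biz.UserIsRestrictedType` on every create/modify/delete action (this hunk plus -886, -912, -945, -992, -1018, -1051, -1098, -1124, -1157, -1230, -1369, -1416 and -1442) and `|| biz.UserIsSubContractorRestricted` on the read-full actions (-862, -968, -1392) — and nothing in the patch states how the two relate; unless a subcontractor-restricted user is always also a restricted type, such a user is refused a full read of a part, part request or unit yet may still create, modify or delete one. Confirming that implication, or using the same property (or the union of both) in the write guards, would close that gap. Because the identical expression is now repeated in fourteen actions, a single property on WorkOrderBiz that encapsulates the rule would keep it in one place and make the next change to it a one-line edit. Each guard also lives only in the controller, so the biz methods it protects (PartPutAsync, PartDeleteAsync and their siblings) still accept restricted callers from any other code path; the ScheduledUserGetAsync hunk in WorkOrderBiz.cs shows the biz-level form of the check that would give defence in depth.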
@@ -886,7 +886,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemPart))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemPart) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.PartPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -912,7 +912,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemPart))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemPart) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.PartDeleteAsync(WorkOrderItemPartId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -945,7 +945,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -968,7 +968,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest) || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -992,7 +992,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.PartRequestPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -1018,7 +1018,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemPartRequest) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.PartRequestDeleteAsync(WorkOrderItemPartRequestId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -1051,7 +1051,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemScheduledUser))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemScheduledUser) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -1098,7 +1098,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemScheduledUser))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemScheduledUser) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.ScheduledUserPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -1124,7 +1124,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemScheduledUser))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemScheduledUser) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.ScheduledUserDeleteAsync(WorkOrderItemScheduledUserId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
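Review bot: WorkOrderItemScheduledUser gets the restricted-type guard on create (-1051), modify (-1098) and delete (-1124) but, unlike Part, PartRequest and Unit, no read-full hunk; the read side for this type is instead handled by the per-user filter added to ScheduledUserGetAsync in WorkOrderBiz.cs. That split is presumably deliberate (a restricted user may see its own booking but not others') yet nothing records it, so if the controller has a scheduled-user GET action outside this patch it deserves a comment such as `// reads are filtered per-user in WorkOrderBiz.ScheduledUserGetAsync rather than refused here` to stop a later reader from adding a blanket 403 that breaks that. The subcontractor-restricted denial applied to the other read-full actions likewise has no counterpart for scheduled users; if that is intended it belongs in the same comment.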
@@ -1157,7 +1157,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemTask))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemTask) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -1230,7 +1230,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemTask))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemTask) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.TaskDeleteAsync(WorkOrderItemTaskId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -1369,7 +1369,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemUnit))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemUnit) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
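Review bot: WorkOrderItemTask receives the restricted-type guard on create (-1157) and delete (-1230) only; no modify or read-full hunk for that type is in this patch, and the diffstat's 17 changed controller lines are fully accounted for by the hunks shown, so any Task PUT action that exists outside the patch still admits restricted-type users. If such an action exists, the same `|| biz.UserIsRestrictedType` belongs on its HasModifyRole check, and the reason it was left out — if deliberate — belongs in a comment there. The -1369 Unit hunk follows the same pattern as the others and raises nothing new.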
@@ -1392,7 +1392,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemUnit))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemUnit) || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -1416,7 +1416,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemUnit))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemUnit) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.UnitPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -1442,7 +1442,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemUnit))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemUnit) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.UnitDeleteAsync(WorkOrderItemUnitId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs
index 03a6321f..078f34c2 100644
--- a/server/AyaNova/biz/WorkOrderBiz.cs
+++ b/server/AyaNova/biz/WorkOrderBiz.cs
@@ -4956,6 +4956,8 @@ namespace AyaNova.Biz
 internal async Task ScheduledUserGetAsync(long id, bool logTheGetEvent = true)
 {
 var ret = await ct.WorkOrderItemScheduledUser.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
+ if (UserIsRestrictedType && ret.UserId != UserId)//restricted users can only see their own
+ return null;
 if (logTheGetEvent && ret != null)
 await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
 return ret;
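Review bot: The added ownership check dereferences `ret` before the `ret != null` test that the following line still performs, so a restricted-type caller asking for an id that does not exist (SingleOrDefaultAsync returns null) now throws NullReferenceException instead of receiving null. Guarding the new condition is enough: `if (ret != null && UserIsRestrictedType && ret.UserId != UserId)//restricted users can only see their own`. Returning null for a row that belongs to someone else is a good choice here, because the caller cannot distinguish "not yours" from "not found" and so cannot confirm that the id exists; that intent is worth stating in the comment rather than leaving it implicit. The method's closing brace lies below the hunk, and the generic argument of its Task return type appears to have been stripped in rendering.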