@@ -85,7 +85,7 @@ namespace AyaNova.Api.Controllers
|
||||
//Instantiate the business object handler
|
||||
UserOptionsBiz biz = new UserOptionsBiz(ct, UserId, UserRolesFromContext.Roles(HttpContext.Items));
|
||||
var o = await biz.GetAsync(id);
|
||||
if (o == null)
|
||||
if (o == null)
|
||||
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
|
||||
return Ok(ApiOkResponse.Response(o));
|
||||
}
|
||||
@@ -118,9 +118,14 @@ namespace AyaNova.Api.Controllers
|
||||
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
|
||||
}
|
||||
|
||||
if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions))
|
||||
if (id != UserId)
|
||||
{
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
//Also used for Contacts (customer type user or ho type user)
|
||||
//by users with no User right so further biz rule required depending on usertype
|
||||
//this is just phase 1
|
||||
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User) && !Authorized.HasModifyRole(HttpContext.Items, AyaType.Customer))
|
||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||
|
||||
}
|
||||
|
||||
//Instantiate the business object handler
|
||||
|
||||
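Review bot: The relaxed gate at `if (id != UserId)` followed by the OR check on User/Customer modify roles now lets a caller holding only Customer modify rights reach the business layer for every other user's options, so the controller alone no longer distinguishes inside from outside users and depends on the biz rule the "phase 1" comment promises. That is sound as defence in depth only if every path that reaches UserOptionsBiz with a foreign id performs the per-user-type check, so I'd state the contract here: `// Controller is a coarse gate only; UserOptionsBiz.PutAsync re-checks the role against the target user's type.` Note also that NotFound is returned before the role check, so a caller without rights can still probe which ids exist; if that matters, check authorization first or collapse both outcomes to 404. The enclosing action starts and ends outside this hunk, and I cannot see whether the GET path in the earlier hunk applies any equivalent check around `biz.GetAsync(id)` — worth confirming that reading another user's options is gated too.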
@@ -1,12 +1,7 @@
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
using EnumsNET;
|
||||
using AyaNova.Util;
|
||||
using AyaNova.Api.ControllerHelpers;
|
||||
using AyaNova.Biz;
|
||||
using AyaNova.Models;
|
||||
|
||||
|
||||
@@ -45,7 +40,26 @@ namespace AyaNova.Biz
|
||||
//put
|
||||
internal async Task<bool> PutAsync(UserOptions dbObject, UserOptions inObj)
|
||||
{
|
||||
|
||||
//if it's not the user's own options then we need to check it just as for User / Contact objects
|
||||
if (dbObject.Id != UserId)
|
||||
{
|
||||
User u = await ct.User.AsNoTracking().SingleOrDefaultAsync(z => z.Id == dbObject.Id);
|
||||
if (u == null)
|
||||
{
|
||||
AddError(ApiErrorCode.NOT_FOUND, "id");
|
||||
return false;
|
||||
}
|
||||
//Also used for Contacts (customer type user or ho type user)
|
||||
//by users with no User right but with Customer rights so need to double check here
|
||||
if (
|
||||
(u.IsOutsideUser && !Authorized.HasModifyRole(CurrentUserRoles, AyaType.Customer)) ||
|
||||
(!u.IsOutsideUser && !Authorized.HasModifyRole(CurrentUserRoles, AyaType.User))
|
||||
)
|
||||
{
|
||||
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
//Replace the db object with the PUT object
|
||||
CopyObject.Copy(inObj, dbObject, "Id, UserId");
|
||||
@@ -62,7 +76,7 @@ namespace AyaNova.Biz
|
||||
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObject.Id, AyaType.User, AyaEvent.Modified), ct);
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
|
||||
////////////////////////////////////////////////////////////////////////////////////////////////
|
||||
//VALIDATION
|
||||
@@ -84,7 +98,7 @@ namespace AyaNova.Biz
|
||||
AddError(ApiErrorCode.VALIDATION_LENGTH_EXCEEDED, "UiColor", "UiColor must be HEX color value");
|
||||
}
|
||||
|
||||
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
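Review bot: The new check in PutAsync keys both the ownership test `dbObject.Id != UserId` and the `ct.User` lookup on `dbObject.Id`, while `CopyObject.Copy(inObj, dbObject, "Id, UserId")` shows UserOptions also carries a separate `UserId`; if those two ever differ the comparison and the lookup target the wrong row, so confirm that UserOptions shares its key with User, or compare and look up by `dbObject.UserId` instead. The Customer-role branch grants modification of any outside user's options, not only those belonging to customers the caller may manage — the comment calls this phase 1, so I'd make the gap explicit: `// TODO: scope the Customer-role branch to the caller's permitted customers before relying on it alone.` The `u == null` NOT_FOUND is also raised before the role check, so a caller without rights can enumerate which ids exist. The enclosing PutAsync continues past the end of this hunk.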