2020-12-07 18:47:57 +00:00
parent 74fa5d2700
commit a089333f76
2 changed files with 30 additions and 11 deletions
--- a/server/AyaNova/Controllers/UserOptionsController.cs
+++ b/server/AyaNova/Controllers/UserOptionsController.cs
@@ -85,7 +85,7 @@ namespace AyaNova.Api.Controllers
            //Instantiate the business object handler
            UserOptionsBiz biz = new UserOptionsBiz(ct, UserId, UserRolesFromContext.Roles(HttpContext.Items));
            var o = await biz.GetAsync(id);
-            if (o == null)            
+            if (o == null)
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            return Ok(ApiOkResponse.Response(o));
        }
@@ -118,9 +118,14 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

-            if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions))
+            if (id != UserId)
            {
-                return StatusCode(403, new ApiNotAuthorizedResponse());
+                //Also used for Contacts (customer type user or ho type user)
+                //by users with no User right so further biz rule required depending on usertype
+                //this is just phase 1
+                if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User) && !Authorized.HasModifyRole(HttpContext.Items, AyaType.Customer))
+                    return StatusCode(403, new ApiNotAuthorizedResponse());
+
            }

            //Instantiate the business object handler