This commit is contained in:
@@ -118,9 +118,14 @@ namespace AyaNova.Api.Controllers
|
|||||||
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
|
return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions))
|
if (id != UserId)
|
||||||
{
|
{
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
//Also used for Contacts (customer type user or ho type user)
|
||||||
|
//by users with no User right so further biz rule required depending on usertype
|
||||||
|
//this is just phase 1
|
||||||
|
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User) && !Authorized.HasModifyRole(HttpContext.Items, AyaType.Customer))
|
||||||
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//Instantiate the business object handler
|
//Instantiate the business object handler
|
||||||
|
|||||||
@@ -1,12 +1,7 @@
|
|||||||
using System.Linq;
|
|
||||||
using System.Threading.Tasks;
|
using System.Threading.Tasks;
|
||||||
using Microsoft.EntityFrameworkCore;
|
using Microsoft.EntityFrameworkCore;
|
||||||
using Microsoft.AspNetCore.Mvc;
|
|
||||||
|
|
||||||
using EnumsNET;
|
|
||||||
using AyaNova.Util;
|
using AyaNova.Util;
|
||||||
using AyaNova.Api.ControllerHelpers;
|
using AyaNova.Api.ControllerHelpers;
|
||||||
using AyaNova.Biz;
|
|
||||||
using AyaNova.Models;
|
using AyaNova.Models;
|
||||||
|
|
||||||
|
|
||||||
@@ -45,7 +40,26 @@ namespace AyaNova.Biz
|
|||||||
//put
|
//put
|
||||||
internal async Task<bool> PutAsync(UserOptions dbObject, UserOptions inObj)
|
internal async Task<bool> PutAsync(UserOptions dbObject, UserOptions inObj)
|
||||||
{
|
{
|
||||||
|
//if it's not the user's own options then we need to check it just as for User / Contact objects
|
||||||
|
if (dbObject.Id != UserId)
|
||||||
|
{
|
||||||
|
User u = await ct.User.AsNoTracking().SingleOrDefaultAsync(z => z.Id == dbObject.Id);
|
||||||
|
if (u == null)
|
||||||
|
{
|
||||||
|
AddError(ApiErrorCode.NOT_FOUND, "id");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
//Also used for Contacts (customer type user or ho type user)
|
||||||
|
//by users with no User right but with Customer rights so need to double check here
|
||||||
|
if (
|
||||||
|
(u.IsOutsideUser && !Authorized.HasModifyRole(CurrentUserRoles, AyaType.Customer)) ||
|
||||||
|
(!u.IsOutsideUser && !Authorized.HasModifyRole(CurrentUserRoles, AyaType.User))
|
||||||
|
)
|
||||||
|
{
|
||||||
|
AddError(ApiErrorCode.NOT_AUTHORIZED);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
//Replace the db object with the PUT object
|
//Replace the db object with the PUT object
|
||||||
CopyObject.Copy(inObj, dbObject, "Id, UserId");
|
CopyObject.Copy(inObj, dbObject, "Id, UserId");
|
||||||
|
|||||||
Reference in New Issue
Block a user