server/AyaNova/Controllers/UserOptionsController.cs

@@ -85,7 +85,7 @@ namespace AyaNova.Api.Controllers
             //Instantiate the business object handler
             UserOptionsBiz biz = new UserOptionsBiz(ct, UserId, UserRolesFromContext.Roles(HttpContext.Items));
             var o = await biz.GetAsync(id);
-            if (o == null)            
+            if (o == null)
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             return Ok(ApiOkResponse.Response(o));
         }
@@ -118,9 +118,14 @@ namespace AyaNova.Api.Controllers
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
             }
 
-            if (id != UserId && !Authorized.HasModifyRole(HttpContext.Items, AyaType.UserOptions))
+            if (id != UserId)
             {
-                return StatusCode(403, new ApiNotAuthorizedResponse());
+                //Also used for Contacts (customer type user or ho type user)
+                //by users with no User right so further biz rule required depending on usertype
+                //this is just phase 1
+                if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User) && !Authorized.HasModifyRole(HttpContext.Items, AyaType.Customer))
+                    return StatusCode(403, new ApiNotAuthorizedResponse());
+
             }
 
             //Instantiate the business object handler       

server/AyaNova/biz/UserOptionsBiz.cs

@@ -1,12 +1,7 @@
-using System.Linq;
 using System.Threading.Tasks;
 using Microsoft.EntityFrameworkCore;
-using Microsoft.AspNetCore.Mvc;
-
-using EnumsNET;
 using AyaNova.Util;
 using AyaNova.Api.ControllerHelpers;
-using AyaNova.Biz;
 using AyaNova.Models;
 
 
@@ -45,7 +40,26 @@ namespace AyaNova.Biz
         //put
         internal async Task<bool> PutAsync(UserOptions dbObject, UserOptions inObj)
         {
-
+            //if it's not the user's own options then we need to check it just as for User / Contact objects
+            if (dbObject.Id != UserId)
+            {
+                User u = await ct.User.AsNoTracking().SingleOrDefaultAsync(z => z.Id == dbObject.Id);
+                if (u == null)
+                {
+                    AddError(ApiErrorCode.NOT_FOUND, "id");
+                    return false;
+                }
+                //Also used for Contacts (customer type user or ho type user)
+                //by users with no User right but with Customer rights so need to double check here
+                if (
+                    (u.IsOutsideUser && !Authorized.HasModifyRole(CurrentUserRoles, AyaType.Customer)) ||
+                    (!u.IsOutsideUser && !Authorized.HasModifyRole(CurrentUserRoles, AyaType.User))
+                    )
+                {
+                    AddError(ApiErrorCode.NOT_AUTHORIZED);
+                    return false;
+                }
+            }
 
             //Replace the db object with the PUT object
             CopyObject.Copy(inObj, dbObject, "Id, UserId");
@@ -62,7 +76,7 @@ namespace AyaNova.Biz
             await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObject.Id, AyaType.User, AyaEvent.Modified), ct);
             return true;
         }
-     
+
 
         ////////////////////////////////////////////////////////////////////////////////////////////////
         //VALIDATION
@@ -84,7 +98,7 @@ namespace AyaNova.Biz
                 AddError(ApiErrorCode.VALIDATION_LENGTH_EXCEEDED, "UiColor", "UiColor must be HEX color value");
             }
 
-            
+
             return;
         }