2021-07-14 18:17:19 +00:00
parent 83a10744c9
commit a5b1baa3d8
2 changed files with 26 additions and 96 deletions


@@ -147,7 +147,7 @@ namespace AyaNova.Api.Controllers
return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "Work order PUT route accepts header only; PUT Work order descendants separately"));
}
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
var o = await biz.WorkOrderPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
if (o == null)
@@ -173,7 +173,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrder))
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrder) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!await biz.WorkOrderDeleteAsync(id))
return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -206,33 +206,6 @@ namespace AyaNova.Api.Controllers
}
// /// <summary>
// /// Change existing work order's Contract
// /// applies new Contract and returns complete updated work order
// /// </summary>
// /// <param name="workOrderId">Work order id</param>
// /// <param name="newContractChangeRecord">new contract id</param>
// /// <param name="apiVersion">From route path</param>
// /// <returns>WorkOrder</returns>
// [HttpPost("set-contract/{workOrderId}")]
// public async Task<IActionResult> ChangeContract([FromRoute] long workOrderId, [FromBody] ContractChangeRecord newContractChangeRecord, ApiVersion apiVersion)
// {
// if (!serverState.IsOpen)
// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
// WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
// if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
// return StatusCode(403, new ApiNotAuthorizedResponse());
// if (!ModelState.IsValid)
// return BadRequest(new ApiErrorResponse(ModelState));
// WorkOrder o = await biz.ChangeContract(workOrderId, newContractChangeRecord.NewContractId);
// if (o == null)
// return BadRequest(new ApiErrorResponse(biz.Errors));
// else
// return Ok(ApiOkResponse.Response(o));
// }
// public record ContractChangeRecord(long? NewContractId);
#endregion WorkOrderTopLevel routes
@@ -262,7 +235,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus))
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -297,53 +270,6 @@ namespace AyaNova.Api.Controllers
// /// <summary>
// /// Update WorkOrderState
// ///
// /// </summary>
// /// <param name="updatedObject">WorkOrderState - top level only, no descendants</param>
// /// <returns>New concurrency token</returns>
// [HttpPut("states/")]
// public async Task<IActionResult> PutWorkOrderState([FromBody] WorkOrderState updatedObject)
// {
// if (!serverState.IsOpen)
// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
// if (!ModelState.IsValid)
// return BadRequest(new ApiErrorResponse(ModelState));
// WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
// if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderStatus))
// return StatusCode(403, new ApiNotAuthorizedResponse());
// var o = await biz.StatePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
// if (o == null)
// {
// if (biz.Errors.Exists(z => z.Code == ApiErrorCode.CONCURRENCY_CONFLICT))
// return StatusCode(409, new ApiErrorResponse(biz.Errors));
// else
// return BadRequest(new ApiErrorResponse(biz.Errors));
// }
// return Ok(ApiOkResponse.Response(new { Concurrency = o.Concurrency }));
// }
// /// <summary>
// /// Delete WorkOrderState
// /// </summary>
// /// <param name="WorkOrderStateId"></param>
// /// <returns>NoContent</returns>
// [HttpDelete("states/{WorkOrderStateId}")]
// public async Task<IActionResult> DeleteWorkOrderState([FromRoute] long WorkOrderStateId)
// {
// if (!serverState.IsOpen)
// return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
// if (!ModelState.IsValid)
// return BadRequest(new ApiErrorResponse(ModelState));
// WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
// if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderStatus))
// return StatusCode(403, new ApiNotAuthorizedResponse());
// if (!await biz.StateDeleteAsync(WorkOrderStateId))
// return BadRequest(new ApiErrorResponse(biz.Errors));
// return NoContent();
// }
#endregion workorderstate
@@ -372,7 +298,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItem))
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -395,7 +321,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItem))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -421,7 +347,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItem))
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
var o = await biz.ItemPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
if (o == null)
@@ -448,7 +374,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItem))
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!await biz.ItemDeleteAsync(WorkOrderItemId))
return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -481,7 +407,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -504,7 +430,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -528,7 +454,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
var o = await biz.ExpensePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
if (o == null)
@@ -554,7 +480,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!await biz.ExpenseDeleteAsync(WorkOrderItemExpenseId))
return BadRequest(new ApiErrorResponse(biz.Errors));
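Review bot: The new restricted-account gate is spelled two different ways in this controller — `|| biz.UserIsRestrictedType` on the work-order header PUT/DELETE and the item routes, but `|| biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted` on the status and expense routes — and nothing in the file says whether that difference is deliberate, so a later change to what `UserIsRestrictedType` covers would widen or narrow access on only half of the routes without anyone noticing. If tech-restricted users are meant to keep creating and reading their own expenses and statuses, a one-line comment on the first status/expense check saying so (e.g. `// tech-restricted users keep access here; only sub-contractor accounts are barred`, wording to be confirmed against the biz rules) would record that, and folding the two-property test into a single biz property would keep the two groups of routes from drifting. These checks are coarse per-route gates; the per-record ownership decision appears to live in WorkOrderBiz, so the controller checks should be read as defense in depth rather than the authoritative rule. The enclosing action methods start and end outside the shown hunks.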


@@ -2572,10 +2572,10 @@ namespace AyaNova.Biz
return;
}
if (UserIsTechRestricted && proposedObj.UserId != UserId)
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
//no edits allowed on other people's expenses
AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
//no edits allowed on other people's records
AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
@@ -2767,7 +2767,13 @@ namespace AyaNova.Biz
//
internal async Task<WorkOrderItemLabor> LaborGetAsync(long id, bool logTheGetEvent = true)
{
var ret = await ct.WorkOrderItemLabor.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
if (UserIsRestrictedType && ret.UserId != UserId)
{
AddError(ApiErrorCode.NOT_AUTHORIZED);
return null;
}
if (logTheGetEvent && ret != null)
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
return ret;
@@ -3026,11 +3032,10 @@ namespace AyaNova.Biz
}
}
if (UserIsRestrictedType)
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
//Labors: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
if (proposedObj.UserId != UserId)
AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
//no edits allowed on other people's records
AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
@@ -5892,11 +5897,10 @@ namespace AyaNova.Biz
}
}
if (UserIsRestrictedType)
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
//Travels: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
if (proposedObj.UserId != UserId)
AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
//no edits allowed on other people's records
AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
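Review bot: In `LaborGetAsync` the new ownership check reads `ret.UserId` before the existing `ret != null` guard on the following line, so a restricted user requesting a labor id that does not exist now gets a NullReferenceException (an unhandled 500) instead of the null the surrounding code already treats as a normal outcome; change the condition to `if (ret != null && UserIsRestrictedType && ret.UserId != UserId)`. With that fixed, the branch still distinguishes "not found" (null, no error) from "exists but belongs to someone else" (NOT_AUTHORIZED), which lets a restricted account learn which labor ids exist — if that matters, returning null with no error in both cases removes the difference. The refusal also returns before the Retrieved event is logged, so unlike a successful read it appears to leave no trace in the event log; logging the denied attempt would make misuse of restricted accounts visible to whoever reviews that log. The `(proposedObj.UserId != UserId || currentObj.UserId!=UserId)` conditions in the other three hunks assume `currentObj` is non-null at that point, which the hunks do not show — worth confirming; those enclosing methods start outside the shown hunks.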