diff --git a/server/AyaNova/Controllers/WorkOrderController.cs b/server/AyaNova/Controllers/WorkOrderController.cs
index c6eaacc2..1e0df7fe 100644
--- a/server/AyaNova/Controllers/WorkOrderController.cs
+++ b/server/AyaNova/Controllers/WorkOrderController.cs
@@ -147,7 +147,7 @@ namespace AyaNova.Api.Controllers
return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "Work order PUT route accepts header only; PUT Work order descendants separately"));
}
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
+ if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
var o = await biz.WorkOrderPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
if (o == null)
@@ -173,7 +173,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrder))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrder) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!await biz.WorkOrderDeleteAsync(id))
return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -206,33 +206,6 @@ namespace AyaNova.Api.Controllers
}
-
- // ///
- // /// Change existing work order's Contract
- // /// applies new Contract and returns complete updated work order
- // ///
- // /// Work order id
- // /// new contract id
- // /// From route path
- // /// WorkOrder
- // [HttpPost("set-contract/{workOrderId}")]
- // public async Task ChangeContract([FromRoute] long workOrderId, [FromBody] ContractChangeRecord newContractChangeRecord, ApiVersion apiVersion)
- // {
- // if (!serverState.IsOpen)
- // return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
- // WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- // if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
- // return StatusCode(403, new ApiNotAuthorizedResponse());
- // if (!ModelState.IsValid)
- // return BadRequest(new ApiErrorResponse(ModelState));
- // WorkOrder o = await biz.ChangeContract(workOrderId, newContractChangeRecord.NewContractId);
- // if (o == null)
- // return BadRequest(new ApiErrorResponse(biz.Errors));
- // else
- // return Ok(ApiOkResponse.Response(o));
- // }
-
- // public record ContractChangeRecord(long? NewContractId);
#endregion WorkOrderTopLevel routes
@@ -262,7 +235,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
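Review bot: The new condition on the WorkOrderStatus create route spells out `biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted` inline, while the other routes in this commit use the single predicate `biz.UserIsRestrictedType`; the same pair is repeated verbatim on all four expense routes further down. A single named property on the biz object, e.g. `if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus) || biz.UserIsSubContractor)`, would keep the rule in one place so a future subcontractor subtype cannot be missed on one route and not another. The enclosing action method starts before this hunk and continues past it.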
@@ -297,53 +270,6 @@ namespace AyaNova.Api.Controllers
- // ///
- // /// Update WorkOrderState
- // ///
- // ///
- // /// WorkOrderState - top level only, no descendants
- // /// New concurrency token
- // [HttpPut("states/")]
- // public async Task PutWorkOrderState([FromBody] WorkOrderState updatedObject)
- // {
- // if (!serverState.IsOpen)
- // return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
- // if (!ModelState.IsValid)
- // return BadRequest(new ApiErrorResponse(ModelState));
- // WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- // if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderStatus))
- // return StatusCode(403, new ApiNotAuthorizedResponse());
- // var o = await biz.StatePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
- // if (o == null)
- // {
- // if (biz.Errors.Exists(z => z.Code == ApiErrorCode.CONCURRENCY_CONFLICT))
- // return StatusCode(409, new ApiErrorResponse(biz.Errors));
- // else
- // return BadRequest(new ApiErrorResponse(biz.Errors));
- // }
- // return Ok(ApiOkResponse.Response(new { Concurrency = o.Concurrency }));
- // }
-
-
- // ///
- // /// Delete WorkOrderState
- // ///
- // ///
- // /// NoContent
- // [HttpDelete("states/{WorkOrderStateId}")]
- // public async Task DeleteWorkOrderState([FromRoute] long WorkOrderStateId)
- // {
- // if (!serverState.IsOpen)
- // return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
- // if (!ModelState.IsValid)
- // return BadRequest(new ApiErrorResponse(ModelState));
- // WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- // if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderStatus))
- // return StatusCode(403, new ApiNotAuthorizedResponse());
- // if (!await biz.StateDeleteAsync(WorkOrderStateId))
- // return BadRequest(new ApiErrorResponse(biz.Errors));
- // return NoContent();
- // }
#endregion workorderstate
@@ -372,7 +298,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -395,7 +321,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -421,7 +347,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
var o = await biz.ItemPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
if (o == null)
@@ -448,7 +374,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!await biz.ItemDeleteAsync(WorkOrderItemId))
return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -481,7 +407,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -504,7 +430,7 @@ namespace AyaNova.Api.Controllers
if (!serverState.IsOpen)
return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
@@ -528,7 +454,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
var o = await biz.ExpensePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
if (o == null)
@@ -554,7 +480,7 @@ namespace AyaNova.Api.Controllers
if (!ModelState.IsValid)
return BadRequest(new ApiErrorResponse(ModelState));
WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
return StatusCode(403, new ApiNotAuthorizedResponse());
if (!await biz.ExpenseDeleteAsync(WorkOrderItemExpenseId))
return BadRequest(new ApiErrorResponse(biz.Errors));
diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs
index 795602d5..774046c7 100644
--- a/server/AyaNova/biz/WorkOrderBiz.cs
+++ b/server/AyaNova/biz/WorkOrderBiz.cs
@@ -2572,10 +2572,10 @@ namespace AyaNova.Biz
return;
}
- if (UserIsTechRestricted && proposedObj.UserId != UserId)
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
- //no edits allowed on other people's expenses
- AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ //no edits allowed on other people's records
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
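Review bot: The widened check `currentObj.UserId!=UserId` dereferences `currentObj` unconditionally, so if this validator also runs on the create path, where there is no existing record, it will throw a NullReferenceException rather than adding an error; the method begins before this hunk so I cannot see whether `currentObj` is guaranteed non-null here, please confirm. If it can be null, `(proposedObj.UserId != UserId || (currentObj != null && currentObj.UserId != UserId))` preserves the ownership rule for edits without breaking creates. Also note the guard now applies to every `UserIsRestrictedType` rather than only `UserIsTechRestricted`, which is a deliberate broadening worth a comment such as `// restricted users (tech and subcontractor) may only touch records assigned to themselves`.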
@@ -2767,7 +2767,13 @@ namespace AyaNova.Biz
//
internal async Task LaborGetAsync(long id, bool logTheGetEvent = true)
{
+
var ret = await ct.WorkOrderItemLabor.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
+ if (UserIsRestrictedType && ret.UserId != UserId)
+ {
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
+ return null;
+ }
if (logTheGetEvent && ret != null)
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
return ret;
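Review bot: The new ownership check reads `ret.UserId` before the existing `ret != null` test on the following line, so a restricted user requesting a labor id that does not exist (SingleOrDefaultAsync returning null) now gets a NullReferenceException instead of the previous null result; change it to `if (UserIsRestrictedType && ret != null && ret.UserId != UserId)`. Separately, a denied read returns null with a NOT_AUTHORIZED error while a missing id returns null with no error, so a restricted caller can still distinguish existing from non-existing ids; if that matters, consider returning the same shape for both. The denied attempt is also not written to the event log, whereas a successful read is, which may matter for auditing. The method's closing brace lies outside this hunk.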
@@ -3026,11 +3032,10 @@ namespace AyaNova.Biz
}
}
- if (UserIsRestrictedType)
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
- //Labors: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
- if (proposedObj.UserId != UserId)
- AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ //no edits allowed on other people's records
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
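Review bot: The `return;` that used to run for every `UserIsRestrictedType` user is now reached only when the ownership check fails, so a restricted user editing their own labor record will continue into whatever validation follows this block, which the old code skipped; please confirm that fall-through is intended rather than a side effect of the refactor. As in the expense validator, `currentObj.UserId` is dereferenced without a null check, and the removed comment says restricted users may "add" labors, so if this path also validates new records `currentObj` may be null; `(currentObj != null && currentObj.UserId != UserId)` would avoid that. The enclosing method starts and ends outside this hunk.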
@@ -5892,11 +5897,10 @@ namespace AyaNova.Biz
}
}
- if (UserIsRestrictedType)
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
- //Travels: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
- if (proposedObj.UserId != UserId)
- AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ //no edits allowed on other people's records
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
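Review bot: `currentObj.UserId!=UserId` is evaluated for every restricted user regardless of whether an existing travel record was loaded, and the removed comment on this block states that restricted users may add travels, so a create with no current record would throw rather than be rejected cleanly if `currentObj` can be null here. Guarding it as `(proposedObj.UserId != UserId || (currentObj != null && currentObj.UserId != UserId))` keeps the intent of blocking reassignment of someone else's record while leaving the add path working. The method begins before this hunk, so the null guarantee may already exist upstream; worth a comment either way, e.g. `// currentObj is null for new records; only the proposed owner is checked then`.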