From a5b1baa3d8748dcbe7ea5e08efad1df771b78020 Mon Sep 17 00:00:00 2001
From: John Cardinal
Date: Wed, 14 Jul 2021 18:17:19 +0000
Subject: [PATCH]

---
 .../Controllers/WorkOrderController.cs | 96 +++----------------
 server/AyaNova/biz/WorkOrderBiz.cs | 26 ++---
 2 files changed, 26 insertions(+), 96 deletions(-)

diff --git a/server/AyaNova/Controllers/WorkOrderController.cs b/server/AyaNova/Controllers/WorkOrderController.cs
index c6eaacc2..1e0df7fe 100644
--- a/server/AyaNova/Controllers/WorkOrderController.cs
+++ b/server/AyaNova/Controllers/WorkOrderController.cs
@@ -147,7 +147,7 @@ namespace AyaNova.Api.Controllers
 return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, "generalerror", "Work order PUT route accepts header only; PUT Work order descendants separately"));
 }
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
+ if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.WorkOrderPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -173,7 +173,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrder))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrder) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.WorkOrderDeleteAsync(id))
 return BadRequest(new ApiErrorResponse(biz.Errors));
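Review bot: The restricted-type denial added to the PUT route (`|| biz.UserIsRestrictedType`) is enforced only in the controller, ahead of `biz.WorkOrderPutAsync(updatedObject)`, whereas the WorkOrderBiz hunks in this same commit enforce the restricted-user rule inside the biz layer for labor and travel. Any other caller of `WorkOrderPutAsync` / `WorkOrderDeleteAsync` (another route, a batch or import path) would therefore not get this check; I cannot see those biz methods, but if they do not already test `UserIsRestrictedType` it is worth having them add `ApiErrorCode.NOT_AUTHORIZED` and bail out at entry, so the policy is enforced once and the controller check is only the fast path. The same applies to the DELETE hunk at -173 and to the WorkOrderItem hunks at -372, -395, -421 and -448. A one-line comment on the guard, e.g. `// restricted user types may not touch the work order header even when they hold the role; see WorkOrderBiz`, would also record why a role-holder can be refused here. The enclosing action methods start and end outside the hunk.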
@@ -206,33 +206,6 @@ namespace AyaNova.Api.Controllers } - - // /// - // /// Change existing work order's Contract - // /// applies new Contract and returns complete updated work order - // /// - // /// Work order id - // /// new contract id - // /// From route path - // /// WorkOrder - // [HttpPost("set-contract/{workOrderId}")] - // public async Task ChangeContract([FromRoute] long workOrderId, [FromBody] ContractChangeRecord newContractChangeRecord, ApiVersion apiVersion) - // { - // if (!serverState.IsOpen) - // return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason)); - // WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext); - // if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType)) - // return StatusCode(403, new ApiNotAuthorizedResponse()); - // if (!ModelState.IsValid) - // return BadRequest(new ApiErrorResponse(ModelState)); - // WorkOrder o = await biz.ChangeContract(workOrderId, newContractChangeRecord.NewContractId); - // if (o == null) - // return BadRequest(new ApiErrorResponse(biz.Errors)); - // else - // return Ok(ApiOkResponse.Response(o)); - // } - - // public record ContractChangeRecord(long? NewContractId); #endregion WorkOrderTopLevel routes @@ -262,7 +235,7 @@ namespace AyaNova.Api.Controllers if (!serverState.IsOpen) return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason)); WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext); - if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus)) + if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderStatus) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted) return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); 
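Review bot: The new guard at -262 spells the subcontractor test as `biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted`, and the same disjunction is repeated verbatim in the expense hunks at -481, -504, -528 and -554. A single property on `WorkOrderBiz`, e.g. `public bool UserIsSubContractor => UserIsSubContractorFull || UserIsSubContractorRestricted;`, would keep that policy in one place so the five call sites cannot silently diverge if a further subcontractor variant is added. It is also not stated anywhere why the status and expense routes reject subcontractors only while the header and item routes reject every `UserIsRestrictedType`; assuming that distinction is intended, a comment on the first such guard would stop the next reader from treating it as an omission. The enclosing action method starts and ends outside the hunk.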
@@ -297,53 +270,6 @@ namespace AyaNova.Api.Controllers - // /// - // /// Update WorkOrderState - // /// - // /// - // /// WorkOrderState - top level only, no descendants - // /// New concurrency token - // [HttpPut("states/")] - // public async Task PutWorkOrderState([FromBody] WorkOrderState updatedObject) - // { - // if (!serverState.IsOpen) - // return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason)); - // if (!ModelState.IsValid) - // return BadRequest(new ApiErrorResponse(ModelState)); - // WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext); - // if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderStatus)) - // return StatusCode(403, new ApiNotAuthorizedResponse()); - // var o = await biz.StatePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token - // if (o == null) - // { - // if (biz.Errors.Exists(z => z.Code == ApiErrorCode.CONCURRENCY_CONFLICT)) - // return StatusCode(409, new ApiErrorResponse(biz.Errors)); - // else - // return BadRequest(new ApiErrorResponse(biz.Errors)); - // } - // return Ok(ApiOkResponse.Response(new { Concurrency = o.Concurrency })); - // } - - - // /// - // /// Delete WorkOrderState - // /// - // /// - // /// NoContent - // [HttpDelete("states/{WorkOrderStateId}")] - // public async Task DeleteWorkOrderState([FromRoute] long WorkOrderStateId) - // { - // if (!serverState.IsOpen) - // return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason)); - // if (!ModelState.IsValid) - // return BadRequest(new ApiErrorResponse(ModelState)); - // WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext); - // if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderStatus)) - // return StatusCode(403, new ApiNotAuthorizedResponse()); - // if (!await biz.StateDeleteAsync(WorkOrderStateId)) - // return BadRequest(new ApiErrorResponse(biz.Errors)); - // return NoContent(); - // } #endregion 
workorderstate
@@ -372,7 +298,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -395,7 +321,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -421,7 +347,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.ItemPutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -448,7 +374,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItem))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItem) || biz.UserIsRestrictedType)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.ItemDeleteAsync(WorkOrderItemId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
@@ -481,7 +407,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -504,7 +430,7 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen)
 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasReadFullRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
@@ -528,7 +454,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 var o = await biz.ExpensePutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token
 if (o == null)
@@ -554,7 +480,7 @@ namespace AyaNova.Api.Controllers
 if (!ModelState.IsValid)
 return BadRequest(new ApiErrorResponse(ModelState));
 WorkOrderBiz biz = WorkOrderBiz.GetBiz(ct, HttpContext);
- if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemExpense))
+ if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.WorkOrderItemExpense) || biz.UserIsSubContractorFull || biz.UserIsSubContractorRestricted)
 return StatusCode(403, new ApiNotAuthorizedResponse());
 if (!await biz.ExpenseDeleteAsync(WorkOrderItemExpenseId))
 return BadRequest(new ApiErrorResponse(biz.Errors));
diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs
index 795602d5..774046c7 100644
--- a/server/AyaNova/biz/WorkOrderBiz.cs
+++ b/server/AyaNova/biz/WorkOrderBiz.cs
@@ -2572,10 +2572,10 @@ namespace AyaNova.Biz
 return;
 }
- if (UserIsTechRestricted && proposedObj.UserId != UserId)
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
 {
- //no edits allowed on other people's expenses
- AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ //no edits allowed on other people's records
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
 return;
 }
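Review bot: The new condition at -2572 dereferences `currentObj.UserId` unconditionally, where the old check only looked at `proposedObj`; if this validator is also reached for an insert, or before `currentObj` has been loaded, the added clause throws a NullReferenceException instead of producing the NOT_AUTHORIZED error (I cannot see where `currentObj` is assigned, so please confirm). A null-tolerant form keeps the previous insert behaviour and the new ownership rule: `if (UserIsRestrictedType && (proposedObj.UserId != UserId || (currentObj != null && currentObj.UserId != UserId)))`. The same clause appears in the labor and travel hunks at -3026 and -5892. Minor style: `currentObj.UserId!=UserId` lacks the spaces used by `proposedObj.UserId != UserId` on the same line. The enclosing method starts and ends outside the hunk.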
@@ -2767,7 +2767,13 @@ namespace AyaNova.Biz
 //
 internal async Task LaborGetAsync(long id, bool logTheGetEvent = true)
 {
+ var ret = await ct.WorkOrderItemLabor.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
+ if (UserIsRestrictedType && ret.UserId != UserId)
+ {
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
+ return null;
+ }
 if (logTheGetEvent && ret != null)
 await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
 return ret;
@@ -3026,11 +3032,10 @@ namespace AyaNova.Biz
 }
 }
- if (UserIsRestrictedType)
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
 {
- //Labors: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
- if (proposedObj.UserId != UserId)
- AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ //no edits allowed on other people's records
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
 return;
 }
@@ -5892,11 +5897,10 @@ namespace AyaNova.Biz
 }
 }
- if (UserIsRestrictedType)
+ if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
 {
- //Travels: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
- if (proposedObj.UserId != UserId)
- AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
+ //no edits allowed on other people's records
+ AddError(ApiErrorCode.NOT_AUTHORIZED);
 return;
 }
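Review bot: `ret.UserId` is read on the new ownership check before the existing `ret != null` guard on the following line, so a restricted user asking for a labor id that does not exist gets a NullReferenceException instead of the null return the method otherwise produces. Make the check null-safe: `if (UserIsRestrictedType && ret != null && ret.UserId != UserId)`. Separately, answering an existing-but-foreign id with NOT_AUTHORIZED while an absent id yields a plain null lets a restricted caller tell the two apart; if the client does not need that distinction, returning the same not-found result for both avoids confirming which labor ids exist. The enclosing method's closing brace is outside the hunk.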
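Review bot: Folding the ownership test into the `if` at -3026 also changes when the method returns: the old block returned for every `UserIsRestrictedType` user, owner or not, whereas now a restricted user who owns the record falls through to whatever validation follows the hunk. That may well be the intent (owners are validated like everyone else), but the new comment does not say so; `//restricted users: only their own records, after which normal validation continues` on the `if` line would record it, and if the early return was deliberately skipping checks that do not apply to restricted users it needs restoring. The replaced comment also dropped the statement that a missing user selection defaults to the caller; keep that sentence if the defaulting still happens above the hunk. The travel hunk at -5892 has the identical change. Both enclosing methods start and end outside the hunk.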