admin/raven
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Browse Source
This commit is contained in:
John Cardinal
2021-07-14 18:17:19 +00:00
parent 83a10744c9
commit a5b1baa3d8
2 changed files with 26 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
server/AyaNova/biz/WorkOrderBiz.cs
View File

@@ -2572,10 +2572,10 @@ namespace AyaNova.Biz
return;
}
if (UserIsTechRestricted && proposedObj.UserId != UserId)
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
//no edits allowed on other people's expenses
AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
//no edits allowed on other people's records
AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
@@ -2767,7 +2767,13 @@ namespace AyaNova.Biz
//
internal async Task<WorkOrderItemLabor> LaborGetAsync(long id, bool logTheGetEvent = true)
{
var ret = await ct.WorkOrderItemLabor.AsNoTracking().SingleOrDefaultAsync(z => z.Id == id);
if (UserIsRestrictedType && ret.UserId != UserId)
{
AddError(ApiErrorCode.NOT_AUTHORIZED);
return null;
}
if (logTheGetEvent && ret != null)
await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, id, ret.AyaType, AyaEvent.Retrieved), ct);
return ret;
@@ -3026,11 +3032,10 @@ namespace AyaNova.Biz
}
}
if (UserIsRestrictedType)
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
//Labors: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
if (proposedObj.UserId != UserId)
AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
//no edits allowed on other people's records
AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}
@@ -5892,11 +5897,10 @@ namespace AyaNova.Biz
}
}
if (UserIsRestrictedType)
if (UserIsRestrictedType && (proposedObj.UserId != UserId || currentObj.UserId!=UserId))
{
//Travels: add (no user selection defaults to themselves), remove, view and edit only when they are the selected User
if (proposedObj.UserId != UserId)
AddError(ApiErrorCode.NOT_AUTHORIZED, "generalerror");
//no edits allowed on other people's records
AddError(ApiErrorCode.NOT_AUTHORIZED);
return;
}