admin/raven
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Browse Source
This commit is contained in:
John Cardinal
2021-09-08 19:49:41 +00:00
parent 15ae4ee682
commit c6df1aea27
1 changed files with 41 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
server/AyaNova/Controllers/DataListController.cs
View File

@@ -92,24 +92,10 @@ namespace AyaNova.Api.Controllers
if (!UserRoles.HasAnyFlags(DataList.AllowedRoles))
return StatusCode(403, new ApiNotAuthorizedResponse());
//IF user is a customer type check if they are allowed to view this datalist at all under global settings
//IF user is a customer type check if they are allowed to view this datalist
if (UType == UserType.Customer || UType == UserType.HeadOffice)
{
switch (tableRequest.DataListKey)
{
case "CustomerServiceRequestDataList":
if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR)
return StatusCode(403, new ApiNotAuthorizedResponse());
//TODO: user must match headoffice or customer id extra data or else it's not allowed
break;
//todo: workorder list
default://pretty much anything is not allowed
return StatusCode(403, new ApiNotAuthorizedResponse());
}
}
if (!await CustomerTypeUserIsAllowedThisDataList(UserId, UserRoles, tableRequest.ClientCriteria, tableRequest.DataListKey))
return StatusCode(403, new ApiNotAuthorizedResponse());
//hydrate the saved view and filter
DataListTableProcessingOptions dataListTableOptions = new DataListTableProcessingOptions(tableRequest, DataList, SavedView, SavedFilter, UserId, UserRoles);
@@ -129,35 +115,49 @@ namespace AyaNova.Api.Controllers
private async Task<bool> CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey)
{
//all customer data lists require client criteria
if (string.IsNullOrWhiteSpace(clientCriteria))
return false;
//ClientCriteria format for this list is "OBJECTID,AYATYPE"
var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray();
if (crit.Length > 1)
if (crit.Length < 3)
return false;
int nType = 0;
if (!int.TryParse(crit[1], out nType)) return false;
AyaType forType = (AyaType)nType;
if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false;
long lId = 0;
if (!long.TryParse(crit[0], out lId)) return false;
if (lId == 0) return false;
//Have valid type, have an id, is this User actually connected to the entity they are requesting data for
var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();
switch (forType)
{
int nType = 0;
if (!int.TryParse(crit[1], out nType)) return false;
AyaType forType = (AyaType)nType;
if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false;
long lId = 0;
if (!long.TryParse(crit[0], out lId)) return false;
if (lId == 0) return false;
//Have valid type, have an id, is this User actually connected to the entity they are requesting data for
var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();
switch (forType)
{
case AyaType.Customer:
if (lId != User.CustomerId)
return false;
break;
case AyaType.HeadOffice:
if (lId != User.HeadOfficeId)
return false;
break;
}
case AyaType.Customer:
if (lId != User.CustomerId)
return false;
break;
case AyaType.HeadOffice:
if (lId != User.HeadOfficeId)
return false;
break;
}
switch (dataListKey)
{
case "CustomerServiceRequestDataList":
if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR)
return false;
break;
//todo: workorder list
default://pretty much anything is not allowed
return false;
}
return true;
}