From c6df1aea27fd9aa7fedc1ec6c84129c6731fb792 Mon Sep 17 00:00:00 2001 From: John Cardinal Date: Wed, 8 Sep 2021 19:49:41 +0000 Subject: [PATCH] --- .../AyaNova/Controllers/DataListController.cs | 82 +++++++++---------- 1 file changed, 41 insertions(+), 41 deletions(-) diff --git a/server/AyaNova/Controllers/DataListController.cs b/server/AyaNova/Controllers/DataListController.cs index 6ce9c9b6..1e812e4e 100644 --- a/server/AyaNova/Controllers/DataListController.cs +++ b/server/AyaNova/Controllers/DataListController.cs @@ -92,24 +92,10 @@ namespace AyaNova.Api.Controllers if (!UserRoles.HasAnyFlags(DataList.AllowedRoles)) return StatusCode(403, new ApiNotAuthorizedResponse()); - //IF user is a customer type check if they are allowed to view this datalist at all under global settings + //IF user is a customer type check if they are allowed to view this datalist if (UType == UserType.Customer || UType == UserType.HeadOffice) - { - switch (tableRequest.DataListKey) - { - case "CustomerServiceRequestDataList": - if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR) - return StatusCode(403, new ApiNotAuthorizedResponse()); - - //TODO: user must match headoffice or customer id extra data or else it's not allowed - break; - //todo: workorder list - default://pretty much anything is not allowed - return StatusCode(403, new ApiNotAuthorizedResponse()); - } - - } - + if (!await CustomerTypeUserIsAllowedThisDataList(UserId, UserRoles, tableRequest.ClientCriteria, tableRequest.DataListKey)) + return StatusCode(403, new ApiNotAuthorizedResponse()); //hydrate the saved view and filter DataListTableProcessingOptions dataListTableOptions = new DataListTableProcessingOptions(tableRequest, DataList, SavedView, SavedFilter, UserId, UserRoles); 
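Review bot: The new guard is two nested brace-less `if` statements (`if (UType == UserType.Customer || UType == UserType.HeadOffice)` directly followed by `if (!await CustomerTypeUserIsAllowedThisDataList(...)) return StatusCode(403, ...);`), which is the classic dangling-if shape: any later `else` or second statement added under the outer condition silently binds to the wrong `if`, and in an authorization gate that is worth avoiding. I would keep the braces the removed block had, e.g. `if (UType == UserType.Customer || UType == UserType.HeadOffice) {` ... `}`, so the deny path stays visually scoped. The enclosing action method starts before this hunk and continues after it.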
@@ -129,35 +115,49 @@ namespace AyaNova.Api.Controllers private async Task CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey) { + //all customer data lists require client criteria + if (string.IsNullOrWhiteSpace(clientCriteria)) + return false; //ClientCriteria format for this list is "OBJECTID,AYATYPE" var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray(); - if (crit.Length > 1) + if (crit.Length < 3) + return false; + + int nType = 0; + if (!int.TryParse(crit[1], out nType)) return false; + AyaType forType = (AyaType)nType; + if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false; + + long lId = 0; + if (!long.TryParse(crit[0], out lId)) return false; + if (lId == 0) return false; + + //Have valid type, have an id, is this User actually connected to the entity they are requesting data for + var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync(); + switch (forType) { - - int nType = 0; - if (!int.TryParse(crit[1], out nType)) return false; - AyaType forType = (AyaType)nType; - if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false; - - long lId = 0; - if (!long.TryParse(crit[0], out lId)) return false; - if (lId == 0) return false; - - //Have valid type, have an id, is this User actually connected to the entity they are requesting data for - var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync(); - switch (forType) - { - case AyaType.Customer: - if (lId != User.CustomerId) - return false; - break; - case AyaType.HeadOffice: - if (lId != User.HeadOfficeId) - return false; - break; - } + case AyaType.Customer: + if (lId != User.CustomerId) + return false; + break; + case AyaType.HeadOffice: + if (lId != User.HeadOfficeId) + return false; + break; } + + switch (dataListKey) + { + case 
"CustomerServiceRequestDataList": + if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR) + return false; + break; + //todo: workorder list + default://pretty much anything is not allowed + return false; + } + return true; }