2021-09-08 19:49:41 +00:00
parent 15ae4ee682
commit c6df1aea27


@@ -92,25 +92,11 @@ namespace AyaNova.Api.Controllers
if (!UserRoles.HasAnyFlags(DataList.AllowedRoles)) if (!UserRoles.HasAnyFlags(DataList.AllowedRoles))
return StatusCode(403, new ApiNotAuthorizedResponse()); return StatusCode(403, new ApiNotAuthorizedResponse());
//IF user is a customer type check if they are allowed to view this datalist at all under global settings //IF user is a customer type check if they are allowed to view this datalist
if (UType == UserType.Customer || UType == UserType.HeadOffice) if (UType == UserType.Customer || UType == UserType.HeadOffice)
{ if (!await CustomerTypeUserIsAllowedThisDataList(UserId, UserRoles, tableRequest.ClientCriteria, tableRequest.DataListKey))
switch (tableRequest.DataListKey)
{
case "CustomerServiceRequestDataList":
if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR)
return StatusCode(403, new ApiNotAuthorizedResponse()); return StatusCode(403, new ApiNotAuthorizedResponse());
//TODO: user must match headoffice or customer id extra data or else it's not allowed
break;
//todo: workorder list
default://pretty much anything is not allowed
return StatusCode(403, new ApiNotAuthorizedResponse());
}
}
//hydrate the saved view and filter //hydrate the saved view and filter
DataListTableProcessingOptions dataListTableOptions = new DataListTableProcessingOptions(tableRequest, DataList, SavedView, SavedFilter, UserId, UserRoles); DataListTableProcessingOptions dataListTableOptions = new DataListTableProcessingOptions(tableRequest, DataList, SavedView, SavedFilter, UserId, UserRoles);
DataListReturnData r = await DataListFetcher.GetResponseAsync(ct, dataListTableOptions, DataList, UserRoles, log, UserId); DataListReturnData r = await DataListFetcher.GetResponseAsync(ct, dataListTableOptions, DataList, UserRoles, log, UserId);
@@ -129,11 +115,14 @@ namespace AyaNova.Api.Controllers
private async Task<bool> CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey) private async Task<bool> CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey)
{ {
//all customer data lists require client criteria
if (string.IsNullOrWhiteSpace(clientCriteria))
return false;
//ClientCriteria format for this list is "OBJECTID,AYATYPE" //ClientCriteria format for this list is "OBJECTID,AYATYPE"
var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray(); var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray();
if (crit.Length > 1) if (crit.Length < 3)
{ return false;
int nType = 0; int nType = 0;
if (!int.TryParse(crit[1], out nType)) return false; if (!int.TryParse(crit[1], out nType)) return false;
@@ -157,7 +146,18 @@ namespace AyaNova.Api.Controllers
return false; return false;
break; break;
} }
switch (dataListKey)
{
case "CustomerServiceRequestDataList":
if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR)
return false;
break;
//todo: workorder list
default://pretty much anything is not allowed
return false;
} }
return true; return true;
} }
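Review bot: In the second hunk the new guard `if (crit.Length < 3) return false;` rejects the two-element "OBJECTID,AYATYPE" value that the comment directly above it describes, so either that comment is stale or the bound is off by one; if two parts are the contract it should read `if (crit.Length < 2) return false;`, otherwise the comment should say what the third element is so the next reader knows why it is required. With the new `string.IsNullOrWhiteSpace(clientCriteria)` check in front of it, the `(clientCriteria ?? "")` fallback on the Split line is dead and can be simplified to `clientCriteria.Split(',')`. The first hunk drops the old TODO "user must match headoffice or customer id extra data or else it's not allowed" together with the inlined switch, and the part of CustomerTypeUserIsAllowedThisDataList between the second and third hunks is outside this view, so I cannot confirm from here that the OBJECTID element is checked against the calling user; a short comment at the top of the method stating what OBJECTID is validated against would close that gap for reviewers. The body of CustomerTypeUserIsAllowedThisDataList is split across the second and third hunks, with its middle not shown.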