@@ -92,24 +92,10 @@ namespace AyaNova.Api.Controllers
if (!UserRoles.HasAnyFlags(DataList.AllowedRoles))
|
if (!UserRoles.HasAnyFlags(DataList.AllowedRoles))
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
|
|
||||||
//IF user is a customer type check if they are allowed to view this datalist at all under global settings
|
//IF user is a customer type check if they are allowed to view this datalist
|
||||||
if (UType == UserType.Customer || UType == UserType.HeadOffice)
|
if (UType == UserType.Customer || UType == UserType.HeadOffice)
|
||||||
{
|
if (!await CustomerTypeUserIsAllowedThisDataList(UserId, UserRoles, tableRequest.ClientCriteria, tableRequest.DataListKey))
|
||||||
switch (tableRequest.DataListKey)
|
return StatusCode(403, new ApiNotAuthorizedResponse());
|
||||||
{
|
|
||||||
case "CustomerServiceRequestDataList":
|
|
||||||
if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR)
|
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
|
||||||
|
|
||||||
//TODO: user must match headoffice or customer id extra data or else it's not allowed
|
|
||||||
break;
|
|
||||||
//todo: workorder list
|
|
||||||
default://pretty much anything is not allowed
|
|
||||||
return StatusCode(403, new ApiNotAuthorizedResponse());
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
//hydrate the saved view and filter
|
//hydrate the saved view and filter
|
||||||
DataListTableProcessingOptions dataListTableOptions = new DataListTableProcessingOptions(tableRequest, DataList, SavedView, SavedFilter, UserId, UserRoles);
|
DataListTableProcessingOptions dataListTableOptions = new DataListTableProcessingOptions(tableRequest, DataList, SavedView, SavedFilter, UserId, UserRoles);
|
||||||
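Review bot: The added guard `if (!await CustomerTypeUserIsAllowedThisDataList(UserId, UserRoles, tableRequest.ClientCriteria, tableRequest.DataListKey))` is, as rendered here, nested directly under `if (UType == UserType.Customer || UType == UserType.HeadOffice)` with no braces, which the hunk's 10-line new count is consistent with; two stacked brace-less `if`s are easy to misread when a later edit adds a statement, so wrap the inner `if` and its `return StatusCode(403, new ApiNotAuthorizedResponse());` in `{ }`. The 403 decision taken here is only as good as the user lookup inside CustomerTypeUserIsAllowedThisDataList, which is reviewed on the second hunk. The enclosing action method starts and ends outside this hunk.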
@@ -129,35 +115,49 @@ namespace AyaNova.Api.Controllers
|
|||||||
|
|
||||||
private async Task<bool> CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey)
|
private async Task<bool> CustomerTypeUserIsAllowedThisDataList(long currentUserId, AuthorizationRoles userRoles, string clientCriteria, string dataListKey)
|
||||||
{
|
{
|
||||||
|
//all customer data lists require client criteria
|
||||||
|
if (string.IsNullOrWhiteSpace(clientCriteria))
|
||||||
|
return false;
|
||||||
|
|
||||||
//ClientCriteria format for this list is "OBJECTID,AYATYPE"
|
//ClientCriteria format for this list is "OBJECTID,AYATYPE"
|
||||||
var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray();
|
var crit = (clientCriteria ?? "").Split(',').Select(z => z.Trim()).ToArray();
|
||||||
if (crit.Length > 1)
|
if (crit.Length < 3)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
int nType = 0;
|
||||||
|
if (!int.TryParse(crit[1], out nType)) return false;
|
||||||
|
AyaType forType = (AyaType)nType;
|
||||||
|
if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false;
|
||||||
|
|
||||||
|
long lId = 0;
|
||||||
|
if (!long.TryParse(crit[0], out lId)) return false;
|
||||||
|
if (lId == 0) return false;
|
||||||
|
|
||||||
|
//Have valid type, have an id, is this User actually connected to the entity they are requesting data for
|
||||||
|
var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();
|
||||||
|
switch (forType)
|
||||||
{
|
{
|
||||||
|
case AyaType.Customer:
|
||||||
int nType = 0;
|
if (lId != User.CustomerId)
|
||||||
if (!int.TryParse(crit[1], out nType)) return false;
|
return false;
|
||||||
AyaType forType = (AyaType)nType;
|
break;
|
||||||
if (forType != AyaType.Customer && forType != AyaType.HeadOffice) return false;
|
case AyaType.HeadOffice:
|
||||||
|
if (lId != User.HeadOfficeId)
|
||||||
long lId = 0;
|
return false;
|
||||||
if (!long.TryParse(crit[0], out lId)) return false;
|
break;
|
||||||
if (lId == 0) return false;
|
|
||||||
|
|
||||||
//Have valid type, have an id, is this User actually connected to the entity they are requesting data for
|
|
||||||
var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();
|
|
||||||
switch (forType)
|
|
||||||
{
|
|
||||||
case AyaType.Customer:
|
|
||||||
if (lId != User.CustomerId)
|
|
||||||
return false;
|
|
||||||
break;
|
|
||||||
case AyaType.HeadOffice:
|
|
||||||
if (lId != User.HeadOfficeId)
|
|
||||||
return false;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
switch (dataListKey)
|
||||||
|
{
|
||||||
|
case "CustomerServiceRequestDataList":
|
||||||
|
if (!AyaNova.Util.ServerGlobalBizSettings.Cache.CustomerAllowCSR)
|
||||||
|
return false;
|
||||||
|
break;
|
||||||
|
//todo: workorder list
|
||||||
|
default://pretty much anything is not allowed
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
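Review bot: The ownership check at `var User = await ct.User.AsNoTracking().Select(x => new { x.CustomerId, x.HeadOfficeId }).FirstOrDefaultAsync();` never filters by `currentUserId`, so the `switch (forType)` below compares the requested id against whichever user row the query returns first rather than the caller, and `User` is then dereferenced with no null check. Add the filter before the projection, `.Where(x => x.<USER_KEY_PROPERTY> == currentUserId)` (placeholder for the user entity's key property, which is not visible in this hunk), and `if (User is null) return false;` before the switch. Separately, `if (crit.Length < 3) return false;` rejects the two-field `"OBJECTID,AYATYPE"` format described in the comment directly above it; if that comment is accurate the guard should be `if (crit.Length < 2) return false;`. The `userRoles` parameter is not read anywhere in the method body, and `(clientCriteria ?? "")` is redundant after the `string.IsNullOrWhiteSpace(clientCriteria)` check at the top.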