diff --git a/server/AyaNova/Controllers/ImportController.cs b/server/AyaNova/Controllers/ImportController.cs
index 644d62f8..a580861b 100644
--- a/server/AyaNova/Controllers/ImportController.cs
+++ b/server/AyaNova/Controllers/ImportController.cs
@@ -56,6 +56,11 @@ namespace AyaNova.Api.Controllers
 if (!serverState.IsOpen) return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
+ //This route is ONLY available to users with full rights to Global object
+ if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.Global))
+ {
+ return StatusCode(403, new ApiNotAuthorizedResponse());
+ }
 // AyaTypeId attachToObject = null;
 ApiUploadProcessor.ApiUploadedFilesResult uploadFormData = null;
@@ -67,7 +72,7 @@ namespace AyaNova.Api.Controllers
 return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, null, $"Expected a multipart request, but got {Request.ContentType}"));
 //Save uploads to disk under temporary file names until we decide how to handle them
- // uploadFormData = await ApiUploadProcessor.ProcessUploadAsync(HttpContext);xx
+ // uploadFormData = await ApiUploadProcessor.ProcessUploadAsync(HttpContext);xx
 string UploadAType = string.Empty;
@@ -76,7 +81,7 @@ namespace AyaNova.Api.Controllers
 string Notes = string.Empty;
 List FileData = new List();
- //Save uploads to disk under temporary file names until we decide how to handle them
+ //Save uploads to disk under temporary file names until we decide how to handle them
 uploadFormData = await ApiUploadProcessor.ProcessUploadAsync(HttpContext);
 if (!string.IsNullOrWhiteSpace(uploadFormData.Error)) {
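Review bot: The comment on the new guard says "full rights to Global object" but the check that follows is `Authorized.HasModifyRole(HttpContext.Items, AyaType.Global)`, i.e. only the Modify role on Global, so the comment overstates what is enforced and should name the role actually tested: `// Import is restricted to callers holding the Modify role on the Global object; checked before any upload is read from the request.` Placing the gate before the multipart check and before `ProcessUploadAsync` is the right order, since an unauthorized caller then never gets files written to disk under temporary names. The 403 is returned after the 503 server-state check, which is fine, but note that an unauthenticated caller presumably reaches this method only if a framework-level authorization attribute outside the hunk lets it through — worth confirming that `HasModifyRole` handles an absent user entry in `HttpContext.Items` rather than throwing. The enclosing action method starts before and continues after this hunk.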
@@ -114,7 +119,7 @@ namespace AyaNova.Api.Controllers //Instantiate the business object handler AyaType TheType = System.Enum.Parse(UploadAType, true); log.LogDebug($"Instantiating biz object handler for {TheType}"); - var biz = BizObjectFactory.GetBizObject(TheType, ct); + var biz = BizObjectFactory.GetBizObject(TheType, ct, UserIdFromContext.Id(HttpContext.Items), UserRolesFromContext.Roles(HttpContext.Items)); if (!(biz is IImportAbleObject)) return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, null, $"Import not supported for {TheType} objects")); diff --git a/server/AyaNova/biz/BizObjectFactory.cs b/server/AyaNova/biz/BizObjectFactory.cs index 46370109..1aff007a 100644 --- a/server/AyaNova/biz/BizObjectFactory.cs +++ b/server/AyaNova/biz/BizObjectFactory.cs @@ -14,8 +14,8 @@ namespace AyaNova.Biz //Used by SEARCH, REPORTING and objects with JOBS internal static BizObject GetBizObject(AyaType ayaType, AyContext ct, - long userId = 1, - AuthorizationRoles roles = AuthorizationRoles.All, + long userId, + AuthorizationRoles roles, long translationId = 0) { if (translationId == 0) @@ -89,8 +89,8 @@ namespace AyaNova.Biz case AyaType.WorkOrderItemTravel: case AyaType.WorkOrderItemUnit: case AyaType.WorkOrderItemOutsideService: - return new WorkOrderBiz(ct, userId, translationId, roles, UserType.NotService);//default to not service for now arbitrarily on the principle of least access - //--- + return new WorkOrderBiz(ct, userId, translationId, roles, UserType.Service); + //--- Quote @@ -105,7 +105,7 @@ namespace AyaNova.Biz case AyaType.QuoteItemTravel: case AyaType.QuoteItemUnit: case AyaType.QuoteItemOutsideService: - return new QuoteBiz(ct, userId, translationId, roles, UserType.NotService);//default to not service for now arbitrarily on the principle of least access + return new QuoteBiz(ct, userId, translationId, roles, UserType.Service); //--- 
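Review bot: The `TheType` value fed into the new `GetBizObject` call comes from `System.Enum.Parse(UploadAType, true)` on the context line just above (presumably the generic overload, since it is assigned to an `AyaType`), and `UploadAType` is filled from the uploaded form, so an unknown type name surfaces as an unhandled `ArgumentException` and a numeric string such as `"9999"` parses to an undefined enum value instead of reaching the `BadRequest` path used elsewhere in this method. Replace the parse with `if (!System.Enum.TryParse<AyaType>(UploadAType, true, out AyaType TheType) || !System.Enum.IsDefined(typeof(AyaType), TheType)) return BadRequest(new ApiErrorResponse(ApiErrorCode.INVALID_OPERATION, null, $"Unknown object type {UploadAType}"));` so the factory only ever sees a defined type. Passing `UserIdFromContext.Id(...)` and `UserRolesFromContext.Roles(...)` instead of relying on the factory's former defaults is the real fix in this hunk and deserves a why-comment on the new line: `// build the handler under the caller's identity so the biz layer's own role checks apply to the import`. The method continues outside the hunk.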
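Review bot: Removing the `= 1` and `= AuthorizationRoles.All` defaults from `GetBizObject` is the right fix — the old defaults meant any caller that omitted identity silently ran as user 1 with every role — but the method's only documentation is still `//Used by SEARCH, REPORTING and objects with JOBS`, which says nothing about what the now-mandatory `userId` and `roles` mean. Add an XML summary stating that `userId` and `roles` become the authorization context of the returned biz object and must be the calling user's values, with a fixed service identity reserved for background jobs, and that `translationId == 0` still selects a default (the branch on the last context line). If user ids are always positive in this schema, a guard such as `if (userId <= 0) throw new ArgumentOutOfRangeException(nameof(userId));` at the top would make a caller passing a placeholder fail fast instead of yielding an object that acts as nobody. The method body continues past the hunk.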
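Review bot: In the `WorkOrder*` cases the switch from `UserType.NotService` to `UserType.Service` deletes the comment that chose NotService "on the principle of least access" and puts no rationale in its place, yet the factory's own header says it serves search, reporting and jobs, so every one of those paths now constructs the work-order handler as a service-type user. If Service is the broader user type — which the deleted comment implies — this widens what those callers can reach, and the change should carry its justification inline, e.g. `// Service user type: NotService hid data these callers legitimately need; role checks still come from 'roles'` if that is the reason. Since `userId` and `roles` are now supplied by every caller, deriving the user type from the caller rather than hard-coding it for the whole factory would be the least-privilege option; if that is not feasible, a test that builds `GetBizObject(AyaType.WorkOrder, ...)` for a non-service user and checks what it can see would guard against regressions. The switch statement continues outside the hunk.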
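Review bot: For the `Quote*` cases `QuoteBiz` is now always built with `UserType.Service`, and the only explanation the old code had — that NotService was the least-access choice — is removed without replacement, so a reader cannot tell whether Service is correct for every caller of this factory or merely convenient for the import that motivated the commit. Record the reason on the line itself, e.g. `// Service user type: quote access is governed by 'roles', user type does not restrict it` if that holds, or, if it does not hold, derive the user type from the `userId` the caller now passes. The enclosing switch continues outside the hunk.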
@@ -121,7 +121,7 @@ namespace AyaNova.Biz
 case AyaType.PMItemTravel:
 case AyaType.PMItemUnit:
 case AyaType.PMItemOutsideService:
- return new PMBiz(ct, userId, translationId, roles, UserType.NotService);//default to not service for now arbitrarily on the principle of least access
+ return new PMBiz(ct, userId, translationId, roles, UserType.Service);
 //---
 case AyaType.Reminder:
diff --git a/server/AyaNova/biz/JobsBiz.cs b/server/AyaNova/biz/JobsBiz.cs
index 0cf05e15..d316b677 100644
--- a/server/AyaNova/biz/JobsBiz.cs
+++ b/server/AyaNova/biz/JobsBiz.cs
@@ -206,7 +206,7 @@ namespace AyaNova.Biz
 await CoreJobNotify.DoWorkAsync();
 await CoreNotificationSweeper.DoWorkAsync();
- //PM GENERATION
+ //PM GENERATION
 await CoreJobPMGenerate.DoWorkAsync();
 //JOB SWEEPER / AND USER COUNT CHECK
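Review bot: `PMBiz` is now constructed with `UserType.Service` for the `PMItem*` cases while the comment explaining the previous least-access choice is deleted and nothing replaces it, so the third hard-coded user type in this factory is again undocumented. Given the factory header says these objects are also built for search, reporting and jobs, either derive the user type from the `userId` that callers must now pass, or state why Service is safe for all of them: `// Service user type: PM visibility is controlled by 'roles', not by user type`, if that is the case. The switch continues outside the hunk.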
@@ -303,18 +303,18 @@ namespace AyaNova.Biz
 await UpdateJobStatusAsync(job.GId, JobStatus.Completed);
 break;
 case JobType.TestJob:
- o = (IJobObject)BizObjectFactory.GetBizObject(AyaType.ServerJob, ct);
+ o = (IJobObject)BizObjectFactory.GetBizObject(AyaType.ServerJob, ct, 1, AuthorizationRoles.BizAdmin);
 break;
 case JobType.SeedTestData:
- o = (IJobObject)BizObjectFactory.GetBizObject(AyaType.TrialSeeder, ct);
+ o = (IJobObject)BizObjectFactory.GetBizObject(AyaType.TrialSeeder, ct, 1, AuthorizationRoles.BizAdmin);
 break;
 case JobType.AttachmentMaintenance:
- o = (IJobObject)BizObjectFactory.GetBizObject(AyaType.FileAttachment, ct);
+ o = (IJobObject)BizObjectFactory.GetBizObject(AyaType.FileAttachment, ct, 1, AuthorizationRoles.BizAdmin);
 break;
 case JobType.BatchCoreObjectOperation:
 //batch op, hand off to biz object to deal with
 //note, convention is that there is an idList in job.jobinfo json if preselected else it's all objects of type
- o = (IJobObject)BizObjectFactory.GetBizObject(job.AType, ct);
+ o = (IJobObject)BizObjectFactory.GetBizObject(job.AType, ct, 1, AuthorizationRoles.BizAdmin);
 break;
 default:
 throw new System.NotSupportedException($"ProcessJobAsync type {job.JobType.ToString()} is not supported");
diff --git a/server/AyaNova/biz/WorkOrderBiz.cs b/server/AyaNova/biz/WorkOrderBiz.cs
index 0f7fb400..13005649 100644
--- a/server/AyaNova/biz/WorkOrderBiz.cs
+++ b/server/AyaNova/biz/WorkOrderBiz.cs
@@ -57,7 +57,7 @@ namespace AyaNova.Biz
 1,
 ServerBootConfig.AYANOVA_DEFAULT_TRANSLATION_ID,
 AuthorizationRoles.BizAdmin,
- UserType.NotService);//picked not service arbitrarily, probably a non-factor
+ UserType.Service);
 }
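Review bot: The four new `GetBizObject` calls hard-code user `1` with `AuthorizationRoles.BizAdmin`, and for `JobType.BatchCoreObjectOperation` that means a batch operation over every object of whatever `job.AType` the job record names (or the `idList` the comment describes) runs with admin rights no matter who queued the job; if non-admin users can enqueue such jobs — not visible in this hunk — the job queue becomes a privilege-escalation path, and the old defaults that this commit removes from the factory had the same effect, so this should be fixed rather than re-encoded. Prefer storing the submitting user's id and roles in the job record and passing those here, or at minimum restricting enqueueing of batch operations to admins. Either way the literal `1` is repeated four times; name it once, `private const long ServiceUserId = 1; // built-in service identity used for background jobs`, and use it in all four calls. The switch continues outside the hunk.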
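Review bot: The WorkOrderBiz hunk deletes the only explanation of this constructor call — `picked not service arbitrarily, probably a non-factor` — while the change itself suggests the user type is a factor after all, so a reader is now left with a bare `1`, `AuthorizationRoles.BizAdmin` and `UserType.Service` with no hint that this is a fixed internal identity rather than a caller. Replace the deleted text with a comment that states the intent, e.g. `UserType.Service); // internal construction: runs as the built-in user with full rights; Service type chosen because <reason>`, filling in why Service is required here since the previous comment claimed it did not matter. The enclosing method or constructor starts before the hunk, so its caller and whether the user type affects data access cannot be judged from here.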