From e8ef841590cd0fd11b001fdcf3ba5beb83defce5 Mon Sep 17 00:00:00 2001 From: John Cardinal Date: Tue, 30 Apr 2019 15:26:05 +0000 Subject: [PATCH] --- devdocs/todo.txt | 20 +++++++++++++++++-- .../Controllers/AttachmentController.cs | 6 +++--- server/AyaNova/Controllers/AuthController.cs | 4 +++- .../Controllers/DataFilterController.cs | 8 ++++---- .../AyaNova/Controllers/EventLogController.cs | 4 ++-- .../Controllers/FormCustomController.cs | 12 +++++------ .../Controllers/ImportAyaNova7Controller.cs | 8 ++++---- .../Controllers/JobOperationsController.cs | 4 ++-- .../AyaNova/Controllers/LicenseController.cs | 6 +++--- .../AyaNova/Controllers/LocaleController.cs | 6 +++--- .../AyaNova/Controllers/LogFilesController.cs | 4 ++-- .../AyaNova/Controllers/MetricsController.cs | 4 ++-- .../Controllers/ServerStateController.cs | 2 +- server/AyaNova/Controllers/UserController.cs | 14 ++++++------- .../Controllers/UserOptionsController.cs | 6 +++--- .../AyaNova/Controllers/WidgetController.cs | 16 +++++++-------- server/AyaNova/util/AyaNovaVersion.cs | 2 +- 17 files changed, 72 insertions(+), 54 deletions(-) diff --git a/devdocs/todo.txt b/devdocs/todo.txt index c56887be..9ab4fea1 100644 --- a/devdocs/todo.txt +++ b/devdocs/todo.txt 
@@ -14,8 +14,24 @@ Do the stuff in the Client todo first then back to the server as required. DO CLIENT STUFF NOW COME BACK TO THIS STUFF LATER - - + ### SERVER WORK NEEDED FIRST.... + - NOT done correctly at the server NEED TO CHANGE THIS SHIT FIRST: + - is returning a 401 (not authenticated) for rights issues that should return 403 (not authorized) + - Before can do below rights stuff need to go back to server and change that + - https://stackoverflow.com/questions/3297048/403-forbidden-vs-401-unauthorized-http-responses#6937030 + - I know it works when the user SubContractorLimited logs in and force to fetch widget gets a 403 instead of a 401 and instead of logging off redirects to home or back or something instead + - in GZAPI handleError has this: ErrorUserNotAuthenticated error string, I also need to check server and docs for the corresponding ErrorUserNotAuthorized which may need to be added and documented + - Also need a localized text for it in all languages apparently and also document it properly and add it as a type of error returned in those circumstances + - May be faster to just try to fetch the object and have rights checked that way and react accordingly in the client rather than try to pre-check before hand + - This is because need the actual object to check if self owned and can still edit, let the server handle that shit and just act accordingly + - If server returns a read only copy of an object due to read full record but not due to allow edit then perhaps the server can also tag it with a READONLY flag so client can adjust accordingly and not need to do the checking with a double request + - SO...SERVER Should return on request of an object one of these: + - Not authenticated at all 401 + - Not authorized for this object 403 (could be due to not own or whatever, we don't care, server handles that shit, client just knows not to show it) + - Object...BUT with READONLY flag of some kind present (in outer wrapper??), so client knows to show read 
only and not allow editing + - Object without readonly flag present so fully editable!!! WOOT! + - FINDINGS / TODO + - So early on the server is returning 401 not authenticated before the route is hit, so really, in any route my own rights check would always be 403, not 401, that's handled already by authentication middleware =-=-=-=-=-=- diff --git a/server/AyaNova/Controllers/AttachmentController.cs b/server/AyaNova/Controllers/AttachmentController.cs index e4439519..4e6ab605 100644 --- a/server/AyaNova/Controllers/AttachmentController.cs +++ b/server/AyaNova/Controllers/AttachmentController.cs @@ -199,7 +199,7 @@ namespace AyaNova.Api.Controllers { //delete temp files DeleteTempFileUploadDueToBadRequest(uploadFormData); - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } } @@ -295,7 +295,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, dbObj.AttachToObjectType, dbObj.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //do the delete @@ -371,7 +371,7 @@ namespace AyaNova.Api.Controllers //is this allowed? if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, dbObj.AttachToObjectType)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //they are allowed, let's send the file diff --git a/server/AyaNova/Controllers/AuthController.cs b/server/AyaNova/Controllers/AuthController.cs index ce6d7416..560d64d6 100644 --- a/server/AyaNova/Controllers/AuthController.cs +++ b/server/AyaNova/Controllers/AuthController.cs 
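Review bot: The new `403` is a bare numeric literal repeated at every rights check in this file, and the same pattern recurs in DataFilterController, EventLogController, FormCustomController, ImportAyaNova7Controller, JobOperationsController, LicenseController, LocaleController, LogFilesController, MetricsController, ServerStateController, UserController, UserOptionsController and WidgetController. `return StatusCode(StatusCodes.Status403Forbidden, new ApiNotAuthorizedResponse());` (from `Microsoft.AspNetCore.Http`) states the intent and cannot quietly drift back to 401, which is exactly the defect this commit repairs. Several of these controllers read a `UserId` property, so they appear to share a base class; if so, one `protected ObjectResult Forbidden() => StatusCode(StatusCodes.Status403Forbidden, new ApiNotAuthorizedResponse());` there would give a single place to change the status or body later. `Forbid()` is not a substitute here because it delegates to the authentication handler and drops the `ApiNotAuthorizedResponse` body. All three enclosing methods start and end outside their hunks.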
@@ -179,7 +179,9 @@ namespace AyaNova.Api.Controllers //If the user is inactive they may not login if (!u.Active) { - return StatusCode(401, new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, null, "User deactivated")); + //This is leaking information, instead just act like bad creds + //return StatusCode(401, new ApiErrorResponse(ApiErrorCode.NOT_AUTHORIZED, null, "User deactivated")); + return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED)); } //build the key (JWT set in startup.cs) diff --git a/server/AyaNova/Controllers/DataFilterController.cs b/server/AyaNova/Controllers/DataFilterController.cs index 52046372..3517a39c 100644 --- a/server/AyaNova/Controllers/DataFilterController.cs +++ b/server/AyaNova/Controllers/DataFilterController.cs @@ -62,7 +62,7 @@ namespace AyaNova.Api.Controllers DataFilterBiz biz = DataFilterBiz.GetBiz(ct, HttpContext); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); @@ -128,7 +128,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); try { @@ -165,7 +165,7 @@ namespace AyaNova.Api.Controllers //If a user has change roles, or editOwnRoles then they can create, true is passed for isOwner since they are creating so by definition the owner if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); 
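Review bot: The old return is left in the deactivated-user branch as a commented-out line; delete it and keep only the reason, e.g. `//Deactivated accounts get the same response as bad credentials so the login endpoint does not reveal account status`. Collapsing the two outcomes into one client-visible response is the right call, but it also removes the only visible signal that a disabled account was used; if the method does not already log this elsewhere, an audit/event-log entry with the user id at this point preserves that signal for operators without changing the response. The two paths still differ by whatever runs between the credential check and this branch, which lies outside the hunk, so it is worth confirming that both produce the `AUTHENTICATION_FAILED` response the same way. The enclosing method starts and ends outside the hunk.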
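Review bot: In the DataFilterController `-128` hunk (and `-207` on the next line) `NotFound` is returned before the owner-based rights check, so a caller without modify or delete rights on the type can still tell whether an id exists (404 versus the new 403); the same order appears in FormCustomController at `-201` and WidgetController at `-186`, `-235` and `-316`. The owner check needs the loaded object, but a type-level `Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)` before the lookup would at least refuse users with no rights on the type without touching the database or revealing existence, if the rights model here allows that ordering. Whether this matters depends on how guessable the ids are; if it is an accepted trade-off, a one-line comment saying so at the check would stop the next reader from re-raising it. The enclosing methods start and end outside the hunks.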
@@ -207,7 +207,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, o.OwnerId)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!biz.Delete(o)) return BadRequest(new ApiErrorResponse(biz.Errors)); diff --git a/server/AyaNova/Controllers/EventLogController.cs b/server/AyaNova/Controllers/EventLogController.cs index 59496292..52ed4155 100644 --- a/server/AyaNova/Controllers/EventLogController.cs +++ b/server/AyaNova/Controllers/EventLogController.cs @@ -63,7 +63,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, opt.AyType)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } var result = await EventLogProcessor.GetLogForObject(opt, ct); @@ -99,7 +99,7 @@ namespace AyaNova.Api.Controllers //If not authorized to read a user and also not the current user asking for their own log then NO LOG FOR YOU! if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.User) && opt.AyId != UserId) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } var result = await EventLogProcessor.GetLogForUser(opt, ct); diff --git a/server/AyaNova/Controllers/FormCustomController.cs b/server/AyaNova/Controllers/FormCustomController.cs index 23dd476d..d8820c50 100644 --- a/server/AyaNova/Controllers/FormCustomController.cs +++ b/server/AyaNova/Controllers/FormCustomController.cs 
@@ -67,7 +67,7 @@ namespace AyaNova.Api.Controllers //Just have to be authenticated for this one if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); @@ -110,7 +110,7 @@ namespace AyaNova.Api.Controllers return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason)); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.FormCustom)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); @@ -141,7 +141,7 @@ namespace AyaNova.Api.Controllers return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason)); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.FormCustom)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); @@ -165,7 +165,7 @@ namespace AyaNova.Api.Controllers return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason)); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.FormCustom)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); @@ -201,7 +201,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); try { 
@@ -237,7 +237,7 @@ namespace AyaNova.Api.Controllers //check rights if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); diff --git a/server/AyaNova/Controllers/ImportAyaNova7Controller.cs b/server/AyaNova/Controllers/ImportAyaNova7Controller.cs index 590acedd..ce2e41d3 100644 --- a/server/AyaNova/Controllers/ImportAyaNova7Controller.cs +++ b/server/AyaNova/Controllers/ImportAyaNova7Controller.cs @@ -73,7 +73,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.AyaNova7Import)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } @@ -166,7 +166,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, AyaType.AyaNova7Import)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //do the delete @@ -194,7 +194,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.AyaNova7Import)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) @@ -247,7 +247,7 @@ namespace AyaNova.Api.Controllers //Create, in that they are creating new data in AyaNova if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.AyaNova7Import)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //does the file even exist? diff --git a/server/AyaNova/Controllers/JobOperationsController.cs b/server/AyaNova/Controllers/JobOperationsController.cs index f5b195cb..1a94954c 100644 --- a/server/AyaNova/Controllers/JobOperationsController.cs 
+++ b/server/AyaNova/Controllers/JobOperationsController.cs @@ -65,7 +65,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.JobOperations)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) @@ -104,7 +104,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.JobOperations)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) diff --git a/server/AyaNova/Controllers/LicenseController.cs b/server/AyaNova/Controllers/LicenseController.cs index 8d9d84f3..5d8ecca0 100644 --- a/server/AyaNova/Controllers/LicenseController.cs +++ b/server/AyaNova/Controllers/LicenseController.cs @@ -62,7 +62,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.License)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } var ret = AyaNova.Core.License.LicenseInfoAsJson; @@ -94,7 +94,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.License)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) @@ -157,7 +157,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, AyaType.License)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) diff --git a/server/AyaNova/Controllers/LocaleController.cs b/server/AyaNova/Controllers/LocaleController.cs index f4f7720f..d3023692 100644 --- a/server/AyaNova/Controllers/LocaleController.cs +++ b/server/AyaNova/Controllers/LocaleController.cs 
@@ -235,7 +235,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oDbParent.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //Instantiate the business object handler @@ -301,7 +301,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.Locale, oFromDb.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //Instantiate the business object handler @@ -369,7 +369,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, AyaType.Locale, dbObj.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } diff --git a/server/AyaNova/Controllers/LogFilesController.cs b/server/AyaNova/Controllers/LogFilesController.cs index eec13b0c..5b8d194f 100644 --- a/server/AyaNova/Controllers/LogFilesController.cs +++ b/server/AyaNova/Controllers/LogFilesController.cs @@ -62,7 +62,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.LogFile)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) @@ -109,7 +109,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.LogFile)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) diff --git a/server/AyaNova/Controllers/MetricsController.cs b/server/AyaNova/Controllers/MetricsController.cs index aa9c54df..ab1099ef 100644 --- a/server/AyaNova/Controllers/MetricsController.cs +++ b/server/AyaNova/Controllers/MetricsController.cs 
@@ -62,7 +62,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Metrics)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } string sResult = await GetTheMetrics("plain"); @@ -92,7 +92,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.Metrics)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } string sResult = await GetTheMetrics("json"); diff --git a/server/AyaNova/Controllers/ServerStateController.cs b/server/AyaNova/Controllers/ServerStateController.cs index d9798dc9..9afe23d1 100644 --- a/server/AyaNova/Controllers/ServerStateController.cs +++ b/server/AyaNova/Controllers/ServerStateController.cs @@ -70,7 +70,7 @@ namespace AyaNova.Api.Controllers { if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.ServerState)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (serverState.IsSystemLocked)//no state change allowed when system locked, must correct the problem first diff --git a/server/AyaNova/Controllers/UserController.cs b/server/AyaNova/Controllers/UserController.cs index 2cb02dc9..cfc1127b 100644 --- a/server/AyaNova/Controllers/UserController.cs +++ b/server/AyaNova/Controllers/UserController.cs @@ -67,7 +67,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) 
@@ -106,7 +106,7 @@ namespace AyaNova.Api.Controllers UserBiz biz = UserBiz.GetBiz(ct, HttpContext); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); return Ok(new { @@ -137,7 +137,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) @@ -216,7 +216,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } @@ -280,7 +280,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } try @@ -330,7 +330,7 @@ namespace AyaNova.Api.Controllers //If a user has change roles, or editOwnRoles then they can create, true is passed for isOwner since they are creating so by definition the owner if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } if (!ModelState.IsValid) @@ -394,7 +394,7 @@ namespace AyaNova.Api.Controllers if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, dbObj.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } diff --git a/server/AyaNova/Controllers/UserOptionsController.cs b/server/AyaNova/Controllers/UserOptionsController.cs index 9136fb4f..b4dce60a 100644 --- a/server/AyaNova/Controllers/UserOptionsController.cs 
+++ b/server/AyaNova/Controllers/UserOptionsController.cs @@ -70,7 +70,7 @@ namespace AyaNova.Api.Controllers //Different than normal here: a user is *always* allowed to retrieve their own user options object if (id != UserId && !Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, AyaType.UserOptions)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //Instantiate the business object handler @@ -122,7 +122,7 @@ namespace AyaNova.Api.Controllers if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } //Instantiate the business object handler @@ -191,7 +191,7 @@ namespace AyaNova.Api.Controllers if (id != UserId && !Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.UserOptions, o.OwnerId)) { - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); } diff --git a/server/AyaNova/Controllers/WidgetController.cs b/server/AyaNova/Controllers/WidgetController.cs index e17458ee..6a0ce696 100644 --- a/server/AyaNova/Controllers/WidgetController.cs +++ b/server/AyaNova/Controllers/WidgetController.cs @@ -65,7 +65,7 @@ namespace AyaNova.Api.Controllers WidgetBiz biz = WidgetBiz.GetBiz(ct, HttpContext); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); 
@@ -96,7 +96,7 @@ namespace AyaNova.Api.Controllers WidgetBiz biz = WidgetBiz.GetBiz(ct, HttpContext); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); return Ok(new { @@ -122,7 +122,7 @@ namespace AyaNova.Api.Controllers WidgetBiz biz = WidgetBiz.GetBiz(ct, HttpContext); if (!Authorized.IsAuthorizedToReadFullRecord(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); @@ -186,7 +186,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); try { @@ -235,7 +235,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); if (!Authorized.IsAuthorizedToModify(HttpContext.Items, biz.BizType, o.OwnerId)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); try { @@ -273,7 +273,7 @@ namespace AyaNova.Api.Controllers //If a user has change roles, or editOwnRoles then they can create, true is passed for isOwner since they are creating so by definition the owner if (!Authorized.IsAuthorizedToCreate(HttpContext.Items, biz.BizType)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!ModelState.IsValid) return BadRequest(new ApiErrorResponse(ModelState)); 
@@ -316,7 +316,7 @@ namespace AyaNova.Api.Controllers return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND)); if (!Authorized.IsAuthorizedToDelete(HttpContext.Items, biz.BizType, o.OwnerId)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); if (!biz.Delete(o)) return BadRequest(new ApiErrorResponse(biz.Errors)); @@ -361,7 +361,7 @@ namespace AyaNova.Api.Controllers return StatusCode(503, new ApiErrorResponse(ApiErrorCode.API_CLOSED, null, serverState.Reason)); if (!Authorized.IsAuthorizedToModify(HttpContext.Items, AyaType.JobOperations)) - return StatusCode(401, new ApiNotAuthorizedResponse()); + return StatusCode(403, new ApiNotAuthorizedResponse()); //Create the job here OpsJob j = new OpsJob(); diff --git a/server/AyaNova/util/AyaNovaVersion.cs b/server/AyaNova/util/AyaNovaVersion.cs index 91d2916a..43e4f1de 100644 --- a/server/AyaNova/util/AyaNovaVersion.cs +++ b/server/AyaNova/util/AyaNovaVersion.cs @@ -11,7 +11,7 @@ namespace AyaNova.Util { get { - return "8.0.0-alpha.2019.April.08"; + return "8.0.0-alpha.2019.April.30"; } }