server/AyaNova/Controllers/UserController.cs

@@ -61,23 +61,30 @@ namespace AyaNova.Api.Controllers
             //Instantiate the business object handler
             UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
 
-            if (!Authorized.HasReadFullRole(HttpContext.Items, biz.BizType))
+
-            {
+
+            //Also used for Contacts (customer type user or ho type user)
+            //by users with no User right so further biz rule required depending on usertype
+            //this is just phase 1
+            bool AllowedOutsideUser = Authorized.HasReadFullRole(HttpContext.Items, AyaType.Customer);
+            bool AllowedInsideUser = Authorized.HasReadFullRole(HttpContext.Items, AyaType.User);
+
+            if (!AllowedOutsideUser && !AllowedInsideUser)
                 return StatusCode(403, new ApiNotAuthorizedResponse());
-            }
 
             if (!ModelState.IsValid)
-            {
                 return BadRequest(new ApiErrorResponse(ModelState));
-            }
-
-
-
             var o = await biz.GetAsync(id);
             if (o == null)
-            {
                 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
-            }
+
+            bool IsOutsideUser = (o.UserType == UserType.Customer || o.UserType == UserType.HeadOffice);
+
+            if (IsOutsideUser && !AllowedOutsideUser)
+                return StatusCode(403, new ApiNotAuthorizedResponse());
+
+            if (!IsOutsideUser && !AllowedInsideUser)
+                return StatusCode(403, new ApiNotAuthorizedResponse());
 
             return Ok(ApiOkResponse.Response(o));
         }
@@ -97,8 +104,13 @@ namespace AyaNova.Api.Controllers
             if (!ModelState.IsValid)
                 return BadRequest(new ApiErrorResponse(ModelState));
             UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
-            if (!Authorized.HasModifyRole(HttpContext.Items, biz.BizType))
+
+            //Also used for Contacts (customer type user or ho type user)
+            //by users with no User right so further biz rule required depending on usertype
+            //this is just phase 1
+            if (!Authorized.HasModifyRole(HttpContext.Items, AyaType.User) && !Authorized.HasModifyRole(HttpContext.Items, AyaType.Customer))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
+
             var o = await biz.PutAsync(updatedObject);//In future may need to return entire object, for now just concurrency token 
             if (o == null)
             {
@@ -126,27 +138,21 @@ namespace AyaNova.Api.Controllers
             //Instantiate the business object handler
             UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
 
-            //If a user has change roles
+            //Also used for Contacts (customer type user or ho type user)
-            if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
+            //by users with no User right so further biz rule required depending on usertype
-            {
+            //this is just phase 1
+            if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.User) && !Authorized.HasCreateRole(HttpContext.Items, AyaType.Customer))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
-            }
 
             if (!ModelState.IsValid)
-            {
                 return BadRequest(new ApiErrorResponse(ModelState));
-            }
-
 
 
             //Create and validate
             dtUser o = await biz.CreateAsync(inObj);
 
             if (o == null)
-            {
-                //error return
                 return BadRequest(new ApiErrorResponse(biz.Errors));
-            }
             else
             {
 
@@ -170,8 +176,14 @@ namespace AyaNova.Api.Controllers
             if (!serverState.IsOpen)
                 return StatusCode(503, new ApiErrorResponse(serverState.ApiErrorCode, null, serverState.Reason));
             UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
-            if (!Authorized.HasCreateRole(HttpContext.Items, biz.BizType))
+
+
+            //Also used for Contacts (customer type user or ho type user)
+            //by users with no User right so further biz rule required depending on usertype
+            //this is just phase 1
+            if (!Authorized.HasCreateRole(HttpContext.Items, AyaType.User) && !Authorized.HasCreateRole(HttpContext.Items, AyaType.Customer))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
+
             if (!ModelState.IsValid)
                 return BadRequest(new ApiErrorResponse(ModelState));
             User o = await biz.DuplicateAsync(id);
@@ -195,8 +207,14 @@ namespace AyaNova.Api.Controllers
             if (!ModelState.IsValid)
                 return BadRequest(new ApiErrorResponse(ModelState));
             UserBiz biz = UserBiz.GetBiz(ct, HttpContext);
-            if (!Authorized.HasDeleteRole(HttpContext.Items, biz.BizType))
+
+            //Also used for Contacts (customer type user or ho type user)
+            //by users with no User right so further biz rule required depending on usertype
+            //this is just phase 1
+            if (!Authorized.HasDeleteRole(HttpContext.Items, AyaType.User) && !Authorized.HasDeleteRole(HttpContext.Items, AyaType.Customer))
                 return StatusCode(403, new ApiNotAuthorizedResponse());
+
+
             if (!await biz.DeleteAsync(id))
                 return BadRequest(new ApiErrorResponse(biz.Errors));
             return NoContent();
@@ -295,7 +313,7 @@ namespace AyaNova.Api.Controllers
             return Ok(ApiOkResponse.Response(ret));
         }
 
-          /// <summary>
+        /// <summary>
         /// Get list of HeadOffice Contact Users
         /// (Rights to HeadOffice object required)
         /// </summary>     
@@ -347,7 +365,7 @@ namespace AyaNova.Api.Controllers
             return Ok(ApiOkResponse.Response(u.UserType != UserType.Customer && u.UserType != UserType.HeadOffice));
         }
 
-      
+
 
         //------------