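/// <summary>
/// Adds a deviation to the work month named by <paramref name="inputDeviation"/>.WorkMonthId,
/// creating that month first when no month with that id exists.
/// </summary>
/// <param name="inputDeviation">The deviation to add. Both its WorkMonthId and its userId are caller-supplied.</param>
/// <exception cref="ArgumentNullException"><paramref name="inputDeviation"/> is null.</exception>
/// <exception cref="UnauthorizedAccessException">The target month belongs to a user other than <paramref name="inputDeviation"/>.userId.</exception>
/// <exception cref="InvalidOperationException">The target month is already approved or already submitted.</exception>
public void AddDeviation(DeviationDto inputDeviation) // What if WorkMonth.Id is manipulated?
{
    if (inputDeviation == null)
    {
        throw new ArgumentNullException(nameof(inputDeviation), "Bad input, deviation is null");
    }

    // Sync-over-async: the signature is synchronous, so the repository calls are blocked on
    // here as before. Making the method Task-returning would be the proper fix.
    var targetWorkMonth = _timeKeeperRepo.GetWorkMonthByIdAsync(inputDeviation.WorkMonthId).Result; // Is user member of organisation?

    if (targetWorkMonth == null)
    {
        // No month with the requested id: create one for this user and re-point the deviation at it.
        targetWorkMonth = GetNotYetCreatedWorkmonth(inputDeviation.RequestedDate);
        targetWorkMonth.UserId = inputDeviation.userId;
        targetWorkMonth = _timeKeeperRepo.AddWorkMonth(targetWorkMonth).Result;
        inputDeviation.WorkMonthId = targetWorkMonth.Id;
    }

    // Ownership is checked before the state checks so that a caller who supplies someone
    // else's WorkMonthId learns nothing about that month (approved / submitted), only that
    // access is denied. NOTE(review): inputDeviation.userId arrives in the request body; this
    // check only defends against a manipulated WorkMonthId if the caller has already replaced
    // userId with the authenticated identity — confirm at the controller.
    if (targetWorkMonth.UserId != inputDeviation.userId)
    {
        throw new UnauthorizedAccessException();
    }

    if (targetWorkMonth.IsApproved)
    {
        throw new InvalidOperationException("Cannot add deviation to allready approved month.");
    }

    if (targetWorkMonth.IsSubmitted)
    {
        throw new InvalidOperationException("The month is submitted, unsubmit and try again.");
    }

    var result = _mapper.Map<Deviation>(inputDeviation);

    // The original discarded this Task (presumably Task-returning, given the Async suffix):
    // the method returned before the insert finished and any repository failure went
    // unobserved. Block on it so errors surface to the caller.
    _timeKeeperRepo.AddDeviationAsync(result).GetAwaiter().GetResult();
}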
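/// <summary>
/// Checks that <paramref name="inputDeviation"/> may be added to its work month: the month must
/// exist, belong to <paramref name="inputDeviation"/>.userId, and be neither approved nor submitted.
/// </summary>
/// <param name="inputDeviation">The deviation to validate.</param>
/// <returns>Always <c>true</c>; every failing condition throws instead of returning <c>false</c>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="inputDeviation"/> is null.</exception>
/// <exception cref="InvalidOperationException">The month does not exist, is already approved, or is already submitted.</exception>
/// <exception cref="UnauthorizedAccessException">The month belongs to another user.</exception>
private bool ValidateInputDeviationInput(DeviationDto inputDeviation)
{
    if (inputDeviation == null)
    {
        throw new ArgumentNullException(nameof(inputDeviation));
    }

    // Sync-over-async, kept because the signature is synchronous.
    var requestedMonth = _timeKeeperRepo.GetWorkMonthByIdAsync(inputDeviation.WorkMonthId).Result;

    // The original dereferenced a missing month and failed with NullReferenceException.
    if (requestedMonth == null)
    {
        throw new InvalidOperationException("Work month not found.");
    }

    // Ownership first, so a foreign WorkMonthId yields only "Unauthorized." and not the
    // month's approval/submission state. Same exception type as AddDeviation uses.
    if (inputDeviation.userId != requestedMonth.UserId)
    {
        throw new UnauthorizedAccessException("Unauthorized.");
    }

    if (requestedMonth.IsApproved)
    {
        throw new InvalidOperationException("Cannot add deviations to allready approved months.");
    }

    if (requestedMonth.IsSubmitted)
    {
        throw new InvalidOperationException("Cannot add deviations to allready submitted months. Recall the month and try again.");
    }

    return true;
}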