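/// <summary>
/// Creates a new enrolment status for the enrollee identified by <paramref name="enrolleeId"/>.
/// </summary>
/// <param name="enrolleeId">Identifier of the enrollee whose status is being changed.</param>
/// <param name="status">Requested status; its <c>Code</c> must be present and at least 1.</param>
/// <returns>
/// 404 when no enrollee has the given id; 403 when <c>BelongsToEnrollee</c> rejects the caller;
/// 400 when the status code is missing/invalid or the transition is refused by
/// <c>IsStatusChangeAllowed</c>; otherwise 200 with the created <c>EnrolmentStatus</c>.
/// </returns>
/// <remarks>
/// The ownership check runs before any request-body validation so that a caller who is not
/// permitted to act on this enrollee never receives validation or state-transition feedback
/// (which would otherwise disclose the enrollee's current status code in the 400 message).
/// NOTE(review): a caller who does not own the record can still tell "exists" (403) from
/// "does not exist" (404). If enrollee ids are guessable, consider returning the same response
/// for both cases; left unchanged here because clients may depend on the 404.
/// NOTE(review): the transition is validated against the enrollee loaded at the top of the
/// method and then written by a separate service call; whether the service re-checks the
/// transition atomically is not visible here and should be confirmed.
/// </remarks>
public async Task<ActionResult<EnrolmentStatus>> CreateEnrolmentStatus(int enrolleeId, Status status)
{
    var enrollee = await _enrolleeService.GetEnrolleeAsync(enrolleeId);
    if (enrollee == null)
    {
        return NotFound(new ApiResponse(404, $"Enrollee not found with id {enrolleeId}"));
    }

    // Authorize first: presumably BelongsToEnrollee lets admins through and otherwise requires
    // the enrollee to match the current user (per the original comment; verify in the helper).
    if (!BelongsToEnrollee(enrollee))
    {
        return Forbid();
    }

    // Input validation only for callers already authorized for this enrollee.
    if (status?.Code == null || status.Code < 1)
    {
        this.ModelState.AddModelError("Status.Code", "Status Code is required to create statuses.");
        return BadRequest(new ApiBadRequestResponse(this.ModelState));
    }

    // Business rule: only transitions the service allows from the current status are accepted.
    if (!_enrolleeService.IsStatusChangeAllowed(enrollee.CurrentStatus?.Status, status))
    {
        this.ModelState.AddModelError("Status.Code", $"Cannot change from current Status Code: {enrollee.CurrentStatus?.Status?.Code} to the new Status Code: {status.Code}");
        return BadRequest(new ApiBadRequestResponse(this.ModelState));
    }

    var enrolmentStatus = await _enrolleeService.CreateEnrolmentStatusAsync(enrolleeId, status);
    return Ok(new ApiOkResponse<EnrolmentStatus>(enrolmentStatus));
}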