Esempio n. 1
        // POST odata/ElementCell
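        /// <summary>
        /// Creates a new ElementCell from the posted delta. Server-controlled fields are
        /// reset first, then the target element field is checked to belong to a resource
        /// pool owned by the calling user before the cell is stored.
        /// </summary>
        /// <param name="patch">Posted delta; the entity to store is taken from GetEntity().</param>
        /// <returns>
        /// 400 when no delta was bound, 403 when the owner check fails, otherwise the
        /// Created result for the stored cell.
        /// </returns>
        public async Task<IHttpActionResult> Post(Delta<ElementCell> patch)
        {
            // The bound parameter can be null when the request body is missing or cannot be
            // read as a delta; answer 400 rather than dereferencing it below.
            if (patch == null)
            {
                return BadRequest();
            }

            var elementCell = patch.GetEntity();

            // Over-posting guard: don't allow the user to set these fields / coni2k - 29 Jul. '17
            // TODO Use ForbiddenFieldsValidator?: Currently breeze doesn't allow to post custom (delta) entity
            // TODO Or use DTO?: Needs a different metadata than the context, which can be overkill
            // NOTE(review): only the fields listed here are reset; confirm ElementCell has no other
            // server-controlled property that a client could supply through the delta.
            var now = DateTime.UtcNow; // one reading, so CreatedOn and ModifiedOn are identical
            elementCell.Id = 0;
            elementCell.NumericValueTotal = 0;
            elementCell.NumericValueCount = 0;
            elementCell.CreatedOn = now;
            elementCell.ModifiedOn = now;
            elementCell.DeletedOn = null;

            // Owner check: the element field must belong to a resource pool of the current user
            var userId = await _resourcePoolManager
                         .GetElementFieldSet(elementCell.ElementFieldId, true, item => item.Element.ResourcePool)
                         .Select(item => item.Element.ResourcePool.UserId)
                         .Distinct()
                         .SingleOrDefaultAsync();

            var currentUserId = User.Identity.GetUserId<int>();

            // SingleOrDefaultAsync yields 0 when no element field matched. GetUserId<int>() is
            // presumably the ASP.NET Identity extension, which yields 0 when the identity has
            // no id claim. Without the explicit default check, a caller with no id and an
            // unknown ElementFieldId would compare 0 == 0 and pass.
            // NOTE(review): whether this action is already covered by [Authorize] is not visible here.
            if (userId == default(int) || currentUserId != userId)
            {
                return StatusCode(HttpStatusCode.Forbidden);
            }

            await _resourcePoolManager.AddElementCellAsync(elementCell);

            return Created(elementCell);
        }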