        // POST odata/UserResourcePool
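        /// <summary>
        /// Creates a new <see cref="UserResourcePool"/> from the entity carried in the posted delta.
        /// </summary>
        /// <param name="patch">Delta holding the client-supplied entity; a missing body binds as null.</param>
        /// <returns>
        /// 201 Created with the stored entity; 400 Bad Request when no entity was posted;
        /// 403 Forbidden when the posted UserId is not the authenticated user's id.
        /// </returns>
        public async Task<IHttpActionResult> Post(Delta<UserResourcePool> patch)
        {
            // A request without a body arrives as a null delta; calling GetEntity() on it would
            // surface as an unhandled NullReferenceException (500) rather than a client error.
            if (patch == null)
            {
                return BadRequest();
            }

            var userResourcePool = patch.GetEntity();

            // Server-controlled fields: overwrite whatever the client sent / coni2k - 29 Jul. '17
            // TODO Use ForbiddenFieldsValidator?: Currently breeze doesn't allow to post custom (delta) entity
            // TODO Or use DTO?: Needs a different metadata than the context, which can be overkill
            //userResourcePool.UserId = 0;
            // One timestamp so CreatedOn and ModifiedOn are identical on insert.
            var now = DateTime.UtcNow;
            userResourcePool.CreatedOn = now;
            userResourcePool.ModifiedOn = now;
            userResourcePool.DeletedOn = null;

            // Owner check: UserId comes from the request body and is untrusted, so the entity
            // must belong to the authenticated user before anything is persisted.
            // REMARK UserCommandTreeInterceptor already filters "userId" on EntityFramework level, but that might be removed later on / coni2k - 31 Jul. '17
            var currentUserId = User.Identity.GetUserId<int>();

            if (currentUserId != userResourcePool.UserId)
            {
                return StatusCode(HttpStatusCode.Forbidden);
            }

            await _resourcePoolManager.AddUserResourcePoolAsync(userResourcePool);

            return Created(userResourcePool);
        }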