/// <summary>
/// Updates the account of the user with id <paramref name="userId"/> from the supplied resource.
/// </summary>
/// <param name="userId">Id of the user whose account is updated.</param>
/// <param name="userResource">Incoming account data; an <c>InstitutionId</c>, when present, must be at least 1 and refer to an existing institution.</param>
/// <returns>
/// 200 with the mapped <see cref="UserResourceResult"/> on success; 400 for an institution id below 1;
/// 404 when the institution or the user cannot be found; 401 when the caller lacks the required scope,
/// or holds only institution-scoped/own-account rights and tries to change the institution id.
/// </returns>
public async Task<IActionResult> UpdateAccount(int userId, [FromBody] UserResource userResource)
{
    // NOTE(review): there is no null guard on userResource — presumably [ApiController] model validation
    // rejects a missing body before this runs (not visible here); otherwise the first dereference throws. Confirm.

    // Optional institution: check the id range, then make sure the institution exists, before the user is loaded.
    // NOTE(review): this existence lookup runs before the scope check further down, so any caller reaching this
    // action can learn whether an institution id exists. Low sensitivity, but authorizing first would close that oracle.
    if (userResource.InstitutionId is int institutionId)
    {
        if (institutionId < 1)
        {
            return BadRequest(Describe(
                "Failed getting institution.",
                "The id of an institution can't be smaller than 1",
                "7C50A0D7-459D-473B-9ADE-7FC5B7EEE39E"));
        }

        Institution foundInstitution = await institutionService.FindAsync(institutionId);
        if (foundInstitution is null)
        {
            return NotFound(Describe(
                "Failed getting institution.",
                "The institution could not be found in the database.",
                "6DECDE32-BE44-43B1-9DDD-4D14AE9CE731"));
        }
    }

    User userToUpdate = await userService.FindAsync(userId);
    if (userToUpdate is null)
    {
        return NotFound(Describe(
            "Failed getting the user account.",
            "The database does not contain a user with that user id.",
            "EF4DA55A-C31A-4BC4-AE30-098DEB0D3457"));
    }

    User currentUser = await HttpContext.GetContextUser(userService).ConfigureAwait(false);

    // Full allowance: the UserWrite scope lets the caller edit any account, institution id included.
    bool hasFullAllowance = userService.UserHasScope(currentUser.IdentityId, nameof(Defaults.Scopes.UserWrite));

    // Institution-excluded allowance: the caller edits its own account, or holds InstitutionUserWrite for the
    // same institution as the target user. The `||` short-circuits, so the helper only runs for other accounts.
    bool hasInstitutionExcludedAllowance =
        currentUser.Id == userId
        || await authorizationHelper.SameInstitutionAndInstitutionScope(
            currentUser,
            nameof(Defaults.Scopes.InstitutionUserWrite),
            userToUpdate.Id);

    if (!hasFullAllowance && !hasInstitutionExcludedAllowance)
    {
        // NOTE(review): Unauthorized() yields 401 for an authenticated caller that merely lacks rights; 403 via
        // Forbid() is the conventional status. Kept as-is because clients may depend on the current code.
        return Unauthorized(Describe(
            "Failed to edit the user.",
            "The user is not allowed to edit this user.",
            "E28BEBC0-AE7C-49F5-BDDC-3C13972B75D0"));
    }

    // The institution-excluded allowance may change everything except the institution id: a supplied id has to
    // match the stored one. A null id is deliberately let through, because a data officer is allowed to remove
    // a user from their institution.
    // NOTE(review): this guard also fires when hasFullAllowance is true (e.g. a UserWrite holder editing its own
    // account), and the null case is reached on the own-account path as well — whether mapper.Map then clears
    // the stored institution depends on the mapping profile, which is not visible here. Confirm both are intended.
    if (hasInstitutionExcludedAllowance
        && userResource.InstitutionId is int requestedInstitutionId
        && requestedInstitutionId != userToUpdate.InstitutionId)
    {
        return Unauthorized(Describe(
            "Failed to edit the user",
            "The user has not enough rights to update the institution id",
            "DD72C521-1D06-4E11-A0E0-AAE515E7F900"));
    }

    mapper.Map(userResource, userToUpdate);
    userService.Update(userToUpdate);
    userService.Save();

    return Ok(mapper.Map<User, UserResourceResult>(userToUpdate));

    // Builds the ProblemDetails payload used by every error response of this action.
    ProblemDetails Describe(string title, string detail, string instance) => new ProblemDetails
    {
        Title = title,
        Detail = detail,
        Instance = instance,
    };
}