// POST odata/UserResourcePool public async Task <IHttpActionResult> Post(Delta <UserResourcePool> patch) { var userResourcePool = patch.GetEntity(); // Don't allow the user to set these fields / coni2k - 29 Jul. '17 // TODO Use ForbiddenFieldsValidator?: Currently breeze doesn't allow to post custom (delta) entity // TODO Or use DTO?: Needs a different metadata than the context, which can be overkill //userResourcePool.UserId = 0; userResourcePool.CreatedOn = DateTime.UtcNow; userResourcePool.ModifiedOn = DateTime.UtcNow; userResourcePool.DeletedOn = null; // Owner check: Entity must belong to the current user // REMARK UserCommandTreeInterceptor already filters "userId" on EntityFramework level, but that might be removed later on / coni2k - 31 Jul. '17 var currentUserId = User.Identity.GetUserId <int>(); if (currentUserId != userResourcePool.UserId) { return(StatusCode(HttpStatusCode.Forbidden)); } await _resourcePoolManager.AddUserResourcePoolAsync(userResourcePool); return(Created(userResourcePool)); }