public IActionResult UpdateImage(UpdateImageUserModel imageModel) { string updateQuery = "UPDATE public.\"Image\" SET \"ImageName\" = @ImageName, \"Description\" = @Description, \"Price\" = @price, \"Quantity\" = @quantity, \"Isprivate\" = @IsPrivate, \"ImgByte\" = @ImgByte WHERE \"Id\" = @ImageId"; ImageService service = new ImageService(); if (imageModel.Path != null) { byte[] filebytes = service.ReadAllBytes(imageModel.Path); imageModel.ImgByte = filebytes; } return(ExecuteUpdateImage(updateQuery, imageModel) == true?Json(HttpStatusCode.OK) : Json(HttpStatusCode.BadRequest)); }
//should refactor to avoid duplicate code // surround with transaction public Boolean ExecuteUpdateImage(string updateQuery, UpdateImageUserModel imageUserModel) { bool success = true; //NpgsqlTransaction transaction = null; //first fetch the table to see owner and permissions: string selectSql = "SELECT * FROM public.\"Image\" WHERE \"Id\" = @id"; //transaction = connection.BeginTransaction(); DataTable dt = SelectData(selectSql, "Id", imageUserModel.Id); var objList = DataTableToList <Image>(dt); objList.Cast <Image>().ToList(); if (!objList.Any()) { Console.WriteLine("Image cannot be deleted as it does not exist"); //transaction.Rollback(); return(false); } var previousRecord = objList[0]; if (previousRecord.Isprivate && imageUserModel.CurrentUserId != previousRecord.UserId) { //users that aren't owners shouldn't be able to modify these fields: if (previousRecord.Isprivate != imageUserModel.Isprivate || previousRecord.Price != imageUserModel.Price || previousRecord.ImageName != imageUserModel.ImageName) { Console.WriteLine("Image cannot be modified as the current user does not have rights to modify!"); //transaction.Rollback(); return(false); } } connection.Open(); using (var cmd = new NpgsqlCommand(updateQuery, connection)) { try { cmd.Parameters.AddWithValue("ImageId", imageUserModel.Id); cmd.Parameters.AddWithValue("ImageName", imageUserModel.ImageName); cmd.Parameters.AddWithValue("Description", imageUserModel.Description); cmd.Parameters.AddWithValue("price", imageUserModel.Price); cmd.Parameters.AddWithValue("quantity", imageUserModel.Quantity); cmd.Parameters.AddWithValue("IsPrivate", imageUserModel.Isprivate); cmd.Parameters.AddWithValue("ImgByte", imageUserModel.ImgByte); int result = cmd.ExecuteNonQuery(); if (result < 0) { success = false; } } catch (SqlException e) { Console.WriteLine("SqlException caught " + e); } } //transaction.Commit(); connection.Close(); return(success); }