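/// <summary>
/// Replaces the stored consultant identified by <paramref name="id"/> with the
/// values supplied in the request body.
/// </summary>
/// <param name="id">Identifier of the record to update; it overrides any ID sent in the body.</param>
/// <param name="consultant">Replacement values, bound from the request body.</param>
/// <exception cref="HttpResponseException">
/// 404 when no consultant with <paramref name="id"/> exists; 400 when the request
/// body is missing or could not be bound.
/// </exception>
/// <remarks>
/// This method performs no ownership check of its own. The comparison between the
/// stored owner and the caller was moved to the authorization manager, so the
/// action is only safe while that manager runs in front of it.
/// </remarks>
public void Put(int id, [FromBody] Consultant consultant)
{
    // Make sure the record exists before touching it.
    // NOTE(review): GetAll() followed by FirstOrDefault may enumerate the whole
    // set depending on what the repository returns - confirm.
    var oldConsultant = _repository.GetAll().FirstOrDefault(c => c.ID == id);
    if (oldConsultant == null)
    {
        throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.NotFound));
    }

    // An empty or unparseable body leaves the [FromBody] parameter null; reject it
    // explicitly instead of failing with a NullReferenceException further down.
    if (consultant == null)
    {
        throw new HttpResponseException(new HttpResponseMessage(HttpStatusCode.BadRequest));
    }

    // Server-controlled fields: never trust the ID or Owner sent by the client.
    consultant.ID = id;
    consultant.Owner = Thread.CurrentPrincipal.Identity.Name;

    // The check that oldConsultant.Owner matches the caller (previously a
    // SecurityException thrown here) now lives in the authorization manager.
    // Because Owner is overwritten with the caller's name just above, that
    // external check is the only thing keeping one user from overwriting and
    // taking ownership of another user's record.
    // NOTE(review): every other property of the body is persisted as received;
    // confirm Consultant has no fields that callers should not be able to set.
    _repository.Update(consultant);
}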