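/// <summary>
/// Returns a single order belonging to <paramref name="customerID"/>.
/// Non-admin callers may only read their own orders; callers in <c>Role.Admin</c>
/// may read any customer's orders.
/// </summary>
/// <param name="customerID">Customer the order is expected to belong to (from the route).</param>
/// <param name="orderID">Identifier of the order to fetch.</param>
/// <returns>
/// 200 with the mapped <see cref="OrderDto"/>; 403 when the caller is neither the
/// customer nor an admin (or the caller's identity cannot be read as a customer id);
/// 404 when the order does not exist OR belongs to a different customer — the same
/// status for both cases, so the response does not disclose whether an order id
/// exists under another customer.
/// </returns>
public async Task<ActionResult<OrderDto>> GetOrder(int customerID, int orderID)
{
    // Authorization first, before touching the database.
    // Fail closed: an identity name that is missing or not an integer is treated as
    // "not this customer" rather than throwing (the original int.Parse would 500 here).
    // Invariant culture so the id is parsed the same way regardless of the server's locale.
    var callerIsCustomer =
        int.TryParse(
            User.Identity?.Name,
            System.Globalization.NumberStyles.Integer,
            System.Globalization.CultureInfo.InvariantCulture,
            out var callerId)
        && callerId == customerID;

    if (!callerIsCustomer && !User.IsInRole(Role.Admin))
    {
        return Forbid();
    }

    _orm.OpenConn();
    try
    {
        var orderFromDB = await _orm.GetOrderById(orderID);

        // Ownership check: the order must belong to the customer named in the route,
        // otherwise an admin-less caller could enumerate other customers' orders by id.
        // Deliberately NotFound (not Forbid) so a foreign order looks identical to a missing one.
        if (orderFromDB == null || orderFromDB.Customer.Id != customerID)
        {
            return NotFound();
        }

        var orderDto = _mapper.Map<OrderDto>(orderFromDB);
        return Ok(orderDto);
    }
    finally
    {
        // Always release the connection — the original only closed it on the success
        // path, leaking it on NotFound and on any exception from GetOrderById/Map.
        await _orm.CloseConn();
    }
}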