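/// <summary>
/// Applies the edits in <paramref name="editDetails"/> to the survey identified by
/// <paramref name="id"/>. The caller must be the survey's owner or one of its
/// <c>SharedUsers</c> (co-admins); only the owner may change the co-admin list.
/// </summary>
/// <param name="id">Survey identifier passed straight to <c>surveys.FindAsync</c>.</param>
/// <param name="editDetails">Edited field values bound from the request body; may be null if binding failed.</param>
/// <returns>
/// 404 when no survey has that id; 403 when the caller is neither owner nor co-admin;
/// 400 when the request body did not bind; otherwise a JSON object with either
/// <c>success</c> or <c>error</c> (the <c>SurveyException</c> message).
/// </returns>
// NOTE(review): HttpNotFound/HttpStatusCodeResult/Json are System.Web.Mvc members, while
// [System.Web.Http.FromBody] is the Web API attribute, which MVC model binding does not
// honour — confirm the body binds as intended. [HttpPost]/[ValidateAntiForgeryToken] are not
// visible in this snippet; they may sit on the lines above it — verify.
public async Task<ActionResult> Edit(string id, [System.Web.Http.FromBody] SurveyEditViewModel editDetails)
{
    var survey = await surveys.FindAsync(id);
    if (survey == null)
    {
        return HttpNotFound();
    }

    // Authorisation: owner or any user listed in SharedUsers may edit.
    // string == / != and the default string comparer are both ordinal, so this matches the
    // original Select(...).Contains(...) check exactly.
    bool isOwner = survey.Owner.UserName == security.UserName;
    bool isCoAdmin = survey.SharedUsers.Any(u => u.UserName == security.UserName);
    if (!isOwner && !isCoAdmin)
    {
        return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }

    // A body that failed to bind would otherwise surface as a NullReferenceException (500)
    // at the SharedUsers reset below or inside EditAsync; answer 400 instead.
    if (editDetails == null)
    {
        return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
    }

    // Only the owner may change the co-admin list, so overwrite the incoming value with the
    // stored one for everyone else. Keying this on !isOwner rather than isCoAdmin means an
    // owner who also appears in SharedUsers keeps the ability to edit the list.
    if (!isOwner)
    {
        editDetails.SharedUsers = survey.SharedUsers.Select(u => u.UserName);
    }

    try
    {
        await surveys.EditAsync(survey, editDetails);
    }
    catch (SurveyException e)
    {
        // Domain validation failure: report the message to the client as a JSON error.
        return Json(new { error = e.Message });
    }

    return Json(new { success = "saved" });
}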