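        /// <summary>
        /// Applies an edit to the survey identified by <paramref name="id"/>.
        /// </summary>
        /// <param name="id">Key of the survey to edit; looked up via <c>surveys.FindAsync</c>.</param>
        /// <param name="editDetails">Incoming edit payload bound from the request body. May be null when the body is missing or fails to bind.</param>
        /// <returns>
        /// 404 when the survey does not exist; 400 when no payload was bound; 403 when the caller is neither the owner
        /// nor a shared (co-admin) user; otherwise a JSON object with either <c>error</c> (from <see cref="SurveyException"/>)
        /// or <c>success = "saved"</c>.
        /// </returns>
        public async Task <ActionResult> Edit(string id, [System.Web.Http.FromBody] SurveyEditViewModel editDetails)
        {
            var survey = await surveys.FindAsync(id);

            if (survey == null)
            {
                return(HttpNotFound());
            }

            // Model binding yields null for an absent/unparseable body; reject it before it is dereferenced
            // below or handed to EditAsync. Checked after the lookup so a missing survey still reports 404.
            if (editDetails == null)
            {
                return(new HttpStatusCodeResult(HttpStatusCode.BadRequest));
            }

            // Membership uses the default ordinal string comparison, matching the owner check below.
            bool isCoAdmin = survey.SharedUsers.Select(u => u.UserName).Contains(security.UserName);

            // Authorization: only the owner or a co-admin may edit.
            if (survey.Owner.UserName != security.UserName && !isCoAdmin)
            {
                return(new HttpStatusCodeResult(HttpStatusCode.Forbidden));
            }

            // "Reset" the incoming co-admins field: only owners may change the shared-user list,
            // so a co-admin's submitted value is replaced with the persisted one.
            if (isCoAdmin)
            {
                editDetails.SharedUsers = survey.SharedUsers.Select(u => u.UserName);
            }

            try
            {
                await surveys.EditAsync(survey, editDetails);
            }
            catch (SurveyException e)
            {
                // Domain validation failures are reported to the client as a JSON error payload.
                return(Json(new { error = e.Message }));
            }

            return(Json(new { success = "saved" }));
        }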