// POST odata/Element public async Task <IHttpActionResult> Post(Delta <Element> patch) { var element = patch.GetEntity(); // Don't allow the user to set these fields / coni2k - 29 Jul. '17 // TODO Use ForbiddenFieldsValidator?: Currently breeze doesn't allow to post custom (delta) entity // TODO Or use DTO?: Needs a different metadata than the context, which can be overkill element.Id = 0; element.CreatedOn = DateTime.UtcNow; element.ModifiedOn = DateTime.UtcNow; element.DeletedOn = null; // Owner check: Entity must belong to the current user var r = await _resourcePoolManager .GetResourcePoolSet(element.ResourcePoolId) .SingleOrDefaultAsync(); var userId = await _resourcePoolManager .GetResourcePoolSet(element.ResourcePoolId) .Select(item => item.UserId) .Distinct() .SingleOrDefaultAsync(); var currentUserId = User.Identity.GetUserId <int>(); if (currentUserId != userId) { return(StatusCode(HttpStatusCode.Forbidden)); } await _resourcePoolManager.AddElementAsync(element); return(Created(element)); }