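// POST odata/ElementCell
/// <summary>
/// Creates a new element cell from the posted delta after resetting the
/// server-controlled fields and verifying that the parent element field
/// belongs to a resource pool owned by the current user.
/// </summary>
/// <param name="patch">Delta carrying the client-supplied element cell values.</param>
/// <returns>
/// 400 when no payload was bound, 403 when the owner check fails,
/// otherwise the Created result for the stored entity.
/// </returns>
public async Task<IHttpActionResult> Post(Delta<ElementCell> patch)
{
    // A body that could not be bound arrives as null; reject it instead of
    // failing with a NullReferenceException below.
    if (patch == null)
    {
        return StatusCode(HttpStatusCode.BadRequest);
    }

    var elementCell = patch.GetEntity();

    // Don't allow the user to set these fields / coni2k - 29 Jul. '17
    // TODO Use ForbiddenFieldsValidator?: Currently breeze doesn't allow to post custom (delta) entity
    // TODO Or use DTO?: Needs a different metadata than the context, which can be overkill
    // Overwriting them here is the mass-assignment guard: whatever the client
    // sent for identity, aggregate and audit columns is discarded.
    var utcNow = DateTime.UtcNow;
    elementCell.Id = 0;
    elementCell.NumericValueTotal = 0;
    elementCell.NumericValueCount = 0;
    elementCell.CreatedOn = utcNow;
    elementCell.ModifiedOn = utcNow;
    elementCell.DeletedOn = null;

    // Owner check: Entity must belong to the current user.
    // The owner id is projected as int? so that "no matching element field"
    // yields null rather than default(int). GetUserId<int>() also yields
    // default(int) when the identity carries no id claim, so comparing two raw
    // ints would let "no owner" equal "no user" and pass the check.
    // NOTE(review): whether this action requires authentication is not visible
    // here - confirm an [Authorize] filter applies to the controller.
    var ownerId = await _resourcePoolManager
        .GetElementFieldSet(elementCell.ElementFieldId, true, item => item.Element.ResourcePool)
        .Select(item => (int?)item.Element.ResourcePool.UserId)
        .Distinct()
        .SingleOrDefaultAsync();

    var currentUserId = User.Identity.GetUserId<int>();

    // Fail closed: an unknown element field is treated like a foreign one.
    if (ownerId == null || ownerId.Value != currentUserId)
    {
        return StatusCode(HttpStatusCode.Forbidden);
    }

    await _resourcePoolManager.AddElementCellAsync(elementCell);

    return Created(elementCell);
}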