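/// <summary>
        /// Authorization filter step: lets callers with unrestricted access through, and otherwise
        /// requires write access to the targeted user and, when one is supplied, to the targeted
        /// buyer account. A failed check marks the request as unauthorized on the action context.
        /// </summary>
        /// <param name="actionContext">
        /// The current action context; the <c>userId</c> and <c>buyerAccountUuid</c> values are
        /// taken from its query string.
        /// </param>
        /// <remarks>
        /// NOTE(review): both identifiers are read from the query string only. If an action can also
        /// bind <c>userId</c> or <c>buyerAccountUuid</c> from the route or the request body, the value
        /// checked here may differ from the value the action uses; confirm against the controllers.
        /// </remarks>
        public void OnAuthorization(HttpActionContext actionContext)
        {
            // Super/system administrators may query anything; no per-resource check is needed.
            if (_authorizationService.CanAccessEverything())
            {
                return;
            }

            // Default to the current user when the request carries no userId.
            // Only AgencyAdministrator is allowed, so the write-level check (CanWriteUser) is used.
            // NOTE(review): GetOrSetQueryString presumably writes the default back into the query
            // string so the action sees the same userId that was authorized here; verify.
            var currentUserId = _owinContext.GetCurrentUserId();
            var userId        = actionContext.GetOrSetQueryString("userId", currentUserId);

            if (!_authorizationService.CanWriteUser(userId))
            {
                actionContext.SetUnauthorizedResponse();

                // Fail closed right away: once the request is denied there is no reason to keep
                // parsing caller-supplied parameters or to run further authorization lookups.
                return;
            }

            // Only AgencyAdministrator is allowed, so the write-level check (CanWriteBuyerAccount) is used.
            // The buyer account is optional; the check applies only when the caller supplies one.
            var buyerAccountUuid = actionContext.GetQueryString <Guid?>("buyerAccountUuid");

            if (buyerAccountUuid.HasValue && !_authorizationService.CanWriteBuyerAccount(buyerAccountUuid.Value))
            {
                actionContext.SetUnauthorizedResponse();
            }
        }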