public HttpResponseMessage PutExpenseImage(int id, ExpenseDto dto)
{
if (!ModelState.IsValid)
{
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
}
if (id != dto.ExpenseId)
{
return Request.CreateResponse(HttpStatusCode.BadRequest);
}
var existingExpense = Uow.Expenses.Include(e => e.ExpenseReport.Employee).GetById(id);
if (existingExpense.ExpenseReport.Employee.UserId != User.Identity.Name)
{
// Trying to modify a record that does not belong to the user
return Request.CreateResponse(HttpStatusCode.Unauthorized);
}
// We only update images in this controller
existingExpense.Image = dto.Image;
existingExpense.ImageType = dto.ImageType;
try
{
Uow.Expenses.Update(existingExpense);
Uow.Commit();
}
catch (DbUpdateConcurrencyException)
{
return Request.CreateResponse(HttpStatusCode.InternalServerError);
}
return Request.CreateResponse(HttpStatusCode.OK);
}
public HttpResponseMessage PostExpense(ExpenseDto dto)
{
if (!ModelState.IsValid)
{
return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
}
var existingExpenseReport = Uow.ExpenseReports.Include(e => e.Employee).GetById(dto.ExpenseReportId);
if (existingExpenseReport.Employee.UserId != User.Identity.Name)
{
// Trying to modify a record that does not belong to the user
return Request.CreateResponse(HttpStatusCode.Unauthorized);
}
var expense = new Model.Expense { ExpenseReport = existingExpenseReport };
dto.UpdateEntity(expense);
try
{
Uow.Expenses.Add(expense);
Uow.Commit();
dto.ExpenseId = expense.Id;
}
catch (Exception exp)
{
return Request.CreateResponse(HttpStatusCode.InternalServerError, exp.Message);
}
var response = Request.CreateResponse(HttpStatusCode.Created, dto);
response.Headers.Location = new Uri(Url.Link("DefaultApi", new { id = dto.ExpenseId }));
return response;
}
public HttpResponseMessage GetExpenseImage(int id)
{
var expense = Uow.Expenses.Include(e => e.ExpenseReport.Employee).GetById(id);
if (expense == null)
{
throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.NotFound));
}
if (expense.ExpenseReport.Employee.UserId != User.Identity.Name)
{
// Trying to access a record that does not belong to the user
throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.Unauthorized));
}
var dto = new ExpenseDto
{
Image = expense.Image,
ImageType = expense.ImageType
};
var response = Request.CreateResponse(HttpStatusCode.Created, dto);
//response.Headers.CacheControl = new System.Net.Http.Headers.CacheControlHeaderValue { MaxAge = new System.TimeSpan(0, 10, 0) };
return response;
}
