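// POST odata/ElementField
/// <summary>
/// Creates a new element field under an element owned by the current user.
/// </summary>
/// <param name="patch">Delta carrying the element field sent by the client.</param>
/// <returns>
/// 400 when no delta was bound, 403 when the target element is missing or belongs to another
/// user, otherwise the Created result for the stored element field.
/// </returns>
public async Task<IHttpActionResult> Post(Delta<ElementField> patch)
{
    // A body that cannot be bound would otherwise fail on GetEntity() with a NullReferenceException.
    if (patch == null)
    {
        return BadRequest();
    }

    var elementField = patch.GetEntity();

    // Don't allow the user to set these fields / coni2k - 29 Jul. '17
    // TODO Use ForbiddenFieldsValidator?: Currently breeze doesn't allow to post custom (delta) entity
    // TODO Or use DTO?: Needs a different metadata than the context, which can be overkill
    elementField.Id = 0;
    elementField.IndexRatingTotal = 0;
    elementField.IndexRatingCount = 0;
    elementField.CreatedOn = DateTime.UtcNow;
    elementField.ModifiedOn = DateTime.UtcNow;
    elementField.DeletedOn = null;

    // Owner check: Entity must belong to the current user.
    // The owner id is projected as nullable so that "element not found" (null) cannot be
    // confused with a real id. With a plain int, a missing element yields 0, which would
    // equal the value GetUserId<int>() is expected to return for an identity without an id
    // claim, and the check below would pass.
    var ownerId = await _resourcePoolManager
        .GetElementSet(elementField.ElementId, true, item => item.ResourcePool)
        .Select(item => (int?)item.ResourcePool.UserId)
        .Distinct()
        .SingleOrDefaultAsync();

    var currentUserId = User.Identity.GetUserId<int>();

    if (!ownerId.HasValue || ownerId.Value != currentUserId)
    {
        return StatusCode(HttpStatusCode.Forbidden);
    }

    await _resourcePoolManager.AddElementFieldAsync(elementField);

    return Created(elementField);
}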
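/// <summary>
/// Applies a partial update to the element identified by <paramref name="key"/>, provided the
/// element belongs to the current user.
/// </summary>
/// <param name="key">Key of the element to update.</param>
/// <param name="patch">Delta holding the properties sent by the client.</param>
/// <returns>
/// 400 when no delta was bound, 404 when no element matches the key, 403 when the caller is
/// not the owner, otherwise 200 with the updated element.
/// </returns>
public async Task<IHttpActionResult> Patch(int key, Delta<Element> patch)
{
    // A body that cannot be bound would otherwise fail on patch.Patch() with a NullReferenceException.
    if (patch == null)
    {
        return BadRequest();
    }

    var element = await _resourcePoolManager
        .GetElementSet(key, true, item => item.ResourcePool)
        .SingleOrDefaultAsync();

    // SingleOrDefaultAsync yields null for an unknown key; without this guard the owner
    // check below dereferences null and the request ends in an unhandled exception.
    if (element == null)
    {
        return NotFound();
    }

    // Owner check: Entity must belong to the current user
    var currentUserId = User.Identity.GetUserId<int>();

    if (currentUserId != element.ResourcePool.UserId)
    {
        return StatusCode(HttpStatusCode.Forbidden);
    }

    // NOTE(review): Patch() copies every property present in the request onto the tracked
    // entity, and nothing in this method excludes server-managed fields (keys, audit
    // timestamps, owner references, if Element has them). Confirm that a validator or
    // filter elsewhere restricts what the client may change.
    patch.Patch(element);

    await _resourcePoolManager.SaveChangesAsync();

    return Ok(element);
}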