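/// <summary>
/// Applies a partial update to the user element field identified by
/// <paramref name="userId"/> and <paramref name="elementFieldId"/>.
/// </summary>
/// <param name="userId">Owner of the entity; must equal the authenticated user's id.</param>
/// <param name="elementFieldId">Element field part of the lookup.</param>
/// <param name="patch">Set of changed properties sent by the client.</param>
/// <returns>
/// 403 when the caller is not the owner, 400 when the request body is missing or
/// invalid, 404 when no matching entity exists, otherwise 200 with the updated entity.
/// </returns>
public async Task<IHttpActionResult> Patch(int userId, int elementFieldId, Delta<UserElementField> patch)
{
    // Owner check: Entity must belong to the current user.
    // Done before any lookup so a non-owner cannot learn whether the entity exists.
    var currentUserId = User.Identity.GetUserId<int>();
    if (currentUserId != userId)
    {
        return StatusCode(HttpStatusCode.Forbidden);
    }

    // A missing or unparsable body leaves the delta null; reject it instead of
    // failing later with a null dereference.
    if (patch == null)
    {
        return BadRequest();
    }

    if (!ModelState.IsValid)
    {
        return BadRequest(ModelState);
    }

    // REMARK UserCommandTreeInterceptor already filters "userId" on EntityFramework level, but that might be removed later on / coni2k - 31 Jul. '17
    var userElementField = await _resourcePoolManager
        .GetUserElementFieldSet(userId, elementFieldId)
        .SingleOrDefaultAsync();

    // SingleOrDefaultAsync yields null when nothing matches; answer 404 rather than
    // letting patch.Patch(null) throw and surface as a 500.
    if (userElementField == null)
    {
        return NotFound();
    }

    // NOTE(review): Delta<T>.Patch copies every property the client sent onto the entity.
    // Confirm that key/ownership properties cannot be reassigned through this endpoint;
    // if they can, compare patch.GetChangedPropertyNames() against an allow-list first.
    patch.Patch(userElementField);

    await _resourcePoolManager.SaveChangesAsync();

    return Ok(userElementField);
}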