public async Task <IHttpActionResult> Patch(int userId, int resourcePoolId, Delta <UserResourcePool> patch) { // Owner check: Entity must belong to the current user var currentUserId = User.Identity.GetUserId <int>(); if (currentUserId != userId) { return(StatusCode(HttpStatusCode.Forbidden)); } // REMARK UserCommandTreeInterceptor already filters "userId" on EntityFramework level, but that might be removed later on / coni2k - 31 Jul. '17 var userResourcePool = await _resourcePoolManager.GetUserResourcePoolSet(userId, resourcePoolId).SingleOrDefaultAsync(); patch.Patch(userResourcePool); await _resourcePoolManager.SaveChangesAsync(); return(Ok(userResourcePool)); }