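/// <summary>
/// Request filter for <see cref="JiwaServiceModel.SalesOrderGETRequest"/>: when the caller authenticated with a
/// Debtor API Key, only sales orders belonging to that debtor may be retrieved. Sessions whose API key type is
/// anything other than "Debtor" (or that have no Manager) are not checked and pass straight through.
/// </summary>
/// <param name="req">The current request; its session carries the API key type and the debtor (principal) the key belongs to.</param>
/// <param name="res">The current response. Not used by this filter.</param>
/// <param name="dto">The request DTO; <c>dto.InvoiceID</c> identifies the sales order being fetched.</param>
/// <exception cref="JiwaApplication.Exceptions.RecordNotFoundException">
/// Thrown when the order is not owned by the debtor of the API key, or (stateful requests only) when no object with
/// that InvoiceID is held in the session's ObjectDictionary. A not-found result is used rather than a "forbidden" one,
/// so a caller cannot tell "exists but belongs to another debtor" apart from "does not exist".
/// </exception>
public void DebtorAPIKeySalesOrderGETRequestFilter(IRequest req, IResponse res, JiwaServiceModel.SalesOrderGETRequest dto)
{
    // A hard cast is intentional: a session of an unexpected type fails closed (exception) rather than skipping the check.
    JiwaAuthUserSession session = (JiwaAuthUserSession)req.GetSession();
    if (session == null || session.Manager == null || session.Manager.Database.APIKey_Type != "Debtor")
        return;

    // The debtor the API key was issued to; every order fetched through this key must belong to it.
    var principalID = session.Manager.Database.APIKey_PrincipalID;

    if (Helper.Service.IsStateful(req))
    {
        // A stateful request always serves the order from the in-memory ObjectDictionary, never the database,
        // so the ownership check has to be made against the cached object.
        object objectDictionaryValue;
        if (!session.Manager.ObjectDictionary.TryGetValue(dto.InvoiceID, out objectDictionaryValue))
            throw new JiwaApplication.Exceptions.RecordNotFoundException();

        // A cached object of some other type (or one with no debtor) is treated like a missing order,
        // instead of surfacing an InvalidCastException / NullReferenceException to the caller.
        JiwaFinancials.Jiwa.JiwaSales.SalesOrder.SalesOrder salesOrder = objectDictionaryValue as JiwaFinancials.Jiwa.JiwaSales.SalesOrder.SalesOrder;
        if (salesOrder == null || salesOrder.Debtor == null || salesOrder.Debtor.DebtorID != principalID)
            throw new JiwaApplication.Exceptions.RecordNotFoundException();
    }
    else
    {
        // Stateless: look the order up in the database. The connection is scoped to this check and disposed afterwards
        // (the original code never disposed it).
        using (var db = AppHost.GetDbConnection())
        {
            SO_Main salesOrder = db.Single(db.From<SO_Main>().Where(x => x.InvoiceID == dto.InvoiceID).Take(1));

            // An order that does not exist is left for the service itself to report; only an ownership mismatch is rejected here.
            if (salesOrder != null && salesOrder.DebtorID != principalID)
                throw new JiwaApplication.Exceptions.RecordNotFoundException();
        }
    }
}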