Improve SOR handling over API (NOJIRA)

tzeller · Nov 25, 2018 · f4dbca7 · f4dbca7
1 parent 66d7f96
commit f4dbca7
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/app/src/Controller/TierApiController.php b/app/src/Controller/TierApiController.php
@@ -547,16 +547,27 @@ public function isAuthorized(Array $user) {
 
     // Authorization is as follows:
 
-    // (0) Make sure the Matchgrid is active.
+    // (0) Make sure the Matchgrid is active and the requested SOR exists.
 
     if(!$this->cur_mg) {
       Log::write('debug', "TierApiController::isAuthorized() Requested matchgrid " . $mgid . " not found");
-      return false;
+      throw new \Cake\Http\Exception\ForbiddenException("Requested matchgrid " . $mgid . " not found");
     }
 
     if($this->cur_mg->status != StatusEnum::Active) {
       Log::write('debug', "TierApiController::isAuthorized() Requested matchgrid " . $mgid . " is not Active");
-      return false;
+      throw new \Cake\Http\Exception\ForbiddenException("Requested matchgrid " . $mgid . " is not Active");
+    }
+
+    if($sor && $mgid) {
+      $this->loadModel('SystemsOfRecord');
+
+      $count = $this->SystemsOfRecord->find()->where(['matchgrid_id' => $mgid, 'label' => $sor])->count();
+
+      if($count == 0) {
+        Log::write('debug', "TierApiController::isAuthorized() Requested SOR " . $sor . " not found");
+        throw new \Cake\Http\Exception\ForbiddenException("Requested SOR " . $sor . " not found");
+      }
     }
 
     // (1) A Platform API user ($user['matchgrid_id'] is NULL) may perform any action.