Reorder auth check in ProductController methods (User-controlled bypa…

…ss of sensitive method)

src/API/Grand.Api/Controllers/OData/ProductController.cs

@@ -90,11 +90,11 @@ public async Task<IActionResult> Put([FromBody] ProductDto model)
     [ProducesResponseType((int)HttpStatusCode.NotFound)]
     public async Task<IActionResult> Patch([FromRoute] string key, [FromBody] JsonPatchDocument<ProductDto> model)
     {
+        if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
+
         if (string.IsNullOrEmpty(key))
             return BadRequest("Key is null or empty");
 
-        if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
-
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -155,10 +155,10 @@ await _mediator.Send(new UpdateProductStockCommand
     public async Task<IActionResult> CreateProductCategory([FromRoute] string key,
         [FromBody] ProductCategoryDto productCategory)
     {
-        if (productCategory == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productCategory == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -185,10 +185,10 @@ public async Task<IActionResult> CreateProductCategory([FromRoute] string key,
     public async Task<IActionResult> UpdateProductCategory([FromRoute] string key,
         [FromBody] ProductCategoryDto productCategory)
     {
-        if (productCategory == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productCategory == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -215,10 +215,10 @@ public async Task<IActionResult> UpdateProductCategory([FromRoute] string key,
     public async Task<IActionResult> DeleteProductCategory([FromRoute] string key,
         [FromBody] ProductCategoryDeleteDto model)
     {
-        if (model == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (model == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -254,10 +254,10 @@ public async Task<IActionResult> DeleteProductCategory([FromRoute] string key,
     public async Task<IActionResult> CreateProductCollection([FromRoute] string key,
         [FromBody] ProductCollectionDto productCollection)
     {
-        if (productCollection == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productCollection == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -284,10 +284,10 @@ public async Task<IActionResult> CreateProductCollection([FromRoute] string key,
     public async Task<IActionResult> UpdateProductCollection([FromRoute] string key,
         [FromBody] ProductCollectionDto productCollection)
     {
-        if (productCollection == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productCollection == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -314,10 +314,10 @@ public async Task<IActionResult> UpdateProductCollection([FromRoute] string key,
     public async Task<IActionResult> DeleteProductCollection([FromRoute] string key,
         [FromBody] ProductCollectionDeleteDto model)
     {
-        if (model == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (model == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -353,10 +353,10 @@ await _mediator.Send(new DeleteProductCollectionCommand
     public async Task<IActionResult> CreateProductPicture([FromRoute] string key,
         [FromBody] ProductPictureDto productPicture)
     {
-        if (productPicture == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productPicture == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -382,10 +382,10 @@ public async Task<IActionResult> CreateProductPicture([FromRoute] string key,
     public async Task<IActionResult> UpdateProductPicture([FromRoute] string key,
         [FromBody] ProductPictureDto productPicture)
     {
-        if (productPicture == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productPicture == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -411,10 +411,10 @@ public async Task<IActionResult> UpdateProductPicture([FromRoute] string key,
     public async Task<IActionResult> DeleteProductPicture([FromRoute] string key,
         [FromBody] ProductPictureDeleteDto model)
     {
-        if (model == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (model == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -450,10 +450,10 @@ public async Task<IActionResult> DeleteProductPicture([FromRoute] string key,
     public async Task<IActionResult> CreateProductSpecification([FromRoute] string key,
         [FromBody] ProductSpecificationAttributeDto productSpecification)
     {
-        if (productSpecification == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productSpecification == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -480,10 +480,10 @@ public async Task<IActionResult> CreateProductSpecification([FromRoute] string k
     public async Task<IActionResult> UpdateProductSpecification([FromRoute] string key,
         [FromBody] ProductSpecificationAttributeDto productSpecification)
     {
-        if (productSpecification == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productSpecification == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -510,10 +510,10 @@ public async Task<IActionResult> UpdateProductSpecification([FromRoute] string k
     public async Task<IActionResult> DeleteProductSpecification([FromRoute] string key,
         [FromBody] ProductSpecificationAttributeDeleteDto model)
     {
-        if (model == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (model == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -550,10 +550,10 @@ public async Task<IActionResult> DeleteProductSpecification([FromRoute] string k
     public async Task<IActionResult> CreateProductTierPrice([FromRoute] string key,
         [FromBody] ProductTierPriceDto productTierPrice)
     {
-        if (productTierPrice == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productTierPrice == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -579,10 +579,10 @@ public async Task<IActionResult> CreateProductTierPrice([FromRoute] string key,
     public async Task<IActionResult> UpdateProductTierPrice([FromRoute] string key,
         [FromBody] ProductTierPriceDto productTierPrice)
     {
-        if (productTierPrice == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productTierPrice == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -608,10 +608,10 @@ public async Task<IActionResult> UpdateProductTierPrice([FromRoute] string key,
     public async Task<IActionResult> DeleteProductTierPrice([FromRoute] string key,
         [FromBody] ProductTierPriceDeleteDto model)
     {
-        if (model == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (model == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -647,10 +647,10 @@ public async Task<IActionResult> DeleteProductTierPrice([FromRoute] string key,
     public async Task<IActionResult> CreateProductAttributeMapping([FromRoute] string key,
         [FromBody] ProductAttributeMappingDto productAttributeMapping)
     {
-        if (productAttributeMapping == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productAttributeMapping == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -677,10 +677,10 @@ public async Task<IActionResult> CreateProductAttributeMapping([FromRoute] strin
     public async Task<IActionResult> UpdateProductAttributeMapping([FromRoute] string key,
         [FromBody] ProductAttributeMappingDto productAttributeMapping)
     {
-        if (productAttributeMapping == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (productAttributeMapping == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();
 
@@ -707,10 +707,10 @@ public async Task<IActionResult> UpdateProductAttributeMapping([FromRoute] strin
     public async Task<IActionResult> DeleteProductAttributeMapping([FromRoute] string key,
         [FromBody] ProductAttributeMappingDeleteDto model)
     {
-        if (model == null) return BadRequest();
-
         if (!await _permissionService.Authorize(PermissionSystemName.Products)) return Forbid();
 
+        if (model == null) return BadRequest();
+
         var product = await _mediator.Send(new GetGenericQuery<ProductDto, Product>(key));
         if (!product.Any()) return NotFound();