From 5b122d9c115b2e3c178514e0cf2ba9ac8cad00b0 Mon Sep 17 00:00:00 2001
From: Steven Lopez
Date: Tue, 15 Oct 2019 20:02:26 -0400
Subject: [PATCH] Update UsersController.cs check rights before going to database
---
 Controllers/UsersController.cs | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/Controllers/UsersController.cs b/Controllers/UsersController.cs
index 2b8ee7b..1b22e1a 100644
--- a/Controllers/UsersController.cs
+++ b/Controllers/UsersController.cs
@@ -41,18 +41,17 @@ public IActionResult GetAll()
 [HttpGet("{id}")]
 public IActionResult GetById(int id)
 {
- var user = _userService.GetById(id);
-
- if (user == null) {
- return NotFound();
- }
-
 // only allow admins to access other user records
 var currentUserId = int.Parse(User.Identity.Name);
 if (id != currentUserId && !User.IsInRole(Role.Admin)) {
 return Forbid();
 }
+ var user = _userService.GetById(id);
+
+ if (user == null) {
+ return NotFound();
+ }
 return Ok(user);
 }
 }
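Review bot: Nothing on the new side of `GetById` records why the role check has to stay ahead of `_userService.GetById(id)`: with the lookup first, a non-admin received 404 for an unknown id and 403 for an existing one, so the status code disclosed which ids exist. Extending the existing comment, e.g. `// authorize before the lookup so 403 vs 404 cannot reveal which user ids exist`, would keep a later refactor from moving the query back up. Separately, `int.Parse(User.Identity.Name)` is now the first statement to run and throws if the name is null or not numeric; whether that can happen depends on the authentication setup, which is outside this hunk. `if (!int.TryParse(User.Identity?.Name, out var currentUserId)) return Forbid();` would fail closed instead of surfacing an unhandled exception.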