Protège la déclaration des applis pour un autre que soi

Yavsc/ApiController/GCMController.cs

@@ -1,9 +1,11 @@
 using System.Linq;
+using System.Security.Claims;
 using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Mvc;
 using Microsoft.Extensions.Logging;
 using Yavsc.Models;
 
+[Authorize,Route("~/api/gcm")]
 public class GCMController : Controller {
     ILogger _logger;
     ApplicationDbContext _context;
@@ -15,9 +17,14 @@ public class GCMController : Controller {
         _context = context;
     }
     
-    [Authorize]
-    public void Register (GoogleCloudMobileDeclaration declaration)
+    public IActionResult Register (GoogleCloudMobileDeclaration declaration)
     {
+        if (declaration.DeviceOwnerId!=null)
+            if (User.GetUserId() != declaration.DeviceOwnerId)
+                return new BadRequestObjectResult(
+                    new { error = "you're not allowed to register for another user" } 
+                );
+        declaration.DeviceOwnerId = User.GetUserId();
         if (_context.GCMDevices.Any(d => d.RegistrationId == declaration.RegistrationId))
         { 
             var alreadyRegisteredDevice = _context.GCMDevices.FirstOrDefault(d => d.RegistrationId == declaration.RegistrationId);
@@ -32,6 +39,7 @@ public class GCMController : Controller {
             _context.GCMDevices.Add(declaration);
             _context.SaveChanges();
         }
+        return Ok();
     }
 
 }