diff --git a/Marco.Pms.Services/Controllers/TenantController.cs b/Marco.Pms.Services/Controllers/TenantController.cs
index a4739e4..511fa34 100644
--- a/Marco.Pms.Services/Controllers/TenantController.cs
+++ b/Marco.Pms.Services/Controllers/TenantController.cs
@@ -271,12 +271,6 @@ namespace Marco.Pms.Services.Controllers
 return StatusCode(403, ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
 }
- if (!hasManagePermission && (hasModifyPermission || hasViewPermission) && id != loggedInEmployee.TenantId)
- {
- _logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
- return StatusCode(403,
- ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
- }
 // Create a single DbContext for main tenant fetch and related data requests
 await using var _context = await _dbContextFactory.CreateDbContextAsync();
@@ -293,6 +287,14 @@ namespace Marco.Pms.Services.Controllers
 _logger.LogWarning("Tenant {TenantId} not found in database", id);
 return NotFound(ApiResponse.ErrorResponse("Tenant not found", "Tenant not found", 404));
 }
+
+ if (!hasManagePermission && (tenant.OrganizationId != loggedInEmployee.OrganizationId || (!hasModifyPermission && !hasViewPermission)))
+ {
+ _logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
+ return StatusCode(403,
+ ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
+ }
+
 _logger.LogInfo("Tenant {TenantId} found.", tenant.Id);
 // Fetch dependent data in parallel to improve performance
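Review bot: The new authorization check in the second hunk runs after the `NotFound` return, so a caller without manage permission now gets 404 for a non-existent id but 403 for an existing tenant in another organization, which turns the endpoint into an existence oracle for tenant ids across organizations; the check removed in the first hunk ran before the lookup and did not expose this. Returning the same not-found response from the new block while still logging the denial closes that gap, e.g. `return NotFound(ApiResponse.ErrorResponse("Tenant not found", "Tenant not found", 404));` in place of the 403. The check also widens the boundary from the caller's own tenant (`id != loggedInEmployee.TenantId`) to the whole organization, so a view-only employee can presumably now read sibling tenants; if that is intended, the log text `attempted to access tenant details of other tenant` should say organization, and a comment above the `if` should state that organization membership is the authorization scope for non-manage callers. The enclosing action method starts and ends outside both hunks.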