From 08e893dcc85a839d721c71761c8c8d9be1fff3da Mon Sep 17 00:00:00 2001
From: "ashutosh.nehete"
Date: Fri, 31 Oct 2025 11:26:57 +0530
Subject: [PATCH] Change the check permssion check for tenant details API

---
 Marco.Pms.Services/Controllers/TenantController.cs | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/Marco.Pms.Services/Controllers/TenantController.cs b/Marco.Pms.Services/Controllers/TenantController.cs
index a4739e4..511fa34 100644
--- a/Marco.Pms.Services/Controllers/TenantController.cs
+++ b/Marco.Pms.Services/Controllers/TenantController.cs
@@ -271,12 +271,6 @@ namespace Marco.Pms.Services.Controllers
                     return StatusCode(403, ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
                 }
-                if (!hasManagePermission && (hasModifyPermission || hasViewPermission) && id != loggedInEmployee.TenantId)
-                {
-                    _logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
-                    return StatusCode(403,
-                        ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
-                }
                 // Create a single DbContext for main tenant fetch and related data requests
                 await using var _context = await _dbContextFactory.CreateDbContextAsync();
@@ -293,6 +287,14 @@ namespace Marco.Pms.Services.Controllers
                 _logger.LogWarning("Tenant {TenantId} not found in database", id);
                 return NotFound(ApiResponse.ErrorResponse("Tenant not found", "Tenant not found", 404));
             }
+
+            if (!hasManagePermission && (tenant.OrganizationId != loggedInEmployee.OrganizationId || (!hasModifyPermission && !hasViewPermission)))
+            {
+                _logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
+                return StatusCode(403,
+                    ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
+            }
+
             _logger.LogInfo("Tenant {TenantId} found.", tenant.Id);
             // Fetch dependent data in parallel to improve performance
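Review bot: The new organization check runs only after the tenant lookup, so a caller without manage permission now gets 404 for a tenant id that does not exist and 403 for one that exists in another organization, which makes this endpoint an existence oracle for tenant ids across organizations; the removed pre-fetch check in the previous hunk returned 403 before any lookup and did not leak this. Consider answering the cross-organization case with the same not-found response, e.g. `return NotFound(ApiResponse.ErrorResponse("Tenant not found", "Tenant not found", 404));` when `tenant.OrganizationId != loggedInEmployee.OrganizationId`, and keep the 403 only for the missing view/modify permission case, which does not depend on the fetched tenant and could be decided before the DbContext is created (it also appears to overlap with the 403 check visible at the top of the previous hunk, whose condition is not shown here). The warning text still says "of other tenant" although the rule is now organization-scoped; `"Permission denied: User {EmployeeId} attempted to access tenant {TenantId} outside their organization."` with `id` as the second argument would describe what is actually enforced. Whether `hasManagePermission` is meant to grant read access to tenants of any organization is not visible in this diff and is worth confirming. The enclosing method starts and ends outside this hunk.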