admin/marco.pms.api
1
0
Fork 0
Code Issues Pull Requests 5 Actions Packages Projects Releases Wiki Activity

Change the check permssion check for tenant details API

Browse Source
This commit is contained in:
ashutosh.nehete 2025-10-31 11:26:57 +05:30
parent 83e8e8c7de
commit 08e893dcc8
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Marco.Pms.Services/Controllers/TenantController.cs
View File

@ -271,12 +271,6 @@ namespace Marco.Pms.Services.Controllers
return StatusCode(403, return StatusCode(403,
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403)); ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
} }
if (!hasManagePermission && (hasModifyPermission || hasViewPermission) && id != loggedInEmployee.TenantId)
{
_logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
return StatusCode(403,
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
}
// Create a single DbContext for main tenant fetch and related data requests // Create a single DbContext for main tenant fetch and related data requests
await using var _context = await _dbContextFactory.CreateDbContextAsync(); await using var _context = await _dbContextFactory.CreateDbContextAsync();
@ -293,6 +287,14 @@ namespace Marco.Pms.Services.Controllers
_logger.LogWarning("Tenant {TenantId} not found in database", id); _logger.LogWarning("Tenant {TenantId} not found in database", id);
return NotFound(ApiResponse<object>.ErrorResponse("Tenant not found", "Tenant not found", 404)); return NotFound(ApiResponse<object>.ErrorResponse("Tenant not found", "Tenant not found", 404));
} }
if (!hasManagePermission && (tenant.OrganizationId != loggedInEmployee.OrganizationId || (!hasModifyPermission && !hasViewPermission)))
{
_logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
return StatusCode(403,
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
}
_logger.LogInfo("Tenant {TenantId} found.", tenant.Id); _logger.LogInfo("Tenant {TenantId} found.", tenant.Id);
// Fetch dependent data in parallel to improve performance // Fetch dependent data in parallel to improve performance