admin/marco.pms.api
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Checking the correct permission updating the notes

Browse Source
This commit is contained in:
ashutosh.nehete 2025-09-15 17:04:18 +05:30
parent b17d1d30e5
commit 0b150fed9a
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Marco.Pms.Services/Service/DirectoryService.cs
View File

@ -2109,10 +2109,11 @@ namespace Marco.Pms.Services.Service
return ApiResponse<object>.ErrorResponse("Invalid or empty payload", "Invalid or empty payload", 400); return ApiResponse<object>.ErrorResponse("Invalid or empty payload", "Invalid or empty payload", 400);
} }
var (hasAdminPermission, hasManagerPermission, hasUserPermission) = await CheckPermissionsAsync(loggedInEmployee.Id);
var bucketIds = await _context.ContactBucketMappings.Where(cb => cb.ContactId == noteDto.ContactId).Select(cb => cb.BucketId).ToListAsync(); var bucketIds = await _context.ContactBucketMappings.Where(cb => cb.ContactId == noteDto.ContactId).Select(cb => cb.BucketId).ToListAsync();
var hasContactAccess = await _context.EmployeeBucketMappings.AnyAsync(eb => bucketIds.Contains(eb.BucketId) && eb.EmployeeId == loggedInEmployee.Id); var hasContactAccess = await _context.EmployeeBucketMappings.AnyAsync(eb => bucketIds.Contains(eb.BucketId) && eb.EmployeeId == loggedInEmployee.Id);
if (hasContactAccess) if (!hasAdminPermission && hasContactAccess)
{ {
_logger.LogWarning("Employee {EmployeeId} does not have permission to delete contact {ContactId}", _logger.LogWarning("Employee {EmployeeId} does not have permission to delete contact {ContactId}",
loggedInEmployee.Id, noteDto.ContactId); loggedInEmployee.Id, noteDto.ContactId);