From 10df95c481d3e32704721d0b3774835055321505 Mon Sep 17 00:00:00 2001 From: "ashutosh.nehete" Date: Tue, 27 May 2025 12:27:04 +0530 Subject: [PATCH] Enhancement #376: Update "Get Contact by Bucket ID" API to Enforce Feature Permissions --- Marco.Pms.Services/Helpers/DirectoryHelper.cs | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/Marco.Pms.Services/Helpers/DirectoryHelper.cs b/Marco.Pms.Services/Helpers/DirectoryHelper.cs index 1beb114..f3421b1 100644 --- a/Marco.Pms.Services/Helpers/DirectoryHelper.cs +++ b/Marco.Pms.Services/Helpers/DirectoryHelper.cs @@ -188,12 +188,37 @@ namespace Marco.Pms.Services.Helpers var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); if (id != Guid.Empty) { - EmployeeBucketMapping? employeeBucket = await _context.EmployeeBucketMappings.FirstOrDefaultAsync(em => em.BucketId == id && em.EmployeeId == LoggedInEmployee.Id); + Bucket? bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == id && b.TenantId == tenantId); + if (bucket == null) + { + _logger.LogInfo("Employee ID {EmployeeId} attempted access to bucket ID {BucketId}, but not found in database", LoggedInEmployee.Id); + return ApiResponse.ErrorResponse("Bucket not found", "Bucket not found", 404); + } + List? employeeBuckets = await _context.EmployeeBucketMappings.Where(em => em.BucketId == id).ToListAsync(); + var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync(); + var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync(); + + EmployeeBucketMapping? employeeBucket = null; + if (permissionIds.Contains(directoryAdmin)) + { + employeeBucket = employeeBuckets.FirstOrDefault(); + } + else if (permissionIds.Contains(directoryManager) || permissionIds.Contains(directoryUser)) + { + employeeBucket = employeeBuckets.FirstOrDefault(eb => eb.EmployeeId == LoggedInEmployee.Id); + } + else + { + _logger.LogError("Employee {EmployeeId} attemped to access a contacts with in bucket {BucketId}, but do not have permission", LoggedInEmployee.Id, id); + return ApiResponse.ErrorResponse("You don't have permission", "You don't have permission", 401); + } + if (employeeBucket == null) { _logger.LogInfo("Employee ID {EmployeeId} does not have access to bucket ID {BucketId}", LoggedInEmployee.Id); return ApiResponse.ErrorResponse("You do not have access to this bucket.", "You do not have access to this bucket.", 401); } + List contactBucket = await _context.ContactBucketMappings.Where(cb => cb.BucketId == id).ToListAsync() ?? new List(); List contactVMs = new List(); if (contactBucket.Count > 0)