From 1e6b2d7527192227e2d46c23185645b0d08ee9f0 Mon Sep 17 00:00:00 2001 From: "ashutosh.nehete" Date: Tue, 27 May 2025 12:32:51 +0530 Subject: [PATCH] Enhancement #378: Update "Get Bucket List" API to Enforce Feature --- .../Controllers/DirectoryController.cs | 13 ++++++++- Marco.Pms.Services/Helpers/DirectoryHelper.cs | 28 +++++++++++++++---- 2 files changed, 35 insertions(+), 6 deletions(-) diff --git a/Marco.Pms.Services/Controllers/DirectoryController.cs b/Marco.Pms.Services/Controllers/DirectoryController.cs index 6b54891..d25c7e8 100644 --- a/Marco.Pms.Services/Controllers/DirectoryController.cs +++ b/Marco.Pms.Services/Controllers/DirectoryController.cs @@ -226,7 +226,18 @@ namespace Marco.Pms.Services.Controllers public async Task GetBucketList() { var response = await _directoryHelper.GetBucketList(); - return Ok(response); + if (response.StatusCode == 200) + { + return Ok(response); + } + else if (response.StatusCode == 401) + { + return Unauthorized(response); + } + else + { + return BadRequest(response); + } } [HttpPost("bucket")] diff --git a/Marco.Pms.Services/Helpers/DirectoryHelper.cs b/Marco.Pms.Services/Helpers/DirectoryHelper.cs index f5a3e1c..3d27b73 100644 --- a/Marco.Pms.Services/Helpers/DirectoryHelper.cs +++ b/Marco.Pms.Services/Helpers/DirectoryHelper.cs @@ -1002,20 +1002,38 @@ namespace Marco.Pms.Services.Helpers { Guid tenantId = _userHelper.GetTenantId(); var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); + var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync(); + var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync(); List employeeBuckets = await _context.EmployeeBucketMappings.Where(b => b.EmployeeId == LoggedInEmployee.Id).ToListAsync(); var bucketIds = employeeBuckets.Select(b => b.BucketId).ToList(); - List bucketList = await _context.Buckets.Where(b => bucketIds.Contains(b.Id)).ToListAsync(); + List bucketList = new List(); + if (permissionIds.Contains(directoryAdmin)) + { + bucketList = await _context.Buckets.Where(b => b.TenantId == tenantId).ToListAsync(); + } + else if (permissionIds.Contains(directoryManager) || permissionIds.Contains(directoryUser)) + { + bucketList = await _context.Buckets.Where(b => bucketIds.Contains(b.Id) || b.CreatedByID == LoggedInEmployee.Id).ToListAsync(); + } + else + { + _logger.LogError("Employee {EmployeeId} attemped to access a buckets list, but do not have permission", LoggedInEmployee.Id); + return ApiResponse.ErrorResponse("You don't have permission", "You don't have permission", 401); + } List bucketVMs = new List(); - foreach (var bucket in bucketList) + if (bucketList.Any()) { - BucketVM bucketVM = bucket.ToBucketVMFromBucket(); - bucketVMs.Add(bucketVM); + foreach (var bucket in bucketList) + { + BucketVM bucketVM = bucket.ToBucketVMFromBucket(); + bucketVMs.Add(bucketVM); + } } _logger.LogInfo("{count} Buckets are fetched by Employee with ID {LoggedInEmployeeId}", bucketVMs.Count, LoggedInEmployee.Id); - return ApiResponse.SuccessResponse(bucketVMs, System.String.Format("{0} buckets fetched successfully", bucketVMs.Count), 200); + return ApiResponse.SuccessResponse(bucketVMs, $"{bucketVMs.Count} buckets fetched successfully", 200); } public async Task> CreateBucket(CreateBucketDto bucketDto) {