diff --git a/Marco.Pms.Services/Controllers/DocumentController.cs b/Marco.Pms.Services/Controllers/DocumentController.cs
index ef73d3c..c17fd78 100644
--- a/Marco.Pms.Services/Controllers/DocumentController.cs
+++ b/Marco.Pms.Services/Controllers/DocumentController.cs
@@ -1331,15 +1331,14 @@ namespace Marco.Pms.Services.Controllers
             }
             // Check if the logged in employee has permission to delete OR is the owner of the document attachment
-            var hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);
-            var hasViewPermission = false;
+            ar hasDeletePermission = false;
             if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
             {
-                hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, documentAttachment.EntityId);
+                hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id, documentAttachment.EntityId);
             }
             else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
             {
-                hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+                hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);
             }
             if (!hasDeletePermission && loggedInEmployee.Id != documentAttachment.EntityId)
             {
diff --git a/Marco.Pms.Services/Service/ProjectServices.cs b/Marco.Pms.Services/Service/ProjectServices.cs
index 8fcfb26..e9817af 100644
--- a/Marco.Pms.Services/Service/ProjectServices.cs
+++ b/Marco.Pms.Services/Service/ProjectServices.cs
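Review bot: The added line `ar hasDeletePermission = false;` is missing the leading `v` of `var` and will not compile; it should read `var hasDeletePermission = false;`. With that fixed, note that only the Project and Employee entity types are covered, so any other EntityTypeId leaves hasDeletePermission false and the outcome rests entirely on the `loggedInEmployee.Id != documentAttachment.EntityId` test on the following context line; for a project-scoped attachment EntityId is presumably a project id rather than an owner id, so it is worth confirming that the ownership fallback is meant only for employee-scoped documents and otherwise denying explicitly. A comment such as `// Delete is permitted by DeleteDocument scoped to the owning project/employee, or by the attachment owner` above the branches would record that intent. The enclosing method continues past the end of the hunk.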
@@ -641,7 +641,8 @@ namespace Marco.Pms.Services.Service
             // In a real application, you would check if the loggedInEmployee has permission
             // to manage allocations for ALL projects involved in this batch.
             var projectIdsInBatch = allocationsDto.Select(a => a.ProjectId).Distinct().ToList();
-            var hasPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id);
+            var projectId = projectIdsInBatch.FirstOrDefault();
+            var hasPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id, projectId);
             if (!hasPermission)
             {
                 _logger.LogWarning("Access DENIED for user {UserId} trying to manage allocations for projects.", loggedInEmployee.Id);
@@ -826,13 +827,16 @@ namespace Marco.Pms.Services.Service
             // --- (Placeholder) Security Check ---
             // You MUST verify that the loggedInEmployee has permission to modify the assignments for the target employeeId.
-            var hasPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id);
-            if (!hasPermission)
+            foreach (var allocation in allocationsDto)
             {
-                _logger.LogWarning("Access DENIED for user {UserId} trying to manage assignments for employee {TargetEmployeeId}.", loggedInEmployee.Id, employeeId);
-                return ApiResponse>.ErrorResponse("Access Denied.", "You do not have permission to manage this employee's assignments.", 403);
+                if (!await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id, allocation.ProjectId))
+                {
+                    _logger.LogWarning("Access DENIED for user {UserId} trying to manage assignments for employee {TargetEmployeeId}.", loggedInEmployee.Id, employeeId);
+                    return ApiResponse>.ErrorResponse("Access Denied.", "You do not have permission to manage this employee's assignments.", 403);
+                }
             }
+
             // --- Step 2: Fetch all relevant existing data in ONE database call ---
             var projectIdsInDto = allocationsDto.Select(p => p.ProjectId).ToList();
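Review bot: The added `projectIdsInBatch.FirstOrDefault()` authorizes the whole batch against a single project, while the context comment two lines above says ALL projects in the batch must be checked; a batch whose first allocation targets a project the caller may manage passes the check for every other project in it. On an empty batch FirstOrDefault yields the type's default value, and what HasPermission returns for that id is not visible here, so that case should be decided explicitly too. The later hunk in this file (-826) already does the per-project loop; the same shape fits here, keeping the existing `if (!hasPermission)` denial unchanged. The enclosing method starts before and continues past the hunk.
```csharp
var projectIdsInBatch = allocationsDto.Select(a => a.ProjectId).Distinct().ToList();
// ManageTeam is required on every project in the batch; an empty batch is denied
// here (initialize to true instead if an empty batch is a valid no-op).
var hasPermission = projectIdsInBatch.Count > 0;
foreach (var projectId in projectIdsInBatch)
{
    if (!await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id, projectId))
    {
        hasPermission = false;
        break;
    }
}
// … unchanged: if (!hasPermission) logging and 403 response …
```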
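Review bot: The new foreach performs no authorization at all when allocationsDto is empty, since the loop body never runs, and control then proceeds to Step 2 and whatever follows; if a later step removes existing assignments that are absent from the DTO, an empty request would do so unchecked, so confirm that and reject an empty DTO before the loop if it applies. The loop also calls HasPermission once per allocation rather than once per distinct project, and the `{TargetEmployeeId}` warning does not say which project failed; iterating `allocationsDto.Select(a => a.ProjectId).Distinct()` and adding `allocation.ProjectId` to the log call would address both. The `// --- (Placeholder) Security Check ---` comment on the first context line is stale now that a real check is in place and should be reworded to describe it. The enclosing method starts before and continues past the hunk.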