admin/marco.pms.api
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Checking the project levelmpermission in project controller

Browse Source
This commit is contained in:
ashutosh.nehete 2025-09-18 18:04:22 +05:30
parent 51d86d7bfc
commit 2ce294904b
2 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Marco.Pms.Services/Controllers/DocumentController.cs
View File

@ -1331,15 +1331,14 @@ namespace Marco.Pms.Services.Controllers
}
// Check if the logged in employee has permission to delete OR is the owner of the document attachment
var hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);
var hasViewPermission = false;
ar hasDeletePermission = false;
if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, documentAttachment.EntityId);
hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id, documentAttachment.EntityId);
}
else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);
}
if (!hasDeletePermission && loggedInEmployee.Id != documentAttachment.EntityId)
{

10
Marco.Pms.Services/Service/ProjectServices.cs
View File

@ -641,7 +641,8 @@ namespace Marco.Pms.Services.Service
// In a real application, you would check if the loggedInEmployee has permission
// to manage allocations for ALL projects involved in this batch.
var projectIdsInBatch = allocationsDto.Select(a => a.ProjectId).Distinct().ToList();
var hasPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id);
var projectId = projectIdsInBatch.FirstOrDefault();
var hasPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id, projectId);
if (!hasPermission)
{
_logger.LogWarning("Access DENIED for user {UserId} trying to manage allocations for projects.", loggedInEmployee.Id);
@ -826,12 +827,15 @@ namespace Marco.Pms.Services.Service
// --- (Placeholder) Security Check ---
// You MUST verify that the loggedInEmployee has permission to modify the assignments for the target employeeId.
var hasPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id);
if (!hasPermission)
foreach (var allocation in allocationsDto)
{
if (!await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id, allocation.ProjectId))
{
_logger.LogWarning("Access DENIED for user {UserId} trying to manage assignments for employee {TargetEmployeeId}.", loggedInEmployee.Id, employeeId);
return ApiResponse<List<ProjectAllocationVM>>.ErrorResponse("Access Denied.", "You do not have permission to manage this employee's assignments.", 403);
}
}
// --- Step 2: Fetch all relevant existing data in ONE database call ---
var projectIdsInDto = allocationsDto.Select(p => p.ProjectId).ToList();