Enhancement #375: Update "Get Contact" API to Enforce Feature Permissions

This commit is contained in:
ashutosh.nehete 2025-05-27 12:24:41 +05:30
parent 6e2b0eaec0
commit 3f74646437
2 changed files with 26 additions and 1 deletions


@ -39,12 +39,17 @@ namespace Marco.Pms.Services.Controllers
{ {
return Ok(response); return Ok(response);
} }
else if (response.StatusCode == 401)
{
return Unauthorized(response);
}
else else
{ {
return BadRequest(response); return BadRequest(response);
} }
} }
[HttpGet("contact-bucket/{bucketId}")] [HttpGet("contact-bucket/{bucketId}")]
public async Task<IActionResult> GetContactsListByBucketId(Guid bucketId) public async Task<IActionResult> GetContactsListByBucketId(Guid bucketId)
{ {
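Review bot: The new `else if (response.StatusCode == 401)` branch maps a missing-feature-permission result to `Unauthorized(...)`, but the caller at this point is already authenticated (the helper resolves the current employee before checking roles), so the condition being signalled is an authorization failure, for which 403 Forbidden is the correct status; a 401 can also make clients and auth middleware treat the session as expired and re-prompt for credentials. I would return `StatusCode(StatusCodes.Status403Forbidden, response)` here and have the helper produce 403 instead of 401 so both layers agree. The enclosing action method starts before this hunk, so I cannot see whether other status codes are already mapped there.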


@ -1357,9 +1357,29 @@ namespace Marco.Pms.Services.Helpers
{ {
Guid tenantId = _userHelper.GetTenantId(); Guid tenantId = _userHelper.GetTenantId();
var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync();
var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync();
List<EmployeeBucketMapping>? employeeBuckets = await _context.EmployeeBucketMappings.Where(eb => eb.EmployeeId == LoggedInEmployee.Id).ToListAsync(); List<EmployeeBucketMapping>? employeeBuckets = await _context.EmployeeBucketMappings.Where(eb => eb.EmployeeId == LoggedInEmployee.Id).ToListAsync();
List<Guid> bucketIds = employeeBuckets.Select(c => c.BucketId).ToList(); List<Guid> bucketIds = employeeBuckets.Select(c => c.BucketId).ToList();
List<Guid> filterbucketIds = employeeBuckets.Select(c => c.BucketId).ToList(); if (permissionIds.Contains(directoryAdmin))
{
var buckets = await _context.Buckets.Where(b => b.TenantId == tenantId).ToListAsync();
bucketIds = buckets.Select(b => b.Id).ToList();
}
else if (permissionIds.Contains(directoryManager) || permissionIds.Contains(directoryUser))
{
var buckets = await _context.Buckets.Where(b => b.CreatedByID == LoggedInEmployee.Id).ToListAsync();
var createdBucketIds = buckets.Select(b => b.Id).ToList();
bucketIds.AddRange(createdBucketIds);
bucketIds = bucketIds.Distinct().ToList();
}
else
{
_logger.LogError("Employee {EmployeeId} attemped to access a contacts, but do not have permission", LoggedInEmployee.Id);
return ApiResponse<object>.ErrorResponse("You don't have permission", "You don't have permission", 401);
}
List<Guid> filterbucketIds = bucketIds;
if (filterDto != null && filterDto.BucketIds != null && filterDto.BucketIds.Count > 0) if (filterDto != null && filterDto.BucketIds != null && filterDto.BucketIds.Count > 0)
{ {
filterbucketIds = filterDto.BucketIds; filterbucketIds = filterDto.BucketIds;
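Review bot: The permission scoping added above is discarded on the last line of the hunk: when the caller supplies `filterDto.BucketIds`, `filterbucketIds` is replaced wholesale by the client-provided list with no check that each id is in the authorized `bucketIds`, so a user can still request contacts from buckets outside their tenant or ownership unless code after this hunk intersects the two lists. Restricting the override to the authorized set closes that gap: `filterbucketIds = filterDto.BucketIds.Where(bucketIds.Contains).ToList();`, and a request whose ids all fall outside the set should then yield an empty result rather than the unfiltered one. Two smaller points: the admin and creator branches materialize full `Bucket` rows only to read `Id`, so `.Select(b => b.Id).ToListAsync()` would avoid loading the entities, and the log message carries typos (`attemped`, `a contacts`). The enclosing method begins before and continues after this hunk.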