Enhancement #375: Update "Get Contact" API to Enforce Feature Permissions

2025-05-27 12:24:41 +05:30 · 2025-05-27 12:24:41 +05:30 · 3f74646437
commit 3f74646437
parent 6e2b0eaec0
2 changed files with 26 additions and 1 deletions
--- a/Marco.Pms.Services/Controllers/DirectoryController.cs
+++ b/Marco.Pms.Services/Controllers/DirectoryController.cs
@ -39,12 +39,17 @@ namespace Marco.Pms.Services.Controllers
            {
                return Ok(response);
            }
+            else if (response.StatusCode == 401)
+            {
+                return Unauthorized(response);
+            }
            else
            {
                return BadRequest(response);
            }

        }
+
        [HttpGet("contact-bucket/{bucketId}")]
        public async Task<IActionResult> GetContactsListByBucketId(Guid bucketId)
        {
--- a/Marco.Pms.Services/Helpers/DirectoryHelper.cs
+++ b/Marco.Pms.Services/Helpers/DirectoryHelper.cs
@ -1357,9 +1357,29 @@ namespace Marco.Pms.Services.Helpers
        {
            Guid tenantId = _userHelper.GetTenantId();
            var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
+            var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync();
+            var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync();
            List<EmployeeBucketMapping>? employeeBuckets = await _context.EmployeeBucketMappings.Where(eb => eb.EmployeeId == LoggedInEmployee.Id).ToListAsync();
            List<Guid> bucketIds = employeeBuckets.Select(c => c.BucketId).ToList();
-            List<Guid> filterbucketIds = employeeBuckets.Select(c => c.BucketId).ToList();
+            if (permissionIds.Contains(directoryAdmin))
+            {
+                var buckets = await _context.Buckets.Where(b => b.TenantId == tenantId).ToListAsync();
+                bucketIds = buckets.Select(b => b.Id).ToList();
+            }
+            else if (permissionIds.Contains(directoryManager) || permissionIds.Contains(directoryUser))
+            {
+                var buckets = await _context.Buckets.Where(b => b.CreatedByID == LoggedInEmployee.Id).ToListAsync();
+                var createdBucketIds = buckets.Select(b => b.Id).ToList();
+                bucketIds.AddRange(createdBucketIds);
+                bucketIds = bucketIds.Distinct().ToList();
+            }
+            else
+            {
+                _logger.LogError("Employee {EmployeeId} attemped to access a contacts, but do not have permission", LoggedInEmployee.Id);
+                return ApiResponse<object>.ErrorResponse("You don't have permission", "You don't have permission", 401);
+            }
+
+            List<Guid> filterbucketIds = bucketIds;
            if (filterDto != null && filterDto.BucketIds != null && filterDto.BucketIds.Count > 0)
            {
                filterbucketIds = filterDto.BucketIds;