diff --git a/Marco.Pms.Services/Service/ProjectServices.cs b/Marco.Pms.Services/Service/ProjectServices.cs
index 113c478..6124bba 100644
--- a/Marco.Pms.Services/Service/ProjectServices.cs
+++ b/Marco.Pms.Services/Service/ProjectServices.cs
@@ -999,15 +999,20 @@ namespace Marco.Pms.Services.Service
 // --- Step 1: Run independent permission checks in PARALLEL ---
 var projectPermissionTask = _permission.HasProjectPermission(loggedInEmployee, projectId);
 var viewInfraPermissionTask = _permission.HasPermission(PermissionsMaster.ViewProjectInfra, loggedInEmployee.Id, projectId);
+ var manageInfraPermissionTask = _permission.HasPermission(PermissionsMaster.ManageProjectInfra, loggedInEmployee.Id, projectId);
- await Task.WhenAll(projectPermissionTask, viewInfraPermissionTask);
+ await Task.WhenAll(projectPermissionTask, viewInfraPermissionTask, manageInfraPermissionTask);
- if (!await projectPermissionTask)
+ var hasProjectPermission = projectPermissionTask.Result;
+ var hasViewInfraPermission = viewInfraPermissionTask.Result;
+ var hasManageInfraPermission = manageInfraPermissionTask.Result;
+
+ if (!hasProjectPermission)
 {
 _logger.LogWarning("Project access denied for EmployeeId: {EmployeeId} on ProjectId: {ProjectId}", loggedInEmployee.Id, projectId);
 return ApiResponse.ErrorResponse("Access denied", "You don't have access to this project", 403);
 }
- if (!await viewInfraPermissionTask)
+ if (!hasViewInfraPermission && !hasManageInfraPermission)
 {
 _logger.LogWarning("ViewInfra permission denied for EmployeeId: {EmployeeId}", loggedInEmployee.Id);
 return ApiResponse.ErrorResponse("Access denied", "You don't have access to view this project's infrastructure", 403);
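Review bot: The denial log under the new `!hasViewInfraPermission && !hasManageInfraPermission` check still reads "ViewInfra permission denied" and omits the project, so an audit trail cannot show which project was refused or that ManageProjectInfra was evaluated too. I would change it to `_logger.LogWarning("ViewInfra/ManageInfra permission denied for EmployeeId: {EmployeeId} on ProjectId: {ProjectId}", loggedInEmployee.Id, projectId);`, matching the project-access warning a few lines above. The rule that ManageProjectInfra also grants read access is now encoded only in this condition; a comment such as `// ManageProjectInfra implies view access to project infrastructure` would make the intent explicit, and any other endpoint that checks ViewProjectInfra alone (not visible here) would need the same treatment to stay consistent. The `.Result` reads are non-blocking only because `await Task.WhenAll(...)` has already completed all three tasks, which deserves a one-line comment so a later reorder does not turn them into blocking calls. The enclosing method starts and ends outside this hunk.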