Enhancement #381: Update "Update Bucket" API to Enforce Feature
This commit is contained in:
parent
915ad7bdb5
commit
49988c9814
@ -284,6 +284,10 @@ namespace Marco.Pms.Services.Controllers
|
|||||||
{
|
{
|
||||||
return NotFound(response);
|
return NotFound(response);
|
||||||
}
|
}
|
||||||
|
else if (response.StatusCode == 401)
|
||||||
|
{
|
||||||
|
return Unauthorized(response);
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
return BadRequest(response);
|
return BadRequest(response);
|
||||||
|
|||||||
@ -2587,12 +2587,39 @@ namespace Marco.Pms.Services.Helpers
|
|||||||
var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
|
var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
|
||||||
if (bucketDto != null && id == bucketDto.Id)
|
if (bucketDto != null && id == bucketDto.Id)
|
||||||
{
|
{
|
||||||
var bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == bucketDto.Id && b.TenantId == tenantId);
|
var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync();
|
||||||
|
var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync();
|
||||||
|
var bucketIds = await _context.EmployeeBucketMappings.Where(eb => eb.EmployeeId == LoggedInEmployee.Id).Select(eb => eb.BucketId).ToListAsync();
|
||||||
|
Bucket? bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == bucketDto.Id && b.TenantId == tenantId);
|
||||||
|
|
||||||
if (bucket == null)
|
if (bucket == null)
|
||||||
{
|
{
|
||||||
_logger.LogWarning("Employee ID {LoggedInEmployeeId} attempted to update a bucket but not found in database.", LoggedInEmployee.Id);
|
_logger.LogWarning("Employee ID {LoggedInEmployeeId} attempted to update a bucket but not found in database.", LoggedInEmployee.Id);
|
||||||
return ApiResponse<object>.ErrorResponse("Bucket not found", "Bucket not found", 404);
|
return ApiResponse<object>.ErrorResponse("Bucket not found", "Bucket not found", 404);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Bucket? accessableBucket = null;
|
||||||
|
if (permissionIds.Contains(directoryAdmin))
|
||||||
|
{
|
||||||
|
accessableBucket = bucket;
|
||||||
|
}
|
||||||
|
else if (permissionIds.Contains(directoryManager) && bucketIds.Contains(id))
|
||||||
|
{
|
||||||
|
accessableBucket = bucket;
|
||||||
|
}
|
||||||
|
else if (permissionIds.Contains(directoryUser))
|
||||||
|
{
|
||||||
|
if (bucket.CreatedByID == LoggedInEmployee.Id)
|
||||||
|
{
|
||||||
|
accessableBucket = bucket;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (accessableBucket == null)
|
||||||
|
{
|
||||||
|
_logger.LogError("Employee {EmployeeId} attempted to access bucket {BucketId} without the necessary permissions.", LoggedInEmployee.Id, bucket.Id);
|
||||||
|
return ApiResponse<object>.ErrorResponse("You don't have permission to access this bucket", "You don't have permission to access this bucket", 401);
|
||||||
|
}
|
||||||
|
|
||||||
bucket.Name = bucketDto.Name ?? "";
|
bucket.Name = bucketDto.Name ?? "";
|
||||||
bucket.Description = bucketDto.Description ?? "";
|
bucket.Description = bucketDto.Description ?? "";
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user