From 68027ded777179d2ae6dc65f07af9210043e1ba0 Mon Sep 17 00:00:00 2001
From: "ashutosh.nehete"
Date: Sat, 23 Aug 2025 13:07:20 +0530
Subject: [PATCH] If user has manage tenant permission then only showing the tenants he/she created
---
 .../Controllers/TenantController.cs | 17 +++++++++++++----
 Marco.Pms.Services/Helpers/UserHelper.cs | 14 ++++++++++++--
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/Marco.Pms.Services/Controllers/TenantController.cs b/Marco.Pms.Services/Controllers/TenantController.cs
index 236fb26..7371661 100644
--- a/Marco.Pms.Services/Controllers/TenantController.cs
+++ b/Marco.Pms.Services/Controllers/TenantController.cs
@@ -88,20 +88,24 @@ namespace Marco.Pms.Services.Controllers
 try
 {
 // --- 1. PERMISSION CHECK ---
+ var currentTenant = await _userHelper.GetCurrentTenant();
+ if (currentTenant == null)
+ {
+ _logger.LogWarning("Authentication failed: No logged-in tenant found.");
+ return StatusCode(403, ApiResponse.ErrorResponse("Authentication required", "Tenant not found", 403));
+ }
 var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
 if (loggedInEmployee == null)
 {
- // This case should be handled by the [Authorize] attribute.
- // This check is a safeguard.
 _logger.LogWarning("Authentication failed: No logged-in employee found.");
 return StatusCode(403, ApiResponse.ErrorResponse("Authentication required", "User is not logged in.", 403));
 }
 // A root user should have access regardless of the specific permission.
- var isRootUser = loggedInEmployee.ApplicationUser?.IsRootUser ?? false;
+ var isSuperTenant = currentTenant.IsSuperTenant;
 var hasPermission = await _permissionService.HasPermission(PermissionsMaster.ManageTenants, loggedInEmployee.Id);
- if (!hasPermission || !isRootUser)
+ if (!hasPermission && !isSuperTenant)
 {
 _logger.LogWarning("Permission denied: User {EmployeeId} attempted to list tenants without 'ManageTenants' permission or root access.", loggedInEmployee.Id);
 return StatusCode(403, ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
@@ -114,6 +118,11 @@ namespace Marco.Pms.Services.Controllers
 // Start with a base IQueryable. Filters will be appended to this.
 var tenantQuery = _context.Tenants.Where(t => t.IsActive);
+ if (hasPermission && !isSuperTenant)
+ {
+ tenantQuery = tenantQuery.Where(t => t.Id == currentTenant.Id || t.CreatedById == loggedInEmployee.Id);
+ }
+
 // Apply advanced filters from the JSON filter object.
 var tenantFilter = TryDeserializeFilter(filter);
 if (tenantFilter != null)
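Review bot: The comment `// A root user should have access regardless of the specific permission.` and the log text ending in `... 'ManageTenants' permission or root access.` still describe the removed `IsRootUser` bypass, while the new condition grants access on `currentTenant.IsSuperTenant`; change the comment to `// A super tenant has access regardless of the specific permission.` and the log text to `... 'ManageTenants' permission or super-tenant access.` so the audit trail matches the rule actually enforced. Dropping the root-user bypass is also a behaviour change: a root user whose current tenant is not a super tenant and who lacks ManageTenants is now denied where before (once the inverted condition was fixed) they would have been allowed — if that is intended it belongs in the commit message, and if not the old bypass needs to be OR-ed back in. The tenant guard returns "Authentication required" with 403 like the employee guard below it, which keeps the two consistent. The enclosing action method starts before and continues after this hunk.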
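Review bot: The filter `tenantQuery.Where(t => t.Id == currentTenant.Id || t.CreatedById == loggedInEmployee.Id)` is the authorization boundary for non-super tenants, yet nothing states the rule; add `// Non-super tenants see only their own tenant and the tenants this employee created.` above the `if`. Because the guard earlier in the method already returned when neither `hasPermission` nor `isSuperTenant` holds, `hasPermission && !isSuperTenant` here is equivalent to `!isSuperTenant`; writing it as `if (!isSuperTenant)` makes that reliance on the earlier guard explicit rather than appearing to re-check the permission. Whether `CreatedById` holds an employee id or an ApplicationUser id is not visible here; if it is the latter, the comparison with `loggedInEmployee.Id` would never match and the filter would silently collapse to the current tenant alone, so confirm against the Tenant model. The enclosing method continues outside the hunk.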
diff --git a/Marco.Pms.Services/Helpers/UserHelper.cs b/Marco.Pms.Services/Helpers/UserHelper.cs
index fabc0f3..0b93db4 100644
--- a/Marco.Pms.Services/Helpers/UserHelper.cs
+++ b/Marco.Pms.Services/Helpers/UserHelper.cs
@@ -1,9 +1,10 @@
-using System.Security.Claims;
-using Marco.Pms.DataAccess.Data;
+using Marco.Pms.DataAccess.Data;
 using Marco.Pms.Model.Employees;
 using Marco.Pms.Model.Entitlements;
+using Marco.Pms.Model.TenantModels;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
+using System.Security.Claims;
 namespace MarcoBMS.Services.Helpers
 {
@@ -25,6 +26,15 @@ namespace MarcoBMS.Services.Helpers
 var tenant = _httpContextAccessor.HttpContext?.User.FindFirst("TenantId")?.Value;
 return (tenant != null ? Guid.Parse(tenant) : Guid.Empty);
 }
+ public async Task GetCurrentTenant()
+ {
+ var tenantId = _httpContextAccessor.HttpContext?.User.FindFirst("TenantId")?.Value;
+ if (tenantId != null)
+ {
+ return await _context.Tenants.FirstOrDefaultAsync(t => t.Id == Guid.Parse(tenantId));
+ }
+ return null;
+ }
 public async Task GetCurrentUserAsync()
 {
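Review bot: `Guid.Parse(tenantId)` inside the `FirstOrDefaultAsync` lambda throws `FormatException` when the "TenantId" claim is present but not a GUID, so a malformed token turns the controller's "tenant not found" 403 into an unhandled 500; parse with `Guid.TryParse` before the query and return null on failure, which the caller already treats as the denied path. The sibling methods in the context lines are named `GetCurrentUserAsync`, so `GetCurrentTenantAsync` would match the file's convention. The return type prints as `Task` here; presumably the generic argument (`Task<Tenant?>` or similar) was lost in rendering, otherwise `return null` would not compile — worth confirming on the real file. The method is fully contained in this hunk.
```csharp
public async Task GetCurrentTenant()
{
    var tenantId = _httpContextAccessor.HttpContext?.User.FindFirst("TenantId")?.Value;
    // A missing or malformed claim means "no tenant", never an exception.
    if (!Guid.TryParse(tenantId, out var id))
    {
        return null;
    }
    return await _context.Tenants.FirstOrDefaultAsync(t => t.Id == id);
}
```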