If user has manage tenant permission then only showing the tenants he/she created

Marco.Pms.Services/Controllers/TenantController.cs

@@ -88,20 +88,24 @@ namespace Marco.Pms.Services.Controllers
             try
             {
                 // --- 1. PERMISSION CHECK ---
+                var currentTenant = await _userHelper.GetCurrentTenant();
+                if (currentTenant == null)
+                {
+                    _logger.LogWarning("Authentication failed: No logged-in tenant found.");
+                    return StatusCode(403, ApiResponse<object>.ErrorResponse("Authentication required", "Tenant not found", 403));
+                }
                 var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
                 if (loggedInEmployee == null)
                 {
-                    // This case should be handled by the [Authorize] attribute.
-                    // This check is a safeguard.
                     _logger.LogWarning("Authentication failed: No logged-in employee found.");
                     return StatusCode(403, ApiResponse<object>.ErrorResponse("Authentication required", "User is not logged in.", 403));
                 }
 
                 // A root user should have access regardless of the specific permission.
-                var isRootUser = loggedInEmployee.ApplicationUser?.IsRootUser ?? false;
+                var isSuperTenant = currentTenant.IsSuperTenant;
                 var hasPermission = await _permissionService.HasPermission(PermissionsMaster.ManageTenants, loggedInEmployee.Id);
 
-                if (!hasPermission || !isRootUser)
+                if (!hasPermission && !isSuperTenant)
                 {
                     _logger.LogWarning("Permission denied: User {EmployeeId} attempted to list tenants without 'ManageTenants' permission or root access.", loggedInEmployee.Id);
                     return StatusCode(403, ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
@@ -114,6 +118,11 @@ namespace Marco.Pms.Services.Controllers
                 // Start with a base IQueryable. Filters will be appended to this.
                 var tenantQuery = _context.Tenants.Where(t => t.IsActive);
 
+                if (hasPermission && !isSuperTenant)
+                {
+                    tenantQuery = tenantQuery.Where(t => t.Id == currentTenant.Id || t.CreatedById == loggedInEmployee.Id);
+                }
+
                 // Apply advanced filters from the JSON filter object.
                 var tenantFilter = TryDeserializeFilter(filter);
                 if (tenantFilter != null)

Marco.Pms.Services/Helpers/UserHelper.cs

@@ -1,9 +1,10 @@
-using System.Security.Claims;
-using Marco.Pms.DataAccess.Data;
+using Marco.Pms.DataAccess.Data;
 using Marco.Pms.Model.Employees;
 using Marco.Pms.Model.Entitlements;
+using Marco.Pms.Model.TenantModels;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
+using System.Security.Claims;
 
 namespace MarcoBMS.Services.Helpers
 {
@@ -25,6 +26,15 @@ namespace MarcoBMS.Services.Helpers
             var tenant = _httpContextAccessor.HttpContext?.User.FindFirst("TenantId")?.Value;
             return (tenant != null ? Guid.Parse(tenant) : Guid.Empty);
         }
+        public async Task<Tenant?> GetCurrentTenant()
+        {
+            var tenantId = _httpContextAccessor.HttpContext?.User.FindFirst("TenantId")?.Value;
+            if (tenantId != null)
+            {
+                return await _context.Tenants.FirstOrDefaultAsync(t => t.Id == Guid.Parse(tenantId));
+            }
+            return null;
+        }
 
         public async Task<IdentityUser?> GetCurrentUserAsync()
         {