diff --git a/Marco.Pms.Services/Controllers/TenantController.cs b/Marco.Pms.Services/Controllers/TenantController.cs
index 00303d0..7e4e960 100644
--- a/Marco.Pms.Services/Controllers/TenantController.cs
+++ b/Marco.Pms.Services/Controllers/TenantController.cs
@@ -258,6 +258,12 @@ namespace Marco.Pms.Services.Controllers
                 return StatusCode(403, ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
             }
+            if ((hasModifyPermission || hasViewPermission) && id != loggedInEmployee.TenantId)
+            {
+                _logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
+                return StatusCode(403,
+                    ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
+            }
 
             // Create a single DbContext for main tenant fetch and related data requests
             await using var _context = await _dbContextFactory.CreateDbContextAsync();
@@ -652,7 +658,12 @@ namespace Marco.Pms.Services.Controllers
                 _logger.LogWarning("Access denied: User {EmployeeId} lacks required permissions for UpdateTenant on TenantId: {TenantId}.", loggedInEmployee.Id, id);
                 return StatusCode(403, ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
             }
-
+            if (hasModifyPermission && id != loggedInEmployee.TenantId)
+            {
+                _logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
+                return StatusCode(403,
+                    ApiResponse.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
+            }
 
             // 3. Use a single DbContext instance for data access
             await using var context = await _dbContextFactory.CreateDbContextAsync();
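Review bot: The tenant-isolation guard in the first hunk is gated on `(hasModifyPermission || hasViewPermission)`, and the one in the second hunk (UpdateTenant) on `hasModifyPermission` alone, so the cross-tenant check is only applied when those specific flags are set; any caller that passes the preceding permission check by some other route (the check itself starts above the hunk, so this is inferred) would reach the DbContext with a foreign `id` unchallenged. Tenant ownership is a property of the request, not of the permission flags, so the safer form in both hunks is the unconditional comparison `if (id != loggedInEmployee.TenantId)`, placed after the permission check as now. If some role is meant to read other tenants, that exemption should be an explicit, named flag in the condition rather than the absence of these two. Both enclosing action methods begin and end outside their hunks.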
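Review bot: The added warning in the UpdateTenant hunk (and identically in the first hunk) records only `{EmployeeId}` and omits both the requested tenant and the caller's own tenant, which is exactly what an analyst needs to distinguish a misconfigured client from probing; the existing log two lines above already includes `{TenantId}`. It also uses the prefix "Permission denied:" where the neighbouring message uses "Access denied:", which splits the same event class across two log patterns. Suggested line for both hunks: `_logger.LogWarning("Access denied: User {EmployeeId} of TenantId {OwnTenantId} attempted to access TenantId: {TenantId}.", loggedInEmployee.Id, loggedInEmployee.TenantId, id);`. Keeping the HTTP response body identical to the permission-failure response, as the hunk does, is right, since it avoids confirming whether the foreign tenant exists.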