Added a new validation to check if the tenant is it's own tenant

This commit is contained in:
ashutosh.nehete 2025-08-22 14:50:59 +05:30
parent 88a7a90bfe
commit 6f7fad1ae4


@ -258,6 +258,12 @@ namespace Marco.Pms.Services.Controllers
return StatusCode(403, return StatusCode(403,
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403)); ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
} }
if ((hasModifyPermission || hasViewPermission) && id != loggedInEmployee.TenantId)
{
_logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
return StatusCode(403,
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
}
// Create a single DbContext for main tenant fetch and related data requests // Create a single DbContext for main tenant fetch and related data requests
await using var _context = await _dbContextFactory.CreateDbContextAsync(); await using var _context = await _dbContextFactory.CreateDbContextAsync();
@ -652,7 +658,12 @@ namespace Marco.Pms.Services.Controllers
_logger.LogWarning("Access denied: User {EmployeeId} lacks required permissions for UpdateTenant on TenantId: {TenantId}.", loggedInEmployee.Id, id); _logger.LogWarning("Access denied: User {EmployeeId} lacks required permissions for UpdateTenant on TenantId: {TenantId}.", loggedInEmployee.Id, id);
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403)); return StatusCode(403, ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
} }
if (hasModifyPermission && id != loggedInEmployee.TenantId)
{
_logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
return StatusCode(403,
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
}
// 3. Use a single DbContext instance for data access // 3. Use a single DbContext instance for data access
await using var context = await _dbContextFactory.CreateDbContextAsync(); await using var context = await _dbContextFactory.CreateDbContextAsync();
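Review bot: The new `_logger.LogWarning` in the UpdateTenant hunk (and its twin in the first hunk) records only the caller's employee id, not the tenant the caller belongs to or the tenant id that was requested, so a cross-tenant attempt cannot be tied to its target from the log alone, while the existing warning two lines above in the same method does carry `{TenantId}`. Suggest `_logger.LogWarning("Permission denied: User {EmployeeId} of tenant {OwnTenantId} attempted to update tenant {RequestedTenantId}.", loggedInEmployee.Id, loggedInEmployee.TenantId, id);` here, and the same shape with "access" in the first hunk, where the current text is reused verbatim and still says "access tenant details" on an update path. The `(hasModifyPermission || hasViewPermission) &&` prefix on the first hunk's condition appears redundant if the block returning 403 just above already rejects callers lacking both permissions; if so, the ownership comparison should stand on its own so that a later change to the permission branch cannot silently skip it. The same check is now pasted into two actions, so a small private helper (for example `bool IsOwnTenant(Guid id)` returning `id == loggedInEmployee.TenantId`, with whatever the id type actually is) would keep the two copies from drifting. Both enclosing action methods start and end outside the hunks.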