From d507b9ede2ecf90f9da1f01bcfbb62b182a6d0fb Mon Sep 17 00:00:00 2001
From: "ashutosh.nehete"
Date: Thu, 4 Sep 2025 14:52:25 +0530
Subject: [PATCH] Intregating the project-level permissions in document controller
---
 .../Controllers/DocumentController.cs | 122 ++++++++++++++----
 Marco.Pms.Services/Service/ProjectServices.cs | 1 -
 2 files changed, 100 insertions(+), 23 deletions(-)
diff --git a/Marco.Pms.Services/Controllers/DocumentController.cs b/Marco.Pms.Services/Controllers/DocumentController.cs
index f70ddcf..fbb5f5d 100644
--- a/Marco.Pms.Services/Controllers/DocumentController.cs
+++ b/Marco.Pms.Services/Controllers/DocumentController.cs
@@ -68,7 +68,16 @@ namespace Marco.Pms.Services.Controllers
 var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
 
 // Check global permission
- var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+ var hasViewPermission = false;
+ if (ProjectEntity == entityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, entityId);
+ }
+ else if (EmployeeEntity == entityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+ }
+
 if (!hasViewPermission && loggedInEmployee.Id != entityId)
 {
 _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId);
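Review bot: The new `hasViewPermission` branch block is repeated, differing only in the permission constant and the entity expression, in the hunks at old lines 280, 445, 516, 618, 826, 906 and 1249; extract it into one private helper on the controller (taking the permission service, the permission constant, the employee id, the entity type id and the entity id) so the eight copies cannot drift apart. The block also changes behaviour for any `EntityTypeId` that is neither `ProjectEntity` nor `EmployeeEntity`: the removed line granted access on the global permission alone, while the new code leaves the flag `false` and denies unless the caller is the entity itself. That fail-closed default looks intentional but is recorded nowhere; replace `// Check global permission` with something like `// Resolve the right by entity type: project documents need the project-scoped right, employee documents the global right; any other type is denied unless the caller is the entity itself`. The enclosing action method starts before this hunk, so where `entityTypeId` and `entityId` are computed is not visible here.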
@@ -280,7 +289,16 @@ namespace Marco.Pms.Services.Controllers
 }
 
 // Check if the logged in employee has permission to view the document OR is the owner of the attachment entity
- var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+ var hasViewPermission = false;
+ if (ProjectEntity == versionMapping.ChildAttachment.DocumentType!.DocumentCategory!.EntityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, versionMapping.ChildAttachment.EntityId);
+ }
+ else if (EmployeeEntity == versionMapping.ChildAttachment.DocumentType!.DocumentCategory!.EntityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+ }
+
 if (!hasViewPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId)
 {
 _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}",
@@ -422,6 +440,9 @@ namespace Marco.Pms.Services.Controllers
 
 // Retrieve all version mappings linked to the parent attachment and tenant
 var versionMappingsQuery = _context.AttachmentVersionMappings
+ .Include(av => av.ChildAttachment)
+ .ThenInclude(da => da!.DocumentType)
+ .ThenInclude(dt => dt!.DocumentCategory)
 .Include(av => av.ChildAttachment)
 .ThenInclude(da => da!.UploadedBy)
 .ThenInclude(e => e!.JobRole)
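Review bot: The two `versionMapping.ChildAttachment.DocumentType!.DocumentCategory!.EntityTypeId` expressions use the null-forgiving operator where every other hunk in this commit uses `?.`; the query that loads `versionMapping` at this site is not touched by the commit, so if it does not already include `DocumentType` and `DocumentCategory` a missing navigation throws a `NullReferenceException` and the request fails with a 500 instead of reaching the 403 below. Using `?.` is safe here because a null `EntityTypeId` matches neither branch and leaves `hasViewPermission` false. Hoisting the expression once, `var entityTypeId = versionMapping.ChildAttachment.DocumentType?.DocumentCategory?.EntityTypeId;`, and comparing against that in both branches keeps this hunk in line with the one at old line 445. The enclosing method begins before this hunk.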
@@ -445,9 +466,18 @@ namespace Marco.Pms.Services.Controllers
 .ToListAsync();
 
 var entityId = versionMappings.Select(av => av.ChildAttachment?.EntityId).FirstOrDefault();
+ var entityTypeId = versionMappings.Select(av => av.ChildAttachment?.DocumentType?.DocumentCategory?.EntityTypeId).FirstOrDefault();
 
 // Check global permission
- var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+ var hasViewPermission = false;
+ if (ProjectEntity == entityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, entityId);
+ }
+ else if (EmployeeEntity == entityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+ }
 if (!hasViewPermission && loggedInEmployee.Id != entityId)
 {
 _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId ?? Guid.Empty);
@@ -507,6 +537,9 @@ namespace Marco.Pms.Services.Controllers
 // Retrieve version mapping including the child attachment and its document
 .Include(av => av.ChildAttachment)
 .ThenInclude(da => da!.Document)
+ .Include(av => av.ChildAttachment)
+ .ThenInclude(da => da!.DocumentType)
+ .ThenInclude(dt => dt!.DocumentCategory)
 .FirstOrDefaultAsync(av => av.ChildAttachmentId == id);
 
 if (versionMapping == null || versionMapping.ChildAttachment == null || versionMapping.ChildAttachment.Document == null)
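Review bot: `entityTypeId` and `entityId` are both taken from the first element of `versionMappings` via `FirstOrDefault()`, so when the list is empty both are null: `hasViewPermission` stays false, `loggedInEmployee.Id != entityId` is true, and the request ends in the access-denied path logging `Guid.Empty` rather than reporting that nothing was found. Returning not-found before the permission block, e.g. `if (versionMappings.Count == 0) { return NotFound(ApiResponse.ErrorResponse("Version not found", "Version not found in database", 404)); }` (the same message the hunk at old line 516 uses), keeps the warning log meaningful. The check also still assumes every mapping in the list shares one entity and entity type, which the first-element lookup does not verify; a one-line comment stating that assumption would help the next reader. The enclosing method starts before this hunk.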
@@ -516,7 +549,16 @@ namespace Marco.Pms.Services.Controllers
 return NotFound(ApiResponse.ErrorResponse("Version not found", "Version not found in database", 404));
 }
 var _permission = scope.ServiceProvider.GetRequiredService();
- var hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id);
+ var hasDownloadPermission = false;
+ if (ProjectEntity == versionMapping.ChildAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id, versionMapping.ChildAttachment.EntityId);
+ }
+ else if (EmployeeEntity == versionMapping.ChildAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id);
+ }
+
 if (!hasDownloadPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId)
 {
 _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId} for downloading",
@@ -597,16 +639,6 @@ namespace Marco.Pms.Services.Controllers
 // Get logged in user
 var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
 
- // Permission check
- var permissionService = scope.ServiceProvider.GetRequiredService();
- var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
-
- if (!hasUploadPermission && loggedInEmployee.Id != model.EntityId)
- {
- _logger.LogWarning("Access Denied. User {UserId} tried to upload document for {EntityId}", loggedInEmployee.Id, model.EntityId);
- return StatusCode(403, ApiResponse.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
- }
-
 // Validate Document Type
 var documentType = await _context.DocumentTypeMasters
 .Include(dt => dt.DocumentCategory)
@@ -618,6 +650,24 @@ namespace Marco.Pms.Services.Controllers
 return NotFound(ApiResponse.ErrorResponse("Document Type not found", "Document Type not found in database", 404));
 }
 
+ // Permission check
+ var _permission = scope.ServiceProvider.GetRequiredService();
+ var hasUploadPermission = false;
+ if (ProjectEntity == documentType.DocumentCategory?.EntityTypeId)
+ {
+ hasUploadPermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id, model.EntityId);
+ }
+ else if (EmployeeEntity == documentType.DocumentCategory?.EntityTypeId)
+ {
+ hasUploadPermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
+ }
+
+ if (!hasUploadPermission && loggedInEmployee.Id != model.EntityId)
+ {
+ _logger.LogWarning("Access Denied. User {UserId} tried to upload document for {EntityId}", loggedInEmployee.Id, model.EntityId);
+ return StatusCode(403, ApiResponse.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
+ }
+
 // Document ID validation
 if (documentType.IsMandatory && string.IsNullOrWhiteSpace(model.DocumentId))
 {
@@ -817,6 +867,8 @@ namespace Marco.Pms.Services.Controllers
 
 // Fetch active/current document by Id, TenantId, and relevant conditions
 var documentAttachment = await _context.DocumentAttachments
+ .Include(da => da.DocumentType)
+ .ThenInclude(dt => dt!.DocumentCategory)
 .FirstOrDefaultAsync(da => da.Id == id && da.IsActive && da.IsCurrentVersion && da.TenantId == tenantId);
 
 if (documentAttachment == null)
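Review bot: The new local `_permission` here, and likewise in the hunks at old lines 826 and 906, uses the underscore prefix that this file otherwise uses for injected members (`_logger`, `_context`, and a `_permission` that the hunks at 68, 280, 445 and 1249 use without any local declaration, so presumably a field); the code this commit removed called the same scoped service `permissionService`. A local that mimics the field naming hides which instance a given call resolves against, so keep the old name, `var permissionService = scope.ServiceProvider.GetRequiredService...`, and use it in the branches. Separately, the upload authorization now runs after the `DocumentTypeMasters` lookup, so a caller without upload rights sees the 404 "Document Type not found" response before any 403; that ordering is forced by needing the category to pick the scope, and deserves a line above the block such as `// Authorization runs after the type lookup because the scope (project vs employee) comes from the document category`. The enclosing method starts before this hunk.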
@@ -826,9 +878,16 @@ namespace Marco.Pms.Services.Controllers
 }
 
 // Permission service: check if employee is authorized to verify documents
- var permissionService = scope.ServiceProvider.GetRequiredService();
- var hasVerifyPermission = await permissionService.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id);
-
+ var _permission = scope.ServiceProvider.GetRequiredService();
+ var hasVerifyPermission = false;
+ if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasVerifyPermission = await _permission.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id, documentAttachment.EntityId);
+ }
+ else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasVerifyPermission = await _permission.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id);
+ }
 if (!hasVerifyPermission)
 {
 _logger.LogWarning("Access denied for document verification. EmployeeId: {EmployeeId}, DocumentId: {DocumentId}", loggedInEmployee.Id, id);
@@ -891,9 +950,6 @@ namespace Marco.Pms.Services.Controllers
 // Get logged-in employee details
 var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
 
- var permissionService = scope.ServiceProvider.GetRequiredService();
- var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
-
 // Fetch the existing attachment
 var oldAttachment = await _context.DocumentAttachments
 .Include(da => da.DocumentType)
@@ -906,8 +962,19 @@ namespace Marco.Pms.Services.Controllers
 return NotFound(ApiResponse.ErrorResponse("Attachment not found", "Attachment not found in database", 404));
 }
 
+ var _permission = scope.ServiceProvider.GetRequiredService();
+ var hasUpdatePermission = false;
+ if (ProjectEntity == oldAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasUpdatePermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id, oldAttachment.EntityId);
+ }
+ else if (EmployeeEntity == oldAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasUpdatePermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
+ }
+
 // Permission check: ensure uploader is authorized
- if (!hasUploadPermission && loggedInEmployee.Id != oldAttachment.EntityId)
+ if (!hasUpdatePermission && loggedInEmployee.Id != oldAttachment.EntityId)
 {
 _logger.LogWarning("Access denied for EmployeeId: {EmployeeId}", loggedInEmployee.Id);
 return StatusCode(403, ApiResponse.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
@@ -950,7 +1017,7 @@ namespace Marco.Pms.Services.Controllers
 entityExists = await _context.Projects.AnyAsync(p => p.Id == oldAttachment.EntityId && p.TenantId == tenantId);
 if (entityExists)
 {
- entityExists = await permissionService.HasProjectPermission(loggedInEmployee, oldAttachment.EntityId);
+ entityExists = await _permission.HasProjectPermission(loggedInEmployee, oldAttachment.EntityId);
 }
 }
 else
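Review bot: The existing comment `// Permission check: ensure uploader is authorized` now sits between the new branch block and the `if`, so it describes only the final guard while the ten added lines above it carry no explanation; move it above `var _permission = ...`. The flag was renamed to `hasUpdatePermission` but is still resolved from `PermissionsMaster.UploadDocument`, which is presumably deliberate since no separate update right is visible, and that deserves a word in the same comment, e.g. `// Replacing a version is governed by the upload right, scoped to the project when the document belongs to one`. The enclosing method starts before this hunk; the hunk at old line 950, presumably in the same method, now depends on this `_permission` local being declared after the not-found return rather than at the top as the removed `permissionService` was.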
@@ -1238,6 +1305,8 @@ namespace Marco.Pms.Services.Controllers
 
 // Retrieve the document attachment matching the criteria from the database
 var documentAttachment = await _context.DocumentAttachments
+ .Include(da => da.DocumentType)
+ .ThenInclude(dt => dt!.DocumentCategory)
 .FirstOrDefaultAsync(da => da.Id == id && da.IsCurrentVersion && da.TenantId == tenantId && da.IsActive != isActive);
 
 // If the document attachment is not found, log a warning and return 404 Not Found
@@ -1249,6 +1318,15 @@ namespace Marco.Pms.Services.Controllers
 
 // Check if the logged in employee has permission to delete OR is the owner of the document attachment
 var hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);
+ var hasViewPermission = false;
+ if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, documentAttachment.EntityId);
+ }
+ else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
+ {
+ hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
+ }
 if (!hasDeletePermission && loggedInEmployee.Id != documentAttachment.EntityId)
 {
 _logger.LogWarning("Access denied for employee ID: {EmployeeId} when attempting to delete document ID: {DocumentId}", loggedInEmployee.Id, id);
diff --git a/Marco.Pms.Services/Service/ProjectServices.cs b/Marco.Pms.Services/Service/ProjectServices.cs
index ba6c580..7856993 100644
--- a/Marco.Pms.Services/Service/ProjectServices.cs
+++ b/Marco.Pms.Services/Service/ProjectServices.cs
@@ -1169,7 +1169,6 @@ namespace Marco.Pms.Services.Service } } - #endregion #region =================================================================== Project Infrastructre Manage APIs ===================================================================
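Review bot: In the hunk at old line 1249 the new `hasViewPermission` block is never read: the guard below it still tests `hasDeletePermission`, which is still resolved by the unchanged global `PermissionsMaster.DeleteDocument` call on the line above the block, so the delete endpoint is the one place in this commit whose authorization did not become project-scoped and the nine added lines are dead code. Presumably the intent was to scope the delete right the same way as the others: initialise `hasDeletePermission` to `false`, assign `hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id, documentAttachment.EntityId);` in the project branch and `hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);` in the employee branch, and drop `hasViewPermission` and the old global line. If a view right was meant as an additional gate, it has to be added to the `if` condition instead of being computed and discarded. The enclosing method starts before this hunk; the `Include` added at old line 1238 is what makes `DocumentCategory` available here.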