Intregating the project-level permissions in document controller

This commit is contained in:
ashutosh.nehete 2025-09-04 14:52:25 +05:30
parent 28caee40e3
commit d507b9ede2
2 changed files with 100 additions and 23 deletions


@ -68,7 +68,16 @@ namespace Marco.Pms.Services.Controllers
var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
// Check global permission // Check global permission
var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id); var hasViewPermission = false;
if (ProjectEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, entityId);
}
else if (EmployeeEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasViewPermission && loggedInEmployee.Id != entityId) if (!hasViewPermission && loggedInEmployee.Id != entityId)
{ {
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId); _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId);
@ -280,7 +289,16 @@ namespace Marco.Pms.Services.Controllers
} }
// Check if the logged in employee has permission to view the document OR is the owner of the attachment entity // Check if the logged in employee has permission to view the document OR is the owner of the attachment entity
var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id); var hasViewPermission = false;
if (ProjectEntity == versionMapping.ChildAttachment.DocumentType!.DocumentCategory!.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, versionMapping.ChildAttachment.EntityId);
}
else if (EmployeeEntity == versionMapping.ChildAttachment.DocumentType!.DocumentCategory!.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasViewPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId) if (!hasViewPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId)
{ {
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}",
@ -422,6 +440,9 @@ namespace Marco.Pms.Services.Controllers
// Retrieve all version mappings linked to the parent attachment and tenant // Retrieve all version mappings linked to the parent attachment and tenant
var versionMappingsQuery = _context.AttachmentVersionMappings var versionMappingsQuery = _context.AttachmentVersionMappings
.Include(av => av.ChildAttachment)
.ThenInclude(da => da!.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.Include(av => av.ChildAttachment) .Include(av => av.ChildAttachment)
.ThenInclude(da => da!.UploadedBy) .ThenInclude(da => da!.UploadedBy)
.ThenInclude(e => e!.JobRole) .ThenInclude(e => e!.JobRole)
@ -445,9 +466,18 @@ namespace Marco.Pms.Services.Controllers
.ToListAsync(); .ToListAsync();
var entityId = versionMappings.Select(av => av.ChildAttachment?.EntityId).FirstOrDefault(); var entityId = versionMappings.Select(av => av.ChildAttachment?.EntityId).FirstOrDefault();
var entityTypeId = versionMappings.Select(av => av.ChildAttachment?.DocumentType?.DocumentCategory?.EntityTypeId).FirstOrDefault();
// Check global permission // Check global permission
var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id); var hasViewPermission = false;
if (ProjectEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, entityId);
}
else if (EmployeeEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasViewPermission && loggedInEmployee.Id != entityId) if (!hasViewPermission && loggedInEmployee.Id != entityId)
{ {
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId ?? Guid.Empty); _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId ?? Guid.Empty);
@ -507,6 +537,9 @@ namespace Marco.Pms.Services.Controllers
// Retrieve version mapping including the child attachment and its document // Retrieve version mapping including the child attachment and its document
.Include(av => av.ChildAttachment) .Include(av => av.ChildAttachment)
.ThenInclude(da => da!.Document) .ThenInclude(da => da!.Document)
.Include(av => av.ChildAttachment)
.ThenInclude(da => da!.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.FirstOrDefaultAsync(av => av.ChildAttachmentId == id); .FirstOrDefaultAsync(av => av.ChildAttachmentId == id);
if (versionMapping == null || versionMapping.ChildAttachment == null || versionMapping.ChildAttachment.Document == null) if (versionMapping == null || versionMapping.ChildAttachment == null || versionMapping.ChildAttachment.Document == null)
@ -516,7 +549,16 @@ namespace Marco.Pms.Services.Controllers
return NotFound(ApiResponse<object>.ErrorResponse("Version not found", "Version not found in database", 404)); return NotFound(ApiResponse<object>.ErrorResponse("Version not found", "Version not found in database", 404));
} }
var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>(); var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id); var hasDownloadPermission = false;
if (ProjectEntity == versionMapping.ChildAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id, versionMapping.ChildAttachment.EntityId);
}
else if (EmployeeEntity == versionMapping.ChildAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id);
}
if (!hasDownloadPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId) if (!hasDownloadPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId)
{ {
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId} for downloading", _logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId} for downloading",
@ -597,16 +639,6 @@ namespace Marco.Pms.Services.Controllers
// Get logged in user // Get logged in user
var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
// Permission check
var permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
if (!hasUploadPermission && loggedInEmployee.Id != model.EntityId)
{
_logger.LogWarning("Access Denied. User {UserId} tried to upload document for {EntityId}", loggedInEmployee.Id, model.EntityId);
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
}
// Validate Document Type // Validate Document Type
var documentType = await _context.DocumentTypeMasters var documentType = await _context.DocumentTypeMasters
.Include(dt => dt.DocumentCategory) .Include(dt => dt.DocumentCategory)
@ -618,6 +650,24 @@ namespace Marco.Pms.Services.Controllers
return NotFound(ApiResponse<object>.ErrorResponse("Document Type not found", "Document Type not found in database", 404)); return NotFound(ApiResponse<object>.ErrorResponse("Document Type not found", "Document Type not found in database", 404));
} }
// Permission check
var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUploadPermission = false;
if (ProjectEntity == documentType.DocumentCategory?.EntityTypeId)
{
hasUploadPermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id, model.EntityId);
}
else if (EmployeeEntity == documentType.DocumentCategory?.EntityTypeId)
{
hasUploadPermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
}
if (!hasUploadPermission && loggedInEmployee.Id != model.EntityId)
{
_logger.LogWarning("Access Denied. User {UserId} tried to upload document for {EntityId}", loggedInEmployee.Id, model.EntityId);
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
}
// Document ID validation // Document ID validation
if (documentType.IsMandatory && string.IsNullOrWhiteSpace(model.DocumentId)) if (documentType.IsMandatory && string.IsNullOrWhiteSpace(model.DocumentId))
{ {
@ -817,6 +867,8 @@ namespace Marco.Pms.Services.Controllers
// Fetch active/current document by Id, TenantId, and relevant conditions // Fetch active/current document by Id, TenantId, and relevant conditions
var documentAttachment = await _context.DocumentAttachments var documentAttachment = await _context.DocumentAttachments
.Include(da => da.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.FirstOrDefaultAsync(da => da.Id == id && da.IsActive && da.IsCurrentVersion && da.TenantId == tenantId); .FirstOrDefaultAsync(da => da.Id == id && da.IsActive && da.IsCurrentVersion && da.TenantId == tenantId);
if (documentAttachment == null) if (documentAttachment == null)
@ -826,9 +878,16 @@ namespace Marco.Pms.Services.Controllers
} }
// Permission service: check if employee is authorized to verify documents // Permission service: check if employee is authorized to verify documents
var permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>(); var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasVerifyPermission = await permissionService.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id); var hasVerifyPermission = false;
if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasVerifyPermission = await _permission.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id, documentAttachment.EntityId);
}
else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasVerifyPermission = await _permission.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id);
}
if (!hasVerifyPermission) if (!hasVerifyPermission)
{ {
_logger.LogWarning("Access denied for document verification. EmployeeId: {EmployeeId}, DocumentId: {DocumentId}", loggedInEmployee.Id, id); _logger.LogWarning("Access denied for document verification. EmployeeId: {EmployeeId}, DocumentId: {DocumentId}", loggedInEmployee.Id, id);
@ -891,9 +950,6 @@ namespace Marco.Pms.Services.Controllers
// Get logged-in employee details // Get logged-in employee details
var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
var permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
// Fetch the existing attachment // Fetch the existing attachment
var oldAttachment = await _context.DocumentAttachments var oldAttachment = await _context.DocumentAttachments
.Include(da => da.DocumentType) .Include(da => da.DocumentType)
@ -906,8 +962,19 @@ namespace Marco.Pms.Services.Controllers
return NotFound(ApiResponse<object>.ErrorResponse("Attachment not found", "Attachment not found in database", 404)); return NotFound(ApiResponse<object>.ErrorResponse("Attachment not found", "Attachment not found in database", 404));
} }
var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUpdatePermission = false;
if (ProjectEntity == oldAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasUpdatePermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id, oldAttachment.EntityId);
}
else if (EmployeeEntity == oldAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasUpdatePermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
}
// Permission check: ensure uploader is authorized // Permission check: ensure uploader is authorized
if (!hasUploadPermission && loggedInEmployee.Id != oldAttachment.EntityId) if (!hasUpdatePermission && loggedInEmployee.Id != oldAttachment.EntityId)
{ {
_logger.LogWarning("Access denied for EmployeeId: {EmployeeId}", loggedInEmployee.Id); _logger.LogWarning("Access denied for EmployeeId: {EmployeeId}", loggedInEmployee.Id);
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403)); return StatusCode(403, ApiResponse<object>.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
@ -950,7 +1017,7 @@ namespace Marco.Pms.Services.Controllers
entityExists = await _context.Projects.AnyAsync(p => p.Id == oldAttachment.EntityId && p.TenantId == tenantId); entityExists = await _context.Projects.AnyAsync(p => p.Id == oldAttachment.EntityId && p.TenantId == tenantId);
if (entityExists) if (entityExists)
{ {
entityExists = await permissionService.HasProjectPermission(loggedInEmployee, oldAttachment.EntityId); entityExists = await _permission.HasProjectPermission(loggedInEmployee, oldAttachment.EntityId);
} }
} }
else else
@ -1238,6 +1305,8 @@ namespace Marco.Pms.Services.Controllers
// Retrieve the document attachment matching the criteria from the database // Retrieve the document attachment matching the criteria from the database
var documentAttachment = await _context.DocumentAttachments var documentAttachment = await _context.DocumentAttachments
.Include(da => da.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.FirstOrDefaultAsync(da => da.Id == id && da.IsCurrentVersion && da.TenantId == tenantId && da.IsActive != isActive); .FirstOrDefaultAsync(da => da.Id == id && da.IsCurrentVersion && da.TenantId == tenantId && da.IsActive != isActive);
// If the document attachment is not found, log a warning and return 404 Not Found // If the document attachment is not found, log a warning and return 404 Not Found
@ -1249,6 +1318,15 @@ namespace Marco.Pms.Services.Controllers
// Check if the logged in employee has permission to delete OR is the owner of the document attachment // Check if the logged in employee has permission to delete OR is the owner of the document attachment
var hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id); var hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);
var hasViewPermission = false;
if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, documentAttachment.EntityId);
}
else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasDeletePermission && loggedInEmployee.Id != documentAttachment.EntityId) if (!hasDeletePermission && loggedInEmployee.Id != documentAttachment.EntityId)
{ {
_logger.LogWarning("Access denied for employee ID: {EmployeeId} when attempting to delete document ID: {DocumentId}", loggedInEmployee.Id, id); _logger.LogWarning("Access denied for employee ID: {EmployeeId} when attempting to delete document ID: {DocumentId}", loggedInEmployee.Id, id);
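Review bot: In the delete hunk the new project-scoped `hasViewPermission` is computed but the authorization gate that follows still consults only the unscoped `hasDeletePermission`, so unless it is consumed further down (outside this hunk) the scoped check is dead and delete remains the one endpoint whose permission is not narrowed to the project; if scoping was the intent, the delete lookup should take the same shape, e.g. `hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id, documentAttachment.EntityId);` inside the `ProjectEntity` branch. The same `= false` / `if (ProjectEntity == …)` / `else if (EmployeeEntity == …)` block is now repeated eight times in this file, which is how the delete variant already drifted; a single private helper taking the permission, the employee id, the category's `EntityTypeId` and the entity id would keep all eight on one code path and keep the fail-closed default (any other entity type yields `false`) in one place. In the upload and update hunks the permission check now runs after the `DocumentTypeMasters` / `DocumentAttachments` lookup because it needs `DocumentCategory.EntityTypeId`, so an unauthorised caller receives the 404 before the 403 and can observe which ids exist; that ordering is forced by the design, but it deserves a comment on the check such as `// Authorization depends on the category's entity type, so the 404 is necessarily observable before the 403.` In the versions hunk `entityId` comes from `FirstOrDefault()` over a `?.EntityId` projection and is therefore nullable, yet it is passed straight to the entity-scoped `HasPermission` overload while the log line below still applies `?? Guid.Empty` — confirm the overload accepts a null id and that a null does not resolve to an unintended permission grant. The enclosing action methods all start and end outside their hunks.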


@ -1169,7 +1169,6 @@ namespace Marco.Pms.Services.Service
} }
} }
#endregion #endregion
#region =================================================================== Project Infrastructre Manage APIs =================================================================== #region =================================================================== Project Infrastructre Manage APIs ===================================================================