Integrating the project-level permissions in document controller

This commit is contained in:
ashutosh.nehete 2025-09-04 14:52:25 +05:30
parent 28caee40e3
commit d507b9ede2
2 changed files with 100 additions and 23 deletions


@ -68,7 +68,16 @@ namespace Marco.Pms.Services.Controllers
var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
// Check global permission
var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
var hasViewPermission = false;
if (ProjectEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, entityId);
}
else if (EmployeeEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasViewPermission && loggedInEmployee.Id != entityId)
{
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId);
@ -280,7 +289,16 @@ namespace Marco.Pms.Services.Controllers
}
// Check if the logged in employee has permission to view the document OR is the owner of the attachment entity
var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
var hasViewPermission = false;
if (ProjectEntity == versionMapping.ChildAttachment.DocumentType!.DocumentCategory!.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, versionMapping.ChildAttachment.EntityId);
}
else if (EmployeeEntity == versionMapping.ChildAttachment.DocumentType!.DocumentCategory!.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasViewPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId)
{
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}",
@ -422,6 +440,9 @@ namespace Marco.Pms.Services.Controllers
// Retrieve all version mappings linked to the parent attachment and tenant
var versionMappingsQuery = _context.AttachmentVersionMappings
.Include(av => av.ChildAttachment)
.ThenInclude(da => da!.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.Include(av => av.ChildAttachment)
.ThenInclude(da => da!.UploadedBy)
.ThenInclude(e => e!.JobRole)
@ -445,9 +466,18 @@ namespace Marco.Pms.Services.Controllers
.ToListAsync();
var entityId = versionMappings.Select(av => av.ChildAttachment?.EntityId).FirstOrDefault();
var entityTypeId = versionMappings.Select(av => av.ChildAttachment?.DocumentType?.DocumentCategory?.EntityTypeId).FirstOrDefault();
// Check global permission
var hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
var hasViewPermission = false;
if (ProjectEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, entityId);
}
else if (EmployeeEntity == entityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasViewPermission && loggedInEmployee.Id != entityId)
{
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId}", loggedInEmployee.Id, entityId ?? Guid.Empty);
@ -507,6 +537,9 @@ namespace Marco.Pms.Services.Controllers
// Retrieve version mapping including the child attachment and its document
.Include(av => av.ChildAttachment)
.ThenInclude(da => da!.Document)
.Include(av => av.ChildAttachment)
.ThenInclude(da => da!.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.FirstOrDefaultAsync(av => av.ChildAttachmentId == id);
if (versionMapping == null || versionMapping.ChildAttachment == null || versionMapping.ChildAttachment.Document == null)
@ -516,7 +549,16 @@ namespace Marco.Pms.Services.Controllers
return NotFound(ApiResponse<object>.ErrorResponse("Version not found", "Version not found in database", 404));
}
var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id);
var hasDownloadPermission = false;
if (ProjectEntity == versionMapping.ChildAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id, versionMapping.ChildAttachment.EntityId);
}
else if (EmployeeEntity == versionMapping.ChildAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasDownloadPermission = await _permission.HasPermission(PermissionsMaster.DownloadDocument, loggedInEmployee.Id);
}
if (!hasDownloadPermission && loggedInEmployee.Id != versionMapping.ChildAttachment.EntityId)
{
_logger.LogWarning("Access Denied for Employee {EmployeeId} on EntityId {EntityId} for downloading",
@ -597,16 +639,6 @@ namespace Marco.Pms.Services.Controllers
// Get logged in user
var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
// Permission check
var permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
if (!hasUploadPermission && loggedInEmployee.Id != model.EntityId)
{
_logger.LogWarning("Access Denied. User {UserId} tried to upload document for {EntityId}", loggedInEmployee.Id, model.EntityId);
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
}
// Validate Document Type
var documentType = await _context.DocumentTypeMasters
.Include(dt => dt.DocumentCategory)
@ -618,6 +650,24 @@ namespace Marco.Pms.Services.Controllers
return NotFound(ApiResponse<object>.ErrorResponse("Document Type not found", "Document Type not found in database", 404));
}
// Permission check
var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUploadPermission = false;
if (ProjectEntity == documentType.DocumentCategory?.EntityTypeId)
{
hasUploadPermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id, model.EntityId);
}
else if (EmployeeEntity == documentType.DocumentCategory?.EntityTypeId)
{
hasUploadPermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
}
if (!hasUploadPermission && loggedInEmployee.Id != model.EntityId)
{
_logger.LogWarning("Access Denied. User {UserId} tried to upload document for {EntityId}", loggedInEmployee.Id, model.EntityId);
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
}
// Document ID validation
if (documentType.IsMandatory && string.IsNullOrWhiteSpace(model.DocumentId))
{
@ -817,6 +867,8 @@ namespace Marco.Pms.Services.Controllers
// Fetch active/current document by Id, TenantId, and relevant conditions
var documentAttachment = await _context.DocumentAttachments
.Include(da => da.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.FirstOrDefaultAsync(da => da.Id == id && da.IsActive && da.IsCurrentVersion && da.TenantId == tenantId);
if (documentAttachment == null)
@ -826,9 +878,16 @@ namespace Marco.Pms.Services.Controllers
}
// Permission service: check if employee is authorized to verify documents
var permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasVerifyPermission = await permissionService.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id);
var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasVerifyPermission = false;
if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasVerifyPermission = await _permission.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id, documentAttachment.EntityId);
}
else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasVerifyPermission = await _permission.HasPermission(PermissionsMaster.VerifyDocument, loggedInEmployee.Id);
}
if (!hasVerifyPermission)
{
_logger.LogWarning("Access denied for document verification. EmployeeId: {EmployeeId}, DocumentId: {DocumentId}", loggedInEmployee.Id, id);
@ -891,9 +950,6 @@ namespace Marco.Pms.Services.Controllers
// Get logged-in employee details
var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
var permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
// Fetch the existing attachment
var oldAttachment = await _context.DocumentAttachments
.Include(da => da.DocumentType)
@ -906,8 +962,19 @@ namespace Marco.Pms.Services.Controllers
return NotFound(ApiResponse<object>.ErrorResponse("Attachment not found", "Attachment not found in database", 404));
}
var _permission = scope.ServiceProvider.GetRequiredService<PermissionServices>();
var hasUpdatePermission = false;
if (ProjectEntity == oldAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasUpdatePermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id, oldAttachment.EntityId);
}
else if (EmployeeEntity == oldAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasUpdatePermission = await _permission.HasPermission(PermissionsMaster.UploadDocument, loggedInEmployee.Id);
}
// Permission check: ensure uploader is authorized
if (!hasUploadPermission && loggedInEmployee.Id != oldAttachment.EntityId)
if (!hasUpdatePermission && loggedInEmployee.Id != oldAttachment.EntityId)
{
_logger.LogWarning("Access denied for EmployeeId: {EmployeeId}", loggedInEmployee.Id);
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access Denied.", "You do not have permission to upload this document", 403));
@ -950,7 +1017,7 @@ namespace Marco.Pms.Services.Controllers
entityExists = await _context.Projects.AnyAsync(p => p.Id == oldAttachment.EntityId && p.TenantId == tenantId);
if (entityExists)
{
entityExists = await permissionService.HasProjectPermission(loggedInEmployee, oldAttachment.EntityId);
entityExists = await _permission.HasProjectPermission(loggedInEmployee, oldAttachment.EntityId);
}
}
else
@ -1238,6 +1305,8 @@ namespace Marco.Pms.Services.Controllers
// Retrieve the document attachment matching the criteria from the database
var documentAttachment = await _context.DocumentAttachments
.Include(da => da.DocumentType)
.ThenInclude(dt => dt!.DocumentCategory)
.FirstOrDefaultAsync(da => da.Id == id && da.IsCurrentVersion && da.TenantId == tenantId && da.IsActive != isActive);
// If the document attachment is not found, log a warning and return 404 Not Found
@ -1249,6 +1318,15 @@ namespace Marco.Pms.Services.Controllers
// Check if the logged in employee has permission to delete OR is the owner of the document attachment
var hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);
var hasViewPermission = false;
if (ProjectEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id, documentAttachment.EntityId);
}
else if (EmployeeEntity == documentAttachment.DocumentType?.DocumentCategory?.EntityTypeId)
{
hasViewPermission = await _permission.HasPermission(PermissionsMaster.ViewDocument, loggedInEmployee.Id);
}
if (!hasDeletePermission && loggedInEmployee.Id != documentAttachment.EntityId)
{
_logger.LogWarning("Access denied for employee ID: {EmployeeId} when attempting to delete document ID: {DocumentId}", loggedInEmployee.Id, id);
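Review bot: In the last hunk (`@ -1249,6 +1318,15`, the delete/restore endpoint) the new project-scoped check is written into `hasViewPermission` but never read — the gate `if (!hasDeletePermission && loggedInEmployee.Id != documentAttachment.EntityId)` still tests `hasDeletePermission`, which the hunk counts (6 old / 15 new lines with nine added lines visible) indicate is the retained tenant-wide `HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id)` call just above it. If that reading is right, a holder of the global DeleteDocument permission can still soft-delete project documents without any project-level check, which is exactly the behaviour every other endpoint in this commit moves away from, and the unused variable also asks for `ViewDocument` rather than `DeleteDocument`. I would drop the unconditional `hasDeletePermission` assignment, rename the new variable to `hasDeletePermission`, and request the delete permission in both branches: `hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id, documentAttachment.EntityId);` for the project branch and `hasDeletePermission = await _permission.HasPermission(PermissionsMaster.DeleteDocument, loggedInEmployee.Id);` for the employee branch. The tail of this hunk and the enclosing method lie outside the visible lines.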


@ -1169,7 +1169,6 @@ namespace Marco.Pms.Services.Service
}
}
#endregion
#region =================================================================== Project Infrastructre Manage APIs ===================================================================