diff --git a/Marco.Pms.Services/Controllers/ProjectController.cs b/Marco.Pms.Services/Controllers/ProjectController.cs index eb3619c..f5aa8f8 100644 --- a/Marco.Pms.Services/Controllers/ProjectController.cs +++ b/Marco.Pms.Services/Controllers/ProjectController.cs @@ -470,6 +470,13 @@ namespace MarcoBMS.Services.Controllers var response = await _projectServices.GetAssignedProjectLevelPermissionAsync(employeeId, projectId, tenantId, loggedInEmployee); return StatusCode(response.StatusCode, response); } + [HttpGet("get/all/project-level-permission/{projectId}")] + public async Task GetAllPermissionFroProject(Guid projectId) + { + Employee loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); + var response = await _projectServices.GetAllPermissionFroProjectAsync(projectId, loggedInEmployee, tenantId); + return StatusCode(response.StatusCode, response); + } [HttpGet("get/proejct-level/modules")] public async Task AssignProjectLevelModules() { diff --git a/Marco.Pms.Services/Service/PermissionServices.cs b/Marco.Pms.Services/Service/PermissionServices.cs index d56c8bf..979c06d 100644 --- a/Marco.Pms.Services/Service/PermissionServices.cs +++ b/Marco.Pms.Services/Service/PermissionServices.cs @@ -88,7 +88,6 @@ namespace Marco.Pms.Services.Service { Guid.Parse("53176ebf-c75d-42e5-839f-4508ffac3def"), Guid.Parse("9d4b5489-2079-40b9-bd77-6e1bf90bc19f"), - Guid.Parse("81ab8a87-8ccd-4015-a917-0627cee6a100"), Guid.Parse("52c9cf54-1eb2-44d2-81bb-524cf29c0a94"), Guid.Parse("a8cf4331-8f04-4961-8360-a3f7c3cc7462") }; diff --git a/Marco.Pms.Services/Service/ProjectServices.cs b/Marco.Pms.Services/Service/ProjectServices.cs index 7856993..6124bba 100644 --- a/Marco.Pms.Services/Service/ProjectServices.cs +++ b/Marco.Pms.Services/Service/ProjectServices.cs @@ -16,6 +16,7 @@ using Marco.Pms.Model.ViewModels.Master; using Marco.Pms.Model.ViewModels.Projects; using Marco.Pms.Services.Helpers; using Marco.Pms.Services.Service.ServiceInterfaces; +using MarcoBMS.Services.Helpers; using MarcoBMS.Services.Service; using Microsoft.CodeAnalysis; using Microsoft.EntityFrameworkCore; @@ -28,26 +29,23 @@ namespace Marco.Pms.Services.Service private readonly IDbContextFactory _dbContextFactory; private readonly ApplicationDbContext _context; // Keeping this for direct scoped context use where appropriate private readonly ILoggingService _logger; - private readonly PermissionServices _permission; private readonly CacheUpdateHelper _cache; private readonly IMapper _mapper; - private readonly GeneralHelper _generalHelper; + private readonly IServiceScopeFactory _serviceScopeFactory; public ProjectServices( IDbContextFactory dbContextFactory, ApplicationDbContext context, ILoggingService logger, - PermissionServices permission, + IServiceScopeFactory serviceScopeFactory, CacheUpdateHelper cache, - IMapper mapper, - GeneralHelper generalHelper) + IMapper mapper) { _dbContextFactory = dbContextFactory ?? throw new ArgumentNullException(nameof(dbContextFactory)); + _serviceScopeFactory = serviceScopeFactory ?? throw new ArgumentNullException(nameof(serviceScopeFactory)); _context = context ?? throw new ArgumentNullException(nameof(context)); _logger = logger ?? throw new ArgumentNullException(nameof(logger)); - _permission = permission ?? throw new ArgumentNullException(nameof(permission)); _cache = cache ?? throw new ArgumentNullException(nameof(cache)); _mapper = mapper ?? throw new ArgumentNullException(nameof(mapper)); - _generalHelper = generalHelper ?? throw new ArgumentNullException(nameof(generalHelper)); } #region =================================================================== Project Get APIs =================================================================== @@ -87,7 +85,6 @@ namespace Marco.Pms.Services.Service return ApiResponse.ErrorResponse("An internal server error occurred. Please try again later.", null, 500); } } - public async Task> GetAllProjectsAsync(Guid tenantId, Employee loggedInEmployee) { try @@ -146,11 +143,12 @@ namespace Marco.Pms.Services.Service return ApiResponse.ErrorResponse("An internal server error occurred. Please try again later.", null, 500); } } - public async Task> GetProjectAsync(Guid id, Guid tenantId, Employee loggedInEmployee) { try { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); // --- Step 1: Run independent operations in PARALLEL --- // We can check permissions and fetch data at the same time to reduce latency. var permissionTask = _permission.HasProjectPermission(loggedInEmployee, id); @@ -190,13 +188,15 @@ namespace Marco.Pms.Services.Service return ApiResponse.ErrorResponse("An internal server error occurred.", null, 500); } } - public async Task> GetProjectDetailsAsync(Guid id, Guid tenantId, Employee loggedInEmployee) { try { _logger.LogInfo("Details requested by EmployeeId: {EmployeeId} for ProjectId: {ProjectId}", loggedInEmployee.Id, id); + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // Step 1: Check global view project permission var hasViewProjectPermission = await _permission.HasPermission(PermissionsMaster.ViewProject, loggedInEmployee.Id, id); if (!hasViewProjectPermission) @@ -252,7 +252,6 @@ namespace Marco.Pms.Services.Service return ApiResponse.ErrorResponse("An internal server error occurred. Please try again later.", null, 500); } } - public async Task> GetProjectDetailsOldAsync(Guid id, Guid tenantId, Employee loggedInEmployee) { var project = await _context.Projects @@ -401,6 +400,8 @@ namespace Marco.Pms.Services.Service { try { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); // --- Step 1: Fetch the Existing Entity from the Database --- // This is crucial to avoid the data loss bug. We only want to modify an existing record. var existingProject = await _context.Projects @@ -489,6 +490,9 @@ namespace Marco.Pms.Services.Service try { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // --- CRITICAL: Security Check --- // Before fetching data, you MUST verify the user has permission to see it. // This is a placeholder for your actual permission logic. @@ -559,6 +563,9 @@ namespace Marco.Pms.Services.Service try { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // --- Step 2: Security and Existence Checks --- // Before fetching data, you MUST verify the user has permission to see it. // This is a placeholder for your actual permission logic. @@ -627,6 +634,9 @@ namespace Marco.Pms.Services.Service _logger.LogInfo("Starting to manage {AllocationCount} allocations for user {UserId}.", allocationsDto.Count, loggedInEmployee.Id); + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // --- (Placeholder) Security Check --- // In a real application, you would check if the loggedInEmployee has permission // to manage allocations for ALL projects involved in this batch. @@ -735,6 +745,9 @@ namespace Marco.Pms.Services.Service try { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // --- Step 2: Clarified Security Check --- // The permission should be about viewing another employee's assignments, not a generic "Manage Team". // This is a placeholder for your actual, more specific permission logic. @@ -808,6 +821,9 @@ namespace Marco.Pms.Services.Service _logger.LogInfo("Starting to manage {AllocationCount} project assignments for Employee {EmployeeId}.", allocationsDto.Count, employeeId); + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // --- (Placeholder) Security Check --- // You MUST verify that the loggedInEmployee has permission to modify the assignments for the target employeeId. var hasPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id); @@ -977,18 +993,26 @@ namespace Marco.Pms.Services.Service try { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + var _generalHelper = scope.ServiceProvider.GetRequiredService(); // --- Step 1: Run independent permission checks in PARALLEL --- var projectPermissionTask = _permission.HasProjectPermission(loggedInEmployee, projectId); var viewInfraPermissionTask = _permission.HasPermission(PermissionsMaster.ViewProjectInfra, loggedInEmployee.Id, projectId); + var manageInfraPermissionTask = _permission.HasPermission(PermissionsMaster.ManageProjectInfra, loggedInEmployee.Id, projectId); - await Task.WhenAll(projectPermissionTask, viewInfraPermissionTask); + await Task.WhenAll(projectPermissionTask, viewInfraPermissionTask, manageInfraPermissionTask); - if (!await projectPermissionTask) + var hasProjectPermission = projectPermissionTask.Result; + var hasViewInfraPermission = viewInfraPermissionTask.Result; + var hasManageInfraPermission = manageInfraPermissionTask.Result; + + if (!hasProjectPermission) { _logger.LogWarning("Project access denied for EmployeeId: {EmployeeId} on ProjectId: {ProjectId}", loggedInEmployee.Id, projectId); return ApiResponse.ErrorResponse("Access denied", "You don't have access to this project", 403); } - if (!await viewInfraPermissionTask) + if (!hasViewInfraPermission && !hasManageInfraPermission) { _logger.LogWarning("ViewInfra permission denied for EmployeeId: {EmployeeId}", loggedInEmployee.Id); return ApiResponse.ErrorResponse("Access denied", "You don't have access to view this project's infrastructure", 403); @@ -1033,6 +1057,9 @@ namespace Marco.Pms.Services.Service try { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + var _generalHelper = scope.ServiceProvider.GetRequiredService(); // --- Step 1: Cache-First Strategy --- var cachedWorkItems = await _cache.GetWorkItemDetailsByWorkArea(workAreaId); if (cachedWorkItems != null) @@ -1268,6 +1295,9 @@ namespace Marco.Pms.Services.Service { _logger.LogInfo("CreateProjectTask called with {Count} items by user {UserId}", workItemDtos?.Count ?? 0, loggedInEmployee.Id); + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // --- Step 1: Input Validation --- if (workItemDtos == null || !workItemDtos.Any()) { @@ -1382,7 +1412,6 @@ namespace Marco.Pms.Services.Service return ApiResponse>.SuccessResponse(responseList, message, 200); } - public async Task DeleteProjectTaskAsync(Guid id, Guid tenantId, Employee loggedInEmployee) { // 1. Fetch the task and its parent data in a single query. @@ -1483,6 +1512,9 @@ namespace Marco.Pms.Services.Service _logger.LogInfo("ManageProjectLevelPermissionAsync started for EmployeeId: {EmployeeId}, ProjectId: {ProjectId}, TenantId: {TenantId}", model.EmployeeId, model.ProjectId, tenantId); + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + var hasTeamPermission = await _permission.HasPermission(PermissionsMaster.ManageTeam, loggedInEmployee.Id, model.ProjectId); if (!hasTeamPermission) { @@ -1621,31 +1653,30 @@ namespace Marco.Pms.Services.Service employeeId, projectId, tenantId, loggedInEmployee.Id); // Query the database for relevant project-level permission mappings - var permissionMappings = await _context.ProjectLevelPermissionMappings - .Include(p => p.Employee) - .ThenInclude(e => e!.JobRole) - .Include(p => p.Project) - .Include(p => p.Permission) - .ThenInclude(fp => fp!.Feature) - .AsNoTracking() - .Where(p => p.EmployeeId == employeeId - && p.ProjectId == projectId - && p.TenantId == tenantId) - .ToListAsync(); - - if (permissionMappings == null || !permissionMappings.Any()) + var employeeTask = Task.Run(async () => { - _logger.LogWarning("No project-level permissions found for EmployeeId: {EmployeeId}, ProjectId: {ProjectId}, TenantId: {TenantId}", - employeeId, projectId, tenantId); - return ApiResponse.ErrorResponse("Project-Level Permissions not found", "Project-Level Permissions not found in database", 404); - } + await using var context = await _dbContextFactory.CreateDbContextAsync(); + return await context.Employees.FirstOrDefaultAsync(e => e.Id == employeeId); + }); + var projectTask = Task.Run(async () => + { + await using var context = await _dbContextFactory.CreateDbContextAsync(); + return await context.Projects.FirstOrDefaultAsync(p => p.Id == projectId && p.TenantId == tenantId); + }); + var permissionIdsTask = Task.Run(async () => + { + return await GetPermissionIdsByProject(projectId, employeeId, tenantId); + }); - // Map the employee, project, and permissions. - var employee = _mapper.Map(permissionMappings.First().Employee); - var project = _mapper.Map(permissionMappings.First().Project); - var permissions = permissionMappings - .Select(p => _mapper.Map(p.Permission)) - .ToList(); + await Task.WhenAll(employeeTask, projectTask, permissionIdsTask); + + var employee = employeeTask.Result; + var project = projectTask.Result; + var permissionIds = permissionIdsTask.Result; + + var permissions = await _context.FeaturePermissions + .Include(fp => fp.Feature) + .Where(fp => permissionIds.Contains(fp.Id)).ToListAsync(); if (employee == null) { @@ -1658,12 +1689,26 @@ namespace Marco.Pms.Services.Service return ApiResponse.ErrorResponse("Project not found", "Project not found in database", 404); } + if (permissions == null || !permissions.Any()) + { + _logger.LogWarning("No project-level permissions found for EmployeeId: {EmployeeId}, ProjectId: {ProjectId}, TenantId: {TenantId}", + employeeId, projectId, tenantId); + return ApiResponse.ErrorResponse("Project-Level Permissions not found", "Project-Level Permissions not found in database", 404); + } + + // Map the employee, project, and permissions. + var employeeVm = _mapper.Map(employee); + var projectVm = _mapper.Map(project); + var permissionVms = permissions + .Select(p => _mapper.Map(p)) + .ToList(); + // Prepare the result object. var result = new { - Employee = employee, - Project = project, - Permissions = permissions + Employee = employeeVm, + Project = projectVm, + Permissions = permissionVms }; _logger.LogInfo("Project-level permissions fetched successfully for EmployeeId: {EmployeeId}, ProjectId: {ProjectId}, TenantId: {TenantId}", @@ -1688,7 +1733,6 @@ namespace Marco.Pms.Services.Service { Guid.Parse("53176ebf-c75d-42e5-839f-4508ffac3def"), Guid.Parse("9d4b5489-2079-40b9-bd77-6e1bf90bc19f"), - Guid.Parse("81ab8a87-8ccd-4015-a917-0627cee6a100"), Guid.Parse("52c9cf54-1eb2-44d2-81bb-524cf29c0a94"), Guid.Parse("a8cf4331-8f04-4961-8360-a3f7c3cc7462") }; @@ -1768,6 +1812,11 @@ namespace Marco.Pms.Services.Service return ApiResponse.ErrorResponse("An error occurred while retrieving employees with project-level permissions.", 500); } } + public async Task> GetAllPermissionFroProjectAsync(Guid projectId, Employee loggedInEmployee, Guid tenantId) + { + var featurePermissionIds = await GetPermissionIdsByProject(projectId, loggedInEmployee.Id, tenantId); + return ApiResponse.SuccessResponse(featurePermissionIds, "Successfully featched the permission ids", 200); + } #endregion #region =================================================================== Helper Functions =================================================================== @@ -1777,13 +1826,11 @@ namespace Marco.Pms.Services.Service List alloc = await _context.Projects.Where(c => c.TenantId == tanentId).ToListAsync(); return alloc; } - public async Task> GetProjectByEmployeeID(Guid employeeId) { List alloc = await _context.ProjectAllocations.Where(c => c.EmployeeId == employeeId && c.IsActive == true).Include(c => c.Project).ToListAsync(); return alloc; } - public async Task> GetTeamByProject(Guid TenantId, Guid ProjectId, bool IncludeInactive) { if (IncludeInactive) @@ -1800,9 +1847,11 @@ namespace Marco.Pms.Services.Service return employees; } } - public async Task> GetMyProjects(Guid tenantId, Employee LoggedInEmployee) { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + var projectIds = await _cache.GetProjects(LoggedInEmployee.Id); if (projectIds == null) @@ -1826,9 +1875,11 @@ namespace Marco.Pms.Services.Service } return projectIds; } - public async Task> GetMyProjectIdsAsync(Guid tenantId, Employee loggedInEmployee) { + using var scope = _serviceScopeFactory.CreateScope(); + var _permission = scope.ServiceProvider.GetRequiredService(); + // 1. Attempt to retrieve the list of project IDs from the cache first. // This is the "happy path" and should be as fast as possible. List? projectIds = await _cache.GetProjects(loggedInEmployee.Id); @@ -1875,7 +1926,6 @@ namespace Marco.Pms.Services.Service return newProjectIds; } - /// /// Retrieves a list of ProjectInfoVMs by their IDs, using an efficient partial cache-hit strategy. /// It fetches what it can from the cache (as ProjectMongoDB), gets the rest from the @@ -1926,7 +1976,6 @@ namespace Marco.Pms.Services.Service return finalViewModels; } - private async Task GetProjectViewModel(Guid? id, Project project) { ProjectDetailsVM vm = new ProjectDetailsVM(); @@ -2076,7 +2125,6 @@ namespace Marco.Pms.Services.Service // Map from the database entity to the response ViewModel. return dbProject; } - private async Task UpdateCacheInBackground(Project project) { try @@ -2094,7 +2142,6 @@ namespace Marco.Pms.Services.Service _logger.LogError(ex, "Background cache update failed for project {ProjectId} ", project.Id); } } - private async Task UpdateCacheAndNotify(Dictionary workDelta, List affectedItems) { try @@ -2116,7 +2163,6 @@ namespace Marco.Pms.Services.Service _logger.LogError(ex, "An error occurred during background cache update/notification."); } } - private void ProcessBuilding(BuildingDto dto, Guid tenantId, InfraVM responseData, List messages, ISet projectIds, List cacheTasks) { Building building = _mapper.Map(dto); @@ -2139,7 +2185,6 @@ namespace Marco.Pms.Services.Service responseData.building = building; projectIds.Add(building.ProjectId); } - private void ProcessFloor(FloorDto dto, Guid tenantId, InfraVM responseData, List messages, ISet projectIds, List cacheTasks, IDictionary buildings) { Floor floor = _mapper.Map(dto); @@ -2165,7 +2210,6 @@ namespace Marco.Pms.Services.Service responseData.floor = floor; if (parentBuilding != null) projectIds.Add(parentBuilding.ProjectId); } - private void ProcessWorkArea(WorkAreaDto dto, Guid tenantId, InfraVM responseData, List messages, ISet projectIds, List cacheTasks, IDictionary floors) { WorkArea workArea = _mapper.Map(dto); @@ -2192,6 +2236,62 @@ namespace Marco.Pms.Services.Service responseData.workArea = workArea; if (parentBuilding != null) projectIds.Add(parentBuilding.ProjectId); } + private async Task> GetPermissionIdsByProject(Guid projectId, Guid EmployeeId, Guid tenantId) + { + await using var context = await _dbContextFactory.CreateDbContextAsync(); + using var scope = _serviceScopeFactory.CreateScope(); + + var _rolesHelper = scope.ServiceProvider.GetRequiredService(); + // 1. Try fetching permissions from cache (fast-path lookup). + var featurePermissionIds = await _cache.GetPermissions(EmployeeId); + + // If not found in cache, fallback to database (slower). + if (featurePermissionIds == null) + { + var featurePermissions = await _rolesHelper.GetFeaturePermissionByEmployeeId(EmployeeId); + featurePermissionIds = featurePermissions.Select(fp => fp.Id).ToList(); + } + + // 2. Handle project-level permission overrides if a project is specified. + if (projectId != Guid.Empty) + { + // Fetch permissions explicitly assigned to this employee in the project. + var projectLevelPermissionIds = await context.ProjectLevelPermissionMappings + .Where(pl => pl.ProjectId == projectId && pl.EmployeeId == EmployeeId && pl.TenantId == tenantId) + .Select(pl => pl.PermissionId) + .ToListAsync(); + + if (projectLevelPermissionIds?.Any() ?? false) + { + + // Define modules where project-level overrides apply. + var projectLevelModuleIds = new HashSet + { + Guid.Parse("53176ebf-c75d-42e5-839f-4508ffac3def"), + Guid.Parse("9d4b5489-2079-40b9-bd77-6e1bf90bc19f"), + Guid.Parse("52c9cf54-1eb2-44d2-81bb-524cf29c0a94"), + Guid.Parse("a8cf4331-8f04-4961-8360-a3f7c3cc7462") + }; + + // Get all feature permissions under those modules where the user didn't have explicit project-level grants. + var allOverriddenPermissions = await context.FeaturePermissions + .Where(fp => projectLevelModuleIds.Contains(fp.FeatureId) && + !projectLevelPermissionIds.Contains(fp.Id)) + .Select(fp => fp.Id) + .ToListAsync(); + + // Apply overrides: + // - Remove global permissions overridden by project-level rules. + // - Add explicit project-level permissions. + featurePermissionIds = featurePermissionIds + .Except(allOverriddenPermissions) // Remove overridden + .Concat(projectLevelPermissionIds) // Add project-level + .Distinct() // Ensure no duplicates + .ToList(); + } + } + return featurePermissionIds; + } #endregion } diff --git a/Marco.Pms.Services/Service/ServiceInterfaces/IProjectServices.cs b/Marco.Pms.Services/Service/ServiceInterfaces/IProjectServices.cs index c95559a..4f7eb5e 100644 --- a/Marco.Pms.Services/Service/ServiceInterfaces/IProjectServices.cs +++ b/Marco.Pms.Services/Service/ServiceInterfaces/IProjectServices.cs @@ -40,6 +40,7 @@ namespace Marco.Pms.Services.Service.ServiceInterfaces Task> GetAssignedProjectLevelPermissionAsync(Guid employeeId, Guid projectId, Guid tenantId, Employee loggedInEmployee); Task> AssignProjectLevelModulesAsync(Guid tenantId, Employee loggedInEmployee); Task> GetEmployeeToWhomProjectLevelAssignedAsync(Guid projectId, Guid tenantId, Employee loggedInEmployee); + Task> GetAllPermissionFroProjectAsync(Guid projectId, Employee loggedInEmployee, Guid tenantId); } }