From eb9fc5c72a9d2310e9eb6496a6e3bcb35cb23f08 Mon Sep 17 00:00:00 2001
From: "ashutosh.nehete"
Date: Thu, 6 Nov 2025 12:34:51 +0530
Subject: [PATCH] Checking th eupload permission when creating the payment request
---
 Marco.Pms.Services/Service/ExpensesService.cs | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Marco.Pms.Services/Service/ExpensesService.cs b/Marco.Pms.Services/Service/ExpensesService.cs
index 32dc911..09b9e6e 100644
--- a/Marco.Pms.Services/Service/ExpensesService.cs
+++ b/Marco.Pms.Services/Service/ExpensesService.cs
@@ -1641,6 +1641,16 @@ namespace Marco.Pms.Services.Service
 try
 {
+ using var scope = _serviceScopeFactory.CreateScope();
+ var permissionService = scope.ServiceProvider.GetRequiredService();
+ var hasUploadPermission = await permissionService.HasPermission(PermissionsMaster.ExpenseUpload, loggedInEmployee.Id);
+
+ if (!hasUploadPermission)
+ {
+ _logger.LogWarning("Access DENIED: Employee {EmployeeId} has no permission to create payment requests.", loggedInEmployee.Id);
+ return ApiResponse.ErrorResponse("Access Denied", "You do not have permission to create any payment request.", 409);
+ }
+
 // Execute database lookups concurrently
 var expenseCategoryTask = Task.Run(async () =>
 {
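Review bot: The denial branch returns status 409 (Conflict) for what is an authorization failure; 403 Forbidden is the conventional code and is what API clients and any monitoring keyed on access-denied responses will expect, so unless 409 is the project-wide convention for denied access the line should read `return ApiResponse.ErrorResponse("Access Denied", "You do not have permission to create any payment request.", 403);`. `GetRequiredService()` appears without a type argument, which would not compile; the generic parameter was most likely stripped when the patch was rendered, but it is worth confirming the committed line carries it. Because the new check sits inside the enclosing `try`, an exception from `HasPermission` (a failed lookup, a disposed scope) lands in the catch block outside the hunk; confirm that path returns an error rather than falling through, so a permission-lookup failure fails closed instead of open. The enclosing method starts and ends outside the hunk.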