Changed status code 401 to 403
This commit is contained in:
parent
9ef7946d89
commit
f02eb32143
@ -210,121 +210,6 @@ namespace Marco.Pms.Services.Controllers
|
||||
}
|
||||
|
||||
// GET api/<TenantController>/5
|
||||
[HttpGet("details/{id}")]
|
||||
private async Task<IActionResult> GetTenantDetails(Guid id)
|
||||
{
|
||||
var loggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
|
||||
|
||||
await using var _context = await _dbContextFactory.CreateDbContextAsync();
|
||||
|
||||
var manageTenantsTask = Task.Run(async () =>
|
||||
{
|
||||
using var scope = _serviceScopeFactory.CreateScope();
|
||||
var _permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
|
||||
return await _permissionService.HasPermission(PermissionsMaster.ManageTenants, loggedInEmployee.Id);
|
||||
});
|
||||
var modifyTenantTask = Task.Run(async () =>
|
||||
{
|
||||
using var scope = _serviceScopeFactory.CreateScope();
|
||||
var _permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
|
||||
return await _permissionService.HasPermission(PermissionsMaster.ModifyTenant, loggedInEmployee.Id);
|
||||
});
|
||||
var viewTenantTask = Task.Run(async () =>
|
||||
{
|
||||
using var scope = _serviceScopeFactory.CreateScope();
|
||||
var _permissionService = scope.ServiceProvider.GetRequiredService<PermissionServices>();
|
||||
return await _permissionService.HasPermission(PermissionsMaster.ViewTenant, loggedInEmployee.Id);
|
||||
});
|
||||
|
||||
await Task.WhenAll(manageTenantsTask, modifyTenantTask, viewTenantTask);
|
||||
|
||||
var hasManageTenantsPermission = manageTenantsTask.Result;
|
||||
var hasModifyTenantPermission = modifyTenantTask.Result;
|
||||
var hasViewTenantPermission = viewTenantTask.Result;
|
||||
|
||||
if (!hasManageTenantsPermission && !hasModifyTenantPermission && !hasViewTenantPermission)
|
||||
{
|
||||
_logger.LogWarning("Permission denied: User {EmployeeId} attempted to add subscription without permission or root access.",
|
||||
loggedInEmployee.Id);
|
||||
|
||||
return StatusCode(403,
|
||||
ApiResponse<object>.ErrorResponse("Access denied",
|
||||
"User does not have the required permissions for this action.", 403));
|
||||
}
|
||||
|
||||
var tenant = await _context.Tenants
|
||||
.Include(t => t.Industry)
|
||||
.Include(t => t.TenantStatus)
|
||||
.AsNoTracking()
|
||||
.FirstOrDefaultAsync(t => t.Id == id);
|
||||
if (tenant == null)
|
||||
{
|
||||
_logger.LogWarning("Tenant {TenantId} not found in database", id);
|
||||
return NotFound(ApiResponse<object>.ErrorResponse("Tenant not found", "Tenant not found", 404));
|
||||
}
|
||||
|
||||
var employeeTask = Task.Run(async () =>
|
||||
{
|
||||
await using var _dbContext = await _dbContextFactory.CreateDbContextAsync();
|
||||
return await _dbContext.Employees.Include(e => e.ApplicationUser).AsNoTracking().Where(e => e.TenantId == tenant.Id).ToListAsync();
|
||||
});
|
||||
var createdByTask = Task.Run(async () =>
|
||||
{
|
||||
await using var _dbContext = await _dbContextFactory.CreateDbContextAsync();
|
||||
return await _dbContext.Employees.AsNoTracking().Where(e => e.Id == tenant.CreatedById).Select(e => _mapper.Map<BasicEmployeeVM>(e)).FirstOrDefaultAsync();
|
||||
});
|
||||
var planTask = Task.Run(async () =>
|
||||
{
|
||||
await using var _dbContext = await _dbContextFactory.CreateDbContextAsync();
|
||||
return await _dbContext.TenantSubscriptions
|
||||
.Include(sp => sp!.CreatedBy)
|
||||
.Include(sp => sp!.UpdatedBy)
|
||||
.Include(sp => sp!.Currency)
|
||||
.Include(ts => ts.Plan).ThenInclude(sp => sp!.Plan)
|
||||
.AsNoTracking()
|
||||
.Where(ts => ts.TenantId == tenant.Id && ts.Plan != null)
|
||||
.OrderBy(ts => ts.CreatedBy).ToListAsync();
|
||||
});
|
||||
var projectTask = Task.Run(async () =>
|
||||
{
|
||||
await using var _dbContext = await _dbContextFactory.CreateDbContextAsync();
|
||||
return await _dbContext.Projects
|
||||
.Include(p => p.ProjectStatus)
|
||||
.AsNoTracking()
|
||||
.Where(p => p.TenantId == tenant.Id)
|
||||
.ToListAsync();
|
||||
});
|
||||
|
||||
await Task.WhenAll(employeeTask, projectTask, planTask, createdByTask);
|
||||
|
||||
var employees = employeeTask.Result;
|
||||
var projects = projectTask.Result;
|
||||
var plans = planTask.Result;
|
||||
var createdBy = createdByTask.Result;
|
||||
|
||||
var activeEmployeesCount = employees.Where(e => e.IsActive).Count();
|
||||
var inActiveEmployeesCount = employees.Where(e => !e.IsActive).Count();
|
||||
|
||||
var currentPlan = plans.FirstOrDefault(ts => !ts.IsCancelled);
|
||||
var expiryDate = currentPlan?.EndDate;
|
||||
var nextBillingDate = currentPlan?.NextBillingDate;
|
||||
|
||||
var response = _mapper.Map<TenantDetailsVM>(tenant);
|
||||
response.ActiveEmployees = activeEmployeesCount;
|
||||
response.InActiveEmployees = inActiveEmployeesCount;
|
||||
response.ActiveProjects = projects.Where(p => p.ProjectStatusId == projectActiveStatus).Count();
|
||||
response.InProgressProjects = projects.Where(p => p.ProjectStatusId == projectInProgressStatus).Count();
|
||||
response.OnHoldProjects = projects.Where(p => p.ProjectStatusId == projectOnHoldStatus).Count();
|
||||
response.InActiveProjects = projects.Where(p => p.ProjectStatusId == projectInActiveStatus).Count();
|
||||
response.CompletedProjects = projects.Where(p => p.ProjectStatusId == projectCompletedStatus).Count();
|
||||
response.ExpiryDate = expiryDate;
|
||||
response.NextBillingDate = nextBillingDate;
|
||||
response.CreatedBy = createdBy;
|
||||
response.SubscriptionHistery = _mapper.Map<List<SubscriptionPlanDetailsVM>>(plans);
|
||||
|
||||
return Ok(ApiResponse<object>.SuccessResponse(response, "Tenant profile fetched successfully", 200));
|
||||
}
|
||||
|
||||
[HttpGet("details/{id}")]
|
||||
public async Task<IActionResult> GetTenantDetailsAsync(Guid id)
|
||||
{
|
||||
@ -335,7 +220,7 @@ namespace Marco.Pms.Services.Controllers
|
||||
if (loggedInEmployee == null)
|
||||
{
|
||||
_logger.LogWarning("No logged-in employee found for the request.");
|
||||
return Unauthorized(ApiResponse<object>.ErrorResponse("Unauthorized", "User must be logged in.", 401));
|
||||
return StatusCode(403, ApiResponse<object>.ErrorResponse("Unauthorized", "User must be logged in.", 403));
|
||||
}
|
||||
|
||||
// Check permissions using a single service scope to avoid overhead
|
||||
@ -485,7 +370,7 @@ namespace Marco.Pms.Services.Controllers
|
||||
if (loggedInEmployee == null)
|
||||
{
|
||||
// This case should ideally be handled by an [Authorize] attribute, but it's good practice to double-check.
|
||||
return Unauthorized(ApiResponse<object>.ErrorResponse("Authentication required", "User is not logged in.", 401));
|
||||
return StatusCode(403, ApiResponse<object>.ErrorResponse("Authentication required", "User is not logged in.", 403));
|
||||
}
|
||||
|
||||
var hasPermission = await _permissionService.HasPermission(PermissionsMaster.ManageTenants, loggedInEmployee.Id);
|
||||
@ -729,7 +614,7 @@ namespace Marco.Pms.Services.Controllers
|
||||
if (loggedInEmployee == null)
|
||||
{
|
||||
_logger.LogWarning("No logged-in employee found.");
|
||||
return Unauthorized(ApiResponse<object>.ErrorResponse("Unauthorized", "User must be logged in.", 401));
|
||||
return StatusCode(403, ApiResponse<object>.ErrorResponse("Unauthorized", "User must be logged in.", 403));
|
||||
}
|
||||
|
||||
await using var _context = await _dbContextFactory.CreateDbContextAsync();
|
||||
|
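Review bot: The three "no logged-in employee" branches (the new lines after `if (loggedInEmployee == null)` in the 335, 485 and 729 hunks) now return 403 while their bodies still say "Unauthorized" / "User must be logged in.", which is the 401 condition: 401 means the request carried no valid credentials, 403 means the caller is known and refused. Clients that trigger a re-login or token refresh on 401 will no longer do so, and the status and message now disagree, so the choice should be made explicit rather than mixed. If `GetCurrentEmployeeAsync()` can only return null for an authenticated principal with no employee record (the comment in the 485 hunk hints the endpoints are already behind `[Authorize]`, which I cannot confirm from here), keep 403 but change the wording, e.g. `return StatusCode(403, ApiResponse<object>.ErrorResponse("Forbidden", "No employee record is associated with the authenticated user.", 403));`; otherwise `Unauthorized(...)` with code 401 is the correct response. Either way the same fix applies to all three hunks, and a one-line comment above each stating which case the null represents would keep the next change from drifting again. Each enclosing action method begins and ends outside its hunk.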