admin/marco.pms.api
1
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity

Enhancement #376: Update "Get Contact by Bucket ID" API to Enforce Feature Permissions

Browse Source
This commit is contained in:
ashutosh.nehete 2025-05-27 12:27:04 +05:30
parent 54ea82b984
commit fb2648ba17
1 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Marco.Pms.Services/Helpers/DirectoryHelper.cs
View File

@ -188,12 +188,37 @@ namespace Marco.Pms.Services.Helpers
var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync(); var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
if (id != Guid.Empty) if (id != Guid.Empty)
{ {
EmployeeBucketMapping? employeeBucket = await _context.EmployeeBucketMappings.FirstOrDefaultAsync(em => em.BucketId == id && em.EmployeeId == LoggedInEmployee.Id); Bucket? bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == id && b.TenantId == tenantId);
if (bucket == null)
{
_logger.LogInfo("Employee ID {EmployeeId} attempted access to bucket ID {BucketId}, but not found in database", LoggedInEmployee.Id);
return ApiResponse<object>.ErrorResponse("Bucket not found", "Bucket not found", 404);
}
List<EmployeeBucketMapping>? employeeBuckets = await _context.EmployeeBucketMappings.Where(em => em.BucketId == id).ToListAsync();
var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync();
var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync();
EmployeeBucketMapping? employeeBucket = null;
if (permissionIds.Contains(directoryAdmin))
{
employeeBucket = employeeBuckets.FirstOrDefault();
}
else if (permissionIds.Contains(directoryManager) || permissionIds.Contains(directoryUser))
{
employeeBucket = employeeBuckets.FirstOrDefault(eb => eb.EmployeeId == LoggedInEmployee.Id);
}
else
{
_logger.LogError("Employee {EmployeeId} attemped to access a contacts with in bucket {BucketId}, but do not have permission", LoggedInEmployee.Id, id);
return ApiResponse<object>.ErrorResponse("You don't have permission", "You don't have permission", 401);
}
if (employeeBucket == null) if (employeeBucket == null)
{ {
_logger.LogInfo("Employee ID {EmployeeId} does not have access to bucket ID {BucketId}", LoggedInEmployee.Id); _logger.LogInfo("Employee ID {EmployeeId} does not have access to bucket ID {BucketId}", LoggedInEmployee.Id);
return ApiResponse<object>.ErrorResponse("You do not have access to this bucket.", "You do not have access to this bucket.", 401); return ApiResponse<object>.ErrorResponse("You do not have access to this bucket.", "You do not have access to this bucket.", 401);
} }
List<ContactBucketMapping> contactBucket = await _context.ContactBucketMappings.Where(cb => cb.BucketId == id).ToListAsync() ?? new List<ContactBucketMapping>(); List<ContactBucketMapping> contactBucket = await _context.ContactBucketMappings.Where(cb => cb.BucketId == id).ToListAsync() ?? new List<ContactBucketMapping>();
List<ContactVM> contactVMs = new List<ContactVM>(); List<ContactVM> contactVMs = new List<ContactVM>();
if (contactBucket.Count > 0) if (contactBucket.Count > 0)