From fb3932fe25318ee1ceb3664ee7eb7d986bd0fcb9 Mon Sep 17 00:00:00 2001
From: "ashutosh.nehete" <ashutosh.nehete@marcoaiot.com>
Date: Tue, 27 May 2025 12:37:24 +0530
Subject: [PATCH] Enhancement #381: Update "Update Bucket" API to Enforce
 Feature

---
 .../Controllers/DirectoryController.cs        |  4 +++
 Marco.Pms.Services/Helpers/DirectoryHelper.cs | 29 ++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/Marco.Pms.Services/Controllers/DirectoryController.cs b/Marco.Pms.Services/Controllers/DirectoryController.cs
index 680a708..cfc9ed8 100644
--- a/Marco.Pms.Services/Controllers/DirectoryController.cs
+++ b/Marco.Pms.Services/Controllers/DirectoryController.cs
@@ -284,6 +284,10 @@ namespace Marco.Pms.Services.Controllers
             {
                 return NotFound(response);
             }
+            else if (response.StatusCode == 401)
+            {
+                return Unauthorized(response);
+            }
             else
             {
                 return BadRequest(response);
diff --git a/Marco.Pms.Services/Helpers/DirectoryHelper.cs b/Marco.Pms.Services/Helpers/DirectoryHelper.cs
index 2b1604d..760ae61 100644
--- a/Marco.Pms.Services/Helpers/DirectoryHelper.cs
+++ b/Marco.Pms.Services/Helpers/DirectoryHelper.cs
@@ -1088,12 +1088,39 @@ namespace Marco.Pms.Services.Helpers
             var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
             if (bucketDto != null && id == bucketDto.Id)
             {
-                var bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == bucketDto.Id && b.TenantId == tenantId);
+                var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync();
+                var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync();
+                var bucketIds = await _context.EmployeeBucketMappings.Where(eb => eb.EmployeeId == LoggedInEmployee.Id).Select(eb => eb.BucketId).ToListAsync();
+                Bucket? bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == bucketDto.Id && b.TenantId == tenantId);
+
                 if (bucket == null)
                 {
                     _logger.LogWarning("Employee ID {LoggedInEmployeeId} attempted to update a bucket but not found in database.", LoggedInEmployee.Id);
                     return ApiResponse<object>.ErrorResponse("Bucket not found", "Bucket not found", 404);
                 }
+
+                Bucket? accessableBucket = null;
+                if (permissionIds.Contains(directoryAdmin))
+                {
+                    accessableBucket = bucket;
+                }
+                else if (permissionIds.Contains(directoryManager) && bucketIds.Contains(id))
+                {
+                    accessableBucket = bucket;
+                }
+                else if (permissionIds.Contains(directoryUser))
+                {
+                    if (bucket.CreatedByID == LoggedInEmployee.Id)
+                    {
+                        accessableBucket = bucket;
+                    }
+                }
+                if (accessableBucket == null)
+                {
+                    _logger.LogError("Employee {EmployeeId} attempted to access bucket {BucketId} without the necessary permissions.", LoggedInEmployee.Id, bucket.Id);
+                    return ApiResponse<object>.ErrorResponse("You don't have permission to access this bucket", "You don't have permission to access this bucket", 401);
+                }
+
                 bucket.Name = bucketDto.Name ?? "";
                 bucket.Description = bucketDto.Description ?? "";