Tenant_Management #114
@ -258,6 +258,12 @@ namespace Marco.Pms.Services.Controllers
|
||||
return StatusCode(403,
|
||||
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
|
||||
}
|
||||
if ((hasModifyPermission || hasViewPermission) && id != loggedInEmployee.TenantId)
|
||||
{
|
||||
_logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
|
||||
return StatusCode(403,
|
||||
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
|
||||
}
|
||||
|
||||
// Create a single DbContext for main tenant fetch and related data requests
|
||||
await using var _context = await _dbContextFactory.CreateDbContextAsync();
|
||||
@ -652,7 +658,12 @@ namespace Marco.Pms.Services.Controllers
|
||||
_logger.LogWarning("Access denied: User {EmployeeId} lacks required permissions for UpdateTenant on TenantId: {TenantId}.", loggedInEmployee.Id, id);
|
||||
return StatusCode(403, ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
|
||||
}
|
||||
|
||||
if (hasModifyPermission && id != loggedInEmployee.TenantId)
|
||||
{
|
||||
_logger.LogWarning("Permission denied: User {EmployeeId} attempted to access tenant details of other tenant.", loggedInEmployee.Id);
|
||||
return StatusCode(403,
|
||||
ApiResponse<object>.ErrorResponse("Access denied", "User does not have the required permissions for this action.", 403));
|
||||
}
|
||||
// 3. Use a single DbContext instance for data access
|
||||
await using var context = await _dbContextFactory.CreateDbContextAsync();
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user