2025-05-27 07:49:17 +00:00
2 changed files with 32 additions and 1 deletions
--- a/Marco.Pms.Services/Controllers/DirectoryController.cs
+++ b/Marco.Pms.Services/Controllers/DirectoryController.cs
@ -284,6 +284,10 @@ namespace Marco.Pms.Services.Controllers
            {
                return NotFound(response);
            }
+            else if (response.StatusCode == 401)
+            {
+                return Unauthorized(response);
+            }
            else
            {
                return BadRequest(response);
--- a/Marco.Pms.Services/Helpers/DirectoryHelper.cs
+++ b/Marco.Pms.Services/Helpers/DirectoryHelper.cs
@ -1088,12 +1088,39 @@ namespace Marco.Pms.Services.Helpers
            var LoggedInEmployee = await _userHelper.GetCurrentEmployeeAsync();
            if (bucketDto != null && id == bucketDto.Id)
            {
-                var bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == bucketDto.Id && b.TenantId == tenantId);
+                var assignedRoleIds = await _context.EmployeeRoleMappings.Where(r => r.EmployeeId == LoggedInEmployee.Id).Select(r => r.RoleId).ToListAsync();
+                var permissionIds = await _context.RolePermissionMappings.Where(rp => assignedRoleIds.Contains(rp.ApplicationRoleId)).Select(rp => rp.FeaturePermissionId).Distinct().ToListAsync();
+                var bucketIds = await _context.EmployeeBucketMappings.Where(eb => eb.EmployeeId == LoggedInEmployee.Id).Select(eb => eb.BucketId).ToListAsync();
+                Bucket? bucket = await _context.Buckets.FirstOrDefaultAsync(b => b.Id == bucketDto.Id && b.TenantId == tenantId);
+
                if (bucket == null)
                {
                    _logger.LogWarning("Employee ID {LoggedInEmployeeId} attempted to update a bucket but not found in database.", LoggedInEmployee.Id);
                    return ApiResponse<object>.ErrorResponse("Bucket not found", "Bucket not found", 404);
                }
+
+                Bucket? accessableBucket = null;
+                if (permissionIds.Contains(directoryAdmin))
+                {
+                    accessableBucket = bucket;
+                }
+                else if (permissionIds.Contains(directoryManager) && bucketIds.Contains(id))
+                {
+                    accessableBucket = bucket;
+                }
+                else if (permissionIds.Contains(directoryUser))
+                {
+                    if (bucket.CreatedByID == LoggedInEmployee.Id)
+                    {
+                        accessableBucket = bucket;
+                    }
+                }
+                if (accessableBucket == null)
+                {
+                    _logger.LogError("Employee {EmployeeId} attempted to access bucket {BucketId} without the necessary permissions.", LoggedInEmployee.Id, bucket.Id);
+                    return ApiResponse<object>.ErrorResponse("You don't have permission to access this bucket", "You don't have permission to access this bucket", 401);
+                }
+
                bucket.Name = bucketDto.Name ?? "";
                bucket.Description = bucketDto.Description ?? "";