feat(rbac): enforce permissions on every café write endpoint
CI/CD / CI · API (dotnet build + test) (push) Successful in 40s
CI/CD / CI · Admin API (dotnet build) (push) Successful in 30s
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m9s
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
CI/CD / CI · Website (tsc) (push) Successful in 45s
CI/CD / CI · Koja (tsc) (push) Has been cancelled
CI/CD / Deploy · all services (push) Has been cancelled
CI/CD / CI · API (dotnet build + test) (push) Successful in 40s
CI/CD / CI · Admin API (dotnet build) (push) Successful in 30s
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m9s
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
CI/CD / CI · Website (tsc) (push) Successful in 45s
CI/CD / CI · Koja (tsc) (push) Has been cancelled
CI/CD / Deploy · all services (push) Has been cancelled
Closes the gap where the custom-role matrix was defined but unenforced — most write endpoints only checked café membership, so the API would accept writes a role's UI hid. Adds EnsurePermission(...) to all mutating/sensitive endpoints across 32 controllers, mapped to the granular catalog: - menu/inventory/coupons/customers/expenses/reservations/taxes/branches → CRUD perms - tables/queue/kitchen-stations/print-settings → manage perms - orders → ProcessOrders / EditOrder / VoidOrder / UpdateOrderStatus / HandlePayments, payment corrections → ManageFinancials - HR → CreateStaff / ManageSchedules / ReviewLeave / View+ManageSalaries / ManageStaffCredentials (self-service clock-in/leave preserved) - reports → ViewReports, export → ExportReports, audit → ViewAuditLog - billing → ManageBilling, sms → SendSms/ManageSmsSettings, reviews → ManageReviews, discover/public profile → ManageDiscoverProfile, café settings → ManageCafeSettings, custom roles → ManageRoles Removes legacy [Authorize(Roles=...)] attributes that would have overridden the permission model (orders, branch-menu, pos-device, print). Manual discount/comp have no backend endpoint yet (discounts come from coupons) — gated on the POS UI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -1,8 +1,8 @@
|
||||
using FluentValidation;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Meezi.API.Models.Tables;
|
||||
using Meezi.API.Services;
|
||||
using Meezi.Core.Authorization;
|
||||
using Meezi.Core.Enums;
|
||||
using Meezi.Core.Interfaces;
|
||||
using Meezi.Shared;
|
||||
@@ -68,7 +68,6 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
}
|
||||
|
||||
[HttpPost]
|
||||
[Authorize(Roles = "Manager,Owner")]
|
||||
public async Task<IActionResult> CreateTable(
|
||||
string cafeId,
|
||||
string branchId,
|
||||
@@ -77,6 +76,7 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
CancellationToken ct)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
||||
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
||||
return Forbid();
|
||||
|
||||
@@ -88,7 +88,6 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
}
|
||||
|
||||
[HttpPatch("{id}")]
|
||||
[Authorize(Roles = "Manager,Owner")]
|
||||
public async Task<IActionResult> PatchTable(
|
||||
string cafeId,
|
||||
string branchId,
|
||||
@@ -98,6 +97,7 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
CancellationToken ct)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
||||
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
||||
return Forbid();
|
||||
|
||||
@@ -109,7 +109,6 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
}
|
||||
|
||||
[HttpDelete("{id}")]
|
||||
[Authorize(Roles = "Manager,Owner")]
|
||||
public async Task<IActionResult> DeleteTable(
|
||||
string cafeId,
|
||||
string branchId,
|
||||
@@ -118,6 +117,7 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
CancellationToken ct)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
||||
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
||||
return Forbid();
|
||||
|
||||
@@ -135,6 +135,7 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
CancellationToken ct)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
||||
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
||||
return Forbid();
|
||||
|
||||
@@ -180,7 +181,6 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
}
|
||||
|
||||
[HttpPost("sections")]
|
||||
[Authorize(Roles = "Manager,Owner")]
|
||||
public async Task<IActionResult> CreateSection(
|
||||
string cafeId,
|
||||
string branchId,
|
||||
@@ -189,6 +189,7 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
CancellationToken ct = default)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
||||
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
||||
return Forbid();
|
||||
|
||||
@@ -200,7 +201,6 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
}
|
||||
|
||||
[HttpPatch("sections/{sectionId}")]
|
||||
[Authorize(Roles = "Manager,Owner")]
|
||||
public async Task<IActionResult> PatchSection(
|
||||
string cafeId,
|
||||
string branchId,
|
||||
@@ -210,6 +210,7 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
CancellationToken ct = default)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
||||
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
||||
return Forbid();
|
||||
|
||||
@@ -221,7 +222,6 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
}
|
||||
|
||||
[HttpDelete("sections/{sectionId}")]
|
||||
[Authorize(Roles = "Manager,Owner")]
|
||||
public async Task<IActionResult> DeleteSection(
|
||||
string cafeId,
|
||||
string branchId,
|
||||
@@ -230,6 +230,7 @@ public class BranchTablesController : CafeApiControllerBase
|
||||
CancellationToken ct = default)
|
||||
{
|
||||
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
|
||||
if (EnsurePermission(tenant, Permission.ManageTables) is { } permDenied) return permDenied;
|
||||
if (!await _tables.CanAccessBranchAsync(cafeId, branchId, tenant.UserId, tenant.Role, ct))
|
||||
return Forbid();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user