soroushdes/meezi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4cc1c3a423c84b2d58d3e16306e6a29da1fc1670
meezi/src/Meezi.API/Controllers/MenuController.cs
T
soroush.asadi 7a5ea75b50
CI/CD / CI · API (dotnet build + test) (push) Successful in 40s
Details
CI/CD / CI · Admin API (dotnet build) (push) Successful in 30s
Details
CI/CD / CI · Dashboard (tsc) (push) Successful in 1m9s
Details
CI/CD / CI · Admin Web (tsc) (push) Successful in 37s
Details
CI/CD / CI · Website (tsc) (push) Successful in 45s
Details
CI/CD / CI · Koja (tsc) (push) Has been cancelled
Details
CI/CD / Deploy · all services (push) Has been cancelled
Details
feat(rbac): enforce permissions on every café write endpoint 
Closes the gap where the custom-role matrix was defined but unenforced — most
write endpoints only checked café membership, so the API would accept writes a
role's UI hid. Adds EnsurePermission(...) to all mutating/sensitive endpoints
across 32 controllers, mapped to the granular catalog:

- menu/inventory/coupons/customers/expenses/reservations/taxes/branches → CRUD perms
- tables/queue/kitchen-stations/print-settings → manage perms
- orders → ProcessOrders / EditOrder / VoidOrder / UpdateOrderStatus / HandlePayments,
  payment corrections → ManageFinancials
- HR → CreateStaff / ManageSchedules / ReviewLeave / View+ManageSalaries /
  ManageStaffCredentials (self-service clock-in/leave preserved)
- reports → ViewReports, export → ExportReports, audit → ViewAuditLog
- billing → ManageBilling, sms → SendSms/ManageSmsSettings, reviews → ManageReviews,
  discover/public profile → ManageDiscoverProfile, café settings → ManageCafeSettings,
  custom roles → ManageRoles

Removes legacy [Authorize(Roles=...)] attributes that would have overridden the
permission model (orders, branch-menu, pos-device, print). Manual discount/comp
have no backend endpoint yet (discounts come from coupons) — gated on the POS UI.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 05:43:07 +03:30

225 lines
10 KiB
C#
Raw Blame History

using FluentValidation;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Meezi.API.Models.Menu;
using Meezi.API.Services;
using Meezi.Core.Authorization;
using Meezi.Core.Constants;
using Meezi.Core.Enums;
using Meezi.Core.Interfaces;
using Meezi.Infrastructure.Data;
using Meezi.Infrastructure.Services.Platform;
using Meezi.Shared;
namespace Meezi.API.Controllers;
[Route("api/cafes/{cafeId}/menu")]
public class MenuController : CafeApiControllerBase
{
private readonly IMenuService _menuService;
private readonly IMenuAi3dGenerationService _menuAi3d;
private readonly IValidator<CreateMenuCategoryRequest> _createCategoryValidator;
private readonly IValidator<CreateMenuItemRequest> _createItemValidator;
private readonly AppDbContext _db;
private readonly IPlatformCatalogService _catalog;
private const string CategoryLimitMessage =
"به سقف دسته‌بندی منوی پلن شما رسیدید. برای افزودن دسته‌بندی بیشتر، پلن خود را ارتقا دهید.";
private const string ItemLimitMessage =
"به سقف آیتم منوی پلن شما رسیدید. برای افزودن آیتم بیشتر، پلن خود را ارتقا دهید.";
public MenuController(
IMenuService menuService,
IMenuAi3dGenerationService menuAi3d,
IValidator<CreateMenuCategoryRequest> createCategoryValidator,
IValidator<CreateMenuItemRequest> createItemValidator,
AppDbContext db,
IPlatformCatalogService catalog)
{
_menuService = menuService;
_menuAi3d = menuAi3d;
_createCategoryValidator = createCategoryValidator;
_createItemValidator = createItemValidator;
_db = db;
_catalog = catalog;
}
[HttpGet("categories")]
public async Task<IActionResult> GetCategories(string cafeId, ITenantContext tenant, CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
var data = await _menuService.GetCategoriesAsync(cafeId, cancellationToken);
return Ok(new ApiResponse<IReadOnlyList<MenuCategoryDto>>(true, data));
}
[HttpPost("categories")]
public async Task<IActionResult> CreateCategory(
string cafeId,
[FromBody] CreateMenuCategoryRequest request,
ITenantContext tenant,
CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.CreateMenuItem) is { } permDenied) return permDenied;
var validation = await _createCategoryValidator.ValidateAsync(request, cancellationToken);
if (!validation.IsValid) return BadRequest(ValidationError(validation));
var tier = tenant.PlanTier ?? PlanTier.Free;
var max = (await _catalog.GetLimitsAsync(tier, cancellationToken)).MaxMenuCategories;
if (max != int.MaxValue)
{
var count = await _db.MenuCategories.CountAsync(
c => c.CafeId == cafeId && c.DeletedAt == null, cancellationToken);
if (count >= max)
return StatusCode(403, new ApiResponse<object>(false, null,
new ApiError("PLAN_LIMIT_REACHED", CategoryLimitMessage)));
}
var data = await _menuService.CreateCategoryAsync(cafeId, request, cancellationToken);
return Ok(new ApiResponse<MenuCategoryDto>(true, data));
}
[HttpPatch("categories/{id}")]
public async Task<IActionResult> UpdateCategory(
string cafeId,
string id,
[FromBody] UpdateMenuCategoryRequest request,
ITenantContext tenant,
CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.EditMenuItem) is { } permDenied) return permDenied;
var data = await _menuService.UpdateCategoryAsync(cafeId, id, request, cancellationToken);
if (data is null) return NotFoundError();
return Ok(new ApiResponse<MenuCategoryDto>(true, data));
}
[HttpDelete("categories/{id}")]
public async Task<IActionResult> DeleteCategory(string cafeId, string id, ITenantContext tenant, CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.DeleteMenuItem) is { } permDenied) return permDenied;
var deleted = await _menuService.DeleteCategoryAsync(cafeId, id, cancellationToken);
if (!deleted) return NotFoundError();
return Ok(new ApiResponse<object>(true, new { id }));
}
[HttpGet("items")]
public async Task<IActionResult> GetItems(
string cafeId,
[FromQuery] string? categoryId,
ITenantContext tenant,
CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
var data = await _menuService.GetItemsAsync(cafeId, categoryId, cancellationToken);
return Ok(new ApiResponse<IReadOnlyList<MenuItemDto>>(true, data));
}
[HttpPost("items")]
public async Task<IActionResult> CreateItem(
string cafeId,
[FromBody] CreateMenuItemRequest request,
ITenantContext tenant,
CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.CreateMenuItem) is { } permDenied) return permDenied;
var validation = await _createItemValidator.ValidateAsync(request, cancellationToken);
if (!validation.IsValid) return BadRequest(ValidationError(validation));
var tier = tenant.PlanTier ?? PlanTier.Free;
var max = (await _catalog.GetLimitsAsync(tier, cancellationToken)).MaxMenuItems;
if (max != int.MaxValue)
{
var count = await _db.MenuItems.CountAsync(
i => i.CafeId == cafeId && i.DeletedAt == null, cancellationToken);
if (count >= max)
return StatusCode(403, new ApiResponse<object>(false, null,
new ApiError("PLAN_LIMIT_REACHED", ItemLimitMessage)));
}
var data = await _menuService.CreateItemAsync(cafeId, request, cancellationToken);
if (data is null) return NotFoundError("Category not found.");
return Ok(new ApiResponse<MenuItemDto>(true, data));
}
[HttpPatch("items/{id}")]
public async Task<IActionResult> UpdateItem(
string cafeId,
string id,
[FromBody] UpdateMenuItemRequest request,
ITenantContext tenant,
CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.EditMenuItem) is { } permDenied) return permDenied;
var data = await _menuService.UpdateItemAsync(cafeId, id, request, cancellationToken);
if (data is null) return NotFoundError();
return Ok(new ApiResponse<MenuItemDto>(true, data));
}
[HttpPatch("items/{id}/availability")]
public async Task<IActionResult> SetAvailability(
string cafeId,
string id,
[FromBody] UpdateMenuItemAvailabilityRequest request,
ITenantContext tenant,
CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.EditMenuItem) is { } permDenied) return permDenied;
var data = await _menuService.SetAvailabilityAsync(cafeId, id, request.IsAvailable, cancellationToken);
if (data is null) return NotFoundError();
return Ok(new ApiResponse<MenuItemDto>(true, data));
}
[HttpDelete("items/{id}")]
public async Task<IActionResult> DeleteItem(string cafeId, string id, ITenantContext tenant, CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.DeleteMenuItem) is { } permDenied) return permDenied;
var deleted = await _menuService.DeleteItemAsync(cafeId, id, cancellationToken);
if (!deleted) return NotFoundError();
return Ok(new ApiResponse<object>(true, new { id }));
}
[HttpGet("ai-3d/usage")]
public async Task<IActionResult> GetAi3dUsage(string cafeId, ITenantContext tenant, CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
var tier = tenant.PlanTier ?? PlanTier.Free;
var data = await _menuAi3d.GetUsageAsync(cafeId, tier, cancellationToken);
return Ok(new ApiResponse<MenuAi3dUsageDto>(true, data));
}
[HttpPost("items/{id}/ai-3d")]
public async Task<IActionResult> GenerateAi3d(
string cafeId,
string id,
ITenantContext tenant,
CancellationToken cancellationToken)
{
if (EnsureCafeAccess(cafeId, tenant) is { } denied) return denied;
if (EnsurePermission(tenant, Permission.EditMenuItem) is { } permDenied) return permDenied;
var tier = tenant.PlanTier ?? PlanTier.Free;
var (data, code, message) = await _menuAi3d.GenerateFromItemImageAsync(cafeId, id, tier, cancellationToken);
if (code is not null)
{
return code switch
{
"NOT_FOUND" => NotFound(new ApiResponse<object>(false, null, new ApiError(code, message ?? ""))),
"PLAN_FEATURE_DISABLED" => StatusCode(
StatusCodes.Status403Forbidden,
new ApiResponse<object>(false, null, new ApiError(code, message ?? ""))),
"PLAN_LIMIT_REACHED" => StatusCode(
StatusCodes.Status403Forbidden,
new ApiResponse<object>(false, null, new ApiError(code, message ?? ""))),
_ => BadRequest(new ApiResponse<object>(false, null, new ApiError(code, message ?? "")))
};
}
return Ok(new ApiResponse<MenuAi3dGenerateResultDto>(true, data));
}
}
Reference in New Issue View Git Blame Copy Permalink