Initial commit
@@ -0,0 +1,105 @@

# Authorization Update Guide for Existing Controllers

## Overview
All existing controllers need to be updated with appropriate authorization policies to work with the multi-tenancy system.

## Required Changes

### 1. Add Authorization Attribute to Controllers

Add the `[Authorize(Policy = "CanViewData")]` attribute to all existing controllers:

- CustomersController
- JobsController
- QuotesController
- InventoryController
- EquipmentController
- MaintenanceController
- ShopFloorController
- ReportsController
- SettingsController

**Example:**
```csharp
[Authorize(Policy = "CanViewData")]
public class CustomersController : Controller
{
// ... controller code
}
```

### 2. Add Policy-Specific Authorization to Actions

For actions that require elevated permissions, add specific policies:

**Create/Edit/Delete Actions:**
```csharp
[Authorize(Policy = "CanManageJobs")]
public async Task<IActionResult> Create()
{
// ... action code
}
```

**Management Actions:**
```csharp
[Authorize(Policy = "CompanyAdminOnly")]
public async Task<IActionResult> AdminPanel()
{
// ... action code
}
```

## Available Policies

1. **SuperAdminOnly** - Platform administrators only
2. **CompanyAdminOnly** - Company administrators (and SuperAdmin)
3. **CanManageJobs** - Users who can manage jobs
4. **CanManageUsers** - Users who can manage other users
5. **CanViewData** - All authenticated users

## Controller-Specific Recommendations

### CustomersController
- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]` or create `CanManageCustomers` policy

### JobsController
- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]`

### QuotesController
- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create: Check `CanCreateQuotes` permission
- Approve: Check `CanApproveQuotes` permission

### InventoryController
- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: Check `CanManageInventory` permission

### EquipmentController & MaintenanceController
- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]`

### ReportsController
- All actions: `[Authorize(Policy = "CanViewData")]`

### SettingsController
- All actions: `[Authorize(Policy = "CompanyAdminOnly")]`

## Testing Authorization

After adding authorization, test:

1. **As Viewer**: Should only be able to view, no create/edit/delete buttons
2. **As Worker**: Should be able to edit assigned jobs
3. **As Manager**: Should have full job management
4. **As CompanyAdmin**: Should be able to manage users
5. **As SuperAdmin**: Should see all companies' data

## Notes

- The global query filters in `ApplicationDbContext` handle data isolation automatically
- No code changes needed in methods - filtering happens at the database level
- SuperAdmin can bypass filters using `.IgnoreQueryFilters()` when needed
- Always test cross-company access to ensure data isolation works correctly
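Review bot: the "Controller-Specific Recommendations" section references policy names that the "Available Policies" list does not define: `CanCreateQuotes`, `CanApproveQuotes`, `CanManageInventory`, and the suggested `CanManageCustomers`. Either add them to the list with their intended membership, or state how "Check `CanCreateQuotes` permission" is meant to be enforced (an `[Authorize(Policy = ...)]` attribute or an in-action check), since an unregistered policy name in `[Authorize(Policy = ...)]` throws at request time rather than falling back to allow, and an in-action check is easy to omit on one of the actions. Two smaller points in the same hunk: `ShopFloorController` appears in the list under "1. Add Authorization Attribute to Controllers" but has no entry under "Controller-Specific Recommendations", so its write actions have no stated policy; and the Viewer test case ("Should only be able to view, no create/edit/delete buttons") verifies the UI only, so the test plan should also submit the Create/Edit/Delete requests directly as a Viewer and expect a 403, because a hidden button is not an authorization control. The same applies to the cross-company check in the Notes: test it by requesting another company's record id as an authenticated user of a different company, not only by inspecting list pages.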