# Authorization Update Guide for Existing Controllers

## Overview

All existing controllers need to be updated with appropriate authorization policies to work with the multi-tenancy system.

## Required Changes

### 1. Add Authorization Attribute to Controllers

Add the `[Authorize(Policy = "CanViewData")]` attribute to all existing controllers:

- CustomersController
- JobsController
- QuotesController
- InventoryController
- EquipmentController
- MaintenanceController
- ShopFloorController
- ReportsController
- SettingsController

**Example:**

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Controller-level policy: every action on this controller requires CanViewData
[Authorize(Policy = "CanViewData")]
public class CustomersController : Controller
{
    // ... controller code
}
```

### 2. Add Policy-Specific Authorization to Actions

For actions that require elevated permissions, add specific policies. An action-level `[Authorize]` is enforced in addition to the controller-level one, so a request must satisfy both.

**Create/Edit/Delete Actions:**

```csharp
// Action-level policy: only users who can manage jobs may reach this action
[Authorize(Policy = "CanManageJobs")]
public async Task<IActionResult> Create()
{
    // ... action code
    return View();
}
```

**Management Actions:**

```csharp
// Action-level policy: restricted to company administrators (and SuperAdmin)
[Authorize(Policy = "CompanyAdminOnly")]
public async Task<IActionResult> AdminPanel()
{
    // ... action code
    return View();
}
```

## Available Policies

1. **SuperAdminOnly** - Platform administrators only
2. **CompanyAdminOnly** - Company administrators (and SuperAdmin)
3. **CanManageJobs** - Users who can manage jobs
4. **CanManageUsers** - Users who can manage other users
5. **CanViewData** - All authenticated users

## Controller-Specific Recommendations

### CustomersController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]`, or create a `CanManageCustomers` policy

### JobsController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]`

### QuotesController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create: Check the `CanCreateQuotes` permission
- Approve: Check the `CanApproveQuotes` permission

### InventoryController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: Check the `CanManageInventory` permission

### EquipmentController & MaintenanceController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]`

### ReportsController

- All actions: `[Authorize(Policy = "CanViewData")]`

### SettingsController

- All actions: `[Authorize(Policy = "CompanyAdminOnly")]`

## Testing Authorization

After adding authorization, test:

1. **As Viewer**: Should only be able to view; no create/edit/delete buttons
2. **As Worker**: Should be able to edit assigned jobs
3. **As Manager**: Should have full job management
4. **As CompanyAdmin**: Should be able to manage users
5. **As SuperAdmin**: Should see all companies' data

## Notes

- The global query filters in `ApplicationDbContext` handle data isolation automatically
- No code changes are needed in controller methods; filtering happens at the database level
- SuperAdmin can bypass the filters with `.IgnoreQueryFilters()` when needed
- Always test cross-company access to confirm that data isolation works correctly
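The attributes in this guide only work if every policy name they reference is registered; ASP.NET Core throws an `InvalidOperationException` at request time for a policy name it cannot find, rather than denying access. The following `Program.cs` registration is an added example, not the project's own code: it defines the five policies listed under Available Policies plus claim-based policies for the `CanCreateQuotes`, `CanApproveQuotes` and `CanManageInventory` permissions. The role names are assumed to match the roles named under Testing Authorization, and the `permission` claim type is an assumption; the Worker rule (edit only assigned jobs) is resource-based and needs an `IAuthorizationHandler`, which is not shown here.

```csharp
// Program.cs (added example, not the project's code). Role and claim names are assumptions.
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// The project's Identity / authentication registration goes here (omitted).

builder.Services.AddAuthorization(options =>
{
    // Platform administrators only.
    options.AddPolicy("SuperAdminOnly", p => p.RequireRole("SuperAdmin"));

    // Company administrators; SuperAdmin is included, as the guide states.
    options.AddPolicy("CompanyAdminOnly", p => p.RequireRole("CompanyAdmin", "SuperAdmin"));

    // Job management: assumed to be Manager and above.
    options.AddPolicy("CanManageJobs", p => p.RequireRole("Manager", "CompanyAdmin", "SuperAdmin"));

    // User management: assumed to be CompanyAdmin and above.
    options.AddPolicy("CanManageUsers", p => p.RequireRole("CompanyAdmin", "SuperAdmin"));

    // Any signed-in user (Viewer and above) may read data.
    options.AddPolicy("CanViewData", p => p.RequireAuthenticatedUser());

    // Fine-grained permissions referenced for Quotes and Inventory, modelled as a
    // "permission" claim on the user (assumption: the claim type is "permission").
    foreach (var permission in new[] { "CanCreateQuotes", "CanApproveQuotes", "CanManageInventory" })
    {
        options.AddPolicy(permission, p => p.RequireClaim("permission", permission));
    }

    // Fail closed: a controller missed during the update still requires sign-in
    // instead of being exposed anonymously.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();

// Authentication must run before authorization so the policies can see the user.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");

app.Run();
```

`FallbackPolicy` applies only to endpoints with no authorization metadata of their own, so actions marked `[AllowAnonymous]` stay public.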