# Authorization Update Guide for Existing Controllers

## Overview

All existing controllers need to be updated with appropriate authorization policies to work with the multi-tenancy system.

## Required Changes

### 1. Add Authorization Attribute to Controllers

Add the `[Authorize(Policy = "CanViewData")]` attribute to all existing controllers:

- CustomersController
- JobsController
- QuotesController
- InventoryController
- EquipmentController
- MaintenanceController
- ShopFloorController
- ReportsController
- SettingsController

**Example:**
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(Policy = "CanViewData")]
public class CustomersController : Controller
{
    // ... controller code
}
```

### 2. Add Policy-Specific Authorization to Actions

For actions that require elevated permissions, add specific policies:

**Create/Edit/Delete Actions:**
```csharp
[Authorize(Policy = "CanManageJobs")]
public async Task<IActionResult> Create()
{
    // ... action code
}
```

**Management Actions:**
```csharp
[Authorize(Policy = "CompanyAdminOnly")]
public async Task<IActionResult> AdminPanel()
{
    // ... action code
}
```
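As an added example (not code from the original guide), here is how the class-level attribute from step 1 and the action-level attributes from step 2 combine on a single controller. `IJobsService`, `Job` and `JobInput` are hypothetical stand-ins for the project's own types; the policy names are the ones listed in this guide.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
// Task, IReadOnlyList etc. come from the web SDK's implicit usings.

// Hypothetical model and service types, standing in for the project's own.
public record Job(int Id, string Title, int CompanyId);
public record JobInput(string Title);

public interface IJobsService
{
    Task<IReadOnlyList<Job>> ListAsync();
    Task<Job?> FindAsync(int id);
    Task CreateAsync(JobInput input);
    Task DeleteAsync(Job job);
}

// Step 1: class-level baseline. Every action requires CanViewData unless an
// action carries [AllowAnonymous], which should not appear on these controllers.
[Authorize(Policy = "CanViewData")]
public class JobsController : Controller
{
    private readonly IJobsService _jobs;

    public JobsController(IJobsService jobs) => _jobs = jobs;

    // Inherits only the class-level requirement.
    public async Task<IActionResult> Index() => View(await _jobs.ListAsync());

    public async Task<IActionResult> Details(int id)
    {
        var job = await _jobs.FindAsync(id);
        // Under the tenant query filter another company's job comes back as
        // null; answer 404 so the response does not confirm that the id exists.
        return job is null ? NotFound() : View(job);
    }

    // Step 2: action-level policy. ASP.NET Core evaluates every [Authorize]
    // that applies to the endpoint, so the caller must satisfy both
    // CanViewData and CanManageJobs.
    [HttpGet]
    [Authorize(Policy = "CanManageJobs")]
    public IActionResult Create() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Policy = "CanManageJobs")]
    public async Task<IActionResult> Create(JobInput input)
    {
        if (!ModelState.IsValid) return View(input);
        await _jobs.CreateAsync(input);
        return RedirectToAction(nameof(Index));
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Policy = "CanManageJobs")]
    public async Task<IActionResult> Delete(int id)
    {
        var job = await _jobs.FindAsync(id);
        if (job is null) return NotFound();   // filtered out or absent: same answer
        await _jobs.DeleteAsync(job);
        return RedirectToAction(nameof(Index));
    }

    // Management action with the elevated policy from step 2.
    [Authorize(Policy = "CompanyAdminOnly")]
    public IActionResult AdminPanel() => View();
}
```

Two points worth checking while updating each controller: stacked `[Authorize]` attributes are ANDed, so an action-level policy narrows rather than replaces the class-level one; and a single `[AllowAnonymous]` on an action overrides every `[Authorize]` above it, so grep for it before signing off a controller as covered.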

## Available Policies

1. **SuperAdminOnly** - Platform administrators only
2. **CompanyAdminOnly** - Company administrators (and SuperAdmin)
3. **CanManageJobs** - Users who can manage jobs
4. **CanManageUsers** - Users who can manage other users
5. **CanViewData** - All authenticated users
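The guide lists the policies but not how they are wired up, so here is one way to register them in `Program.cs`. This is an added example, not the project's own configuration: the role names are taken from the "Testing Authorization" section of this guide, while the `permission` claim type used for the per-controller permissions, the fallback policy and the authentication setup are assumptions.

```csharp
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// Authentication (e.g. ASP.NET Core Identity) is assumed to be configured here;
// policies only evaluate claims that a signed-in principal already carries.

builder.Services.AddAuthorization(options =>
{
    // Role names come from the "Testing Authorization" section of this guide.
    options.AddPolicy("SuperAdminOnly", p => p.RequireRole("SuperAdmin"));
    options.AddPolicy("CompanyAdminOnly", p => p.RequireRole("CompanyAdmin", "SuperAdmin"));
    options.AddPolicy("CanManageJobs", p => p.RequireRole("Manager", "CompanyAdmin", "SuperAdmin"));
    options.AddPolicy("CanManageUsers", p => p.RequireRole("CompanyAdmin", "SuperAdmin"));
    options.AddPolicy("CanViewData", p => p.RequireAuthenticatedUser());

    // Assumed: the per-controller permissions named later in the guide are
    // stored as "permission" claims, so they can be granted to a user
    // individually instead of inventing a role per permission.
    foreach (var permission in new[] { "CanCreateQuotes", "CanApproveQuotes", "CanManageInventory" })
        options.AddPolicy(permission, p => p.RequireClaim("permission", permission));

    // Deny by default: an endpoint with no [Authorize] and no [AllowAnonymous]
    // still requires a signed-in user, so a controller missed during this
    // update is not left open.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
```

Note that attribute policies decide per endpoint, not per record: the "Worker can edit assigned jobs" case in the testing section depends on which job is being edited and needs a resource-based check inside the action (via `IAuthorizationService`) in addition to `CanManageJobs`-style attributes.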

## Controller-Specific Recommendations

### CustomersController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]` or create a `CanManageCustomers` policy

### JobsController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]`

### QuotesController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create: Check `CanCreateQuotes` permission
- Approve: Check `CanApproveQuotes` permission

### InventoryController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: Check `CanManageInventory` permission

### EquipmentController & MaintenanceController

- Index/Details: `[Authorize(Policy = "CanViewData")]`
- Create/Edit/Delete: `[Authorize(Policy = "CanManageJobs")]`

### ReportsController

- All actions: `[Authorize(Policy = "CanViewData")]`

### SettingsController

- All actions: `[Authorize(Policy = "CompanyAdminOnly")]`

## Testing Authorization

After adding authorization, test:

1. **As Viewer**: Should only be able to view, no create/edit/delete buttons
2. **As Worker**: Should be able to edit assigned jobs
3. **As Manager**: Should have full job management
4. **As CompanyAdmin**: Should be able to manage users
5. **As SuperAdmin**: Should see all companies' data
## Notes

- The global query filters in `ApplicationDbContext` handle data isolation automatically
- No code changes are needed inside action methods; filtering happens at the database query level
- SuperAdmin can bypass the filters with `.IgnoreQueryFilters()` when needed
- Always test cross-company access to ensure data isolation works correctly
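The notes above describe the isolation mechanism and ask for a cross-company test without showing either, so this added example (not the project's `ApplicationDbContext`) sketches both: a tenant-scoped global query filter, the explicit `IgnoreQueryFilters()` bypass, and an xUnit test over EF Core's in-memory provider that checks one company cannot read another's rows. `ITenantProvider`, the `Job` entity and the insert-stamping in `SaveChangesAsync` are assumptions; the test data is constructed.

```csharp
using Microsoft.EntityFrameworkCore;
using Xunit;

// Hypothetical: a scoped service that reads the signed-in user's claims and
// exposes the current tenant. The real project's type may differ.
public interface ITenantProvider
{
    int CompanyId { get; }
    bool IsSuperAdmin { get; }
}

public class Job
{
    public int Id { get; set; }
    public int CompanyId { get; set; }
    public string Title { get; set; } = "";
}

public class ApplicationDbContext : DbContext
{
    private readonly ITenantProvider _tenant;

    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options, ITenantProvider tenant)
        : base(options) => _tenant = tenant;

    public DbSet<Job> Jobs => Set<Job>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Global query filter: every LINQ query over Jobs is silently extended
        // with "WHERE CompanyId = <current tenant>". The filter reads _tenant
        // through the instance field, so it follows the request's user rather
        // than being frozen at model-build time.
        modelBuilder.Entity<Job>().HasQueryFilter(j => j.CompanyId == _tenant.CompanyId);
    }

    // Assumed hardening (not stated in the guide): stamp CompanyId on inserts so
    // a request body cannot write a row into another company. SuperAdmin is
    // exempt because it may legitimately act on any tenant.
    public override Task<int> SaveChangesAsync(CancellationToken ct = default)
    {
        if (!_tenant.IsSuperAdmin)
            foreach (var e in ChangeTracker.Entries<Job>())
                if (e.State == EntityState.Added) e.Entity.CompanyId = _tenant.CompanyId;
        return base.SaveChangesAsync(ct);
    }
}

public class TenantIsolationTests
{
    private sealed record FakeTenant(int CompanyId, bool IsSuperAdmin = false) : ITenantProvider;

    private static ApplicationDbContext Open(string db, ITenantProvider tenant) => new(
        new DbContextOptionsBuilder<ApplicationDbContext>().UseInMemoryDatabase(db).Options, tenant);

    [Fact]
    public async Task Filter_isolates_companies_and_SuperAdmin_bypass_is_explicit()
    {
        var db = Guid.NewGuid().ToString();

        // Constructed sample data: one job per company, each written by its own tenant.
        await using (var c1 = Open(db, new FakeTenant(1)))
        { c1.Jobs.Add(new Job { Title = "Company 1 job" }); await c1.SaveChangesAsync(); }
        await using (var c2 = Open(db, new FakeTenant(2)))
        { c2.Jobs.Add(new Job { Title = "Company 2 job" }); await c2.SaveChangesAsync(); }

        // Cross-company access: company 1 sees only its own row, and a direct
        // lookup of company 2's row yields null (the controller turns that into 404).
        await using (var c1 = Open(db, new FakeTenant(1)))
        {
            var visible = await c1.Jobs.ToListAsync();
            Assert.Single(visible);
            Assert.Equal(1, visible[0].CompanyId);
            Assert.Null(await c1.Jobs.FirstOrDefaultAsync(j => j.Title == "Company 2 job"));
        }

        // SuperAdmin: the filter still applies by default; the bypass must be asked for.
        await using (var admin = Open(db, new FakeTenant(CompanyId: 0, IsSuperAdmin: true)))
        {
            Assert.Empty(await admin.Jobs.ToListAsync());
            Assert.Equal(2, await admin.Jobs.IgnoreQueryFilters().CountAsync());
        }
    }
}
```

The test needs the `Microsoft.EntityFrameworkCore.InMemory` and `xunit` packages. Because `IgnoreQueryFilters()` is the only way to see another company's data, a useful follow-up check is to search the code base for that call and confirm each occurrence sits behind the `SuperAdminOnly` policy.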