spouliot/PowderCoatingLogix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
357ef84001185a4b80ffab499dd0481b622fecc4
PowderCoatingLogix/AUTHORIZATION_UPDATE_GUIDE.md
T
spouliot 63e12a9636 Initial commit
2026-04-23 21:38:24 -04:00

3.0 KiB
Raw Blame History

Authorization Update Guide for Existing Controllers

Overview

All existing controllers need to be updated with appropriate authorization policies to work with the multi-tenancy system.

Required Changes

1. Add Authorization Attribute to Controllers

Add the [Authorize(Policy = "CanViewData")] attribute to all existing controllers:

  • CustomersController
  • JobsController
  • QuotesController
  • InventoryController
  • EquipmentController
  • MaintenanceController
  • ShopFloorController
  • ReportsController
  • SettingsController

Example:

[Authorize(Policy = "CanViewData")]
public class CustomersController : Controller
{
    // ... controller code
}

2. Add Policy-Specific Authorization to Actions

For actions that require elevated permissions, add specific policies:

Create/Edit/Delete Actions:

[Authorize(Policy = "CanManageJobs")]
public async Task<IActionResult> Create()
{
    // ... action code
}

Management Actions:

[Authorize(Policy = "CompanyAdminOnly")]
public async Task<IActionResult> AdminPanel()
{
    // ... action code
}

Available Policies

  1. SuperAdminOnly - Platform administrators only
  2. CompanyAdminOnly - Company administrators (and SuperAdmin)
  3. CanManageJobs - Users who can manage jobs
  4. CanManageUsers - Users who can manage other users
  5. CanViewData - All authenticated users

Controller-Specific Recommendations

CustomersController

  • Index/Details: [Authorize(Policy = "CanViewData")]
  • Create/Edit/Delete: [Authorize(Policy = "CanManageJobs")] or create CanManageCustomers policy

JobsController

  • Index/Details: [Authorize(Policy = "CanViewData")]
  • Create/Edit/Delete: [Authorize(Policy = "CanManageJobs")]

QuotesController

  • Index/Details: [Authorize(Policy = "CanViewData")]
  • Create: Check CanCreateQuotes permission
  • Approve: Check CanApproveQuotes permission

InventoryController

  • Index/Details: [Authorize(Policy = "CanViewData")]
  • Create/Edit/Delete: Check CanManageInventory permission

EquipmentController & MaintenanceController

  • Index/Details: [Authorize(Policy = "CanViewData")]
  • Create/Edit/Delete: [Authorize(Policy = "CanManageJobs")]

ReportsController

  • All actions: [Authorize(Policy = "CanViewData")]

SettingsController

  • All actions: [Authorize(Policy = "CompanyAdminOnly")]

Testing Authorization

After adding authorization, test:

  1. As Viewer: Should only be able to view, no create/edit/delete buttons
  2. As Worker: Should be able to edit assigned jobs
  3. As Manager: Should have full job management
  4. As CompanyAdmin: Should be able to manage users
  5. As SuperAdmin: Should see all companies' data

Notes

  • The global query filters in ApplicationDbContext handle data isolation automatically
  • No code changes needed in methods - filtering happens at the database level
  • SuperAdmin can bypass filters using .IgnoreQueryFilters() when needed
  • Always test cross-company access to ensure data isolation works correctly
Reference in New Issue View Git Blame Copy Permalink