Nicolaj Hartmann
1f75c5d791
This commit includes all previously untracked backend files: Domain: - Accounts, Attachments, BankConnections, Customers - FiscalYears, Invoices, JournalEntryDrafts - Orders, Products, UserAccess Commands & Handlers: - Full CQRS command structure for all domains Repositories: - PostgreSQL repositories for all read models - Bank transaction and ledger repositories GraphQL: - Input types, scalars, and types for all entities - Mutations and queries Infrastructure: - Banking integration (Enable Banking client) - File storage, Invoicing, Reporting, SAF-T export - Database migrations (003-029) Tests: - Integration tests for GraphQL endpoints - Domain tests - Invoicing and reporting tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
130 lines
4.3 KiB
C#
130 lines
4.3 KiB
C#
using Books.Api.Domain.UserAccess;
|
|
using Books.Api.EventFlow.Repositories;
|
|
|
|
namespace Books.Api.Authorization;
|
|
|
|
/// <summary>
|
|
/// Service for checking company access permissions.
|
|
/// </summary>
|
|
public interface ICompanyAccessService
|
|
{
|
|
/// <summary>
|
|
/// Check if the current user has access to the specified company with the required role.
|
|
/// Throws UnauthorizedAccessException if access is denied.
|
|
/// </summary>
|
|
Task RequireAccessAsync(
|
|
string companyId,
|
|
CompanyRole minimumRole,
|
|
CancellationToken cancellationToken = default);
|
|
|
|
/// <summary>
|
|
/// Check if the current user has access to the specified company.
|
|
/// Returns the access DTO if granted, null if denied.
|
|
/// </summary>
|
|
Task<UserCompanyAccessDto?> GetAccessAsync(
|
|
string companyId,
|
|
CancellationToken cancellationToken = default);
|
|
|
|
/// <summary>
|
|
/// Get all companies the current user has access to.
|
|
/// </summary>
|
|
Task<IReadOnlyList<UserCompanyAccessDto>> GetUserCompaniesAsync(
|
|
CancellationToken cancellationToken = default);
|
|
|
|
/// <summary>
|
|
/// Check if the current user has write access (Owner or Accountant) to the company.
|
|
/// </summary>
|
|
Task<bool> CanWriteAsync(
|
|
string companyId,
|
|
CancellationToken cancellationToken = default);
|
|
|
|
/// <summary>
|
|
/// Check if the current user can manage users for the company (Owner only).
|
|
/// </summary>
|
|
Task<bool> CanManageUsersAsync(
|
|
string companyId,
|
|
CancellationToken cancellationToken = default);
|
|
}
|
|
|
|
public class CompanyAccessService(
|
|
IHttpContextAccessor httpContextAccessor,
|
|
IUserCompanyAccessRepository accessRepository) : ICompanyAccessService
|
|
{
|
|
public async Task RequireAccessAsync(
|
|
string companyId,
|
|
CompanyRole minimumRole,
|
|
CancellationToken cancellationToken = default)
|
|
{
|
|
var userId = GetCurrentUserId();
|
|
if (userId == null)
|
|
{
|
|
throw new UnauthorizedAccessException("User is not authenticated");
|
|
}
|
|
|
|
var hasAccess = await accessRepository.HasAccessAsync(userId, companyId, minimumRole, cancellationToken);
|
|
if (!hasAccess)
|
|
{
|
|
var roleDescription = minimumRole switch
|
|
{
|
|
CompanyRole.Owner => "ejer",
|
|
CompanyRole.Accountant => "bogholder",
|
|
CompanyRole.Viewer => "læser",
|
|
_ => "ukendt"
|
|
};
|
|
|
|
throw new Domain.DomainException(
|
|
"ACCESS_DENIED",
|
|
$"You do not have {minimumRole} access to this company",
|
|
$"Du har ikke {roleDescription}-adgang til denne virksomhed");
|
|
}
|
|
}
|
|
|
|
public async Task<UserCompanyAccessDto?> GetAccessAsync(
|
|
string companyId,
|
|
CancellationToken cancellationToken = default)
|
|
{
|
|
var userId = GetCurrentUserId();
|
|
if (userId == null) return null;
|
|
|
|
return await accessRepository.GetAccessAsync(userId, companyId, cancellationToken);
|
|
}
|
|
|
|
public async Task<IReadOnlyList<UserCompanyAccessDto>> GetUserCompaniesAsync(
|
|
CancellationToken cancellationToken = default)
|
|
{
|
|
var userId = GetCurrentUserId();
|
|
if (userId == null) return [];
|
|
|
|
return await accessRepository.GetByUserIdAsync(userId, cancellationToken);
|
|
}
|
|
|
|
public async Task<bool> CanWriteAsync(
|
|
string companyId,
|
|
CancellationToken cancellationToken = default)
|
|
{
|
|
var userId = GetCurrentUserId();
|
|
if (userId == null) return false;
|
|
|
|
return await accessRepository.HasAccessAsync(userId, companyId, CompanyRole.Accountant, cancellationToken);
|
|
}
|
|
|
|
public async Task<bool> CanManageUsersAsync(
|
|
string companyId,
|
|
CancellationToken cancellationToken = default)
|
|
{
|
|
var userId = GetCurrentUserId();
|
|
if (userId == null) return false;
|
|
|
|
return await accessRepository.HasAccessAsync(userId, companyId, CompanyRole.Owner, cancellationToken);
|
|
}
|
|
|
|
private string? GetCurrentUserId()
|
|
{
|
|
var user = httpContextAccessor.HttpContext?.User;
|
|
if (user?.Identity?.IsAuthenticated != true) return null;
|
|
|
|
// For API keys, use the API key ID as the user ID
|
|
// For OIDC users, use the NameIdentifier claim (Keycloak user ID)
|
|
return user.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
|
|
}
|
|
}
|