feat: Implement audit logging for POD view and download actions

Ngonie69 · Ngonie69 · commit cab33b9bed7a · 2026-06-09T10:58:45.000+02:00
diff --git a/ShopInventory.Web/Components/Pages/ProofOfDelivery.razor b/ShopInventory.Web/Components/Pages/ProofOfDelivery.razor
@@ -1949,10 +1949,21 @@ filterUploadedFromLocation.Trim();
         {
             var url = $"/download/pod/{pod.InvoiceDocEntry}/{pod.Id}";
             await JS.InvokeVoidAsync("downloadAuthenticatedFile", url, pod.FileName);
+            await LogPodAuditAsync(
+                AuditActions.DownloadPod,
+                pod,
+                true,
+                $"Downloaded POD '{pod.FileName}' for {GetPodInvoiceLabel(pod)}.");
         }
         catch (Exception ex)
         {
             Logger.LogError(ex, "Error downloading POD {PodId}", pod.Id);
+            await LogPodAuditAsync(
+                AuditActions.DownloadPod,
+                pod,
+                false,
+                $"Failed to download POD '{pod.FileName}' for {GetPodInvoiceLabel(pod)}.",
+                ex.Message);
         }
     }
 
@@ -1976,10 +1987,22 @@ filterUploadedFromLocation.Trim();
             viewerDataUri = await JS.InvokeAsync<string>(
                 "createAuthenticatedObjectUrl",
                 $"/download/pod/{pod.InvoiceDocEntry}/{pod.Id}");
+
+            await LogPodAuditAsync(
+                AuditActions.ViewPod,
+                pod,
+                true,
+                $"Viewed POD '{pod.FileName}' for {GetPodInvoiceLabel(pod)}.");
         }
         catch (Exception ex)
         {
             Logger.LogError(ex, "Error viewing POD {PodId}", pod.Id);
+            await LogPodAuditAsync(
+                AuditActions.ViewPod,
+                pod,
+                false,
+                $"Failed to view POD '{pod.FileName}' for {GetPodInvoiceLabel(pod)}.",
+                ex.Message);
             showViewer = false;
         }
         finally
@@ -2005,6 +2028,36 @@ filterUploadedFromLocation.Trim();
         }
     }
 
+    private async Task LogPodAuditAsync(
+        string action,
+        PodAttachmentItemDto pod,
+        bool isSuccess,
+        string details,
+        string? errorMessage = null)
+    {
+        try
+        {
+            await AuditService.LogAsync(
+                action,
+                "POD",
+                pod.Id.ToString(CultureInfo.InvariantCulture),
+                details,
+                isSuccess,
+                errorMessage);
+        }
+        catch (Exception ex)
+        {
+            Logger.LogWarning(ex, "Failed to write POD audit log for action {Action} and attachment {PodId}", action, pod.Id);
+        }
+    }
+
+    private static string GetPodInvoiceLabel(PodAttachmentItemDto pod)
+    {
+        return pod.InvoiceDocNum > 0
+            ? $"invoice #{pod.InvoiceDocNum}"
+            : $"invoice doc entry {pod.InvoiceDocEntry}";
+    }
+
     private void ConfirmDeletePod(PodAttachmentItemDto pod)
     {
         if (!canDeletePods) return;
diff --git a/ShopInventory.Web/Data/AuditLog.cs b/ShopInventory.Web/Data/AuditLog.cs
@@ -169,6 +169,8 @@ public static class AuditActions
     // POD actions
     public const string UploadPod = "UploadPod";
     public const string BulkUploadPod = "BulkUploadPod";
+    public const string ViewPod = "ViewPod";
+    public const string DownloadPod = "DownloadPod";
 
     // Customer actions
     public const string ViewCustomers = "ViewCustomers";
diff --git a/ShopInventory/Features/Documents/DocumentAttachmentAccessService.cs b/ShopInventory/Features/Documents/DocumentAttachmentAccessService.cs
@@ -3,6 +3,7 @@
 using Microsoft.EntityFrameworkCore;
 using ShopInventory.Common.Crates;
 using ShopInventory.Common.Errors;
+using ShopInventory.Common.Pods;
 using ShopInventory.Data;
 using ShopInventory.Models;
 using ShopInventory.Models.Entities;
@@ -189,15 +190,49 @@ private async Task<ErrorOr<bool>> EnsureInvoiceAccessAsync(
             }
 
             var scopedDocEntries = await documentService.GetScopedPodInvoiceDocEntriesAsync([entityId], assignedSection, cancellationToken);
-            if (!scopedDocEntries.Contains(entityId))
+            if (scopedDocEntries.Contains(entityId))
             {
-                return Errors.Document.AccessDenied("This invoice is outside your assigned POD section.");
+                return true;
+            }
+
+            if (!isWriteOperation && await MatchesUploaderAssignedSectionAsync(uploadedByUserId, assignedSection, cancellationToken))
+            {
+                return true;
             }
+
+            return Errors.Document.AccessDenied("This invoice is outside your assigned POD section.");
         }
 
         return true;
     }
 
+    private async Task<bool> MatchesUploaderAssignedSectionAsync(
+        Guid? uploadedByUserId,
+        string assignedSection,
+        CancellationToken cancellationToken)
+    {
+        if (!uploadedByUserId.HasValue || string.IsNullOrWhiteSpace(assignedSection))
+        {
+            return false;
+        }
+
+        var uploaderAssignedSection = await context.Users
+            .AsNoTracking()
+            .Where(user => user.Id == uploadedByUserId.Value)
+            .Select(user => user.AssignedSection)
+            .FirstOrDefaultAsync(cancellationToken);
+
+        if (string.IsNullOrWhiteSpace(uploaderAssignedSection))
+        {
+            return false;
+        }
+
+        return string.Equals(
+            PodLocationScope.CanonicalizeSection(uploaderAssignedSection),
+            PodLocationScope.CanonicalizeSection(assignedSection),
+            StringComparison.OrdinalIgnoreCase);
+    }
+
     private async Task<ErrorOr<bool>> EnsureExternalPurchaseOrderAccessAsync(
         string role,
         bool isWriteOperation,
