feat: Update user roles and permissions for enhanced user management

Ngonie69 · Ngonie69 · commit ffcef3ed4cdc · 2026-06-08T12:57:27.000+02:00
- Added new user roles: UserManagementRoles and MerchandiserAccountManagementRoles in UserRoles.cs.
- Updated authorization roles in CratesController and InvoiceController to include PodOperator.
- Modified InventoryTransferController to restrict access to Admin, StockController, and DepotController roles.
- Adjusted InvoiceController to restrict customer access based on user roles.
- Enhanced UserManagementController to require permissions for creating users and managing merchandiser accounts.
- Updated UploadCratePodHandler and ValidateBulkCratePodsHandler to include PodOperator in role checks.
- Introduced new permission: CreateMerchandiserAccounts in Permission.cs and updated related services.
diff --git a/ShopInventory.Web/Components/Pages/CratePodHistory.razor b/ShopInventory.Web/Components/Pages/CratePodHistory.razor
@@ -174,7 +174,7 @@
                                                                 @onclick="() => DownloadAttachmentAsync(attachment)">
                                                             Download
                                                         </button>
-                                                        @if (canSubmitPods)
+                                                        @if (canDeleteCratePods)
                                                         {
                                                             <button type="button" class="crpod-attachment-action crpod-attachment-action-delete"
                                                                     @onclick="() => BeginDeleteAttachment(pod, attachment)">
diff --git a/ShopInventory.Web/Components/Pages/CratePodsPageBase.cs b/ShopInventory.Web/Components/Pages/CratePodsPageBase.cs
@@ -552,6 +552,11 @@ protected async Task CloseAttachmentViewerAsync()
 
     protected void BeginDeleteAttachment(CratePodSubmissionDto pod, DocumentAttachmentDto attachment)
     {
+        if (!canDeleteCratePods)
+        {
+            return;
+        }
+
         podToDelete = pod;
         attachmentToDelete = attachment;
         attachmentDeleteContext = $"{GetPodReferenceLabel(pod)} {pod.SubmissionRole} submission";
@@ -568,7 +573,7 @@ protected void CancelDeleteAttachment()
 
     protected async Task DeletePodAsync()
     {
-        if (podToDelete is null || isDeletingAttachment)
+        if (!canDeleteCratePods || podToDelete is null || isDeletingAttachment)
         {
             return;
         }
diff --git a/ShopInventory.Web/Components/Pages/CrateTrackingPageBase.cs b/ShopInventory.Web/Components/Pages/CrateTrackingPageBase.cs
@@ -27,6 +27,7 @@ public abstract class CrateTrackingPageBase : ComponentBase
     protected bool canRaiseGrvs;
     protected bool canChoosePodRole;
     protected bool canSubmitPods;
+    protected bool canDeleteCratePods;
     protected bool canViewCrateTransactions;
     protected bool canViewCrateGrvs;
 
@@ -112,8 +113,9 @@ protected async Task LoadCurrentUserAsync()
 
         canManageOpeningBalances = isAdmin;
         canRaiseGrvs = isAdmin || isManager || isMerchandiser;
-        canChoosePodRole = isAdmin || isManager || isOperator;
-        canSubmitPods = isAdmin || isManager || isMerchandiser || isOperator || isDriver;
+        canChoosePodRole = isAdmin || isManager || isPodOperator || isOperator;
+        canSubmitPods = isAdmin || isManager || isMerchandiser || isPodOperator || isOperator || isDriver;
+        canDeleteCratePods = isAdmin || isManager || isMerchandiser || isOperator || isDriver;
         canViewCrateTransactions = canSubmitPods || isPodOperator || isOperator || isSalesRep;
         canViewCrateGrvs = canRaiseGrvs || isDriver || isSalesRep;
 
diff --git a/ShopInventory.Web/Components/Pages/CreateMerchandiserAccount.razor b/ShopInventory.Web/Components/Pages/CreateMerchandiserAccount.razor
@@ -1,7 +1,8 @@
 @page "/merchandiser-account"
+@using ShopInventory.Web.Data
 @using Microsoft.AspNetCore.Authorization
 @using Microsoft.AspNetCore.Components.Forms
-@attribute [Authorize(Roles = "Admin,SalesRep")]
+@attribute [Authorize(Roles = UserRoles.MerchandiserAccountManagementRoles)]
 @rendermode InteractiveServer
 
 <PageTitle>Manage Merchandiser Accounts - Shop Inventory</PageTitle>
diff --git a/ShopInventory.Web/Components/Pages/UserManagement.razor b/ShopInventory.Web/Components/Pages/UserManagement.razor
diff --git a/ShopInventory.Web/Data/UserRoles.cs b/ShopInventory.Web/Data/UserRoles.cs
@@ -74,6 +74,8 @@ public static class UserRoles
     public const string PurchasingRoles = "Admin,Manager";
 
     public const string PodRoles = "Admin,Cashier,PodOperator,Driver,SalesRep";
+    public const string UserManagementRoles = "Admin,PodOperator,SalesRep";
+    public const string MerchandiserAccountManagementRoles = "Admin,SalesRep";
 
     /// <summary>
     /// Get all available roles
diff --git a/ShopInventory/Controllers/CratesController.cs b/ShopInventory/Controllers/CratesController.cs
@@ -73,7 +73,7 @@ public async Task<IActionResult> GetPods(
     }
 
     [HttpPost("pods/validate-bulk")]
-    [Authorize(Roles = "Admin,Manager,Merchandiser,Operator,Driver")]
+    [Authorize(Roles = "Admin,Manager,Merchandiser,PodOperator,Operator,Driver")]
     [ProducesResponseType(typeof(BulkCratePodValidationResponseDto), StatusCodes.Status200OK)]
     [ProducesResponseType(typeof(ErrorResponseDto), StatusCodes.Status400BadRequest)]
     public async Task<IActionResult> ValidateBulkPods(
@@ -218,7 +218,7 @@ public async Task<IActionResult> DeleteOpeningBalance(
     }
 
     [HttpPost("transactions/{crateTransactionId:int}/pods")]
-    [Authorize(Roles = "Admin,Manager,Merchandiser,Operator,Driver")]
+    [Authorize(Roles = "Admin,Manager,Merchandiser,PodOperator,Operator,Driver")]
     [RequestSizeLimit(20 * 1024 * 1024)]
     [ProducesResponseType(typeof(CratePodSubmissionDto), StatusCodes.Status200OK)]
     public async Task<IActionResult> UploadCratePod(
diff --git a/ShopInventory/Controllers/InventoryTransferController.cs b/ShopInventory/Controllers/InventoryTransferController.cs
@@ -23,6 +23,7 @@ namespace ShopInventory.Controllers;
 public class InventoryTransferController(IMediator mediator) : ApiControllerBase
 {
     [HttpPost]
+    [Authorize(Roles = "Admin,StockController,DepotController")]
     [ProducesResponseType(typeof(InventoryTransferCreatedResponseDto), StatusCodes.Status201Created)]
     [ProducesResponseType(typeof(InventoryTransferCreatedResponseDto), StatusCodes.Status202Accepted)]
     [ProducesResponseType(typeof(ErrorResponseDto), StatusCodes.Status400BadRequest)]
@@ -94,6 +95,7 @@ public async Task<IActionResult> GetInventoryTransferByDocEntry(int docEntry, Ca
     #region Transfer Request Endpoints
 
     [HttpPost("request")]
+    [Authorize(Roles = "Admin,StockController,DepotController")]
     [ProducesResponseType(typeof(TransferRequestCreatedResponseDto), StatusCodes.Status201Created)]
     [ProducesResponseType(typeof(ErrorResponseDto), StatusCodes.Status400BadRequest)]
     public async Task<IActionResult> CreateTransferRequest(
@@ -106,6 +108,7 @@ public async Task<IActionResult> CreateTransferRequest(
     }
 
     [HttpPost("request/{docEntry:int}/convert")]
+    [Authorize(Roles = "Admin,StockController,DepotController")]
     [ProducesResponseType(typeof(TransferRequestConvertedResponseDto), StatusCodes.Status201Created)]
     public async Task<IActionResult> ConvertTransferRequestToTransfer(int docEntry, CancellationToken cancellationToken)
     {
@@ -116,6 +119,7 @@ public async Task<IActionResult> ConvertTransferRequestToTransfer(int docEntry,
     }
 
     [HttpPost("request/{docEntry:int}/close")]
+    [Authorize(Roles = "Admin,StockController,DepotController")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     public async Task<IActionResult> CloseTransferRequest(int docEntry, CancellationToken cancellationToken)
     {
diff --git a/ShopInventory/Controllers/InvoiceController.cs b/ShopInventory/Controllers/InvoiceController.cs
@@ -104,7 +104,7 @@ public async Task<IActionResult> GetInvoiceByDocNum(
         int docNum,
         CancellationToken cancellationToken = default)
     {
-        var restrictToAssignedCustomers = User.IsInRole("Driver") || User.IsInRole("PodOperator") || User.IsInRole("Operator");
+        var restrictToAssignedCustomers = User.IsInRole("Driver") || User.IsInRole("Operator");
         var result = await mediator.Send(
             new GetInvoiceByDocNumQuery(
                 docNum,
@@ -170,7 +170,7 @@ public async Task<IActionResult> GetInvoicesByCustomer(
         [FromQuery] int? page = null,
         [FromQuery] int? pageSize = null)
     {
-        var restrictToAssignedCustomers = User.IsInRole("Driver") || User.IsInRole("PodOperator");
+        var restrictToAssignedCustomers = User.IsInRole("Driver");
         var result = await mediator.Send(
             new GetInvoicesByCustomerQuery(
                 cardCode,
@@ -248,7 +248,7 @@ public async Task<IActionResult> UploadPod(
     }
 
     [HttpPost("{docEntry:int}/crate-pod")]
-    [Authorize(Roles = "Admin,Manager,Merchandiser,Operator,Driver")]
+    [Authorize(Roles = "Admin,Manager,Merchandiser,PodOperator,Operator,Driver")]
     [ProducesResponseType(typeof(CratePodSubmissionDto), StatusCodes.Status200OK)]
     [ProducesResponseType(typeof(ErrorResponseDto), StatusCodes.Status400BadRequest)]
     [RequestSizeLimit(20 * 1024 * 1024)]
diff --git a/ShopInventory/Controllers/UserManagementController.cs b/ShopInventory/Controllers/UserManagementController.cs
@@ -51,7 +51,7 @@ public async Task<IActionResult> GetUser(Guid id, CancellationToken cancellation
     }
 
     [HttpPost]
-    [RequirePermission(Permission.CreateUsers)]
+    [RequirePermission(Permission.CreateUsers, Permission.CreateMerchandiserAccounts)]
     public async Task<IActionResult> CreateUser([FromBody] CreateUserDetailRequest request, CancellationToken cancellationToken)
     {
         var result = await mediator.Send(new CreateUserCommand(request), cancellationToken);
@@ -61,15 +61,15 @@ public async Task<IActionResult> CreateUser([FromBody] CreateUserDetailRequest r
     }
 
     [HttpGet("merchandisers")]
-    [RequirePermission(Permission.CreateUsers)]
+    [RequirePermission(Permission.CreateMerchandiserAccounts)]
     public async Task<IActionResult> GetManagedMerchandiserAccounts(CancellationToken cancellationToken)
     {
         var result = await mediator.Send(new GetManagedMerchandiserAccountsQuery(), cancellationToken);
         return result.Match(value => Ok(value), errors => Problem(errors));
     }
 
     [HttpPut("merchandisers/{id:guid}/assigned-customers")]
-    [RequirePermission(Permission.CreateUsers)]
+    [RequirePermission(Permission.CreateMerchandiserAccounts)]
     public async Task<IActionResult> UpdateMerchandiserAssignedCustomers(
         Guid id,
         [FromBody] UpdateMerchandiserAssignedCustomersRequest request,
diff --git a/ShopInventory/Features/Crates/Commands/UploadCratePod/UploadCratePodHandler.cs b/ShopInventory/Features/Crates/Commands/UploadCratePod/UploadCratePodHandler.cs
@@ -196,6 +196,14 @@ await auditService.LogAsync(
                 return CrateTrackingConstants.SubmissionRoleMerchandiser;
             }
 
+            if (string.Equals(currentRole, "Admin", StringComparison.OrdinalIgnoreCase) ||
+                string.Equals(currentRole, "Manager", StringComparison.OrdinalIgnoreCase) ||
+                string.Equals(currentRole, "PodOperator", StringComparison.OrdinalIgnoreCase) ||
+                string.Equals(currentRole, "Operator", StringComparison.OrdinalIgnoreCase))
+            {
+                return CrateTrackingConstants.SubmissionRoleDriver;
+            }
+
             return null;
         }
 
diff --git a/ShopInventory/Features/Crates/Queries/ValidateBulkCratePods/ValidateBulkCratePodsHandler.cs b/ShopInventory/Features/Crates/Queries/ValidateBulkCratePods/ValidateBulkCratePodsHandler.cs
@@ -225,6 +225,7 @@ private static bool CanUpload(
     {
         if (string.Equals(currentUserRole, "Admin", StringComparison.OrdinalIgnoreCase) ||
             string.Equals(currentUserRole, "Manager", StringComparison.OrdinalIgnoreCase) ||
+            string.Equals(currentUserRole, "PodOperator", StringComparison.OrdinalIgnoreCase) ||
             string.Equals(currentUserRole, "Operator", StringComparison.OrdinalIgnoreCase))
         {
             return true;
@@ -290,6 +291,7 @@ existingSubmission is not null &&
 
             if (string.Equals(currentRole, "Admin", StringComparison.OrdinalIgnoreCase) ||
                 string.Equals(currentRole, "Manager", StringComparison.OrdinalIgnoreCase) ||
+                string.Equals(currentRole, "PodOperator", StringComparison.OrdinalIgnoreCase) ||
                 string.Equals(currentRole, "Operator", StringComparison.OrdinalIgnoreCase))
             {
                 return CrateTrackingConstants.SubmissionRoleDriver;
diff --git a/ShopInventory/Models/Permission.cs b/ShopInventory/Models/Permission.cs
@@ -67,6 +67,7 @@ public static class Permissions
     // Users & Admin
     public const string ViewUsers = "users.view";
     public const string CreateUsers = "users.create";
+    public const string CreateMerchandiserAccounts = "users.create_merchandiser_accounts";
     public const string EditUsers = "users.edit";
     public const string DeleteUsers = "users.delete";
     public const string ManageRoles = "users.manage_roles";
@@ -189,6 +190,7 @@ public static Dictionary<string, List<PermissionInfo>> GetAllPermissionsGrouped(
             {
                 new(ViewUsers, "View Users", "View user accounts"),
                 new(CreateUsers, "Create Users", "Create new user accounts"),
+                new(CreateMerchandiserAccounts, "Create Merchandiser Accounts", "Create merchandiser user accounts (for SalesRep role)"),
                 new(EditUsers, "Edit Users", "Modify user accounts"),
                 new(DeleteUsers, "Delete Users", "Delete user accounts"),
                 new(ManageRoles, "Manage Roles", "Assign roles to users"),
@@ -356,7 +358,7 @@ public static List<string> GetDefaultPermissionsForRole(string role)
             ApplicationRoles.SalesRep => new List<string>
             {
                 ViewDashboard,
-                CreateUsers,
+                CreateMerchandiserAccounts,
                 ViewSalesOrders, CreateSalesOrders, EditSalesOrders, ApproveSalesOrders, PostSalesOrdersToSAP,
                 ViewTimesheets, ManageTimesheets
             },
@@ -436,6 +438,7 @@ public static class Permission
     // Users & Admin
     public const string ViewUsers = Permissions.ViewUsers;
     public const string CreateUsers = Permissions.CreateUsers;
+    public const string CreateMerchandiserAccounts = Permissions.CreateMerchandiserAccounts;
     public const string EditUsers = Permissions.EditUsers;
     public const string DeleteUsers = Permissions.DeleteUsers;
     public const string ManageRoles = Permissions.ManageRoles;
diff --git a/ShopInventory/Services/UserManagementService.cs b/ShopInventory/Services/UserManagementService.cs
@@ -578,6 +578,7 @@ private static string GetPermissionDescription(string permission)
             Permission.DeleteCustomers => "Delete customers",
             Permission.ViewUsers => "View user accounts",
             Permission.CreateUsers => "Create new user accounts",
+            Permission.CreateMerchandiserAccounts => "Create merchandiser user accounts",
             Permission.EditUsers => "Edit user accounts",
             Permission.DeleteUsers => "Delete user accounts",
             Permission.ManageUserRoles => "Assign roles to users",

Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,7 @@`
`174`	`174`	`@onclick="() => DownloadAttachmentAsync(attachment)">`
`175`	`175`	`Download`
`176`	`176`	`</button>`
`177`		`- @if (canSubmitPods)`
	`177`	`+ @if (canDeleteCratePods)`
`178`	`178`	`{`
`179`	`179`	`<button type="button" class="crpod-attachment-action crpod-attachment-action-delete"`
`180`	`180`	`@onclick="() => BeginDeleteAttachment(pod, attachment)">`
Original file line number	Diff line number	Diff line change
`@@ -552,6 +552,11 @@ protected async Task CloseAttachmentViewerAsync()`
`552`	`552`
`553`	`553`	`protected void BeginDeleteAttachment(CratePodSubmissionDto pod, DocumentAttachmentDto attachment)`
`554`	`554`	`{`
	`555`	`+ if (!canDeleteCratePods)`
	`556`	`+ {`
	`557`	`+ return;`
	`558`	`+ }`
	`559`	`+`
`555`	`560`	`podToDelete = pod;`
`556`	`561`	`attachmentToDelete = attachment;`
`557`	`562`	`attachmentDeleteContext = $"{GetPodReferenceLabel(pod)} {pod.SubmissionRole} submission";`
`@@ -568,7 +573,7 @@ protected void CancelDeleteAttachment()`
`568`	`573`
`569`	`574`	`protected async Task DeletePodAsync()`
`570`	`575`	`{`
`571`		`- if (podToDelete is null \|\| isDeletingAttachment)`
	`576`	`+ if (!canDeleteCratePods \|\| podToDelete is null \|\| isDeletingAttachment)`
`572`	`577`	`{`
`573`	`578`	`return;`
`574`	`579`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ namespace ShopInventory.Controllers;`
`23`	`23`	`public class InventoryTransferController(IMediator mediator) : ApiControllerBase`
`24`	`24`	`{`
`25`	`25`	`[HttpPost]`
	`26`	`+ [Authorize(Roles = "Admin,StockController,DepotController")]`
`26`	`27`	`[ProducesResponseType(typeof(InventoryTransferCreatedResponseDto), StatusCodes.Status201Created)]`
`27`	`28`	`[ProducesResponseType(typeof(InventoryTransferCreatedResponseDto), StatusCodes.Status202Accepted)]`
`28`	`29`	`[ProducesResponseType(typeof(ErrorResponseDto), StatusCodes.Status400BadRequest)]`
`@@ -94,6 +95,7 @@ public async Task<IActionResult> GetInventoryTransferByDocEntry(int docEntry, Ca`
`94`	`95`	`#region Transfer Request Endpoints`
`95`	`96`
`96`	`97`	`[HttpPost("request")]`
	`98`	`+ [Authorize(Roles = "Admin,StockController,DepotController")]`
`97`	`99`	`[ProducesResponseType(typeof(TransferRequestCreatedResponseDto), StatusCodes.Status201Created)]`
`98`	`100`	`[ProducesResponseType(typeof(ErrorResponseDto), StatusCodes.Status400BadRequest)]`
`99`	`101`	`public async Task<IActionResult> CreateTransferRequest(`
`@@ -106,6 +108,7 @@ public async Task<IActionResult> CreateTransferRequest(`
`106`	`108`	`}`
`107`	`109`
`108`	`110`	`[HttpPost("request/{docEntry:int}/convert")]`
	`111`	`+ [Authorize(Roles = "Admin,StockController,DepotController")]`
`109`	`112`	`[ProducesResponseType(typeof(TransferRequestConvertedResponseDto), StatusCodes.Status201Created)]`
`110`	`113`	`public async Task<IActionResult> ConvertTransferRequestToTransfer(int docEntry, CancellationToken cancellationToken)`
`111`	`114`	`{`
`@@ -116,6 +119,7 @@ public async Task<IActionResult> ConvertTransferRequestToTransfer(int docEntry,`
`116`	`119`	`}`
`117`	`120`
`118`	`121`	`[HttpPost("request/{docEntry:int}/close")]`
	`122`	`+ [Authorize(Roles = "Admin,StockController,DepotController")]`
`119`	`123`	`[ProducesResponseType(StatusCodes.Status200OK)]`
`120`	`124`	`public async Task<IActionResult> CloseTransferRequest(int docEntry, CancellationToken cancellationToken)`
`121`	`125`	`{`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ public async Task<IActionResult> GetUser(Guid id, CancellationToken cancellation`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`[HttpPost]`
`54`		`- [RequirePermission(Permission.CreateUsers)]`
	`54`	`+ [RequirePermission(Permission.CreateUsers, Permission.CreateMerchandiserAccounts)]`
`55`	`55`	`public async Task<IActionResult> CreateUser([FromBody] CreateUserDetailRequest request, CancellationToken cancellationToken)`
`56`	`56`	`{`
`57`	`57`	`var result = await mediator.Send(new CreateUserCommand(request), cancellationToken);`
`@@ -61,15 +61,15 @@ public async Task<IActionResult> CreateUser([FromBody] CreateUserDetailRequest r`
`61`	`61`	`}`
`62`	`62`
`63`	`63`	`[HttpGet("merchandisers")]`
`64`		`- [RequirePermission(Permission.CreateUsers)]`
	`64`	`+ [RequirePermission(Permission.CreateMerchandiserAccounts)]`
`65`	`65`	`public async Task<IActionResult> GetManagedMerchandiserAccounts(CancellationToken cancellationToken)`
`66`	`66`	`{`
`67`	`67`	`var result = await mediator.Send(new GetManagedMerchandiserAccountsQuery(), cancellationToken);`
`68`	`68`	`return result.Match(value => Ok(value), errors => Problem(errors));`
`69`	`69`	`}`
`70`	`70`
`71`	`71`	`[HttpPut("merchandisers/{id:guid}/assigned-customers")]`
`72`		`- [RequirePermission(Permission.CreateUsers)]`
	`72`	`+ [RequirePermission(Permission.CreateMerchandiserAccounts)]`
`73`	`73`	`public async Task<IActionResult> UpdateMerchandiserAssignedCustomers(`
`74`	`74`	`Guid id,`
`75`	`75`	`[FromBody] UpdateMerchandiserAssignedCustomersRequest request,`