From 2645de2e9fe7f0d25c33737271a3b3d188a57aa5 Mon Sep 17 00:00:00 2001
From: Christian Werner
Date: Wed, 29 Oct 2025 20:49:31 +0100
Subject: [PATCH] filter tenents based on invokers relations

---
 .../Controllers/TenantController.cs | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/dotnet/Suspectus.Gandalf.Palantir.Api/Controllers/TenantController.cs b/src/dotnet/Suspectus.Gandalf.Palantir.Api/Controllers/TenantController.cs
index 0dce1c5..83a81c5 100644
--- a/src/dotnet/Suspectus.Gandalf.Palantir.Api/Controllers/TenantController.cs
+++ b/src/dotnet/Suspectus.Gandalf.Palantir.Api/Controllers/TenantController.cs
@@ -2,9 +2,9 @@
 using HashidsNet;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
+using Suspectus.Gandalf.Palantir.Abstractions;
 using Suspectus.Gandalf.Palantir.Data.Database;
 using Suspectus.Gandalf.Palantir.Data.Dto.Tenant;
-using Suspectus.Gandalf.Palantir.Data.Entities.Base;
 
 namespace Suspectus.Gandalf.Palantir.Api.Controllers;
@@ -23,14 +23,19 @@ public class TenantController : ControllerBase
 }
 
 [HttpGet]
- public async Task Get(CancellationToken cancellationToken)
+ public async Task Get(InvokerContext invokerContext, CancellationToken cancellationToken)
 {
- var tenantEntities = await _context.Tenants.ToListAsync(cancellationToken: cancellationToken);
+ var tenantEntities = await _context.Subjects
+ .Where(x => x.Id!.Value == invokerContext.Invoker!.SubjectId)
+ .SelectMany(x => x.Tenants)
+ .ToListAsync(cancellationToken);
+
 var dtos = tenantEntities.Select(x => new TenantGridViewDto
 {
 Id = _hashids.EncodeLong(x.Id!.Value),
 Name = x.Name,
 IsMaster = x.IsMaster,
+ IsOwner = invokerContext.Invoker!.SubjectId == x.OwnerId,
 OwnerId = _hashids.EncodeLong(x.OwnerId),
 Visibility = x.Visibility
 });
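Review bot: `InvokerContext invokerContext` is a plain action parameter on the new `Get` signature, so its binding source decides whether the new filter can be trusted: if the type is not a registered service it is model-bound from the request, and `invokerContext.Invoker!.SubjectId` — the value the `Where` filters on — would be caller-supplied. I cannot see the type's registration from the hunk; if it is a scoped service, `[FromServices] InvokerContext invokerContext` makes that explicit and removes the ambiguity. The null-forgiving `Invoker!` also turns a missing invoker into a NullReferenceException (a 500) rather than an authentication result, here and in the `AnyAsync` call of the `Get(string idHash)` hunk; a guard before the query, `if (invokerContext.Invoker is null) { return Unauthorized(); }`, keeps the failure explicit. The new `Where` compares `x.Id!.Value` while the by-id hunk compares `x.Id == id` directly — worth aligning on one form. `Get`'s body continues past the end of the hunk.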
@@ -38,25 +43,33 @@ public class TenantController : ControllerBase
 }
 
 [HttpGet("{idHash}")]
- public async Task Get(CancellationToken cancellationToken, string idHash)
+ public async Task Get(CancellationToken cancellationToken, string idHash, InvokerContext invokerContext)
 {
 if (!_hashids.TryDecodeSingleLong(idHash, out var id))
 {
 return BadRequest();
 }
 
- var tenant = await _context.Tenants.SingleOrDefaultAsync(x => x.Id!.Value == id, cancellationToken: cancellationToken);
-
+ var tenant = await _context.Tenants.SingleOrDefaultAsync(x => x.Id == id, cancellationToken);
+
 if (tenant is null)
 {
 return NotFound();
 }
+
+ var userHasRelation = await _context.TenantSubjectRelations.AnyAsync(x => x.SubjectId == invokerContext.Invoker!.SubjectId && x.TenantId == id, cancellationToken: cancellationToken);
+
+ if (!userHasRelation)
+ {
+ return Forbid();
+ }
 
 var dto = new TenantGridViewDto
 {
 Id = _hashids.EncodeLong(tenant.Id!.Value),
 Name = tenant.Name,
 IsMaster = tenant.IsMaster,
+ IsOwner = invokerContext.Invoker!.SubjectId == tenant.OwnerId,
 OwnerId = _hashids.EncodeLong(tenant.OwnerId),
 Visibility = tenant.Visibility
 };
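Review bot: The new `Forbid()` branch after the `NotFound()` check tells a caller with no relation that the tenant exists, and because `idHash` is a Hashids encoding rather than an unguessable token, the 404/403 split lets tenant ids be confirmed one at a time; unless a client needs the 403, returning `NotFound()` in both cases avoids that distinction. The two reads could also collapse into one query that fetches the tenant only when a `TenantSubjectRelations` row for the invoker and `id` exists, removing a round-trip and the gap between the existence and relation checks, though that needs navigation names I cannot see here. `AnyAsync(..., cancellationToken: cancellationToken)` uses the named argument the same commit just dropped from `SingleOrDefaultAsync` a few lines above; pick one form. The method's `return` lies outside the hunk.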