Add granular permission checks to controllers

Replaced generic [Authorize] attribute with [PermissionAuthorize] to enforce action-specific permissions for Products and ProductCategories controllers. This ensures actions like View, Create, Edit, and Delete are secured with distinct permission requirements.

Author: kelvink96

Controllers/ProductCategoriesController.cs

@@ -1,14 +1,16 @@
-using AdminHubApi.Dtos.ProductCategory;
+using AdminHubApi.Constants;
+using AdminHubApi.Dtos.ProductCategory;
 using AdminHubApi.Entities;
 using AdminHubApi.Interfaces;
+using AdminHubApi.Security;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace AdminHubApi.Controllers;
 
 [ApiController]
 [Route("api/product-categories")]
-[Authorize]
+[PermissionAuthorize(Permissions.ProductCategories.View)]
 public class ProductCategoriesController : ControllerBase
 {
     private readonly IProductCategoryService _productCategoryService;
@@ -43,6 +45,7 @@ public async Task<ActionResult<ProductCategory>> GetCategory(Guid id)
     }
 
     [HttpPost]
+    [PermissionAuthorize(Permissions.ProductCategories.Create)]
     public async Task<ActionResult<ProductCategory>> CreateCategory(CreateProductCategoryDto productCategoryDto)
     {
         var productCategory = new ProductCategory
@@ -67,6 +70,7 @@ public async Task<ActionResult<ProductCategory>> CreateCategory(CreateProductCat
     }
 
     [HttpPut("{id}")]
+    [PermissionAuthorize(Permissions.ProductCategories.Edit)]
     public async Task<IActionResult> UpdateCategory(Guid id, UpdateProductCategoryDto updateProductCategoryDto)
     {
         var productCategoryResponse = await _productCategoryService.GetByIdAsync(id);
@@ -89,6 +93,7 @@ public async Task<IActionResult> UpdateCategory(Guid id, UpdateProductCategoryDt
     }
 
     [HttpDelete("{id}")]
+    [PermissionAuthorize(Permissions.ProductCategories.Delete)]
     public async Task<IActionResult> DeleteCategory(Guid id)
     {
         var productCategoryResponse = await _productCategoryService.GetByIdAsync(id);

Controllers/ProductsController.cs

@@ -1,13 +1,16 @@
-using AdminHubApi.Dtos.Products;
+using AdminHubApi.Constants;
+using AdminHubApi.Dtos.Products;
 using AdminHubApi.Entities;
 using AdminHubApi.Interfaces;
+using AdminHubApi.Security;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace AdminHubApi.Controllers;
 
 [ApiController]
 [Route("/api/products")]
+[PermissionAuthorize(Permissions.Products.View)]
 public class ProductsController : ControllerBase
 {
     private readonly IProductService _productService;
@@ -41,6 +44,7 @@ public async Task<ActionResult<ProductDto>> GetProductById(Guid id)
     }
 
     [HttpPost]
+    [PermissionAuthorize(Permissions.Products.Create)]
     public async Task<ActionResult> CreateProduct(CreateProductDto createProductDto)
     {
         var product = new Product
@@ -70,7 +74,7 @@ public async Task<ActionResult> CreateProduct(CreateProductDto createProductDto)
     }
 
     [HttpPut("{id}")]
-    [Authorize]
+    [PermissionAuthorize(Permissions.Products.Edit)]
     public async Task<IActionResult> UpdateProduct(Guid id, UpdateProductDto updateProductDto)
     {
         var productResponse = await _productService.GetByIdAsync(id);
@@ -92,7 +96,7 @@ public async Task<IActionResult> UpdateProduct(Guid id, UpdateProductDto updateP
     }
 
     [HttpDelete("{id}")]
-    [Authorize]
+    [PermissionAuthorize(Permissions.Products.Delete)]
     public async Task<IActionResult> DeleteProduct(Guid id)
     {
         var productResponse = await _productService.GetByIdAsync(id);