vietreport-admin/solution-erp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[CLAUDE] Phase1.2: CRUD Master + Permission Matrix + FE admin pages

Browse Source 
Backend:
- Domain/Master: Supplier (+ SupplierType 5 loai), Project, Department (AuditableEntity)
- Domain/Identity: MenuItem, Permission, MenuKeys const (12 menu)
- EF Configurations voi unique Code + query filter IsDeleted
- DbSets + IApplicationDbContext interface update
- Application: PagedResult + PagedRequest generic
- Application/Master CQRS CRUD 3 entity (Create/Update/Delete/Get/List voi paging search sort)
- Application/Permissions: GetMyMenuTree (union OR role, filter tree), ListMenuItems, ListPermissionsByRole, UpsertPermission (guard admin khong tu giam quyen), ListRoles
- Api/Authorization: MenuPermissionRequirement + Handler (Admin bypass, query DB)
- Program.cs: register 48 policy {menu}.{action} tu MenuKeys x Actions
- Api/Controllers: Suppliers, Projects, Departments, Menus, Roles, Permissions
- DbInitializer: seed 12 menu + admin full CRUD permissions
- Migration AddMasterData + AddPermissions

Frontend (fe-admin):
- Types: menuKeys.ts const, menu.ts (MenuNode/Role/Permission), master.ts (Supplier/Project/Department + SupplierType const-object)
- AuthContext: load menu from /menus/me, cache localStorage, refreshMenu()
- usePermission hook + PermissionGuard component (wrap button)
- UI kit them: Dialog (modal overlay), Textarea, Select
- Generic: DataTable (column config, sortable, loading, empty) + Pagination
- PageHeader component
- apiError helper extract message tu ProblemDetails
- Layout rewrite: render menu dong tu AuthContext.menu (MenuGroup collapsible + NavLink + lucide icon map)
- Pages: master/Suppliers, master/Projects, master/Departments (CRUD + search + sort + paging + Dialog form)
- Page system/Permissions: ma tran Role x MenuKey x CRUD checkbox (tick tu dong PUT upsert)
- App.tsx them 4 route moi

Bug fix:
- MenuPermissionHandler: EF expression tree khong support switch expression -> tach switch ra ngoai AnyAsync
- TS erasableSyntaxOnly khong cho enum -> SupplierType const-object pattern (typeof[keyof])

E2E verified via Vite proxy:
- GET /menus/me -> 6 root + 6 child nodes (12 menus)
- GET /roles -> 12 roles
- POST/GET/PUT/DELETE /suppliers -> full CRUD, soft delete OK
- tsc -b fe-admin pass

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
pqhuy1987
2026-04-21 11:30:14 +07:00
parent 49a5f57a50
commit 54d6c9ba52
63 changed files with 4422 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
src/Backend/SolutionErp.Api/Authorization/MenuPermissionHandler.cs Normal file
View File

@ -0,0 +1,54 @@
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using SolutionErp.Application.Common.Interfaces;
using SolutionErp.Domain.Identity;
namespace SolutionErp.Api.Authorization;
public class MenuPermissionHandler(
IApplicationDbContext db,
UserManager<User> userManager,
RoleManager<Role> roleManager) : AuthorizationHandler<MenuPermissionRequirement>
{
protected override async Task HandleRequirementAsync(
AuthorizationHandlerContext context, MenuPermissionRequirement req)
{
var sub = context.User.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value
?? context.User.FindFirst("sub")?.Value;
if (!Guid.TryParse(sub, out var userId)) return;
var user = await userManager.FindByIdAsync(userId.ToString());
if (user is null || !user.IsActive) return;
var roleNames = await userManager.GetRolesAsync(user);
// Admin bypass
if (roleNames.Contains(AppRoles.Admin))
{
context.Succeed(req);
return;
}
var roleIds = new List<Guid>();
foreach (var name in roleNames)
{
var r = await roleManager.FindByNameAsync(name);
if (r is not null) roleIds.Add(r.Id);
}
var baseQuery = db.Permissions
.Where(p => roleIds.Contains(p.RoleId) && p.MenuKey == req.MenuKey);
var hasPermission = req.Action switch
{
"Read" => await baseQuery.AnyAsync(p => p.CanRead),
"Create" => await baseQuery.AnyAsync(p => p.CanCreate),
"Update" => await baseQuery.AnyAsync(p => p.CanUpdate),
"Delete" => await baseQuery.AnyAsync(p => p.CanDelete),
_ => false,
};
if (hasPermission) context.Succeed(req);
}
}

9
src/Backend/SolutionErp.Api/Authorization/MenuPermissionRequirement.cs Normal file
View File

@ -0,0 +1,9 @@
using Microsoft.AspNetCore.Authorization;
namespace SolutionErp.Api.Authorization;
public class MenuPermissionRequirement(string menuKey, string action) : IAuthorizationRequirement
{
public string MenuKey { get; } = menuKey;
public string Action { get; } = action; // "Read" | "Create" | "Update" | "Delete"
}

46
src/Backend/SolutionErp.Api/Controllers/DepartmentsController.cs Normal file
View File

@ -0,0 +1,46 @@
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SolutionErp.Application.Common.Models;
using SolutionErp.Application.Master.Departments;
namespace SolutionErp.Api.Controllers;
[ApiController]
[Route("api/departments")]
[Authorize]
public class DepartmentsController(IMediator mediator) : ControllerBase
{
[HttpGet]
public async Task<ActionResult<PagedResult<DepartmentDto>>> List(
[FromQuery] int page = 1, [FromQuery] int pageSize = 20,
[FromQuery] string? search = null, [FromQuery] string? sortBy = null, [FromQuery] bool sortDesc = true,
CancellationToken ct = default)
=> Ok(await mediator.Send(new ListDepartmentsQuery { Page = page, PageSize = pageSize, Search = search, SortBy = sortBy, SortDesc = sortDesc }, ct));
[HttpGet("{id:guid}")]
public async Task<ActionResult<DepartmentDto>> Get(Guid id, CancellationToken ct)
=> Ok(await mediator.Send(new GetDepartmentQuery(id), ct));
[HttpPost]
public async Task<ActionResult<Guid>> Create([FromBody] CreateDepartmentCommand cmd, CancellationToken ct)
{
var id = await mediator.Send(cmd, ct);
return CreatedAtAction(nameof(Get), new { id }, new { id });
}
[HttpPut("{id:guid}")]
public async Task<IActionResult> Update(Guid id, [FromBody] UpdateDepartmentCommand cmd, CancellationToken ct)
{
if (id != cmd.Id) return BadRequest(new { detail = "ID không khớp" });
await mediator.Send(cmd, ct);
return NoContent();
}
[HttpDelete("{id:guid}")]
public async Task<IActionResult> Delete(Guid id, CancellationToken ct)
{
await mediator.Send(new DeleteDepartmentCommand(id), ct);
return NoContent();
}
}

22
src/Backend/SolutionErp.Api/Controllers/MenusController.cs Normal file
View File

@ -0,0 +1,22 @@
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SolutionErp.Application.Permissions;
using SolutionErp.Application.Permissions.Dtos;
using SolutionErp.Application.Permissions.Queries.GetMyMenuTree;
namespace SolutionErp.Api.Controllers;
[ApiController]
[Route("api/menus")]
[Authorize]
public class MenusController(IMediator mediator) : ControllerBase
{
[HttpGet("me")]
public async Task<ActionResult<List<MenuNodeDto>>> Me(CancellationToken ct)
=> Ok(await mediator.Send(new GetMyMenuTreeQuery(), ct));
[HttpGet]
public async Task<ActionResult<List<MenuItemDto>>> List(CancellationToken ct)
=> Ok(await mediator.Send(new ListMenuItemsQuery(), ct));
}

25
src/Backend/SolutionErp.Api/Controllers/PermissionsController.cs Normal file
View File

@ -0,0 +1,25 @@
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SolutionErp.Application.Permissions;
using SolutionErp.Application.Permissions.Dtos;
namespace SolutionErp.Api.Controllers;
[ApiController]
[Route("api/permissions")]
[Authorize(Policy = "Permissions.Read")]
public class PermissionsController(IMediator mediator) : ControllerBase
{
[HttpGet("by-role/{roleId:guid}")]
public async Task<ActionResult<List<PermissionDto>>> ListByRole(Guid roleId, CancellationToken ct)
=> Ok(await mediator.Send(new ListPermissionsByRoleQuery(roleId), ct));
[HttpPut]
[Authorize(Policy = "Permissions.Update")]
public async Task<IActionResult> Upsert([FromBody] UpsertPermissionCommand cmd, CancellationToken ct)
{
await mediator.Send(cmd, ct);
return NoContent();
}
}

46
src/Backend/SolutionErp.Api/Controllers/ProjectsController.cs Normal file
View File

@ -0,0 +1,46 @@
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SolutionErp.Application.Common.Models;
using SolutionErp.Application.Master.Projects;
namespace SolutionErp.Api.Controllers;
[ApiController]
[Route("api/projects")]
[Authorize]
public class ProjectsController(IMediator mediator) : ControllerBase
{
[HttpGet]
public async Task<ActionResult<PagedResult<ProjectDto>>> List(
[FromQuery] int page = 1, [FromQuery] int pageSize = 20,
[FromQuery] string? search = null, [FromQuery] string? sortBy = null, [FromQuery] bool sortDesc = true,
CancellationToken ct = default)
=> Ok(await mediator.Send(new ListProjectsQuery { Page = page, PageSize = pageSize, Search = search, SortBy = sortBy, SortDesc = sortDesc }, ct));
[HttpGet("{id:guid}")]
public async Task<ActionResult<ProjectDto>> Get(Guid id, CancellationToken ct)
=> Ok(await mediator.Send(new GetProjectQuery(id), ct));
[HttpPost]
public async Task<ActionResult<Guid>> Create([FromBody] CreateProjectCommand cmd, CancellationToken ct)
{
var id = await mediator.Send(cmd, ct);
return CreatedAtAction(nameof(Get), new { id }, new { id });
}
[HttpPut("{id:guid}")]
public async Task<IActionResult> Update(Guid id, [FromBody] UpdateProjectCommand cmd, CancellationToken ct)
{
if (id != cmd.Id) return BadRequest(new { detail = "ID không khớp" });
await mediator.Send(cmd, ct);
return NoContent();
}
[HttpDelete("{id:guid}")]
public async Task<IActionResult> Delete(Guid id, CancellationToken ct)
{
await mediator.Send(new DeleteProjectCommand(id), ct);
return NoContent();
}
}

17
src/Backend/SolutionErp.Api/Controllers/RolesController.cs Normal file
View File

@ -0,0 +1,17 @@
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SolutionErp.Application.Permissions;
using SolutionErp.Application.Permissions.Dtos;
namespace SolutionErp.Api.Controllers;
[ApiController]
[Route("api/roles")]
[Authorize]
public class RolesController(IMediator mediator) : ControllerBase
{
[HttpGet]
public async Task<ActionResult<List<RoleDto>>> List(CancellationToken ct)
=> Ok(await mediator.Send(new ListRolesQuery(), ct));
}

53
src/Backend/SolutionErp.Api/Controllers/SuppliersController.cs Normal file
View File

@ -0,0 +1,53 @@
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using SolutionErp.Application.Common.Models;
using SolutionErp.Application.Master.Suppliers.Commands.CreateSupplier;
using SolutionErp.Application.Master.Suppliers.Commands.DeleteSupplier;
using SolutionErp.Application.Master.Suppliers.Commands.UpdateSupplier;
using SolutionErp.Application.Master.Suppliers.Dtos;
using SolutionErp.Application.Master.Suppliers.Queries.GetSupplier;
using SolutionErp.Application.Master.Suppliers.Queries.ListSuppliers;
using SolutionErp.Domain.Master;
namespace SolutionErp.Api.Controllers;
[ApiController]
[Route("api/suppliers")]
[Authorize]
public class SuppliersController(IMediator mediator) : ControllerBase
{
[HttpGet]
public async Task<ActionResult<PagedResult<SupplierDto>>> List(
[FromQuery] int page = 1, [FromQuery] int pageSize = 20,
[FromQuery] string? search = null, [FromQuery] string? sortBy = null, [FromQuery] bool sortDesc = true,
[FromQuery] SupplierType? type = null,
CancellationToken ct = default)
=> Ok(await mediator.Send(new ListSuppliersQuery(type) { Page = page, PageSize = pageSize, Search = search, SortBy = sortBy, SortDesc = sortDesc }, ct));
[HttpGet("{id:guid}")]
public async Task<ActionResult<SupplierDto>> Get(Guid id, CancellationToken ct)
=> Ok(await mediator.Send(new GetSupplierQuery(id), ct));
[HttpPost]
public async Task<ActionResult<Guid>> Create([FromBody] CreateSupplierCommand cmd, CancellationToken ct)
{
var id = await mediator.Send(cmd, ct);
return CreatedAtAction(nameof(Get), new { id }, new { id });
}
[HttpPut("{id:guid}")]
public async Task<IActionResult> Update(Guid id, [FromBody] UpdateSupplierCommand cmd, CancellationToken ct)
{
if (id != cmd.Id) return BadRequest(new { detail = "ID không khớp" });
await mediator.Send(cmd, ct);
return NoContent();
}
[HttpDelete("{id:guid}")]
public async Task<IActionResult> Delete(Guid id, CancellationToken ct)
{
await mediator.Send(new DeleteSupplierCommand(id), ct);
return NoContent();
}
}

17
src/Backend/SolutionErp.Api/Program.cs
View File

@ -1,12 +1,15 @@
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi.Models;
using Serilog;
using SolutionErp.Api.Authorization;
using SolutionErp.Api.Middleware;
using SolutionErp.Api.Services;
using SolutionErp.Application;
using SolutionErp.Application.Common.Interfaces;
using SolutionErp.Domain.Identity;
using SolutionErp.Infrastructure;
using SolutionErp.Infrastructure.Identity;
using SolutionErp.Infrastructure.Persistence;
@ -48,7 +51,19 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
ClockSkew = TimeSpan.FromMinutes(1),
};
});
builder.Services.AddAuthorization();
builder.Services.AddScoped<IAuthorizationHandler, MenuPermissionHandler>();
builder.Services.AddAuthorization(opts =>
{
foreach (var menu in MenuKeys.All)
{
foreach (var action in MenuKeys.Actions)
{
opts.AddPolicy($"{menu}.{action}", p =>
p.Requirements.Add(new MenuPermissionRequirement(menu, action)));
}
}
});
// ---------- CORS (2 FE dev origins) ----------
builder.Services.AddCors(opts =>