sakakun
diff --git a/‎BHD-ServerManager/API/Controllers/AdminController.cs‎
Lines changed: 11 additions & 0 deletions b/‎BHD-ServerManager/API/Controllers/AdminController.cs‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎BHD-ServerManager/API/Controllers/BanController.cs‎
Lines changed: 14 additions & 2 deletions b/‎BHD-ServerManager/API/Controllers/BanController.cs‎
Lines changed: 14 additions & 2 deletions
diff --git a/‎BHD-ServerManager/API/Controllers/ChatController.cs‎
Lines changed: 4 additions & 0 deletions b/‎BHD-ServerManager/API/Controllers/ChatController.cs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎BHD-ServerManager/API/Controllers/FileSystemController.cs‎
Lines changed: 11 additions & 0 deletions b/‎BHD-ServerManager/API/Controllers/FileSystemController.cs‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎BHD-ServerManager/API/Controllers/GamePlayController.cs‎
Lines changed: 23 additions & 1 deletion b/‎BHD-ServerManager/API/Controllers/GamePlayController.cs‎
Lines changed: 23 additions & 1 deletion
diff --git a/‎BHD-ServerManager/API/Controllers/MapPlaylistController.cs‎
Lines changed: 32 additions & 0 deletions b/‎BHD-ServerManager/API/Controllers/MapPlaylistController.cs‎
Lines changed: 32 additions & 0 deletions
@@ -14,6 +14,8 @@ public class AdminController : ControllerBase
     [HttpPost("create")]
     public ActionResult<AdminCommandResult> CreateUser([FromBody] CreateUserRequest request)
     {
+        if(!HasPermission("users")) return Forbid();
+
         var result = adminInstanceManager.CreateUser(request);
         CommonCore.instanceAdmin!.ForceUIUpdate = true;
         return Ok(new AdminCommandResult
@@ -26,6 +28,7 @@ public ActionResult<AdminCommandResult> CreateUser([FromBody] CreateUserRequest
     [HttpPost("update")]
     public ActionResult<AdminCommandResult> UpdateUser([FromBody] UpdateUserRequest request)
     {
+        if(!HasPermission("users")) return Forbid();
         var result = adminInstanceManager.UpdateUser(request);
         CommonCore.instanceAdmin!.ForceUIUpdate = true;
         return Ok(new AdminCommandResult
@@ -38,6 +41,7 @@ public ActionResult<AdminCommandResult> UpdateUser([FromBody] UpdateUserRequest
     [HttpPost("delete")]
     public ActionResult<AdminCommandResult> DeleteUser([FromBody] DeleteUserRequest request)
     {
+        if(!HasPermission("users")) return Forbid();
         var result = adminInstanceManager.DeleteUser(request.UserID);
         CommonCore.instanceAdmin!.ForceUIUpdate = true;
         return Ok(new AdminCommandResult
@@ -46,4 +50,11 @@ public ActionResult<AdminCommandResult> DeleteUser([FromBody] DeleteUserRequest
             Message = result.Message
         });
     }
+
+    private bool HasPermission(string permission)
+    {
+        var permissions = User.FindAll("permission").Select(c => c.Value).ToList();
+        return permissions.Contains(permission);
+    }
+
 }
@@ -12,7 +12,8 @@ public class BanController : ControllerBase
     [HttpPost("save-blacklist")]
     public ActionResult<BanRecordSaveResult> SaveBlacklistRecord([FromBody] BanRecordSaveRequest req)
     {
-        
+        if (!HasPermission("bans")) return Forbid();
+
         IPAddress? ip = null;
         if (req.IsIP && !string.IsNullOrWhiteSpace(req.IPAddress))
         {
@@ -88,6 +89,8 @@ public ActionResult<BanRecordSaveResult> SaveBlacklistRecord([FromBody] BanRecor
     [HttpPost("delete-blacklist")]
     public ActionResult<CommandResult> DeleteBlacklistRecord([FromBody] DeleteBanRecordRequest req)
     {
+        if (!HasPermission("bans")) return Forbid();
+
         if (req == null || req.RecordID <= 0)
             return BadRequest(new CommandResult { Success = false, Message = "Invalid request." });
 
@@ -107,7 +110,8 @@ public ActionResult<CommandResult> DeleteBlacklistRecord([FromBody] DeleteBanRec
     [HttpPost("save-whitelist")]
     public ActionResult<BanRecordSaveResult> SaveWhitelistRecord([FromBody] BanRecordSaveRequest req)
     {
-        
+        if (!HasPermission("bans")) return Forbid();
+
         IPAddress? ip = null;
         if (req.IsIP && !string.IsNullOrWhiteSpace(req.IPAddress))
         {
@@ -183,6 +187,8 @@ public ActionResult<BanRecordSaveResult> SaveWhitelistRecord([FromBody] BanRecor
     [HttpPost("delete-whitelist")]
     public ActionResult<CommandResult> DeleteWhitelistRecord([FromBody] DeleteBanRecordRequest req)
     {
+        if (!HasPermission("bans")) return Forbid();
+
         if (req == null || req.RecordID <= 0)
             return BadRequest(new CommandResult { Success = false, Message = "Invalid request." });
 
@@ -199,4 +205,10 @@ public ActionResult<CommandResult> DeleteWhitelistRecord([FromBody] DeleteBanRec
         return Ok(new CommandResult { Success = true, Message = "Record deleted." });
     }
 
+    private bool HasPermission(string permission)
+    {
+        var permissions = User.FindAll("permission").Select(c => c.Value).ToList();
+        return permissions.Contains(permission);
+    }
+
 }
@@ -22,27 +22,31 @@ public ActionResult<CommandResult> SendMessage([FromBody] SendChatCommand comman
     [HttpPost("auto/add")]
     public ActionResult<CommandResult> AddAutoMessage([FromBody] AutoMessageRequest request)
     {
+        if (!HasPermission("chat")) return Forbid();
         var result = chatInstanceManager.AddAutoMessage(request.Message!, request.Interval);
         return Ok(new CommandResult { Success = result.Success, Message = result.Message });
     }
 
     [HttpPost("auto/remove")]
     public ActionResult<CommandResult> RemoveAutoMessage([FromBody] RemoveMessageRequest request)
     {
+        if (!HasPermission("chat")) return Forbid();
         var result = chatInstanceManager.RemoveAutoMessage(int.Parse(request.Id!));
         return Ok(new CommandResult { Success = result.Success, Message = result.Message });
     }
 
     [HttpPost("slap/add")]
     public ActionResult<CommandResult> AddSlapMessage([FromBody] SlapMessageRequest request)
     {
+        if (!HasPermission("chat")) return Forbid();
         var result = chatInstanceManager.AddSlapMessage(request.Message!);
         return Ok(new CommandResult { Success = result.Success, Message = result.Message });
     }
 
     [HttpPost("slap/remove")]
     public ActionResult<CommandResult> RemoveSlapMessage([FromBody] RemoveMessageRequest request)
     {
+        if (!HasPermission("chat")) return Forbid();
         var result = chatInstanceManager.RemoveSlapMessage(int.Parse(request.Id!));
         return Ok(new CommandResult { Success = result.Success, Message = result.Message });
     }
 
@@ -15,6 +15,7 @@ public class FileSystemController : ControllerBase
     [HttpGet("drives")]
     public ActionResult<DirectoryListingResponse> GetDrives()
     {
+        if(!HasPermission("profile")) return Forbid();
         try
         {
             var drives = DriveInfo.GetDrives()
@@ -47,6 +48,8 @@ public ActionResult<DirectoryListingResponse> GetDrives()
     [HttpPost("list")]
     public ActionResult<DirectoryListingResponse> GetDirectoryListing([FromBody] DirectoryListingRequest request)
     {
+        if(!HasPermission("profile")) return Forbid();
+
         try
         {
             // Default to drives if no path specified
@@ -166,6 +169,8 @@ public ActionResult<DirectoryListingResponse> GetDirectoryListing([FromBody] Dir
     [HttpPost("validate-path")]
     public ActionResult<CommandResult> ValidatePath([FromBody] DirectoryListingRequest request)
     {
+        if(!HasPermission("profile")) return Forbid();
+
         try
         {
             if (string.IsNullOrWhiteSpace(request.Path))
@@ -193,5 +198,11 @@ public ActionResult<CommandResult> ValidatePath([FromBody] DirectoryListingReque
                 Message = $"Error validating path: {ex.Message}"
             });
         }
+
+    }
+    private bool HasPermission(string permission)
+    {
+        var permissions = User.FindAll("permission").Select(c => c.Value).ToList();
+        return permissions.Contains(permission);
     }
 }
@@ -19,6 +19,8 @@ public class GamePlayController : ControllerBase
     [HttpGet("settings")]
     public ActionResult<GamePlaySettingsResponse> GetSettings()
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         var result = theInstanceManager.LoadGamePlaySettings();
 
         if (!result.Success)
@@ -47,6 +49,8 @@ public ActionResult<GamePlaySettingsResponse> GetSettings()
     [HttpPost("settings")]
     public ActionResult<CommandResult> SaveSettings([FromBody] GamePlaySettingsRequest request)
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         // Convert DTO to GamePlaySettings
         var options = new ServerOptions(
             request.Options.AutoBalance, request.Options.ShowTracers,
@@ -112,6 +116,8 @@ public ActionResult<CommandResult> SaveSettings([FromBody] GamePlaySettingsReque
     [HttpPost("validate")]
     public ActionResult<ValidationResult> ValidateSettings([FromBody] GamePlaySettingsRequest request)
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         // For gameplay, basic validation can be done here
         var errors = new List<string>();
 
@@ -232,6 +238,8 @@ private void TriggerServerUIReload()
     [HttpPost("update-server")]
     public ActionResult<CommandResult> UpdateGameServer()
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         try
         {
             // Check if server is running
@@ -269,6 +277,8 @@ public ActionResult<CommandResult> UpdateGameServer()
     [HttpPost("lock-lobby")]
     public ActionResult<CommandResult> LockLobby()
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         try
         {
             // Check if server is running
@@ -306,6 +316,8 @@ public ActionResult<CommandResult> LockLobby()
     [HttpGet("export")]
     public ActionResult<GamePlaySettingsExportResponse> ExportSettings()
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         try
         {
             var result = theInstanceManager.LoadGamePlaySettings();
@@ -394,6 +406,8 @@ public ActionResult<GamePlaySettingsExportResponse> ExportSettings()
     [HttpPost("import")]
     public ActionResult<CommandResult> ImportSettings([FromBody] GamePlaySettingsImportRequest request)
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         try
         {
             // Deserialize JSON
@@ -449,6 +463,8 @@ public ActionResult<CommandResult> ImportSettings([FromBody] GamePlaySettingsImp
     [HttpPost("start-server")]
     public ActionResult<CommandResult> StartServer()
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         try
         {
             var instance = CommonCore.theInstance;
@@ -523,6 +539,8 @@ public ActionResult<CommandResult> StartServer()
     [HttpPost("stop-server")]
     public ActionResult<CommandResult> StopServer()
     {
+        if(!HasPermission("gameplay")) return Forbid();
+
         try
         {
             var instance = CommonCore.theInstance;
@@ -565,5 +583,9 @@ public ActionResult<CommandResult> StopServer()
             });
         }
     }
-
+    private bool HasPermission(string permission)
+    {
+        var permissions = User.FindAll("permission").Select(c => c.Value).ToList();
+        return permissions.Contains(permission);
+    }
 }
@@ -4,6 +4,7 @@
 using HawkSyncShared.DTOs;
 using BHD_ServerManager.Classes.InstanceManagers;
 using HawkSyncShared.Instances;
+using HawkSyncShared.SupportClasses;
 
 namespace BHD_ServerManager.API.Controllers;
 
@@ -15,6 +16,8 @@ public class MapPlaylistController : ControllerBase
     [HttpGet("available-maps")]
     public ActionResult<List<MapDTO>> GetAvailableMaps()
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var result = mapInstanceManager.LoadAvailableMaps();
         var allMaps = result.DefaultMaps.Concat(result.CustomMaps)
             .Select(m => new MapDTO
@@ -31,6 +34,8 @@ public ActionResult<List<MapDTO>> GetAvailableMaps()
     [HttpGet("playlists")]
     public ActionResult<AllPlaylistsDTO> GetAllPlaylists()
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var instance = CommonCore.instanceMaps!;
         var dto = new AllPlaylistsDTO
         {
@@ -54,6 +59,8 @@ public ActionResult<AllPlaylistsDTO> GetAllPlaylists()
     [HttpGet("playlist/{id}")]
     public ActionResult<PlaylistDTO> GetPlaylist(int id)
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var (success, maps, error) = mapInstanceManager.GetPlaylistMaps(id);
         if (!success)
             return BadRequest(new PlaylistCommandResult { Success = false, Message = error });
@@ -75,6 +82,8 @@ public ActionResult<PlaylistDTO> GetPlaylist(int id)
     [HttpPost("playlist/save")]
     public ActionResult<PlaylistCommandResult> SavePlaylist([FromBody] PlaylistDTO playlist)
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var maps = playlist.Maps.Select(m => new HawkSyncShared.ObjectClasses.mapFileInfo
         {
             MapID = m.MapID,
@@ -100,6 +109,8 @@ public ActionResult<PlaylistCommandResult> SavePlaylist([FromBody] PlaylistDTO p
     [HttpPost("playlist/set-active")]
     public ActionResult<PlaylistCommandResult> SetActivePlaylist([FromBody] PlaylistDTO playlist)
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var saveResult = mapInstanceManager.SavePlaylist(playlist.PlaylistID, playlist.Maps.Select(m => new HawkSyncShared.ObjectClasses.mapFileInfo
         {
             MapID = m.MapID,
@@ -124,6 +135,8 @@ public ActionResult<PlaylistCommandResult> SetActivePlaylist([FromBody] Playlist
     [HttpPost("playlist/import")]
     public ActionResult<PlaylistCommandResult> ImportPlaylist([FromBody] PlaylistDTO playlist)
     {
+        if(!HasPermission("maps")) return Forbid();
+
         // Overwrite playlist with imported maps
         var result = mapInstanceManager.SavePlaylist(playlist.PlaylistID, playlist.Maps.Select(m => new HawkSyncShared.ObjectClasses.mapFileInfo
         {
@@ -147,6 +160,8 @@ public ActionResult<PlaylistCommandResult> ImportPlaylist([FromBody] PlaylistDTO
     [HttpGet("playlist/export/{id}")]
     public ActionResult<PlaylistDTO> ExportPlaylist(int id)
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var (success, maps, error) = mapInstanceManager.GetPlaylistMaps(id);
         if (!success)
             return BadRequest(new PlaylistCommandResult { Success = false, Message = error });
@@ -169,27 +184,35 @@ public ActionResult<PlaylistDTO> ExportPlaylist(int id)
     [HttpPost("server/skip-map")]
     public ActionResult<PlaylistCommandResult> SkipMap()
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var result = mapInstanceManager.SkipMap();
         return Ok(new PlaylistCommandResult { Success = result.Success, Message = result.Message });
     }
 
     [HttpPost("server/score-map")]
     public ActionResult<PlaylistCommandResult> ScoreMap()
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var result = mapInstanceManager.ScoreMap();
         return Ok(new PlaylistCommandResult { Success = result.Success, Message = result.Message });
     }
 
     [HttpPost("server/play-next")]
     public ActionResult<PlaylistCommandResult> PlayNext([FromBody] int mapIndex)
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var result = mapInstanceManager.SetNextMap(mapIndex);
         return Ok(new PlaylistCommandResult { Success = result.Success, Message = result.Message });
     }
 
     [HttpPost("refresh-available-maps")]
     public ActionResult<List<MapDTO>> RefreshAvailableMaps()
     {
+        if(!HasPermission("maps")) return Forbid();
+
         var result = mapInstanceManager.LoadAvailableMaps();
         var allMaps = result.DefaultMaps.Concat(result.CustomMaps)
             .Select(m => new MapDTO
@@ -216,4 +239,13 @@ private void TriggerServerUIReload()
         }
     }
 
+    private bool HasPermission(string permission)
+    {
+        var permissions = User.FindAll("permission").Select(c => c.Value).ToList();
+        AppDebug.Log("MapPlaylistController", $"Checking user permissions, {permission} from user { User.Identity!.Name}");
+        AppDebug.Log("MapPlaylistController", $"User permissions: {string.Join(", ", permissions)}");
+        AppDebug.Log("MapPlaylistController", $"Has Permission: {permissions.Contains(permission).ToString()}");
+        return permissions.Contains(permission);
+    }
+
 }
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,8 @@ public class BanController : ControllerBase`
`12`	`12`	`[HttpPost("save-blacklist")]`
`13`	`13`	`public ActionResult<BanRecordSaveResult> SaveBlacklistRecord([FromBody] BanRecordSaveRequest req)`
`14`	`14`	`{`
`15`		`-`
	`15`	`+ if (!HasPermission("bans")) return Forbid();`
	`16`	`+`
`16`	`17`	`IPAddress? ip = null;`
`17`	`18`	`if (req.IsIP && !string.IsNullOrWhiteSpace(req.IPAddress))`
`18`	`19`	`{`
`@@ -88,6 +89,8 @@ public ActionResult<BanRecordSaveResult> SaveBlacklistRecord([FromBody] BanRecor`
`88`	`89`	`[HttpPost("delete-blacklist")]`
`89`	`90`	`public ActionResult<CommandResult> DeleteBlacklistRecord([FromBody] DeleteBanRecordRequest req)`
`90`	`91`	`{`
	`92`	`+ if (!HasPermission("bans")) return Forbid();`
	`93`	`+`
`91`	`94`	`if (req == null \|\| req.RecordID <= 0)`
`92`	`95`	`return BadRequest(new CommandResult { Success = false, Message = "Invalid request." });`
`93`	`96`
`@@ -107,7 +110,8 @@ public ActionResult<CommandResult> DeleteBlacklistRecord([FromBody] DeleteBanRec`
`107`	`110`	`[HttpPost("save-whitelist")]`
`108`	`111`	`public ActionResult<BanRecordSaveResult> SaveWhitelistRecord([FromBody] BanRecordSaveRequest req)`
`109`	`112`	`{`
`110`		`-`
	`113`	`+ if (!HasPermission("bans")) return Forbid();`
	`114`	`+`
`111`	`115`	`IPAddress? ip = null;`
`112`	`116`	`if (req.IsIP && !string.IsNullOrWhiteSpace(req.IPAddress))`
`113`	`117`	`{`
`@@ -183,6 +187,8 @@ public ActionResult<BanRecordSaveResult> SaveWhitelistRecord([FromBody] BanRecor`
`183`	`187`	`[HttpPost("delete-whitelist")]`
`184`	`188`	`public ActionResult<CommandResult> DeleteWhitelistRecord([FromBody] DeleteBanRecordRequest req)`
`185`	`189`	`{`
	`190`	`+ if (!HasPermission("bans")) return Forbid();`
	`191`	`+`
`186`	`192`	`if (req == null \|\| req.RecordID <= 0)`
`187`	`193`	`return BadRequest(new CommandResult { Success = false, Message = "Invalid request." });`
`188`	`194`
`@@ -199,4 +205,10 @@ public ActionResult<CommandResult> DeleteWhitelistRecord([FromBody] DeleteBanRec`
`199`	`205`	`return Ok(new CommandResult { Success = true, Message = "Record deleted." });`
`200`	`206`	`}`
`201`	`207`
	`208`	`+ private bool HasPermission(string permission)`
	`209`	`+ {`
	`210`	`+ var permissions = User.FindAll("permission").Select(c => c.Value).ToList();`
	`211`	`+ return permissions.Contains(permission);`
	`212`	`+ }`
	`213`	`+`
`202`	`214`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,27 +22,31 @@ public ActionResult<CommandResult> SendMessage([FromBody] SendChatCommand comman`
`22`	`22`	`[HttpPost("auto/add")]`
`23`	`23`	`public ActionResult<CommandResult> AddAutoMessage([FromBody] AutoMessageRequest request)`
`24`	`24`	`{`
	`25`	`+ if (!HasPermission("chat")) return Forbid();`
`25`	`26`	`var result = chatInstanceManager.AddAutoMessage(request.Message!, request.Interval);`
`26`	`27`	`return Ok(new CommandResult { Success = result.Success, Message = result.Message });`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`[HttpPost("auto/remove")]`
`30`	`31`	`public ActionResult<CommandResult> RemoveAutoMessage([FromBody] RemoveMessageRequest request)`
`31`	`32`	`{`
	`33`	`+ if (!HasPermission("chat")) return Forbid();`
`32`	`34`	`var result = chatInstanceManager.RemoveAutoMessage(int.Parse(request.Id!));`
`33`	`35`	`return Ok(new CommandResult { Success = result.Success, Message = result.Message });`
`34`	`36`	`}`
`35`	`37`
`36`	`38`	`[HttpPost("slap/add")]`
`37`	`39`	`public ActionResult<CommandResult> AddSlapMessage([FromBody] SlapMessageRequest request)`
`38`	`40`	`{`
	`41`	`+ if (!HasPermission("chat")) return Forbid();`
`39`	`42`	`var result = chatInstanceManager.AddSlapMessage(request.Message!);`
`40`	`43`	`return Ok(new CommandResult { Success = result.Success, Message = result.Message });`
`41`	`44`	`}`
`42`	`45`
`43`	`46`	`[HttpPost("slap/remove")]`
`44`	`47`	`public ActionResult<CommandResult> RemoveSlapMessage([FromBody] RemoveMessageRequest request)`
`45`	`48`	`{`
	`49`	`+ if (!HasPermission("chat")) return Forbid();`
`46`	`50`	`var result = chatInstanceManager.RemoveSlapMessage(int.Parse(request.Id!));`
`47`	`51`	`return Ok(new CommandResult { Success = result.Success, Message = result.Message });`
`48`	`52`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ public class FileSystemController : ControllerBase`
`15`	`15`	`[HttpGet("drives")]`
`16`	`16`	`public ActionResult<DirectoryListingResponse> GetDrives()`
`17`	`17`	`{`
	`18`	`+ if(!HasPermission("profile")) return Forbid();`
`18`	`19`	`try`
`19`	`20`	`{`
`20`	`21`	`var drives = DriveInfo.GetDrives()`
`@@ -47,6 +48,8 @@ public ActionResult<DirectoryListingResponse> GetDrives()`
`47`	`48`	`[HttpPost("list")]`
`48`	`49`	`public ActionResult<DirectoryListingResponse> GetDirectoryListing([FromBody] DirectoryListingRequest request)`
`49`	`50`	`{`
	`51`	`+ if(!HasPermission("profile")) return Forbid();`
	`52`	`+`
`50`	`53`	`try`
`51`	`54`	`{`
`52`	`55`	`// Default to drives if no path specified`
`@@ -166,6 +169,8 @@ public ActionResult<DirectoryListingResponse> GetDirectoryListing([FromBody] Dir`
`166`	`169`	`[HttpPost("validate-path")]`
`167`	`170`	`public ActionResult<CommandResult> ValidatePath([FromBody] DirectoryListingRequest request)`
`168`	`171`	`{`
	`172`	`+ if(!HasPermission("profile")) return Forbid();`
	`173`	`+`
`169`	`174`	`try`
`170`	`175`	`{`
`171`	`176`	`if (string.IsNullOrWhiteSpace(request.Path))`
`@@ -193,5 +198,11 @@ public ActionResult<CommandResult> ValidatePath([FromBody] DirectoryListingReque`
`193`	`198`	`Message = $"Error validating path: {ex.Message}"`
`194`	`199`	`});`
`195`	`200`	`}`
	`201`	`+`
	`202`	`+ }`
	`203`	`+ private bool HasPermission(string permission)`
	`204`	`+ {`
	`205`	`+ var permissions = User.FindAll("permission").Select(c => c.Value).ToList();`
	`206`	`+ return permissions.Contains(permission);`
`196`	`207`	`}`
`197`	`208`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,8 @@ public class GamePlayController : ControllerBase`
`19`	`19`	`[HttpGet("settings")]`
`20`	`20`	`public ActionResult<GamePlaySettingsResponse> GetSettings()`
`21`	`21`	`{`
	`22`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`23`	`+`
`22`	`24`	`var result = theInstanceManager.LoadGamePlaySettings();`
`23`	`25`
`24`	`26`	`if (!result.Success)`
`@@ -47,6 +49,8 @@ public ActionResult<GamePlaySettingsResponse> GetSettings()`
`47`	`49`	`[HttpPost("settings")]`
`48`	`50`	`public ActionResult<CommandResult> SaveSettings([FromBody] GamePlaySettingsRequest request)`
`49`	`51`	`{`
	`52`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`53`	`+`
`50`	`54`	`// Convert DTO to GamePlaySettings`
`51`	`55`	`var options = new ServerOptions(`
`52`	`56`	`request.Options.AutoBalance, request.Options.ShowTracers,`
`@@ -112,6 +116,8 @@ public ActionResult<CommandResult> SaveSettings([FromBody] GamePlaySettingsReque`
`112`	`116`	`[HttpPost("validate")]`
`113`	`117`	`public ActionResult<ValidationResult> ValidateSettings([FromBody] GamePlaySettingsRequest request)`
`114`	`118`	`{`
	`119`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`120`	`+`
`115`	`121`	`// For gameplay, basic validation can be done here`
`116`	`122`	`var errors = new List<string>();`
`117`	`123`
`@@ -232,6 +238,8 @@ private void TriggerServerUIReload()`
`232`	`238`	`[HttpPost("update-server")]`
`233`	`239`	`public ActionResult<CommandResult> UpdateGameServer()`
`234`	`240`	`{`
	`241`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`242`	`+`
`235`	`243`	`try`
`236`	`244`	`{`
`237`	`245`	`// Check if server is running`
`@@ -269,6 +277,8 @@ public ActionResult<CommandResult> UpdateGameServer()`
`269`	`277`	`[HttpPost("lock-lobby")]`
`270`	`278`	`public ActionResult<CommandResult> LockLobby()`
`271`	`279`	`{`
	`280`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`281`	`+`
`272`	`282`	`try`
`273`	`283`	`{`
`274`	`284`	`// Check if server is running`
`@@ -306,6 +316,8 @@ public ActionResult<CommandResult> LockLobby()`
`306`	`316`	`[HttpGet("export")]`
`307`	`317`	`public ActionResult<GamePlaySettingsExportResponse> ExportSettings()`
`308`	`318`	`{`
	`319`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`320`	`+`
`309`	`321`	`try`
`310`	`322`	`{`
`311`	`323`	`var result = theInstanceManager.LoadGamePlaySettings();`
`@@ -394,6 +406,8 @@ public ActionResult<GamePlaySettingsExportResponse> ExportSettings()`
`394`	`406`	`[HttpPost("import")]`
`395`	`407`	`public ActionResult<CommandResult> ImportSettings([FromBody] GamePlaySettingsImportRequest request)`
`396`	`408`	`{`
	`409`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`410`	`+`
`397`	`411`	`try`
`398`	`412`	`{`
`399`	`413`	`// Deserialize JSON`
`@@ -449,6 +463,8 @@ public ActionResult<CommandResult> ImportSettings([FromBody] GamePlaySettingsImp`
`449`	`463`	`[HttpPost("start-server")]`
`450`	`464`	`public ActionResult<CommandResult> StartServer()`
`451`	`465`	`{`
	`466`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`467`	`+`
`452`	`468`	`try`
`453`	`469`	`{`
`454`	`470`	`var instance = CommonCore.theInstance;`
`@@ -523,6 +539,8 @@ public ActionResult<CommandResult> StartServer()`
`523`	`539`	`[HttpPost("stop-server")]`
`524`	`540`	`public ActionResult<CommandResult> StopServer()`
`525`	`541`	`{`
	`542`	`+ if(!HasPermission("gameplay")) return Forbid();`
	`543`	`+`
`526`	`544`	`try`
`527`	`545`	`{`
`528`	`546`	`var instance = CommonCore.theInstance;`
`@@ -565,5 +583,9 @@ public ActionResult<CommandResult> StopServer()`
`565`	`583`	`});`
`566`	`584`	`}`
`567`	`585`	`}`
`568`		`-`
	`586`	`+ private bool HasPermission(string permission)`
	`587`	`+ {`
	`588`	`+ var permissions = User.FindAll("permission").Select(c => c.Value).ToList();`
	`589`	`+ return permissions.Contains(permission);`
	`590`	`+ }`
`569`	`591`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`using HawkSyncShared.DTOs;`
`5`	`5`	`using BHD_ServerManager.Classes.InstanceManagers;`
`6`	`6`	`using HawkSyncShared.Instances;`
	`7`	`+using HawkSyncShared.SupportClasses;`
`7`	`8`
`8`	`9`	`namespace BHD_ServerManager.API.Controllers;`
`9`	`10`
`@@ -15,6 +16,8 @@ public class MapPlaylistController : ControllerBase`
`15`	`16`	`[HttpGet("available-maps")]`
`16`	`17`	`public ActionResult<List<MapDTO>> GetAvailableMaps()`
`17`	`18`	`{`
	`19`	`+ if(!HasPermission("maps")) return Forbid();`
	`20`	`+`
`18`	`21`	`var result = mapInstanceManager.LoadAvailableMaps();`
`19`	`22`	`var allMaps = result.DefaultMaps.Concat(result.CustomMaps)`
`20`	`23`	`.Select(m => new MapDTO`
`@@ -31,6 +34,8 @@ public ActionResult<List<MapDTO>> GetAvailableMaps()`
`31`	`34`	`[HttpGet("playlists")]`
`32`	`35`	`public ActionResult<AllPlaylistsDTO> GetAllPlaylists()`
`33`	`36`	`{`
	`37`	`+ if(!HasPermission("maps")) return Forbid();`
	`38`	`+`
`34`	`39`	`var instance = CommonCore.instanceMaps!;`
`35`	`40`	`var dto = new AllPlaylistsDTO`
`36`	`41`	`{`
`@@ -54,6 +59,8 @@ public ActionResult<AllPlaylistsDTO> GetAllPlaylists()`
`54`	`59`	`[HttpGet("playlist/{id}")]`
`55`	`60`	`public ActionResult<PlaylistDTO> GetPlaylist(int id)`
`56`	`61`	`{`
	`62`	`+ if(!HasPermission("maps")) return Forbid();`
	`63`	`+`
`57`	`64`	`var (success, maps, error) = mapInstanceManager.GetPlaylistMaps(id);`
`58`	`65`	`if (!success)`
`59`	`66`	`return BadRequest(new PlaylistCommandResult { Success = false, Message = error });`
`@@ -75,6 +82,8 @@ public ActionResult<PlaylistDTO> GetPlaylist(int id)`
`75`	`82`	`[HttpPost("playlist/save")]`
`76`	`83`	`public ActionResult<PlaylistCommandResult> SavePlaylist([FromBody] PlaylistDTO playlist)`
`77`	`84`	`{`
	`85`	`+ if(!HasPermission("maps")) return Forbid();`
	`86`	`+`
`78`	`87`	`var maps = playlist.Maps.Select(m => new HawkSyncShared.ObjectClasses.mapFileInfo`
`79`	`88`	`{`
`80`	`89`	`MapID = m.MapID,`
`@@ -100,6 +109,8 @@ public ActionResult<PlaylistCommandResult> SavePlaylist([FromBody] PlaylistDTO p`
`100`	`109`	`[HttpPost("playlist/set-active")]`
`101`	`110`	`public ActionResult<PlaylistCommandResult> SetActivePlaylist([FromBody] PlaylistDTO playlist)`
`102`	`111`	`{`
	`112`	`+ if(!HasPermission("maps")) return Forbid();`
	`113`	`+`
`103`	`114`	`var saveResult = mapInstanceManager.SavePlaylist(playlist.PlaylistID, playlist.Maps.Select(m => new HawkSyncShared.ObjectClasses.mapFileInfo`
`104`	`115`	`{`
`105`	`116`	`MapID = m.MapID,`
`@@ -124,6 +135,8 @@ public ActionResult<PlaylistCommandResult> SetActivePlaylist([FromBody] Playlist`
`124`	`135`	`[HttpPost("playlist/import")]`
`125`	`136`	`public ActionResult<PlaylistCommandResult> ImportPlaylist([FromBody] PlaylistDTO playlist)`
`126`	`137`	`{`
	`138`	`+ if(!HasPermission("maps")) return Forbid();`
	`139`	`+`
`127`	`140`	`// Overwrite playlist with imported maps`
`128`	`141`	`var result = mapInstanceManager.SavePlaylist(playlist.PlaylistID, playlist.Maps.Select(m => new HawkSyncShared.ObjectClasses.mapFileInfo`
`129`	`142`	`{`
`@@ -147,6 +160,8 @@ public ActionResult<PlaylistCommandResult> ImportPlaylist([FromBody] PlaylistDTO`
`147`	`160`	`[HttpGet("playlist/export/{id}")]`
`148`	`161`	`public ActionResult<PlaylistDTO> ExportPlaylist(int id)`
`149`	`162`	`{`
	`163`	`+ if(!HasPermission("maps")) return Forbid();`
	`164`	`+`
`150`	`165`	`var (success, maps, error) = mapInstanceManager.GetPlaylistMaps(id);`
`151`	`166`	`if (!success)`
`152`	`167`	`return BadRequest(new PlaylistCommandResult { Success = false, Message = error });`
`@@ -169,27 +184,35 @@ public ActionResult<PlaylistDTO> ExportPlaylist(int id)`
`169`	`184`	`[HttpPost("server/skip-map")]`
`170`	`185`	`public ActionResult<PlaylistCommandResult> SkipMap()`
`171`	`186`	`{`
	`187`	`+ if(!HasPermission("maps")) return Forbid();`
	`188`	`+`
`172`	`189`	`var result = mapInstanceManager.SkipMap();`
`173`	`190`	`return Ok(new PlaylistCommandResult { Success = result.Success, Message = result.Message });`
`174`	`191`	`}`
`175`	`192`
`176`	`193`	`[HttpPost("server/score-map")]`
`177`	`194`	`public ActionResult<PlaylistCommandResult> ScoreMap()`
`178`	`195`	`{`
	`196`	`+ if(!HasPermission("maps")) return Forbid();`
	`197`	`+`
`179`	`198`	`var result = mapInstanceManager.ScoreMap();`
`180`	`199`	`return Ok(new PlaylistCommandResult { Success = result.Success, Message = result.Message });`
`181`	`200`	`}`
`182`	`201`
`183`	`202`	`[HttpPost("server/play-next")]`
`184`	`203`	`public ActionResult<PlaylistCommandResult> PlayNext([FromBody] int mapIndex)`
`185`	`204`	`{`
	`205`	`+ if(!HasPermission("maps")) return Forbid();`
	`206`	`+`
`186`	`207`	`var result = mapInstanceManager.SetNextMap(mapIndex);`
`187`	`208`	`return Ok(new PlaylistCommandResult { Success = result.Success, Message = result.Message });`
`188`	`209`	`}`
`189`	`210`
`190`	`211`	`[HttpPost("refresh-available-maps")]`
`191`	`212`	`public ActionResult<List<MapDTO>> RefreshAvailableMaps()`
`192`	`213`	`{`
	`214`	`+ if(!HasPermission("maps")) return Forbid();`
	`215`	`+`
`193`	`216`	`var result = mapInstanceManager.LoadAvailableMaps();`
`194`	`217`	`var allMaps = result.DefaultMaps.Concat(result.CustomMaps)`
`195`	`218`	`.Select(m => new MapDTO`
`@@ -216,4 +239,13 @@ private void TriggerServerUIReload()`
`216`	`239`	`}`
`217`	`240`	`}`
`218`	`241`
	`242`	`+ private bool HasPermission(string permission)`
	`243`	`+ {`
	`244`	`+ var permissions = User.FindAll("permission").Select(c => c.Value).ToList();`
	`245`	`+ AppDebug.Log("MapPlaylistController", $"Checking user permissions, {permission} from user { User.Identity!.Name}");`
	`246`	`+ AppDebug.Log("MapPlaylistController", $"User permissions: {string.Join(", ", permissions)}");`
	`247`	`+ AppDebug.Log("MapPlaylistController", $"Has Permission: {permissions.Contains(permission).ToString()}");`
	`248`	`+ return permissions.Contains(permission);`
	`249`	`+ }`
	`250`	`+`
`219`	`251`	`}`