updates

2025-12-07 01:28:03 +02:00
parent 5a8ca3c475
commit 876af48145
31 changed files with 914 additions and 110 deletions
--- a/Backend/src/hotel_services/routes/guest_request_routes.py
+++ b/Backend/src/hotel_services/routes/guest_request_routes.py
@@ -46,7 +46,7 @@ async def get_guest_requests(
    priority: Optional[str] = Query(None),
    page: int = Query(1, ge=1),
    limit: int = Query(20, ge=1, le=100),
-    current_user: User = Depends(authorize_roles('admin', 'staff', 'housekeeping')),
+    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db)
 ):
    """Get guest requests with filtering"""
@@ -57,17 +57,22 @@ async def get_guest_requests(
            joinedload(GuestRequest.guest)
        )
        
-        # Check if user is housekeeping - they can only see requests assigned to them or unassigned
+        # Check user role to determine access level
        role = db.query(Role).filter(Role.id == current_user.role_id).first()
-        is_housekeeping = role and role.name == 'housekeeping'
+        role_name = role.name if role else 'customer'
        
-        if is_housekeeping:
+        # Customers can only see their own requests
+        if role_name == 'customer':
+            query = query.filter(GuestRequest.user_id == current_user.id)
+        # Housekeeping can only see requests assigned to them or unassigned
+        elif role_name == 'housekeeping':
            query = query.filter(
                or_(
                    GuestRequest.assigned_to == current_user.id,
                    GuestRequest.assigned_to.is_(None)
                )
            )
+        # Admin and staff can see all requests (no additional filter needed)
        
        if status:
            query = query.filter(GuestRequest.status == status)
@@ -379,7 +384,7 @@ async def update_guest_request(
@router.get('/{request_id}')
 async def get_guest_request(
    request_id: int,
-    current_user: User = Depends(authorize_roles('admin', 'staff', 'housekeeping')),
+    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db)
 ):
    """Get a single guest request"""
@@ -397,10 +402,17 @@ async def get_guest_request(
        
        # Check permissions
        role = db.query(Role).filter(Role.id == current_user.role_id).first()
-        is_housekeeping = role and role.name == 'housekeeping'
+        role_name = role.name if role else 'customer'
        
-        if is_housekeeping and request.assigned_to and request.assigned_to != current_user.id:
-            raise HTTPException(status_code=403, detail='You can only view requests assigned to you')
+        # Customers can only view their own requests
+        if role_name == 'customer':
+            if request.user_id != current_user.id:
+                raise HTTPException(status_code=403, detail='You can only view your own requests')
+        # Housekeeping can only view requests assigned to them or unassigned
+        elif role_name == 'housekeeping':
+            if request.assigned_to and request.assigned_to != current_user.id:
+                raise HTTPException(status_code=403, detail='You can only view requests assigned to you')
+        # Admin and staff can view all requests (no additional check needed)
        
        return {
            'status': 'success',