Refactor to use named authorization policies in controllers

Replaced direct role-based [Authorize] attributes with named authorization policies (e.g., AuthPolicy.Receiver, AuthPolicy.SenderOrReceiver) in AnnotationController, DocumentController, and ReadOnlyController. Added and registered new policies in Program.cs and updated AuthPolicy constants. This centralizes and simplifies authorization management.
2026-02-03 16:20:26 +01:00
parent c6c8747d23
commit 0d2425c9cf
5 changed files with 15 additions and 7 deletions
--- a/EnvelopeGenerator.API/Controllers/AnnotationController.cs
+++ b/EnvelopeGenerator.API/Controllers/AnnotationController.cs
@@ -18,7 +18,7 @@ namespace EnvelopeGenerator.API.Controllers;
 /// <summary>
 /// Manages annotations and signature lifecycle for envelopes.
 /// </summary>
-[Authorize(Roles = Role.Receiver.FullyAuth)]
+[Authorize(Policy = AuthPolicy.Receiver)]
 [ApiController]
 [Route("api/[controller]")]
 public class AnnotationController : ControllerBase
@@ -54,7 +54,7 @@ public class AnnotationController : ControllerBase
    /// </summary>
    /// <param name="psPdfKitAnnotation">Annotation payload.</param>
    /// <param name="cancel">Cancellation token.</param>
-    [Authorize(Roles = Role.Receiver.FullyAuth)]
+    [Authorize(Policy = AuthPolicy.Receiver)]
    [HttpPost]
    [Obsolete("PSPDF Kit will no longer be used.")]
    public async Task<IActionResult> CreateOrUpdate([FromBody] PsPdfKitAnnotation? psPdfKitAnnotation = null, CancellationToken cancel = default)
@@ -87,7 +87,7 @@ public class AnnotationController : ControllerBase
    /// Rejects the document for the current receiver.
    /// </summary>
    /// <param name="reason">Optional rejection reason.</param>
-    [Authorize(Roles = Role.Receiver.FullyAuth)]
+    [Authorize(Policy = AuthPolicy.Receiver)]
    [HttpPost("reject")]
    [Obsolete("Use MediatR")]
    public async Task<IActionResult> Reject([FromBody] string? reason = null)