From 1d8ef79373191a6b656e0df46aaac710aae899c4 Mon Sep 17 00:00:00 2001
From: harid
Date: Fri, 6 Feb 2026 10:18:47 +0700
Subject: [PATCH] =?UTF-8?q?api=20=E0=B8=AD=E0=B8=B1=E0=B8=9E=E0=B9=80?= =?UTF-8?q?=E0=B8=94=E0=B8=97=E0=B8=AA=E0=B8=96=E0=B8=B2=E0=B8=99=E0=B8=B0?= =?UTF-8?q?=E0=B9=80=E0=B8=9B=E0=B9=87=E0=B8=99=E0=B8=9A=E0=B8=A3=E0=B8=A3?= =?UTF-8?q?=E0=B8=88=E0=B8=B8=20=E0=B9=80=E0=B8=9B=E0=B8=A5=E0=B8=B5?= =?UTF-8?q?=E0=B9=88=E0=B8=A2=E0=B8=99=E0=B8=AA=E0=B8=B4=E0=B8=97=E0=B8=98?= =?UTF-8?q?=E0=B8=B4=E0=B9=8C=E0=B8=88=E0=B8=B2=E0=B8=81=20super=5Fadmin?= =?UTF-8?q?=20=E0=B9=80=E0=B8=9B=E0=B9=87=E0=B8=99=20owner?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../Controllers/PlacementController.cs | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementController.cs
index 1a9260ef..51a09094 100644
--- a/BMA.EHR.Placement.Service/Controllers/PlacementController.cs
+++ b/BMA.EHR.Placement.Service/Controllers/PlacementController.cs
@@ -64,7 +64,7 @@ namespace BMA.EHR.Placement.Service.Controllers
 private string? UserId => _httpContextAccessor?.HttpContext?.User?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
 private string? FullName => _httpContextAccessor?.HttpContext?.User?.FindFirst("name")?.Value;
 private string? token => _httpContextAccessor.HttpContext.Request.Headers["Authorization"];
- private bool isSuperAdmin => _httpContextAccessor?.HttpContext?.User?.IsInRole("SUPER_ADMIN") ?? false;
+ //private bool isSuperAdmin => _httpContextAccessor?.HttpContext?.User?.IsInRole("SUPER_ADMIN") ?? false;
 #endregion
@@ -867,8 +867,17 @@ namespace BMA.EHR.Placement.Service.Controllers
 [ProducesResponseType(StatusCodes.Status500InternalServerError)]
 public async Task> PersonUpdateStatus([FromBody] PersonUpdateStatusRequest req)
 {
- if (isSuperAdmin == false)
- return Success();
+ var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_PLACEMENT_PASS");
+ var jsonData = JsonConvert.DeserializeObject(getPermission);
+ if (jsonData["status"]?.ToString() != "200")
+ {
+ return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+ }
+ string role = jsonData["result"]?.ToString();
+ if (role != "OWNER")
+ {
+ return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+ }
 var person = await _context.PlacementProfiles
 .FirstOrDefaultAsync(x => x.Id == req.PersonalId);
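Review bot: The new authorization gate in PersonUpdateStatus can crash instead of denying: `jsonData` is indexed without a null check, so an empty or non-JSON reply from `GetPermissionAPIAsync` (and, if that helper propagates transport errors, an unreachable permission service) surfaces as an unhandled exception and a 500 rather than the 403 the check intends. The second denial also echoes `jsonData["message"]` even though status was "200" on that path, so a non-OWNER caller receives a 403 whose body is the permission service's success text; both branches should return a fixed message rather than forwarding the upstream one to the client. The `JsonConvert.DeserializeObject(...)` call appears to have lost its type argument in rendering (as did `Task>` on the signature), so whatever the real type is, guard its result as sketched below. Note the check is keyed only to `("UPDATE", "SYS_PLACEMENT_PASS")` and not to `req.PersonalId`, which is fine if OWNER is a global role but enforces nothing per record — confirm which is intended. PersonUpdateStatus continues past the end of the hunk.
```csharp
    var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_PLACEMENT_PASS");
    // Fail closed: a missing or unparseable permission reply is a denial, not a 500.
    var jsonData = string.IsNullOrWhiteSpace(getPermission) ? null : JsonConvert.DeserializeObject(getPermission);
    if (jsonData is null || jsonData["status"]?.ToString() != "200")
    {
        return Error("Permission check failed", StatusCodes.Status403Forbidden);
    }
    if (!string.Equals(jsonData["result"]?.ToString(), "OWNER", StringComparison.Ordinal))
    {
        return Error("OWNER role is required to update placement status", StatusCodes.Status403Forbidden);
    }
    // … unchanged: load the PlacementProfile by req.PersonalId and the rest of PersonUpdateStatus …
```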