From c34399b855e1a1193f8b6b433f846aeab073638c Mon Sep 17 00:00:00 2001
From: AdisakKanthawilang <adisak@frappet.com>
Date: Mon, 23 Sep 2024 10:04:07 +0700
Subject: [PATCH] fix bug 614 , 615

---
 .../Controllers/PlacementController.cs                    | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementController.cs
index 203b1604..4700c31f 100644
--- a/BMA.EHR.Placement.Service/Controllers/PlacementController.cs
+++ b/BMA.EHR.Placement.Service/Controllers/PlacementController.cs
@@ -95,7 +95,7 @@ namespace BMA.EHR.Placement.Service.Controllers
         public async Task<ActionResult<ResponseObject>> GetExam(int year)
         // public async Task<ActionResult<ResponseObject>> GetExam(int year, int page = 1, int pageSize = 10, string keyword = "")
         {
-            var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_PLACEMENT_PASS");
+            var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_PLACEMENT_PASS");
             var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
             if (jsonData["status"]?.ToString() != "200")
             {
@@ -137,6 +137,12 @@ namespace BMA.EHR.Placement.Service.Controllers
         [HttpGet("pass/{examId:length(36)}")]
         public async Task<ActionResult<ResponseObject>> GetExamByPlacement(Guid examId)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_PLACEMENT_PASS");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             if (PlacementAdmin == true)
             {
                 var data = await _context.PlacementProfiles.Where(x => x.Placement.Id == examId).Select(x => new