PSTW_CentralizeSystem/Areas/IT/Controllers/ApprovalDashboardController.cs


using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using PSTW_CentralSystem.DBContext;
using PSTW_CentralSystem.Models;
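namespace PSTW_CentralSystem.Areas.IT.Controllers
{
    /// <summary>
    /// Serves the Razor views of the IT approval dashboard (area "IT").
    /// </summary>
    /// <remarks>
    /// The class-level <c>[Authorize]</c> only requires an authenticated user.
    /// Anything narrower (approver, IT team member, request form manager) is
    /// checked inside the individual actions against the database.
    /// These actions return view shells only; no request data is loaded here.
    /// NOTE(review): whatever endpoints those views call for data are not part
    /// of this file and must enforce their own authorization - confirm.
    /// </remarks>
    [Area("IT")]
    [Authorize]
    public class ApprovalDashboardController : Controller
    {
        private readonly CentralSystemContext _db;
        private readonly UserManager<UserModel> _userManager;

        /// <summary>Stores the injected database context and user manager.</summary>
        public ApprovalDashboardController(CentralSystemContext db, UserManager<UserModel> userManager)
        {
            _db = db;
            _userManager = userManager;
        }

        // ===== helpers =====

        /// <summary>
        /// Returns the signed-in user's id parsed as an integer.
        /// </summary>
        /// <exception cref="ArgumentNullException">The principal carries no user id.</exception>
        /// <exception cref="FormatException">The user id is not an integer.</exception>
        private int GetCurrentUserId() => int.Parse(_userManager.GetUserId(User)!);

        /// <summary>True when the user has a row in <c>ItTeamMembers</c>.</summary>
        private async Task<bool> IsItTeamAsync(int userId) =>
            await _db.ItTeamMembers.AnyAsync(t => t.UserId == userId);

        /// <summary>
        /// True when the user is named in any approval flow as HOD, Group IT HOD,
        /// Finance HOD or management approver.
        /// </summary>
        private async Task<bool> IsApproverInAnyFlowAsync(int userId) =>
            await _db.ItApprovalFlows.AnyAsync(f =>
                f.HodUserId == userId ||
                f.GroupItHodUserId == userId ||
                f.FinHodUserId == userId ||
                f.MgmtUserId == userId);

        /// <summary>True when the user has a row in <c>RequestFormManagers</c>.</summary>
        private async Task<bool> IsRequestFormManagerAsync(int userId) =>
            await _db.RequestFormManagers.AnyAsync(m => m.UserId == userId);

        /// <summary>
        /// Single definition of the approval gate: IT team member, or approver in
        /// at least one flow. Shared by <see cref="Approval"/> and
        /// <see cref="RequestReview"/> so the two cannot drift apart.
        /// </summary>
        private async Task<bool> CanAccessApprovalAsync(int userId) =>
            await IsItTeamAsync(userId) || await IsApproverInAnyFlowAsync(userId);

        // ===== routes =====

        /// <summary>
        /// Approval dashboard. Only approvers and IT team members get the view;
        /// every other authenticated user receives a Forbid result.
        /// </summary>
        public async Task<IActionResult> Approval()
        {
            var uid = GetCurrentUserId();
            if (!await CanAccessApprovalAsync(uid))
            {
                return Forbid(); // or: return View("AccessDenied");
            }

            return View(); // ~/Areas/IT/Views/ApprovalDashboard/Approval.cshtml
        }

        /// <summary>
        /// Assignings (Admin) page. Only request form managers get the view;
        /// every other authenticated user receives a Forbid result.
        /// </summary>
        public async Task<IActionResult> Admin()
        {
            var uid = GetCurrentUserId();
            if (!await IsRequestFormManagerAsync(uid))
            {
                return Forbid(); // or: return View("AccessDenied");
            }

            return View(); // ~/Areas/IT/Views/ApprovalDashboard/Admin.cshtml
        }

        // Open to any authenticated user
        public IActionResult Create() => View(); // ~/Areas/IT/Views/ApprovalDashboard/Create.cshtml
        public IActionResult MyRequests() => View(); // ~/Areas/IT/Views/ApprovalDashboard/MyRequests.cshtml

        /// <summary>
        /// Review page for one request, behind the same gate as <see cref="Approval"/>.
        /// </summary>
        /// <param name="statusId">Identifier handed to the view through <c>ViewBag.StatusId</c>.</param>
        /// <remarks>
        /// The action was previously reachable by every authenticated user even though
        /// it was meant to share the Approval gate. It is now asynchronous because the
        /// gate queries the database; the action name and route parameter are unchanged.
        /// The gate is role-level only: it does not check that <paramref name="statusId"/>
        /// belongs to a flow this user approves. That per-request check belongs in the
        /// code that loads the request data, which is not visible here.
        /// NOTE(review): if requesters are expected to open this page for their own
        /// requests, add an ownership check rather than removing the gate.
        /// </remarks>
        public async Task<IActionResult> RequestReview(int statusId)
        {
            var uid = GetCurrentUserId();
            if (!await CanAccessApprovalAsync(uid))
            {
                return Forbid();
            }

            ViewBag.StatusId = statusId;
            return View(); // ~/Areas/IT/Views/ApprovalDashboard/RequestReview.cshtml
        }

        // Open to any authenticated user ([Authorize] on the class still applies).
        // These return view shells only, so edit permissions have to be enforced by
        // the code that reads and saves the data.
        public IActionResult SectionB() => View();
        public IActionResult Edit() => View();
        public IActionResult SectionBEdit() => View();
    }
}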