fix(auth): allow project managers to list assignable users (role=User only) for task assignment

Diogo-Ferraz · Diogo-Ferraz · commit a13792d94c7d · 2026-02-24T21:23:24.000+01:00
diff --git a/src/TaskManagement.Auth/Features/Users/UsersController.cs b/src/TaskManagement.Auth/Features/Users/UsersController.cs
@@ -54,12 +54,12 @@ public UsersController(
         /// <returns>A paged list of users.</returns>
         [Authorize(
             AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme,
-            Roles = Roles.Administrator)]
+            Roles = $"{Roles.Administrator},{Roles.ProjectManager}")]
         [EnableRateLimiting(RateLimitingPolicies.AdminUserManagement)]
         [HttpGet]
         [SwaggerOperation(
-            Summary = "List users (admin)",
-            Description = "Returns a paged admin-only list of users with optional filters.")]
+            Summary = "List users (admin/project manager)",
+            Description = "Returns a paged list of users with optional filters. Project managers are restricted to role=User queries.")]
         [ProducesResponseType(typeof(UserListResponse), StatusCodes.Status200OK)]
         [ProducesResponseType(StatusCodes.Status400BadRequest)]
         [ProducesResponseType(StatusCodes.Status401Unauthorized)]
@@ -75,6 +75,17 @@ public async Task<ActionResult<UserListResponse>> GetUsers(
             [FromQuery] int? take,
             CancellationToken cancellationToken)
         {
+            var isAdmin = User.IsInRole(Roles.Administrator);
+            if (!isAdmin)
+            {
+                // Project managers can only list assignable contributors.
+                var requestedRole = role?.Trim();
+                if (!string.Equals(requestedRole, Roles.User, StringComparison.Ordinal))
+                {
+                    return StatusCode(StatusCodes.Status403Forbidden);
+                }
+            }
+
             var now = DateTimeOffset.UtcNow;
             var query = _userManager.Users.AsNoTracking();
 
diff --git a/tests/TaskManagement.Auth.Tests/IntegrationTests/Features/Users/UsersEndpointTests.cs b/tests/TaskManagement.Auth.Tests/IntegrationTests/Features/Users/UsersEndpointTests.cs
@@ -176,6 +176,36 @@ public async Task GetUsers_WithSearch_ShouldReturnMatchingUsers()
             response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
         }
 
+        [Fact]
+        public async Task GetUsers_WhenProjectManagerAndRoleUser_ShouldReturnMatchingUsers()
+        {
+            await EnsureUserHasRoleAsync(TestData.User.Email, Roles.ProjectManager);
+            var userRoleEmail = $"assignable-{Guid.NewGuid():N}@example.com";
+            await EnsureUserWithRoleAsync(userRoleEmail, Roles.User);
+
+            var token = await GetAccessTokenAsync();
+            _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+            var response = await _client.GetAsync($"/api/users?role={Roles.User}&page=1&pageSize=25");
+            response.StatusCode.Should().Be(HttpStatusCode.OK);
+
+            var list = await response.Content.ReadFromJsonAsync<UserListResponse>();
+            list.Should().NotBeNull();
+            list!.Items.Should().NotBeEmpty();
+            list.Items.Should().OnlyContain(u => u.Roles.Contains(Roles.User));
+        }
+
+        [Fact]
+        public async Task GetUsers_WhenProjectManagerWithoutRoleFilter_ShouldReturnForbidden()
+        {
+            await EnsureUserHasRoleAsync(TestData.User.Email, Roles.ProjectManager);
+            var token = await GetAccessTokenAsync();
+            _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+            var response = await _client.GetAsync("/api/users?page=1&pageSize=25");
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
+        }
+
         [Fact]
         public async Task GetUsers_WithSearch_WhenAdmin_ShouldReturnMatchingUsers()
         {
@@ -531,6 +561,40 @@ private async Task<string> GetAdminAccessTokenAsync(string adminEmail, string ad
             return await GetAccessTokenAsync(adminEmail, adminPassword);
         }
 
+        private async Task EnsureUserWithRoleAsync(string email, string role, string password = "StrongPassword@123")
+        {
+            using var scope = _factory.Services.CreateScope();
+            var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
+            var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<IdentityRole>>();
+
+            if (!await roleManager.RoleExistsAsync(role))
+            {
+                await roleManager.CreateAsync(new IdentityRole(role));
+            }
+
+            var user = await userManager.FindByEmailAsync(email);
+            if (user == null)
+            {
+                user = new ApplicationUser
+                {
+                    UserName = email,
+                    Email = email,
+                    EmailConfirmed = true
+                };
+                var createResult = await userManager.CreateAsync(user, password);
+                createResult.Succeeded.Should().BeTrue();
+            }
+
+            if (!await userManager.IsInRoleAsync(user, role))
+            {
+                var addRoleResult = await userManager.AddToRoleAsync(user, role);
+                addRoleResult.Succeeded.Should().BeTrue();
+            }
+        }
+
+        private Task EnsureUserHasRoleAsync(string email, string role)
+            => EnsureUserWithRoleAsync(email, role);
+
         private static async Task<HttpResponseMessage> InitiateAuthorizationRequest(
             HttpClient client,
             AuthorizationParameters parameters)
