WebSVN – SmartDukaan – Diff – /trunk/profitmandi-fofo/src/main/java/com/spice/profitmandi/web/controller/BeatPlanController.java

 	};
 	@Autowired
 	private CsService csService;
 	@Autowired
 	private AuthRepository authRepository;
+	// Emails that bypass hierarchy and role gates — single source of truth.
+	private static final Set<String> SUPER_ADMIN_EMAILS = new HashSet<>(Arrays.asList(
+			"tarun.verma@smartdukaan.com"
+	));
 	@Autowired
+	private com.spice.profitmandi.service.AuthService authService;
+	@Autowired
-	private FofoStoreRepository fofoStoreRepository;
+	private com.spice.profitmandi.dao.repository.cs.PositionRepository positionRepository;
 	@Autowired
 	private RetailerService retailerService;
 	@Autowired
 	private BeatRepository beatRepository;
 	@Autowired
 	private com.spice.profitmandi.service.GeocodingService geocodingService;
 	@Autowired
 	private CookiesProcessor cookiesProcessor;
 	@Autowired
 	private ResponseSender responseSender;
+	@Autowired
+	private FofoStoreRepository fofoStoreRepository;
 	@GetMapping(value = "/beatPlan")
-	public String beatPlan(HttpServletRequest request, Model model) {
+	public String beatPlan(HttpServletRequest request, Model model) throws ProfitMandiBusinessException {
-		EscalationType[] escalationTypes = EscalationType.values();
-		model.addAttribute("escalationTypes", escalationTypes);
+		model.addAttribute("escalationTypes", visibleLevelsFor(request));
 		return "beat-plan";
+	}
-	@GetMapping(value = "/beatPlanWindow")
-	public String beatPlanWindow(HttpServletRequest request, Model model) {
-		EscalationType[] escalationTypes = EscalationType.values();
-		model.addAttribute("escalationTypes", escalationTypes);
-		return "beat-plan-window";
-	}
 	@Autowired
 	private com.spice.profitmandi.dao.repository.dtr.LeadLiveLocationRepository leadLiveLocationRepositoryAuto;
 	@Autowired
 	private com.spice.profitmandi.dao.repository.dtr.LeadActivityRepository leadActivityRepositoryAuto;
 	@Autowired
 		result.put("dtrUserId", dtrUserId);
 		result.put("message", created.size() + " visit tasks assigned to " + au.getFirstName() + " " + au.getLastName());
 		return responseSender.ok(result);
+	}
-	// ====================== BASE LOCATION MANAGEMENT ======================
-	// Inline page that lets Sales L3+ pick a user and set their base (home)
-	// location via map. Reads use the existing /beatPlan/getBaseLocation, writes
-	// go through the L3+-guarded endpoint below.
-	@GetMapping(value = "/beatPlan/baseLocationPage")
+	@GetMapping(value = "/beatPlanWindow")
-	public String baseLocationPage(HttpServletRequest request, Model model) {
+	public String beatPlanWindow(HttpServletRequest request, Model model) throws ProfitMandiBusinessException {
-		EscalationType[] escalationTypes = EscalationType.values();
-		model.addAttribute("escalationTypes", escalationTypes);
+		model.addAttribute("escalationTypes", visibleLevelsFor(request));
-		return "beat-plan-base-location";
+		return "beat-plan-window";
+	}
 	// Helpers for XLSX bulk upload
 	private static String readCell(org.apache.poi.ss.usermodel.Cell cell) {
 		if (cell == null) return null;
 		result.put("authUserId", authUserId);
 		result.put("beats", hits);
 		return responseSender.ok(result);
+	}
-	// ====================== DAY VIEW ======================
+	// ====================== BASE LOCATION MANAGEMENT ======================
-	// Inline page (loaded into dashboard #main-content): tabular list of all beats
+	// Inline page that lets Sales L3+ pick a user and set their base (home)
-	// scheduled in a date range across all users. Each row has a View button that
+	// location via map. Reads use the existing /beatPlan/getBaseLocation, writes
-	// opens that user's calendar in a modal.
+	// go through the L3+-guarded endpoint below.
-	@GetMapping(value = "/beatPlan/dayView")
+	@GetMapping(value = "/beatPlan/baseLocationPage")
-	public String beatPlanDayView(HttpServletRequest request, Model model) {
+	public String baseLocationPage(HttpServletRequest request, Model model) throws ProfitMandiBusinessException {
-		EscalationType[] escalationTypes = EscalationType.values();
-		model.addAttribute("escalationTypes", escalationTypes);
+		model.addAttribute("escalationTypes", visibleLevelsFor(request));
-		return "beat-plan-day-view";
+		return "beat-plan-base-location";
+	}
 	// Tabular JSON: one row per (beat, scheduled date) in [startDate, endDate].
 	@GetMapping(value = "/beatPlan/scheduledList")
 	public ResponseEntity<?> scheduledList(
 		Map<String, Object> result = new HashMap<>();
 		result.put("beats", out);
 		return responseSender.ok(result);
+	}
-	@GetMapping(value = "/beatPlan/getAuthUsers")
+	// ====================== DAY VIEW ======================
-	public ResponseEntity<?> getAuthUsers(
-			@RequestParam int categoryId,
-			@RequestParam EscalationType escalationType) {
+	// Inline page (loaded into dashboard #main-content): tabular list of all beats
-		List<AuthUser> authUsers = csService.getAuthUserByCategoryId(categoryId, escalationType);
+	// scheduled in a date range across all users. Each row has a View button that
-		List<Map<String, Object>> result = authUsers.stream()
+	// opens that user's calendar in a modal.
-				.filter(au -> au.getActive())
-				.map(au -> {
-					Map<String, Object> map = new HashMap<>();
+	@GetMapping(value = "/beatPlan/dayView")
-					map.put("id", au.getId());
-					map.put("name", au.getFirstName() + " " + au.getLastName());
+	public String beatPlanDayView(HttpServletRequest request, Model model) throws ProfitMandiBusinessException {
-					return map;
-				})
-				.collect(Collectors.toList());
+		model.addAttribute("escalationTypes", visibleLevelsFor(request));
-		return responseSender.ok(result);
+		return "beat-plan-day-view";
+	}
 	// Returns visits for a beat.
 	// - Partner stops (beat_route) belong to the beat template — always returned.
 	// - Lead stops (lead_route) belong to a specific run — returned ONLY when planDate
 		result.put("status", true);
 		result.put("message", "Base location removed");
 		return responseSender.ok(result);
+	}
+	@GetMapping(value = "/beatPlan/getAuthUsers")
+	public ResponseEntity<?> getAuthUsers(
+			HttpServletRequest request,
+			@RequestParam int categoryId,
+			@RequestParam EscalationType escalationType) throws ProfitMandiBusinessException {
-	// Shared permission check for base-location admin actions.
+		// Hierarchy filter: a manager only sees users in their downline
+		// (themselves + every reportee under them, recursively). Super-admin
+		// emails bypass the filter and see everyone. Downline is computed by
+		// AuthService.getAllReportees (existing recursive walker).
+		LoginDetails ld = cookiesProcessor.getCookiesObject(request);
+		AuthUser me = (ld != null) ? authRepository.selectByEmailOrMobile(ld.getEmailId()) : null;
+		final Set<Integer> visible;
+		if (me == null || isSuperAdmin(me)) {
+			visible = null; // null = no filter
+		} else {
+			visible = new HashSet<>(authService.getAllReportees(me.getId()));
+			visible.add(me.getId()); // include self
+		}
+		List<AuthUser> authUsers = csService.getAuthUserByCategoryId(categoryId, escalationType);
-	private boolean isBaseLocationManager(AuthUser me) {
+		List<Map<String, Object>> result = authUsers.stream()
+				.filter(au -> au.getActive())
+				.filter(au -> visible == null || visible.contains(au.getId()))
+				.map(au -> {
-		Set<String> baseLocationAllowList = new HashSet<>(Arrays.asList(
+					Map<String, Object> map = new HashMap<>();
-				"tarun.verma@smartdukaan.com"
+					map.put("id", au.getId());
+					map.put("name", au.getFirstName() + " " + au.getLastName());
+					return map;
-		));
+				})
+				.collect(Collectors.toList());
+		return responseSender.ok(result);
+	}
+	private boolean isSuperAdmin(AuthUser me) {
 		String myEmail = me.getEmailId() != null ? me.getEmailId().toLowerCase() : "";
-		if (baseLocationAllowList.contains(myEmail)) return true;
+		return SUPER_ADMIN_EMAILS.contains(myEmail);
+	}
+	// Returns the user's highest escalation level across all positions.
+	// Mirrors OrderController.getSalesEscalationLevel but category-agnostic.
+	private EscalationType getHighestEscalation(int authUserId) {
+		EscalationType highest = null;
+		List<com.spice.profitmandi.dao.entity.cs.Position> positions = positionRepository.selectPositionByAuthId(authUserId);
+		for (com.spice.profitmandi.dao.entity.cs.Position p : positions) {
+			if (highest == null || p.getEscalationType().isGreaterThanEqualTo(highest)) {
+				highest = p.getEscalationType();
+			}
+		}
+		return highest;
+	}
+	// Returns the escalation levels a user can manage — strictly below their own.
+	// L3 → [L1, L2]; L4 → [L1, L2, L3]; Final → all levels. Super-admin → all levels.
+	private List<EscalationType> getVisibleEscalationLevels(AuthUser me) {
+		if (isSuperAdmin(me)) return EscalationType.escalations;
+		EscalationType mine = getHighestEscalation(me.getId());
+		if (mine == null) return java.util.Collections.emptyList();
+		List<EscalationType> below = new ArrayList<>();
+		for (EscalationType e : EscalationType.escalations) {
+			if (mine.isGreaterThanEqualTo(e) && !e.equals(mine)) below.add(e);
+		}
+		return below;
+	}
+	private List<EscalationType> visibleLevelsFor(HttpServletRequest request) throws ProfitMandiBusinessException {
+		LoginDetails ld = cookiesProcessor.getCookiesObject(request);
+		AuthUser me = (ld != null) ? authRepository.selectByEmailOrMobile(ld.getEmailId()) : null;
+		return me == null ? java.util.Collections.emptyList() : getVisibleEscalationLevels(me);
+	}
+	// Shared permission check for base-location admin actions: Sales L3+ OR super-admin.
+	private boolean isBaseLocationManager(AuthUser me) {
+		if (isSuperAdmin(me)) return true;
 		return csService.getAuthUserIds(
 						com.spice.profitmandi.common.model.ProfitMandiConstants.TICKET_CATEGORY_SALES,
 						Arrays.asList(EscalationType.L3, EscalationType.L4))
 				.stream().anyMatch(u -> u.getId() == me.getId());
+	}

Subversion Repositories SmartDukaan

(root)/trunk/profitmandi-fofo/src/main/java/com/spice/profitmandi/web/controller/BeatPlanController.java – Rev 36681 → 36686