Namespace KadicAuth.Application.Roles.Validation
Classes
- PlatformScopedPermissionGuard
Blocks non-SA (non-platform-admin) callers from assigning platform-scoped permission codes to a tenant role. The check is all-or-nothing: a single platform-scoped code anywhere in the payload rejects the entire assignment; offending codes are never silently dropped.
Why: the SA endpoints that create/update tenants, plans, modules, etc. are gated by
[RequirePlatformAdmin] at the controller layer. Without this guard, a malicious tenant admin could still attach those permission strings to a tenant role and have them surface in a user's claim set. That is not a privilege escalation on its own, because the controller layer still rejects the call, but it breaks role integrity: a tenant role would carry claims it can never legitimately hold, which misleads auditors and any future code path that trusts the claim set directly. This guard makes the write side reject the assignment up front, before the claims are ever issued.
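As an added illustration (not KadicAuth's own code), the following C# sketch shows the shape of such a guard. The `ICallerContext` interface, the `platform.` prefix convention used to recognise platform-scoped codes, and the sample codes are assumptions made for the example; the real project would look codes up in its permission catalogue rather than by prefix.

```csharp
// Added example of a platform-scoped permission guard. Not KadicAuth's code:
// ICallerContext, the "platform." prefix and the sample codes are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;

namespace GuardExample
{
    // Assumption: how the caller's platform-admin (SA) status reaches the application layer.
    public interface ICallerContext
    {
        bool IsPlatformAdmin { get; }
    }

    public sealed record Caller(bool IsPlatformAdmin) : ICallerContext;

    public sealed class PlatformScopedPermissionGuardExample
    {
        // Assumption: platform-scoped codes share this prefix.
        private const string PlatformPrefix = "platform.";

        // Normalise before matching so "Platform.Tenants.Create" or a code with
        // stray whitespace cannot slip past a purely literal comparison.
        public static bool IsPlatformScoped(string code) =>
            code.Trim().StartsWith(PlatformPrefix, StringComparison.OrdinalIgnoreCase);

        // Returns the offending codes; an empty list means the assignment may proceed.
        // SA callers are exempt; everyone else is subject to the all-or-nothing check.
        public IReadOnlyList<string> FindViolations(ICallerContext caller, IEnumerable<string> requestedCodes)
        {
            if (caller.IsPlatformAdmin)
                return Array.Empty<string>();

            return requestedCodes
                .Where(IsPlatformScoped)
                .Select(c => c.Trim())
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToList();
        }

        // Write-side entry point: throws so the whole assignment is rejected,
        // rather than filtering out the platform-scoped codes and continuing.
        public void EnsureAllowed(ICallerContext caller, IEnumerable<string> requestedCodes)
        {
            var offending = FindViolations(caller, requestedCodes);
            if (offending.Count > 0)
                throw new UnauthorizedAccessException(
                    "Tenant role assignment rejected; platform-scoped codes are reserved for platform admins: "
                    + string.Join(", ", offending));
        }
    }

    public static class Program
    {
        public static void Main()
        {
            var guard = new PlatformScopedPermissionGuardExample();
            var tenantAdmin = new Caller(IsPlatformAdmin: false);
            var platformAdmin = new Caller(IsPlatformAdmin: true);

            // Constructed sample payload: one legitimate tenant code mixed with two
            // platform-scoped ones, one of them disguised by case and whitespace.
            var mixed = new[] { "tenant.users.read", "platform.tenants.create", " Platform.Plans.Update " };

            Console.WriteLine("Tenant admin, mixed payload: "
                + string.Join(", ", guard.FindViolations(tenantAdmin, mixed)));   // both platform codes listed
            Console.WriteLine("Platform admin, mixed payload: "
                + guard.FindViolations(platformAdmin, mixed).Count);              // 0, SA is exempt
            Console.WriteLine("Tenant admin, tenant-only payload: "
                + guard.FindViolations(tenantAdmin, new[] { "tenant.users.read" }).Count); // 0

            try
            {
                guard.EnsureAllowed(tenantAdmin, mixed);
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine("Rejected as expected: " + ex.Message);
            }
        }
    }
}
```

The point to keep from the example is the failure mode it handles: a guard that compares codes literally, or that strips offending codes and saves the rest, leaves a gap that the controller-layer attribute cannot close, because by then the claim set has already been issued.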