microservices/LocationsApi/Controllers/LocationsController.cs

@@ -2,6 +2,7 @@ using LocationsApi.Models;
 using LocationsApi.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using System.Security.Claims;
 
 namespace LocationsApi.Controllers;
 
@@ -23,8 +24,13 @@ public class LocationsController : ControllerBase
         if (string.IsNullOrWhiteSpace(req.Name))
             return BadRequest("Name required");
 
+        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrWhiteSpace(userId))
+            return Unauthorized();
+
         var location = new Location
         {
+            OwnerUserId = userId,
             Name = req.Name.Trim(),
             CreatedUtc = DateTime.UtcNow
         };
@@ -34,10 +40,14 @@ public class LocationsController : ControllerBase
     }
 
     [HttpGet]
-    [Authorize(Roles = "SUPER")]
+    [Authorize(Roles = "USER,SUPER")]
     public async Task<IActionResult> ListMine()
     {
-        var locations = await _locations.GetAllAsync();
+        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrWhiteSpace(userId))
+            return Unauthorized();
+
+        var locations = await _locations.GetForOwnerAsync(userId);
         return Ok(locations);
     }
 
@@ -45,7 +55,12 @@ public class LocationsController : ControllerBase
     [Authorize(Roles = "SUPER")]
     public async Task<IActionResult> Delete(string id)
     {
-        var deleted = await _locations.DeleteAsync(id);
+        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if (string.IsNullOrWhiteSpace(userId))
+            return Unauthorized();
+
+        var allowAnyOwner = User.IsInRole("SUPER");
+        var deleted = await _locations.DeleteForOwnerAsync(id, userId, allowAnyOwner);
         if (!deleted)
             return NotFound();
 

microservices/LocationsApi/DOCUMENTS.md

@@ -22,6 +22,7 @@ Stored documents (MongoDB)
   ```json
   {
     "id": "string (ObjectId)",
+    "ownerUserId": "string",
     "name": "string",
     "createdUtc": "string (ISO-8601 datetime)"
   }

microservices/LocationsApi/Models/Location.cs

@@ -9,6 +9,8 @@ public class Location
     [BsonRepresentation(BsonType.ObjectId)]
     public string? Id { get; set; }
 
+    public string OwnerUserId { get; set; } = string.Empty;
+
     public string Name { get; set; } = string.Empty;
 
     public DateTime CreatedUtc { get; set; } = DateTime.UtcNow;

microservices/LocationsApi/README.md

@@ -5,6 +5,6 @@ See `DOCUMENTS.md` for request payloads and stored document shapes.
 
 ## Endpoints
 - `POST /api/locations` Create a location (SUPER only).
-- `GET /api/locations` List all locations (SUPER only).
+- `GET /api/locations` List locations for the current user.
 - `DELETE /api/locations/{id}` Delete a location (SUPER only).
 - `PUT /api/locations/{id}` Update a location name (SUPER only).

microservices/LocationsApi/Services/LocationStore.cs

@@ -15,16 +15,26 @@ public class LocationStore
         var db = client.GetDatabase(dbName);
         _col = db.GetCollection<Location>("Locations");
 
+        var ownerIndex = Builders<Location>.IndexKeys.Ascending(l => l.OwnerUserId);
+        _col.Indexes.CreateOne(new CreateIndexModel<Location>(ownerIndex));
     }
 
     public Task CreateAsync(Location location) => _col.InsertOneAsync(location);
 
-    public Task<List<Location>> GetAllAsync() =>
-        _col.Find(Builders<Location>.Filter.Empty).ToListAsync();
+    public Task<List<Location>> GetForOwnerAsync(string ownerUserId) =>
+        _col.Find(l => l.OwnerUserId == ownerUserId).ToListAsync();
 
-    public async Task<bool> DeleteAsync(string id)
+    public async Task<bool> DeleteForOwnerAsync(string id, string ownerUserId, bool allowAnyOwner)
     {
         var filter = Builders<Location>.Filter.Eq(l => l.Id, id);
+        if (!allowAnyOwner)
+        {
+            filter = Builders<Location>.Filter.And(
+                filter,
+                Builders<Location>.Filter.Eq(l => l.OwnerUserId, ownerUserId)
+            );
+        }
+
         var result = await _col.DeleteOneAsync(filter);
         return result.DeletedCount > 0;
     }