fix: Correct HallOfFame add and update operations to require View permission instead of Edit.

2026-02-26 16:56:50 +01:00
parent bfa8ff158c
commit 16cb602d3a
2 changed files with 12 additions and 12 deletions
--- a/Server/Controllers/HallOfFameController.cs
+++ b/Server/Controllers/HallOfFameController.cs
@@ -63,7 +63,7 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Controllers
                return HallOfFame;
            }
            else
-            { 
+            {
                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized HallOfFame Get Attempt {HallOfFameId} {ModuleId}", id, moduleid);
                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                return null;
@@ -76,7 +76,7 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Controllers
        public async Task<Models.HallOfFame> GetByUserId(int userid, string moduleid)
        {
            int ModuleId;
-             if (int.TryParse(moduleid, out ModuleId) && IsAuthorizedEntityId(EntityNames.Module, ModuleId))
+            if (int.TryParse(moduleid, out ModuleId) && IsAuthorizedEntityId(EntityNames.Module, ModuleId))
            {
                var list = await _HallOfFameService.GetHallOfFamesAsync(ModuleId);
                return list.FirstOrDefault(item => item.UserId == userid);
@@ -91,7 +91,7 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Controllers

        // POST api/<controller>
        [HttpPost]
-        [Authorize(Policy = PolicyNames.EditModule)]
+        [Authorize(Policy = PolicyNames.ViewModule)]
        public async Task<Models.HallOfFame> Post([FromBody] Models.HallOfFame HallOfFame)
        {
            if (ModelState.IsValid && IsAuthorizedEntityId(EntityNames.Module, HallOfFame.ModuleId))
@@ -101,8 +101,8 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Controllers
                if (allEntries.Any(e => e.UserId == HallOfFame.UserId))
                {
                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "User {UserId} already has a Hall of Fame entry.", HallOfFame.UserId);
-                     HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
-                     return null;
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+                    return null;
                }

                HallOfFame = await _HallOfFameService.AddHallOfFameAsync(HallOfFame);
@@ -118,7 +118,7 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Controllers

        // PUT api/<controller>/5
        [HttpPut("{id}")]
-        [Authorize(Policy = PolicyNames.EditModule)]
+        [Authorize(Policy = PolicyNames.ViewModule)]
        public async Task<Models.HallOfFame> Put(int id, [FromBody] Models.HallOfFame HallOfFame)
        {
            if (ModelState.IsValid && HallOfFame.HallOfFameId == id && IsAuthorizedEntityId(EntityNames.Module, HallOfFame.ModuleId))
@@ -126,13 +126,13 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Controllers
                var existing = await _HallOfFameService.GetHallOfFameAsync(id, HallOfFame.ModuleId);
                if (existing != null && existing.UserId == HallOfFame.UserId)
                {
-                     HallOfFame = await _HallOfFameService.UpdateHallOfFameAsync(HallOfFame);
+                    HallOfFame = await _HallOfFameService.UpdateHallOfFameAsync(HallOfFame);
                }
                else
                {
-                     _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized HallOfFame Put Attempt by User {UserId} for Entry {HallOfFameId}", HallOfFame.UserId, id);
-                     HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
-                     HallOfFame = null;
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized HallOfFame Put Attempt by User {UserId} for Entry {HallOfFameId}", HallOfFame.UserId, id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                    HallOfFame = null;
                }
            }
            else
--- a/Server/Services/HallOfFameService.cs
+++ b/Server/Services/HallOfFameService.cs
@@ -76,7 +76,7 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Services

        public Task<Models.HallOfFame> AddHallOfFameAsync(Models.HallOfFame HallOfFame)
        {
-            if (_userPermissions.IsAuthorized(_accessor.HttpContext.User, _alias.SiteId, EntityNames.Module, HallOfFame.ModuleId, PermissionNames.Edit))
+            if (_userPermissions.IsAuthorized(_accessor.HttpContext.User, _alias.SiteId, EntityNames.Module, HallOfFame.ModuleId, PermissionNames.View))
            {
                HallOfFame = _HallOfFameRepository.AddHallOfFame(HallOfFame);
                _logger.Log(LogLevel.Information, this, LogFunction.Create, "HallOfFame Added {HallOfFame}", HallOfFame);
@@ -91,7 +91,7 @@ namespace SZUAbsolventenverein.Module.HallOfFame.Services

        public Task<Models.HallOfFame> UpdateHallOfFameAsync(Models.HallOfFame HallOfFame)
        {
-            if (_userPermissions.IsAuthorized(_accessor.HttpContext.User, _alias.SiteId, EntityNames.Module, HallOfFame.ModuleId, PermissionNames.Edit))
+            if (_userPermissions.IsAuthorized(_accessor.HttpContext.User, _alias.SiteId, EntityNames.Module, HallOfFame.ModuleId, PermissionNames.View))
            {
                HallOfFame = _HallOfFameRepository.UpdateHallOfFame(HallOfFame);
                _logger.Log(LogLevel.Information, this, LogFunction.Update, "HallOfFame Updated {HallOfFame}", HallOfFame);