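using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Oqtane.Controllers;
using Oqtane.Enums;
using Oqtane.Infrastructure;
using Oqtane.Shared;
using SZUAbsolventenverein.Module.HallOfFame.Services;

namespace SZUAbsolventenverein.Module.HallOfFame.Controllers
{
    /// <summary>
    /// REST API for Hall of Fame entries, their abuse reports and image uploads.
    /// Every action that touches an entry verifies the caller's permission on the entry's
    /// <b>module</b> via <c>IsAuthorizedEntityId</c> in addition to the declarative policy;
    /// failures are logged as security events and answered with 403 + <c>null</c>
    /// (the Oqtane module convention, which also avoids leaking whether an id exists).
    /// </summary>
    /// <remarks>
    /// Visibility rule: entries whose <c>Status</c> is not "Published" are drafts and are
    /// only shown to Admin/Host callers. The rule lives in one helper so that every read
    /// endpoint (list, by id, by user) applies it the same way.
    /// </remarks>
    [Route(ControllerRoutes.ApiRoute)]
    public class HallOfFameController : ModuleControllerBase
    {
        // Entries in any other status are drafts and are hidden from non-privileged callers.
        private const string PublishedStatus = "Published";

        // Hard cap for image uploads, independent of whatever request-body limit the host applies.
        private const long MaxUploadBytes = 5 * 1024 * 1024;

        // Upper bound for a report reason. TODO(review): confirm against the report table's column length.
        private const int MaxReasonLength = 1000;

        private readonly IHallOfFameService _HallOfFameService;
        private readonly IWebHostEnvironment _environment;

        public HallOfFameController(IHallOfFameService HallOfFameService, ILogManager logger, IHttpContextAccessor accessor, IWebHostEnvironment environment) : base(logger, accessor)
        {
            _HallOfFameService = HallOfFameService;
            _environment = environment;
        }

        /// <summary>True when the caller may see entries that are not yet published.</summary>
        private bool CanViewUnpublished()
        {
            return User.IsInRole(RoleNames.Admin) || User.IsInRole(RoleNames.Host);
        }

        /// <summary>True when the entry is in the "Published" status.</summary>
        private static bool IsPublished(Models.HallOfFame entry)
        {
            return entry.Status == PublishedStatus;
        }

        /// <summary>Applies the draft-visibility rule for a single entry.</summary>
        private bool IsVisibleToCaller(Models.HallOfFame entry)
        {
            return CanViewUnpublished() || IsPublished(entry);
        }

        /// <summary>Logs a denied request as a security event and sets a 403 status.</summary>
        private void Forbid(string message, params object[] args)
        {
            _logger.Log(LogLevel.Error, this, LogFunction.Security, message, args);
            HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        }

        // GET: api/?moduleid=x
        /// <summary>
        /// Lists the entries of a module. Non-privileged callers only receive published entries.
        /// </summary>
        /// <param name="moduleid">Module id as a query-string value; non-numeric values are rejected.</param>
        /// <returns>The (possibly filtered) entries, or <c>null</c> with 403 when the caller is not authorized.</returns>
        [HttpGet]
        [Authorize(Policy = PolicyNames.ViewModule)]
        public async Task<IEnumerable<Models.HallOfFame>> Get(string moduleid)
        {
            int moduleId;
            if (int.TryParse(moduleid, out moduleId) && IsAuthorizedEntityId(EntityNames.Module, moduleId))
            {
                var entries = await _HallOfFameService.GetHallOfFamesAsync(moduleId);
                return CanViewUnpublished() ? entries : entries.Where(IsPublished);
            }

            Forbid("Unauthorized HallOfFame Get Attempt {ModuleId}", moduleid);
            return null;
        }

        // GET api/5/x
        /// <summary>
        /// Returns a single entry. The permission check runs against the module id stored on the
        /// entry (not only the one in the route), and the draft-visibility rule is applied so that
        /// an unpublished entry cannot be read by id when it is hidden from the list.
        /// </summary>
        /// <param name="id">Entry id.</param>
        /// <param name="moduleid">Module id from the route; passed to the service for scoping.</param>
        /// <returns>The entry, or <c>null</c> with 403 (also when it does not exist or is a hidden draft).</returns>
        [HttpGet("{id}/{moduleid}")]
        [Authorize(Policy = PolicyNames.ViewModule)]
        public async Task<Models.HallOfFame> Get(int id, int moduleid)
        {
            var entry = await _HallOfFameService.GetHallOfFameAsync(id, moduleid);
            if (entry != null && IsAuthorizedEntityId(EntityNames.Module, entry.ModuleId) && IsVisibleToCaller(entry))
            {
                return entry;
            }

            Forbid("Unauthorized HallOfFame Get Attempt {HallOfFameId} {ModuleId}", id, moduleid);
            return null;
        }

        // GET api/user/5?moduleid=x
        /// <summary>
        /// Returns the entry belonging to a user within a module, subject to the same
        /// draft-visibility rule as the list. If owners need to see their own pending entry
        /// through this endpoint, an owner check against the caller's user id would have to be
        /// added here; without it, the filter is what stops arbitrary user ids from being probed.
        /// </summary>
        /// <param name="userid">Owner user id from the route.</param>
        /// <param name="moduleid">Module id as a query-string value.</param>
        /// <returns>The first visible entry for that user, <c>null</c> if none, or <c>null</c> with 403 when unauthorized.</returns>
        [HttpGet("user/{userid}")]
        [Authorize(Policy = PolicyNames.ViewModule)]
        public async Task<Models.HallOfFame> GetByUserId(int userid, string moduleid)
        {
            int moduleId;
            if (int.TryParse(moduleid, out moduleId) && IsAuthorizedEntityId(EntityNames.Module, moduleId))
            {
                var entries = await _HallOfFameService.GetHallOfFamesAsync(moduleId);
                return entries.FirstOrDefault(item => item.UserId == userid && IsVisibleToCaller(item));
            }

            Forbid("Unauthorized HallOfFame GetByUserId Attempt {UserId} {ModuleId}", userid, moduleid);
            return null;
        }

        // POST api/
        /// <summary>
        /// Creates an entry. Enforces "one entry per user" within the module.
        /// </summary>
        /// <param name="HallOfFame">Entry to create; its <c>ModuleId</c> is what the permission check runs against.</param>
        /// <returns>The stored entry; <c>null</c> with 400 if the user already has one; <c>null</c> with 403 when unauthorized.</returns>
        [HttpPost]
        [Authorize(Policy = PolicyNames.EditModule)]
        public async Task<Models.HallOfFame> Post([FromBody] Models.HallOfFame HallOfFame)
        {
            // Null guard: a missing/unparseable body must not turn into a NullReferenceException (500).
            if (HallOfFame != null && ModelState.IsValid && IsAuthorizedEntityId(EntityNames.Module, HallOfFame.ModuleId))
            {
                // Check-then-act: two concurrent posts for the same user can both pass this check.
                // A unique index on (ModuleId, UserId) in the store is the real guarantee.
                var existing = await _HallOfFameService.GetHallOfFamesAsync(HallOfFame.ModuleId);
                if (existing.Any(e => e.UserId == HallOfFame.UserId))
                {
                    // Not a security event: an editor simply tried to create a duplicate.
                    // Keeping it out of LogFunction.Security keeps the audit log meaningful.
                    _logger.Log(LogLevel.Warning, this, LogFunction.Create, "User {UserId} already has a Hall of Fame entry.", HallOfFame.UserId);
                    HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    return null;
                }

                return await _HallOfFameService.AddHallOfFameAsync(HallOfFame);
            }

            Forbid("Unauthorized HallOfFame Post Attempt {HallOfFame}", HallOfFame);
            return null;
        }

        // PUT api/5
        /// <summary>
        /// Updates an entry. The route id must match the body id, the caller must have edit rights
        /// on the body's module, and the entry's owner (<c>UserId</c>) cannot be changed: the stored
        /// entry is reloaded and its owner compared to the submitted one.
        /// </summary>
        /// <param name="id">Entry id from the route.</param>
        /// <param name="HallOfFame">Updated entry.</param>
        /// <returns>The updated entry, or <c>null</c> with 403.</returns>
        [HttpPut("{id}")]
        [Authorize(Policy = PolicyNames.EditModule)]
        public async Task<Models.HallOfFame> Put(int id, [FromBody] Models.HallOfFame HallOfFame)
        {
            if (HallOfFame == null || !ModelState.IsValid || HallOfFame.HallOfFameId != id || !IsAuthorizedEntityId(EntityNames.Module, HallOfFame.ModuleId))
            {
                Forbid("Unauthorized HallOfFame Put Attempt {HallOfFame}", HallOfFame);
                return null;
            }

            // Reload module-scoped so an id from another module cannot be addressed through this one.
            var existing = await _HallOfFameService.GetHallOfFameAsync(id, HallOfFame.ModuleId);
            if (existing == null || existing.UserId != HallOfFame.UserId)
            {
                Forbid("Unauthorized HallOfFame Put Attempt by User {UserId} for Entry {HallOfFameId}", HallOfFame.UserId, id);
                return null;
            }

            return await _HallOfFameService.UpdateHallOfFameAsync(HallOfFame);
        }

        // PUT api/report/5?reason=...
        /// <summary>
        /// Files an abuse report for an entry. Reachable by anyone with view permission on the
        /// module (which may include anonymous users on a public page); there is no rate limit or
        /// de-duplication here, so repeated reports from one client are accepted as-is.
        /// </summary>
        /// <param name="id">Entry id.</param>
        /// <param name="reason">Free-text reason; required, bounded by <see cref="MaxReasonLength"/>.</param>
        [HttpPut("report/{id}")]
        [Authorize(Policy = PolicyNames.ViewModule)]
        public async Task Report(int id, [FromQuery] string reason)
        {
            // The route carries no module id, so the entry is looked up without module scoping (-1)
            // and the permission check then runs against the module id stored on the entry.
            var entry = await _HallOfFameService.GetHallOfFameAsync(id, -1);
            if (entry == null || !IsAuthorizedEntityId(EntityNames.Module, entry.ModuleId))
            {
                // Previously this path answered 200 silently; align with the other actions.
                Forbid("Unauthorized HallOfFame Report Attempt {HallOfFameId}", id);
                return;
            }

            // Reject empty and oversized reasons instead of storing unbounded client input.
            if (string.IsNullOrWhiteSpace(reason) || reason.Length > MaxReasonLength)
            {
                HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                return;
            }

            await _HallOfFameService.ReportAsync(id, entry.ModuleId, reason);
        }

        // GET api/reports/5?moduleid=x
        /// <summary>Lists the reports filed against an entry; editors only.</summary>
        /// <param name="id">Entry id.</param>
        /// <param name="moduleid">Module id as a query-string value.</param>
        /// <returns>The reports, or <c>null</c> with 403.</returns>
        // NOTE(review): generic type arguments were stripped from this listing; the element type
        // below is presumed from the service method name — verify against IHallOfFameService.
        [HttpGet("reports/{id}")]
        [Authorize(Policy = PolicyNames.EditModule)]
        public async Task<IEnumerable<Models.HallOfFameReport>> GetReports(int id, string moduleid)
        {
            int moduleId;
            if (int.TryParse(moduleid, out moduleId) && IsAuthorizedEntityId(EntityNames.Module, moduleId))
            {
                return await _HallOfFameService.GetHallOfFameReportsAsync(id, moduleId);
            }

            Forbid("Unauthorized HallOfFame GetReports Attempt {HallOfFameId} {ModuleId}", id, moduleid);
            return null;
        }

        // DELETE api/report/5/x
        /// <summary>Deletes a report; editors only. Denied requests now get 403 + a log entry instead of a silent 200.</summary>
        /// <param name="id">Report id.</param>
        /// <param name="moduleid">Module id from the route.</param>
        [HttpDelete("report/{id}/{moduleid}")]
        [Authorize(Policy = PolicyNames.EditModule)]
        public async Task DeleteReport(int id, int moduleid)
        {
            if (IsAuthorizedEntityId(EntityNames.Module, moduleid))
            {
                await _HallOfFameService.DeleteHallOfFameReportAsync(id, moduleid);
                return;
            }

            Forbid("Unauthorized HallOfFame DeleteReport Attempt {ReportId} {ModuleId}", id, moduleid);
        }

        // DELETE api/5/x
        /// <summary>Deletes an entry; the permission check runs against the module id stored on the entry.</summary>
        /// <param name="id">Entry id.</param>
        /// <param name="moduleid">Module id from the route; used to scope the lookup.</param>
        [HttpDelete("{id}/{moduleid}")]
        [Authorize(Policy = PolicyNames.EditModule)]
        public async Task Delete(int id, int moduleid)
        {
            var entry = await _HallOfFameService.GetHallOfFameAsync(id, moduleid);
            if (entry != null && IsAuthorizedEntityId(EntityNames.Module, entry.ModuleId))
            {
                await _HallOfFameService.DeleteHallOfFameAsync(id, entry.ModuleId);
                return;
            }

            Forbid("Unauthorized HallOfFame Delete Attempt {HallOfFameId} {ModuleId}", id, moduleid);
        }

        // POST api/upload
        /// <summary>
        /// Stores an uploaded JPG/PNG under wwwroot/Content/HallOfFame and returns its public URL.
        /// The stored name is a server-generated GUID plus the validated extension, so the
        /// client-supplied file name never reaches the file system (no traversal surface).
        /// Acceptance is decided by size, extension AND the file's magic bytes, not the extension alone.
        /// </summary>
        /// <param name="file">Multipart form file.</param>
        /// <returns>200 with <c>{ url }</c>, or 400 with a user-facing (German) message.</returns>
        // NOTE(review): unlike the other actions there is no IsAuthorizedEntityId call here because
        // the request carries no module id; the EditModule policy is evaluated against whatever
        // `entityid` the client sends. Confirm the caller supplies it — otherwise anyone with edit
        // rights on any module can upload into this shared folder.
        [HttpPost("upload")]
        [Authorize(Policy = PolicyNames.EditModule)]
        public async Task<IActionResult> Upload(IFormFile file)
        {
            if (file == null || file.Length == 0)
            {
                return BadRequest("Keine Datei ausgewählt.");
            }

            if (file.Length > MaxUploadBytes)
            {
                return BadRequest("Datei ist zu groß.");
            }

            // Invariant casing: the comparison is against fixed ASCII extensions, not user-visible text.
            var extension = Path.GetExtension(file.FileName).ToLowerInvariant();
            if (extension != ".jpg" && extension != ".jpeg" && extension != ".png")
            {
                return BadRequest("Nur JPG und PNG Dateien sind erlaubt.");
            }

            var folder = Path.Combine(_environment.WebRootPath, "Content", "HallOfFame");
            Directory.CreateDirectory(folder); // no-op when the folder already exists

            var fileName = Guid.NewGuid().ToString() + extension;
            var path = Path.Combine(folder, fileName);

            using (var input = file.OpenReadStream())
            {
                // Read the longest magic number (PNG: 8 bytes) without assuming the form stream is
                // seekable; the header bytes are written out ahead of the remainder.
                var header = new byte[8];
                var headerLength = await ReadUpToAsync(input, header);
                if (!HasImageMagic(header, headerLength, extension))
                {
                    return BadRequest("Dateiinhalt entspricht nicht dem Dateityp.");
                }

                // CreateNew: a (theoretical) GUID collision fails loudly instead of overwriting another image.
                using (var output = new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None))
                {
                    await output.WriteAsync(header, 0, headerLength);
                    await input.CopyToAsync(output);
                }
            }

            return Ok(new { url = "/Content/HallOfFame/" + fileName });
        }

        /// <summary>Fills <paramref name="buffer"/> as far as the stream allows; returns the byte count read.</summary>
        private static async Task<int> ReadUpToAsync(Stream stream, byte[] buffer)
        {
            var total = 0;
            while (total < buffer.Length)
            {
                var read = await stream.ReadAsync(buffer, total, buffer.Length - total);
                if (read == 0)
                {
                    break;
                }
                total += read;
            }
            return total;
        }

        /// <summary>
        /// Checks that the leading bytes match the declared extension:
        /// JPEG starts with FF D8 FF, PNG with 89 50 4E 47 0D 0A 1A 0A.
        /// </summary>
        private static bool HasImageMagic(byte[] header, int length, string extension)
        {
            if (extension == ".png")
            {
                return length >= 8
                    && header[0] == 0x89 && header[1] == 0x50 && header[2] == 0x4E && header[3] == 0x47
                    && header[4] == 0x0D && header[5] == 0x0A && header[6] == 0x1A && header[7] == 0x0A;
            }

            // .jpg / .jpeg
            return length >= 3 && header[0] == 0xFF && header[1] == 0xD8 && header[2] == 0xFF;
        }
    }
}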