fix #4600 - filter user settings in API layer
parent
bbe85def23
commit
044cee30a5
@ -28,9 +28,10 @@ namespace Oqtane.Controllers
|
|||||||
private readonly IUserPermissions _userPermissions;
|
private readonly IUserPermissions _userPermissions;
|
||||||
private readonly IJwtManager _jwtManager;
|
private readonly IJwtManager _jwtManager;
|
||||||
private readonly IFileRepository _files;
|
private readonly IFileRepository _files;
|
||||||
|
private readonly ISettingRepository _settings;
|
||||||
private readonly ILogManager _logger;
|
private readonly ILogManager _logger;
|
||||||
|
|
||||||
public UserController(IUserRepository users, ITenantManager tenantManager, IUserManager userManager, ISiteRepository sites, IUserPermissions userPermissions, IJwtManager jwtManager, IFileRepository files, ILogManager logger)
|
public UserController(IUserRepository users, ITenantManager tenantManager, IUserManager userManager, ISiteRepository sites, IUserPermissions userPermissions, IJwtManager jwtManager, IFileRepository files, ISettingRepository settings, ILogManager logger)
|
||||||
{
|
{
|
||||||
_users = users;
|
_users = users;
|
||||||
_tenantManager = tenantManager;
|
_tenantManager = tenantManager;
|
||||||
@ -39,6 +40,7 @@ namespace Oqtane.Controllers
|
|||||||
_userPermissions = userPermissions;
|
_userPermissions = userPermissions;
|
||||||
_jwtManager = jwtManager;
|
_jwtManager = jwtManager;
|
||||||
_files = files;
|
_files = files;
|
||||||
|
_settings = settings;
|
||||||
_logger = logger;
|
_logger = logger;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -110,31 +112,54 @@ namespace Oqtane.Controllers
|
|||||||
|
|
||||||
private User Filter(User user)
|
private User Filter(User user)
|
||||||
{
|
{
|
||||||
|
// clone object to avoid mutating cache
|
||||||
|
User filtered = null;
|
||||||
|
|
||||||
if (user != null)
|
if (user != null)
|
||||||
{
|
{
|
||||||
user.Password = "";
|
filtered = new User();
|
||||||
user.IsAuthenticated = false;
|
|
||||||
user.TwoFactorCode = "";
|
|
||||||
user.TwoFactorExpiry = null;
|
|
||||||
|
|
||||||
if (!_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) && User.Identity.Name?.ToLower() != user.Username.ToLower())
|
// public properties
|
||||||
|
filtered.UserId = user.UserId;
|
||||||
|
filtered.Username = user.Username;
|
||||||
|
filtered.DisplayName = user.DisplayName;
|
||||||
|
filtered.Password = "";
|
||||||
|
filtered.TwoFactorCode = "";
|
||||||
|
|
||||||
|
// include private properties if authenticated user is accessing their own user account os is an administrator
|
||||||
|
if (_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) || _userPermissions.GetUser(User).UserId == user.UserId)
|
||||||
{
|
{
|
||||||
user.Email = "";
|
filtered.Email = user.Email;
|
||||||
user.PhotoFileId = null;
|
filtered.PhotoFileId = user.PhotoFileId;
|
||||||
user.LastLoginOn = DateTime.MinValue;
|
filtered.LastLoginOn = user.LastLoginOn;
|
||||||
user.LastIPAddress = "";
|
filtered.LastIPAddress = user.LastIPAddress;
|
||||||
user.Roles = "";
|
filtered.TwoFactorRequired = false;
|
||||||
user.CreatedBy = "";
|
filtered.Roles = user.Roles;
|
||||||
user.CreatedOn = DateTime.MinValue;
|
filtered.CreatedBy = user.CreatedBy;
|
||||||
user.ModifiedBy = "";
|
filtered.CreatedOn = user.CreatedOn;
|
||||||
user.ModifiedOn = DateTime.MinValue;
|
filtered.ModifiedBy = user.ModifiedBy;
|
||||||
user.DeletedBy = "";
|
filtered.ModifiedOn = user.ModifiedOn;
|
||||||
user.DeletedOn = DateTime.MinValue;
|
filtered.DeletedBy = user.DeletedBy;
|
||||||
user.IsDeleted = false;
|
filtered.DeletedOn = user.DeletedOn;
|
||||||
user.TwoFactorRequired = false;
|
filtered.IsDeleted = user.IsDeleted;
|
||||||
|
}
|
||||||
|
|
||||||
|
// if authenticated user is accessing their own user account
|
||||||
|
if (_userPermissions.GetUser(User).UserId == user.UserId)
|
||||||
|
{
|
||||||
|
// include all settings
|
||||||
|
filtered.Settings = user.Settings;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
// include only public settings
|
||||||
|
filtered.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
|
||||||
|
.Where(item => !item.IsPrivate)
|
||||||
|
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return user;
|
|
||||||
|
return filtered;
|
||||||
}
|
}
|
||||||
|
|
||||||
// POST api/<controller>
|
// POST api/<controller>
|
||||||
|
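Review bot: Both `_userPermissions.GetUser(User).UserId == user.UserId` comparisons in the new Filter body (the private-properties condition and the settings condition) dereference the lookup result without a null check, so if GetUser returns null for an anonymous caller — the old code tolerated that path with `User.Identity.Name?.ToLower()`, and GetUser's contract is not visible from this hunk — the request fails with a NullReferenceException instead of returning the public projection. Resolving the caller once into locals also removes the duplicate lookup and makes the two authorization checks visibly consistent. `filtered.TwoFactorRequired = false;` inside the authorized branch looks like a leftover of the old mask-in-place approach: on a fresh `new User()` it is already the default, so either drop the line or copy `user.TwoFactorRequired` if the account owner or an administrator is meant to see it. The comment above that branch also has a typo (`os is an administrator` should read `or is an administrator`).
```csharp
        // resolve the caller once; presumably null for an anonymous request — confirm against IUserPermissions.GetUser
        var currentUser = _userPermissions.GetUser(User);
        var isSelf = currentUser != null && currentUser.UserId == user.UserId;
        var isAdmin = _userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin);

        // include private properties if authenticated user is accessing their own user account or is an administrator
        if (isAdmin || isSelf)
        {
            // … unchanged: private property copies …
        }

        // if authenticated user is accessing their own user account
        if (isSelf)
        {
            // … unchanged: settings selection …
        }
```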
@ -12,7 +12,6 @@ using Oqtane.Enums;
|
|||||||
using Oqtane.Infrastructure;
|
using Oqtane.Infrastructure;
|
||||||
using Oqtane.Models;
|
using Oqtane.Models;
|
||||||
using Oqtane.Repository;
|
using Oqtane.Repository;
|
||||||
using Oqtane.Security;
|
|
||||||
using Oqtane.Shared;
|
using Oqtane.Shared;
|
||||||
|
|
||||||
namespace Oqtane.Managers
|
namespace Oqtane.Managers
|
||||||
@ -65,8 +64,7 @@ namespace Oqtane.Managers
|
|||||||
{
|
{
|
||||||
user.SiteId = siteid;
|
user.SiteId = siteid;
|
||||||
user.Roles = GetUserRoles(user.UserId, user.SiteId);
|
user.Roles = GetUserRoles(user.UserId, user.SiteId);
|
||||||
List<Setting> settings = _settings.GetSettings(EntityNames.User, user.UserId).ToList();
|
user.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
|
||||||
user.Settings = settings.Where(item => !item.IsPrivate || user.UserId == user.UserId)
|
|
||||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||||
}
|
}
|
||||||
return user;
|
return user;
|
||||||
|
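Review bot: The rewritten `user.Settings = _settings.GetSettings(EntityNames.User, user.UserId)...` now deliberately loads every setting, private ones included, into the User object returned by the manager (the removed `!item.IsPrivate || user.UserId == user.UserId` predicate was a tautology, which is the bug being fixed), so the private/public split now depends entirely on each API exit path going through the controller's Filter. Any other consumer of this method that serialises the object, or any future endpoint that returns it unfiltered, would expose private settings, and nothing at this site records that expectation. A one-line comment would make the contract explicit, e.g. `// includes private settings - any caller that exposes this object externally must filter them (see UserController.Filter)`. The enclosing method starts outside this hunk, so the cache or return path it feeds could not be checked here.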