fix #4600 - filter user settings in API layer

2024-09-11 17:21:12 -04:00 · 2024-09-11 17:21:12 -04:00 · 044cee30a5
commit 044cee30a5
parent bbe85def23
2 changed files with 46 additions and 23 deletions
--- a/Oqtane.Server/Controllers/UserController.cs
+++ b/Oqtane.Server/Controllers/UserController.cs
@ -28,9 +28,10 @@ namespace Oqtane.Controllers
        private readonly IUserPermissions _userPermissions;
        private readonly IJwtManager _jwtManager;
        private readonly IFileRepository _files;
+        private readonly ISettingRepository _settings;
        private readonly ILogManager _logger;

-        public UserController(IUserRepository users, ITenantManager tenantManager, IUserManager userManager, ISiteRepository sites, IUserPermissions userPermissions, IJwtManager jwtManager, IFileRepository files, ILogManager logger)
+        public UserController(IUserRepository users, ITenantManager tenantManager, IUserManager userManager, ISiteRepository sites, IUserPermissions userPermissions, IJwtManager jwtManager, IFileRepository files, ISettingRepository settings, ILogManager logger)
        {
            _users = users;
            _tenantManager = tenantManager;
@ -39,6 +40,7 @@ namespace Oqtane.Controllers
            _userPermissions = userPermissions;
            _jwtManager = jwtManager;
            _files = files;
+            _settings = settings;
            _logger = logger;
        }

@ -110,31 +112,54 @@ namespace Oqtane.Controllers

        private User Filter(User user)
        {
+            // clone object to avoid mutating cache 
+            User filtered = null;
+
            if (user != null)
            {
-                user.Password = "";
-                user.IsAuthenticated = false;
-                user.TwoFactorCode = "";
-                user.TwoFactorExpiry = null;
+                filtered = new User();

-                if (!_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) && User.Identity.Name?.ToLower() != user.Username.ToLower())
+                // public properties
+                filtered.UserId = user.UserId;
+                filtered.Username = user.Username;
+                filtered.DisplayName = user.DisplayName;
+                filtered.Password = "";
+                filtered.TwoFactorCode = "";
+
+                // include private properties if authenticated user is accessing their own user account os is an administrator
+                if (_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) || _userPermissions.GetUser(User).UserId == user.UserId)
                {
-                    user.Email = "";
-                    user.PhotoFileId = null;
-                    user.LastLoginOn = DateTime.MinValue;
-                    user.LastIPAddress = "";
-                    user.Roles = "";
-                    user.CreatedBy = "";
-                    user.CreatedOn = DateTime.MinValue;
-                    user.ModifiedBy = "";
-                    user.ModifiedOn = DateTime.MinValue;
-                    user.DeletedBy = "";
-                    user.DeletedOn = DateTime.MinValue;
-                    user.IsDeleted = false;
-                    user.TwoFactorRequired = false;
+                    filtered.Email = user.Email;
+                    filtered.PhotoFileId = user.PhotoFileId;
+                    filtered.LastLoginOn = user.LastLoginOn;
+                    filtered.LastIPAddress = user.LastIPAddress;
+                    filtered.TwoFactorRequired = false;
+                    filtered.Roles = user.Roles;
+                    filtered.CreatedBy = user.CreatedBy;
+                    filtered.CreatedOn = user.CreatedOn;
+                    filtered.ModifiedBy = user.ModifiedBy;
+                    filtered.ModifiedOn = user.ModifiedOn;
+                    filtered.DeletedBy = user.DeletedBy;
+                    filtered.DeletedOn = user.DeletedOn;
+                    filtered.IsDeleted = user.IsDeleted;
+                }
+
+                // if authenticated user is accessing their own user account
+                if (_userPermissions.GetUser(User).UserId == user.UserId)
+                {
+                    // include all settings
+                    filtered.Settings = user.Settings;
+                }
+                else
+                {
+                    // include only public settings
+                    filtered.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
+                        .Where(item => !item.IsPrivate)
+                        .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
                }
            }
-            return user;
+
+            return filtered;
        }

        // POST api/<controller>
--- a/Oqtane.Server/Managers/UserManager.cs
+++ b/Oqtane.Server/Managers/UserManager.cs
@ -12,7 +12,6 @@ using Oqtane.Enums;
 using Oqtane.Infrastructure;
 using Oqtane.Models;
 using Oqtane.Repository;
-using Oqtane.Security;
 using Oqtane.Shared;

 namespace Oqtane.Managers
@ -65,8 +64,7 @@ namespace Oqtane.Managers
                {
                    user.SiteId = siteid;
                    user.Roles = GetUserRoles(user.UserId, user.SiteId);
-                    List<Setting> settings = _settings.GetSettings(EntityNames.User, user.UserId).ToList();
-                    user.Settings = settings.Where(item => !item.IsPrivate || user.UserId == user.UserId)
+                    user.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
                        .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
                }
                return user;