Diplomarbeit-Absolventenverein/oqtane.framework-not-mirrored
Archived
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix #4946 - allow administrators to access user roles via API

Browse Source
This commit is contained in:
sbwalker 2024-12-23 09:26:50 -05:00
parent f2cb34cc35
commit 1a925221b7
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Oqtane.Server/Controllers/UserRoleController.cs
View File

@ -42,7 +42,7 @@ namespace Oqtane.Controllers
int UserId = -1; int UserId = -1;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId && (userid != null && int.TryParse(userid, out UserId) || rolename != null)) if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId && (userid != null && int.TryParse(userid, out UserId) || rolename != null))
{ {
if (IsAuthorized(UserId, rolename)) if (IsAuthorized(UserId, rolename, SiteId))
{ {
var userroles = _userRoles.GetUserRoles(SiteId).ToList(); var userroles = _userRoles.GetUserRoles(SiteId).ToList();
if (UserId != -1) if (UserId != -1)
@ -82,7 +82,7 @@ namespace Oqtane.Controllers
public UserRole Get(int id) public UserRole Get(int id)
{ {
var userrole = _userRoles.GetUserRole(id); var userrole = _userRoles.GetUserRole(id);
if (userrole != null && SiteValid(userrole.Role.SiteId) && IsAuthorized(userrole.UserId, userrole.Role.Name)) if (userrole != null && SiteValid(userrole.Role.SiteId) && IsAuthorized(userrole.UserId, userrole.Role.Name, userrole.Role.SiteId ?? -1))
{ {
return Filter(userrole, _userPermissions.GetUser().UserId); return Filter(userrole, _userPermissions.GetUser().UserId);
} }
@ -101,17 +101,21 @@ namespace Oqtane.Controllers
} }
} }
private bool IsAuthorized(int userId, string roleName) private bool IsAuthorized(int userId, string roleName, int siteId)
{ {
bool authorized = true; bool authorized = true;
if (userId != -1) if (userId != -1)
{ {
authorized = _userPermissions.GetUser(User).UserId == userId; authorized = (_userPermissions.GetUser(User).UserId == userId);
} }
if (authorized && !string.IsNullOrEmpty(roleName)) if (authorized && !string.IsNullOrEmpty(roleName))
{ {
authorized = User.IsInRole(roleName); authorized = User.IsInRole(roleName);
} }
if (!authorized)
{
authorized = _userPermissions.IsAuthorized(User, siteId, EntityNames.UserRole, -1, PermissionNames.Write, RoleNames.Admin);
}
return authorized; return authorized;
} }