Enhance tab authorization with role and permission checks #5872

Add RoleName and PermissionName parameters to TabPanel for fine-grained tab visibility control. Update IsAuthorized logic in TabStrip to prioritize Host/Admin access, then check SecurityAccessLevel, and additionally require specified roles or permissions if provided. Removes redundant Admin/Host checks from the switch statement for clarity.

Oqtane.Client/Modules/Controls/TabPanel.razor

@@ -30,6 +30,12 @@ else
     [Parameter]
     public SecurityAccessLevel? Security { get; set; } // optional - can be used to specify SecurityAccessLevel
 
+    [Parameter]
+    public string RoleName { get; set; } // optional - can be used to specify Role allowed to view this tab
+
+    [Parameter]
+    public string PermissionName { get; set; } // optional - can be used to specify Permission allowed to view this tab
+
     protected override void OnParametersSet()
     {
         base.OnParametersSet();

Oqtane.Client/Modules/Controls/TabStrip.razor

@@ -84,12 +84,31 @@
         }
     }
 
+    /// <summary>
+    /// Determines if a tab should be visible based on user permissions.
+    /// Authorization hierarchy:
+    /// 1. Host and Admin roles ALWAYS have access (bypass all checks)
+    /// 2. Check standard SecurityAccessLevel (View, Edit, etc.)
+    /// 3. If RoleName specified AND user is not Admin/Host, check RoleName
+    /// 4. If PermissionName specified AND user is not Admin/Host, check PermissionName
+    /// </summary>
+    /// <param name="tabPanel">The tab panel to check authorization for</param>
+    /// <returns>True if user is authorized to see this tab, false otherwise</returns>
     private bool IsAuthorized(TabPanel tabPanel)
     {
+        // Step 1: Host and Admin bypass all restrictions
+        if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host) ||
+            UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
+        {
+            return true;
+        }
+
         var authorized = false;
+
+        // Step 2: Check standard SecurityAccessLevel
         switch (tabPanel.Security)
         {
-            case null: // security not specified - assume SecurityAccessLevel.Anonymous
+            case null:
                 authorized = true;
                 break;
             case SecurityAccessLevel.Anonymous:
@@ -101,13 +120,20 @@
             case SecurityAccessLevel.Edit:
                 authorized = UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, ModuleState.PermissionList);
                 break;
-            case SecurityAccessLevel.Admin:
-                authorized = UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin);
-                break;
-            case SecurityAccessLevel.Host:
-                authorized = UserSecurity.IsAuthorized(PageState.User, RoleNames.Host);
-                break;
         }
+
+        // Step 3: Check RoleName if provided (additional requirement)
+        if (authorized && !string.IsNullOrEmpty(tabPanel.RoleName))
+        {
+            authorized = UserSecurity.IsAuthorized(PageState.User, tabPanel.RoleName);
+        }
+
+        // Step 4: Check PermissionName if provided (additional requirement)
+        if (authorized && !string.IsNullOrEmpty(tabPanel.PermissionName))
+        {
+            authorized = UserSecurity.IsAuthorized(PageState.User, tabPanel.PermissionName, ModuleState.PermissionList);
+        }
+
         return authorized;
     }
 }