Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

authorization changes

Browse Source
This commit is contained in:
Shaun Walker
2020-02-17 19:48:26 -05:00
parent 2fa7f852d5
commit 066c616eca
44 changed files with 880 additions and 529 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
Oqtane.Server/Controllers/AliasController.cs
View File

@ -5,6 +5,8 @@ using Oqtane.Repository;
using Oqtane.Models;
using Oqtane.Shared;
using Oqtane.Infrastructure;
using System.Linq;
using System;
namespace Oqtane.Controllers
{
@ -22,6 +24,7 @@ namespace Oqtane.Controllers
// GET: api/<controller>
[HttpGet]
[Authorize(Roles = Constants.AdminRole)]
public IEnumerable<Alias> Get()
{
return Aliases.GetAliases();
@ -29,11 +32,32 @@ namespace Oqtane.Controllers
// GET api/<controller>/5
[HttpGet("{id}")]
[Authorize(Roles = Constants.AdminRole)]
public Alias Get(int id)
{
return Aliases.GetAlias(id);
}
// GET api/<controller>/name/localhost:12345
[HttpGet("name/{name}")]
public Alias Get(string name)
{
List<Alias> aliases = Aliases.GetAliases().ToList();
Alias alias = null;
alias = aliases.Where(item => item.Name == name).FirstOrDefault();
if (alias == null && name.Contains("/"))
{
// lookup alias without folder name
alias = aliases.Where(item => item.Name == name.Substring(name.IndexOf("/") + 1)).FirstOrDefault();
}
if (alias == null && aliases.Count > 0)
{
// use first alias if name does not exist
alias = aliases.FirstOrDefault();
}
return alias;
}
// POST api/<controller>
[HttpPost]
[Authorize(Roles = Constants.AdminRole)]

38
Oqtane.Server/Controllers/FileController.cs
View File

@ -72,7 +72,17 @@ namespace Oqtane.Controllers
[HttpGet("{id}")]
public Models.File Get(int id)
{
return Files.GetFile(id);
Models.File file = Files.GetFile(id);
if (UserPermissions.IsAuthorized(User, "View", file.Folder.Permissions))
{
return file;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access File {File}", file);
HttpContext.Response.StatusCode = 401;
return null;
}
}
// PUT api/<controller>/5
@ -85,6 +95,12 @@ namespace Oqtane.Controllers
File = Files.UpdateFile(File);
logger.Log(LogLevel.Information, this, LogFunction.Update, "File Updated {File}", File);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update File {File}", File);
HttpContext.Response.StatusCode = 401;
File = null;
}
return File;
}
@ -105,6 +121,11 @@ namespace Oqtane.Controllers
}
logger.Log(LogLevel.Information, this, LogFunction.Delete, "File Deleted {File}", File);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete File {FileId}", id);
HttpContext.Response.StatusCode = 401;
}
}
// GET api/<controller>/upload?url=x&folderid=y
@ -130,6 +151,12 @@ namespace Oqtane.Controllers
logger.Log(LogLevel.Error, this, LogFunction.Create, "File Could Not Be Downloaded From Url {Url}", url);
}
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Download File {Url} {FolderId}", url, folderid);
HttpContext.Response.StatusCode = 401;
file = null;
}
return file;
}
@ -170,6 +197,11 @@ namespace Oqtane.Controllers
Files.AddFile(new Models.File { Name = upload, FolderId = folderid, Extension = fileinfo.Extension.Replace(".", ""), Size = (int)fileinfo.Length });
}
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Upload File {Folder} {File}", folder, file);
HttpContext.Response.StatusCode = 401;
}
}
}
@ -293,7 +325,9 @@ namespace Oqtane.Controllers
}
else
{
return NotFound();
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access File {FileId}", id);
HttpContext.Response.StatusCode = 401;
return null;
}
}

73
Oqtane.Server/Controllers/FolderController.cs
View File

@ -28,21 +28,32 @@ namespace Oqtane.Controllers
[HttpGet]
public IEnumerable<Folder> Get(string siteid)
{
if (siteid == "")
List<Folder> folders = new List<Folder>();
foreach(Folder folder in Folders.GetFolders(int.Parse(siteid)))
{
return Folders.GetFolders();
}
else
{
return Folders.GetFolders(int.Parse(siteid));
if (UserPermissions.IsAuthorized(User, "Browse", folder.Permissions))
{
folders.Add(folder);
}
}
return folders;
}
// GET api/<controller>/5
[HttpGet("{id}")]
public Folder Get(int id)
{
return Folders.GetFolder(id);
Folder folder = Folders.GetFolder(id);
if (UserPermissions.IsAuthorized(User, "Browse", folder.Permissions))
{
return folder;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Folder {Folder}", folder);
HttpContext.Response.StatusCode = 401;
return null;
}
}
// POST api/<controller>
@ -50,16 +61,33 @@ namespace Oqtane.Controllers
[Authorize(Roles = Constants.RegisteredRole)]
public Folder Post([FromBody] Folder Folder)
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Edit", Folder.Permissions))
if (ModelState.IsValid)
{
Folder.Path = "";
if (string.IsNullOrEmpty(Folder.Path) && Folder.ParentId != null)
string permissions;
if (Folder.ParentId != null)
{
Folder parent = Folders.GetFolder(Folder.ParentId.Value);
Folder.Path = parent.Path + Folder.Name + "\\";
permissions = Folders.GetFolder(Folder.ParentId.Value).Permissions;
}
else
{
permissions = UserSecurity.SetPermissionStrings(new List<PermissionString> { new PermissionString { PermissionName = "Edit", Permissions = Constants.AdminRole } });
}
if (UserPermissions.IsAuthorized(User, "Edit", permissions))
{
if (string.IsNullOrEmpty(Folder.Path) && Folder.ParentId != null)
{
Folder parent = Folders.GetFolder(Folder.ParentId.Value);
Folder.Path = parent.Path + Folder.Name + "\\";
}
Folder = Folders.AddFolder(Folder);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Added {Folder}", Folder);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Folder {Folder}", Folder);
HttpContext.Response.StatusCode = 401;
Folder = null;
}
Folder = Folders.AddFolder(Folder);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Added {Folder}", Folder);
}
return Folder;
}
@ -71,7 +99,6 @@ namespace Oqtane.Controllers
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Folder", Folder.FolderId, "Edit"))
{
Folder.Path = "";
if (string.IsNullOrEmpty(Folder.Path) && Folder.ParentId != null)
{
Folder parent = Folders.GetFolder(Folder.ParentId.Value);
@ -80,6 +107,12 @@ namespace Oqtane.Controllers
Folder = Folders.UpdateFolder(Folder);
logger.Log(LogLevel.Information, this, LogFunction.Update, "Folder Updated {Folder}", Folder);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Folder {Folder}", Folder);
HttpContext.Response.StatusCode = 401;
Folder = null;
}
return Folder;
}
@ -103,6 +136,11 @@ namespace Oqtane.Controllers
}
logger.Log(LogLevel.Information, this, LogFunction.Update, "Folder Order Updated {SiteId} {FolderId} {ParentId}", siteid, folderid, parentid);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Folder Order {SiteId} {FolderId} {ParentId}", siteid, folderid, parentid);
HttpContext.Response.StatusCode = 401;
}
}
// DELETE api/<controller>/5
@ -115,6 +153,11 @@ namespace Oqtane.Controllers
Folders.DeleteFolder(id);
logger.Log(LogLevel.Information, this, LogFunction.Delete, "Folder Deleted {FolderId}", id);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Folder {FolderId}", id);
HttpContext.Response.StatusCode = 401;
}
}
}
}

2
Oqtane.Server/Controllers/InstallationController.cs
View File

@ -269,7 +269,7 @@ namespace Oqtane.Controllers
var result = dbUpgrade.PerformUpgrade();
if (!result.Successful)
{
// TODO: log result.Error.Message;
// TODO: log result.Error.Message - problem is logger is not available here
}
}
}

2
Oqtane.Server/Controllers/JobController.cs
View File

@ -27,6 +27,7 @@ namespace Oqtane.Controllers
// GET: api/<controller>
[HttpGet]
[Authorize(Roles = Constants.HostRole)]
public IEnumerable<Job> Get()
{
return Jobs.GetJobs();
@ -34,6 +35,7 @@ namespace Oqtane.Controllers
// GET api/<controller>/5
[HttpGet("{id}")]
[Authorize(Roles = Constants.HostRole)]
public Job Get(int id)
{
return Jobs.GetJob(id);

179
Oqtane.Server/Controllers/ModuleController.cs
View File

@ -6,10 +6,6 @@ using Oqtane.Models;
using Oqtane.Shared;
using System.Linq;
using System.Reflection;
using System;
using Oqtane.Modules;
using Microsoft.Extensions.DependencyInjection;
using System.Text.Json;
using Oqtane.Infrastructure;
using Oqtane.Security;
@ -21,16 +17,14 @@ namespace Oqtane.Controllers
private readonly IModuleRepository Modules;
private readonly IPageModuleRepository PageModules;
private readonly IModuleDefinitionRepository ModuleDefinitions;
private readonly IServiceProvider ServiceProvider;
private readonly IUserPermissions UserPermissions;
private readonly ILogManager logger;
public ModuleController(IModuleRepository Modules, IPageModuleRepository PageModules, IModuleDefinitionRepository ModuleDefinitions, IServiceProvider ServiceProvider, IUserPermissions UserPermissions, ILogManager logger)
public ModuleController(IModuleRepository Modules, IPageModuleRepository PageModules, IModuleDefinitionRepository ModuleDefinitions, IUserPermissions UserPermissions, ILogManager logger)
{
this.Modules = Modules;
this.PageModules = PageModules;
this.ModuleDefinitions = ModuleDefinitions;
this.ServiceProvider = ServiceProvider;
this.UserPermissions = UserPermissions;
this.logger = logger;
}
@ -39,36 +33,55 @@ namespace Oqtane.Controllers
[HttpGet]
public IEnumerable<Models.Module> Get(string siteid)
{
List<Models.Module> modulelist = new List<Models.Module>();
List<ModuleDefinition> moduledefinitions = ModuleDefinitions.GetModuleDefinitions(int.Parse(siteid)).ToList();
List<Models.Module> modules = new List<Models.Module>();
foreach (PageModule pagemodule in PageModules.GetPageModules(int.Parse(siteid)))
{
Models.Module module = new Models.Module();
module.SiteId = pagemodule.Module.SiteId;
module.ModuleDefinitionName = pagemodule.Module.ModuleDefinitionName;
module.Permissions = pagemodule.Module.Permissions;
module.CreatedBy = pagemodule.Module.CreatedBy;
module.CreatedOn = pagemodule.Module.CreatedOn;
module.ModifiedBy = pagemodule.Module.ModifiedBy;
module.ModifiedOn = pagemodule.Module.ModifiedOn;
module.IsDeleted = pagemodule.IsDeleted;
if (UserPermissions.IsAuthorized(User, "View", pagemodule.Module.Permissions))
{
Models.Module module = new Models.Module();
module.SiteId = pagemodule.Module.SiteId;
module.ModuleDefinitionName = pagemodule.Module.ModuleDefinitionName;
module.Permissions = pagemodule.Module.Permissions;
module.CreatedBy = pagemodule.Module.CreatedBy;
module.CreatedOn = pagemodule.Module.CreatedOn;
module.ModifiedBy = pagemodule.Module.ModifiedBy;
module.ModifiedOn = pagemodule.Module.ModifiedOn;
module.IsDeleted = pagemodule.IsDeleted;
module.PageModuleId = pagemodule.PageModuleId;
module.ModuleId = pagemodule.ModuleId;
module.PageId = pagemodule.PageId;
module.Title = pagemodule.Title;
module.Pane = pagemodule.Pane;
module.Order = pagemodule.Order;
module.ContainerType = pagemodule.ContainerType;
modulelist.Add(module);
module.PageModuleId = pagemodule.PageModuleId;
module.ModuleId = pagemodule.ModuleId;
module.PageId = pagemodule.PageId;
module.Title = pagemodule.Title;
module.Pane = pagemodule.Pane;
module.Order = pagemodule.Order;
module.ContainerType = pagemodule.ContainerType;
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
modules.Add(module);
}
}
return modulelist;
return modules;
}
// GET api/<controller>/5
[HttpGet("{id}")]
public Models.Module Get(int id)
{
return Modules.GetModule(id);
Models.Module module = Modules.GetModule(id);
if (UserPermissions.IsAuthorized(User, "View", module.Permissions))
{
List<ModuleDefinition> moduledefinitions = ModuleDefinitions.GetModuleDefinitions(module.SiteId).ToList();
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
return module;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Module {Module}", module);
HttpContext.Response.StatusCode = 401;
return null;
}
}
// POST api/<controller>
@ -76,11 +89,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = Constants.RegisteredRole)]
public Models.Module Post([FromBody] Models.Module Module)
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Edit", Module.Permissions))
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Page", Module.PageId, "Edit"))
{
Module = Modules.AddModule(Module);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Module Added {Module}", Module);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Module {Module}", Module);
HttpContext.Response.StatusCode = 401;
Module = null;
}
return Module;
}
@ -94,6 +113,12 @@ namespace Oqtane.Controllers
Module = Modules.UpdateModule(Module);
logger.Log(LogLevel.Information, this, LogFunction.Update, "Module Updated {Module}", Module);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Module {Module}", Module);
HttpContext.Response.StatusCode = 401;
Module = null;
}
return Module;
}
@ -107,6 +132,11 @@ namespace Oqtane.Controllers
Modules.DeleteModule(id);
logger.Log(LogLevel.Information, this, LogFunction.Delete, "Module Deleted {ModuleId}", id);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Module {ModuleId}", id);
HttpContext.Response.StatusCode = 401;
}
}
// GET api/<controller>/export?moduleid=x
@ -115,48 +145,14 @@ namespace Oqtane.Controllers
public string Export(int moduleid)
{
string content = "";
if (UserPermissions.IsAuthorized(User, "Module", moduleid, "View"))
if (UserPermissions.IsAuthorized(User, "Module", moduleid, "Edit"))
{
try
{
Models.Module module = Modules.GetModule(moduleid);
if (module != null)
{
List<ModuleDefinition> moduledefinitions = ModuleDefinitions.GetModuleDefinitions(module.SiteId).ToList();
ModuleDefinition moduledefinition = moduledefinitions.Where(item => item.ModuleDefinitionName == module.ModuleDefinitionName).FirstOrDefault();
if (moduledefinition != null)
{
ModuleContent modulecontent = new ModuleContent();
modulecontent.ModuleDefinitionName = moduledefinition.ModuleDefinitionName;
modulecontent.Version = moduledefinition.Version;
modulecontent.Content = "";
if (moduledefinition.ServerAssemblyName != "")
{
Assembly assembly = AppDomain.CurrentDomain.GetAssemblies()
.Where(item => item.FullName.StartsWith(moduledefinition.ServerAssemblyName)).FirstOrDefault();
if (assembly != null)
{
Type moduletype = assembly.GetTypes()
.Where(item => item.Namespace != null)
.Where(item => item.Namespace.StartsWith(moduledefinition.ModuleDefinitionName.Substring(0, moduledefinition.ModuleDefinitionName.IndexOf(","))))
.Where(item => item.GetInterfaces().Contains(typeof(IPortable))).FirstOrDefault();
if (moduletype != null)
{
var moduleobject = ActivatorUtilities.CreateInstance(ServiceProvider, moduletype);
modulecontent.Content = ((IPortable)moduleobject).ExportModule(module);
}
}
}
content = JsonSerializer.Serialize(modulecontent);
logger.Log(LogLevel.Information, this, LogFunction.Read, "Module Content Exported {ModuleId}", moduleid);
}
}
}
catch
{
// error occurred during export
}
content = Modules.ExportModule(moduleid);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Other, "User Not Authorized To Export Module {ModuleId}", moduleid);
HttpContext.Response.StatusCode = 401;
}
return content;
}
@ -169,45 +165,12 @@ namespace Oqtane.Controllers
bool success = false;
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Module", moduleid, "Edit"))
{
try
{
Models.Module module = Modules.GetModule(moduleid);
if (module != null)
{
List<ModuleDefinition> moduledefinitions = ModuleDefinitions.GetModuleDefinitions(module.SiteId).ToList();
ModuleDefinition moduledefinition = moduledefinitions.Where(item => item.ModuleDefinitionName == module.ModuleDefinitionName).FirstOrDefault();
if (moduledefinition != null)
{
ModuleContent modulecontent = JsonSerializer.Deserialize<ModuleContent>(Content);
if (modulecontent.ModuleDefinitionName == moduledefinition.ModuleDefinitionName)
{
if (moduledefinition.ServerAssemblyName != "")
{
Assembly assembly = AppDomain.CurrentDomain.GetAssemblies()
.Where(item => item.FullName.StartsWith(moduledefinition.ServerAssemblyName)).FirstOrDefault();
if (assembly != null)
{
Type moduletype = assembly.GetTypes()
.Where(item => item.Namespace != null)
.Where(item => item.Namespace.StartsWith(moduledefinition.ModuleDefinitionName.Substring(0, moduledefinition.ModuleDefinitionName.IndexOf(","))))
.Where(item => item.GetInterfaces().Contains(typeof(IPortable))).FirstOrDefault();
if (moduletype != null)
{
var moduleobject = ActivatorUtilities.CreateInstance(ServiceProvider, moduletype);
((IPortable)moduleobject).ImportModule(module, modulecontent.Content, modulecontent.Version);
success = true;
logger.Log(LogLevel.Information, this, LogFunction.Update, "Module Content Imported {ModuleId}", moduleid);
}
}
}
}
}
}
}
catch
{
// error occurred during import
}
success = Modules.ImportModule(moduleid, Content);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Other, "User Not Authorized To Import Module {ModuleId}", moduleid);
HttpContext.Response.StatusCode = 401;
}
return success;
}

34
Oqtane.Server/Controllers/ModuleDefinitionController.cs
View File

@ -9,6 +9,7 @@ using System.IO;
using System.Reflection;
using System.Linq;
using Microsoft.AspNetCore.Hosting;
using Oqtane.Security;
namespace Oqtane.Controllers
{
@ -16,13 +17,15 @@ namespace Oqtane.Controllers
public class ModuleDefinitionController : Controller
{
private readonly IModuleDefinitionRepository ModuleDefinitions;
private readonly IUserPermissions UserPermissions;
private readonly IInstallationManager InstallationManager;
private readonly IWebHostEnvironment environment;
private readonly ILogManager logger;
public ModuleDefinitionController(IModuleDefinitionRepository ModuleDefinitions, IInstallationManager InstallationManager, IWebHostEnvironment environment, ILogManager logger)
public ModuleDefinitionController(IModuleDefinitionRepository ModuleDefinitions, IUserPermissions UserPermissions, IInstallationManager InstallationManager, IWebHostEnvironment environment, ILogManager logger)
{
this.ModuleDefinitions = ModuleDefinitions;
this.UserPermissions = UserPermissions;
this.InstallationManager = InstallationManager;
this.environment = environment;
this.logger = logger;
@ -32,9 +35,35 @@ namespace Oqtane.Controllers
[HttpGet]
public IEnumerable<ModuleDefinition> Get(int siteid)
{
return ModuleDefinitions.GetModuleDefinitions(siteid);
List<ModuleDefinition> moduledefinitions = new List<ModuleDefinition>();
foreach(ModuleDefinition moduledefinition in ModuleDefinitions.GetModuleDefinitions(siteid))
{
if (UserPermissions.IsAuthorized(User, "Utilize", moduledefinition.Permissions))
{
moduledefinitions.Add(moduledefinition);
}
}
return moduledefinitions;
}
// GET api/<controller>/5?siteid=x
[HttpGet("{id}")]
public ModuleDefinition Get(int id, string siteid)
{
ModuleDefinition moduledefinition = ModuleDefinitions.GetModuleDefinition(id, int.Parse(siteid));
if (UserPermissions.IsAuthorized(User, "Utilize", moduledefinition.Permissions))
{
return moduledefinition;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access ModuleDefinition {ModuleDefinition}", moduledefinition);
HttpContext.Response.StatusCode = 401;
return null;
}
}
// GET api/<controller>/filename
[HttpGet("{filename}")]
public IActionResult Get(string assemblyname)
@ -93,5 +122,6 @@ namespace Oqtane.Controllers
InstallationManager.RestartApplication();
}
}
}
}

137
Oqtane.Server/Controllers/PageController.cs
View File

@ -14,12 +14,16 @@ namespace Oqtane.Controllers
public class PageController : Controller
{
private readonly IPageRepository Pages;
private readonly IModuleRepository Modules;
private readonly IPageModuleRepository PageModules;
private readonly IUserPermissions UserPermissions;
private readonly ILogManager logger;
public PageController(IPageRepository Pages, IUserPermissions UserPermissions, ILogManager logger)
public PageController(IPageRepository Pages, IModuleRepository Modules, IPageModuleRepository PageModules, IUserPermissions UserPermissions, ILogManager logger)
{
this.Pages = Pages;
this.Modules = Modules;
this.PageModules = PageModules;
this.UserPermissions = UserPermissions;
this.logger = logger;
}
@ -28,27 +32,39 @@ namespace Oqtane.Controllers
[HttpGet]
public IEnumerable<Page> Get(string siteid)
{
if (siteid == "")
List<Page> pages = new List<Page>();
foreach (Page page in Pages.GetPages(int.Parse(siteid)))
{
return Pages.GetPages();
}
else
{
return Pages.GetPages(int.Parse(siteid));
if (UserPermissions.IsAuthorized(User, "View", page.Permissions))
{
pages.Add(page);
}
}
return pages;
}
// GET api/<controller>/5?userid=x
[HttpGet("{id}")]
public Page Get(int id, string userid)
{
Page page;
if (string.IsNullOrEmpty(userid))
{
return Pages.GetPage(id);
page = Pages.GetPage(id);
}
else
{
return Pages.GetPage(id, int.Parse(userid));
page = Pages.GetPage(id, int.Parse(userid));
}
if (UserPermissions.IsAuthorized(User, "View", page.Permissions))
{
return page;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Page {Page}", page);
HttpContext.Response.StatusCode = 401;
return null;
}
}
@ -57,14 +73,95 @@ namespace Oqtane.Controllers
[Authorize(Roles = Constants.RegisteredRole)]
public Page Post([FromBody] Page Page)
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Edit", Page.Permissions))
if (ModelState.IsValid)
{
Page = Pages.AddPage(Page);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Page Added {Page}", Page);
string permissions;
if (Page.ParentId != null)
{
permissions = Pages.GetPage(Page.ParentId.Value).Permissions;
}
else
{
permissions = UserSecurity.SetPermissionStrings(new List<PermissionString> { new PermissionString { PermissionName = "Edit", Permissions = Constants.AdminRole } });
}
if (UserPermissions.IsAuthorized(User, "Edit", permissions))
{
Page = Pages.AddPage(Page);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Page Added {Page}", Page);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Page {Page}", Page);
HttpContext.Response.StatusCode = 401;
Page = null;
}
}
return Page;
}
// POST api/<controller>/5?userid=x
[HttpPost("{id}")]
[Authorize(Roles = Constants.RegisteredRole)]
public Page Post(int id, string userid)
{
Page page = null;
Page parent = Pages.GetPage(id);
if (parent != null && parent.IsPersonalizable && !string.IsNullOrEmpty(userid))
{
page = new Page();
page.SiteId = parent.SiteId;
page.Name = parent.Name;
page.Path = parent.Path;
page.ParentId = parent.PageId;
page.Order = 0;
page.IsNavigation = false;
page.EditMode = false;
page.ThemeType = parent.ThemeType;
page.LayoutType = parent.LayoutType;
page.Icon = parent.Icon;
List<PermissionString> permissions = new List<PermissionString>();
permissions.Add(new PermissionString { PermissionName = "View", Permissions = "[" + userid + "]" });
permissions.Add(new PermissionString { PermissionName = "Edit", Permissions = "[" + userid + "]" });
page.Permissions = UserSecurity.SetPermissionStrings(permissions);
page.IsPersonalizable = false;
page.UserId = int.Parse(userid);
page = Pages.AddPage(page);
// copy modules
List<PageModule> pagemodules = PageModules.GetPageModules(page.SiteId).ToList();
foreach (PageModule pm in pagemodules.Where(item => item.PageId == parent.PageId && !item.IsDeleted))
{
Module module = new Module();
module.SiteId = page.SiteId;
module.PageId = page.PageId;
module.ModuleDefinitionName = pm.Module.ModuleDefinitionName;
permissions = new List<PermissionString>();
permissions.Add(new PermissionString { PermissionName = "View", Permissions = "[" + userid + "]" });
permissions.Add(new PermissionString { PermissionName = "Edit", Permissions = "[" + userid + "]" });
module.Permissions = UserSecurity.SetPermissionStrings(permissions);
module = Modules.AddModule(module);
string content = Modules.ExportModule(pm.ModuleId);
if (content != "")
{
Modules.ImportModule(module.ModuleId, content);
}
PageModule pagemodule = new PageModule();
pagemodule.PageId = page.PageId;
pagemodule.ModuleId = module.ModuleId;
pagemodule.Title = pm.Title;
pagemodule.Pane = pm.Pane;
pagemodule.Order = pm.Order;
pagemodule.ContainerType = pm.ContainerType;
PageModules.AddPageModule(pagemodule);
}
}
return page;
}
// PUT api/<controller>/5
[HttpPut("{id}")]
[Authorize(Roles = Constants.RegisteredRole)]
@ -75,6 +172,12 @@ namespace Oqtane.Controllers
Page = Pages.UpdatePage(Page);
logger.Log(LogLevel.Information, this, LogFunction.Update, "Page Updated {Page}", Page);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Page {Page}", Page);
HttpContext.Response.StatusCode = 401;
Page = null;
}
return Page;
}
@ -98,6 +201,11 @@ namespace Oqtane.Controllers
}
logger.Log(LogLevel.Information, this, LogFunction.Update, "Page Order Updated {SiteId} {PageId} {ParentId}", siteid, pageid, parentid);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Page Order {SiteId} {PageId} {ParentId}", siteid, pageid, parentid);
HttpContext.Response.StatusCode = 401;
}
}
// DELETE api/<controller>/5
@ -110,6 +218,11 @@ namespace Oqtane.Controllers
Pages.DeletePage(id);
logger.Log(LogLevel.Information, this, LogFunction.Delete, "Page Deleted {PageId}", id);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Page {PageId}", id);
HttpContext.Response.StatusCode = 401;
}
}
}
}

52
Oqtane.Server/Controllers/PageModuleController.cs
View File

@ -14,12 +14,14 @@ namespace Oqtane.Controllers
public class PageModuleController : Controller
{
private readonly IPageModuleRepository PageModules;
private readonly IModuleRepository Modules;
private readonly IUserPermissions UserPermissions;
private readonly ILogManager logger;
public PageModuleController(IPageModuleRepository PageModules, IUserPermissions UserPermissions, ILogManager logger)
public PageModuleController(IPageModuleRepository PageModules, IModuleRepository Modules, IUserPermissions UserPermissions, ILogManager logger)
{
this.PageModules = PageModules;
this.Modules = Modules;
this.UserPermissions = UserPermissions;
this.logger = logger;
}
@ -28,14 +30,34 @@ namespace Oqtane.Controllers
[HttpGet("{id}")]
public PageModule Get(int id)
{
return PageModules.GetPageModule(id);
PageModule pagemodule = PageModules.GetPageModule(id);
if (UserPermissions.IsAuthorized(User, "View", pagemodule.Module.Permissions))
{
return pagemodule;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access PageModule {PageModule}", pagemodule);
HttpContext.Response.StatusCode = 401;
return null;
}
}
// GET: api/<controller>/pageid/moduleid
[HttpGet("{pageid}/{moduleid}")]
public PageModule Get(int pageid, int moduleid)
{
return PageModules.GetPageModule(pageid, moduleid);
PageModule pagemodule = PageModules.GetPageModule(pageid, moduleid);
if (UserPermissions.IsAuthorized(User, "View", pagemodule.Module.Permissions))
{
return pagemodule;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access PageModule {PageModule}", pagemodule);
HttpContext.Response.StatusCode = 401;
return null;
}
}
// POST api/<controller>
@ -48,6 +70,12 @@ namespace Oqtane.Controllers
PageModule = PageModules.AddPageModule(PageModule);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Page Module Added {PageModule}", PageModule);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add PageModule {PageModule}", PageModule);
HttpContext.Response.StatusCode = 401;
PageModule = null;
}
return PageModule;
}
@ -56,11 +84,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = Constants.RegisteredRole)]
public PageModule Put(int id, [FromBody] PageModule PageModule)
{
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Page", PageModule.PageId, "Edit"))
if (ModelState.IsValid && UserPermissions.IsAuthorized(User, "Module", PageModule.ModuleId, "Edit"))
{
PageModule = PageModules.UpdatePageModule(PageModule);
logger.Log(LogLevel.Information, this, LogFunction.Update, "Page Module Updated {PageModule}", PageModule);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update PageModule {PageModule}", PageModule);
HttpContext.Response.StatusCode = 401;
PageModule = null;
}
return PageModule;
}
@ -84,6 +118,11 @@ namespace Oqtane.Controllers
}
logger.Log(LogLevel.Information, this, LogFunction.Update, "Page Module Order Updated {PageId} {Pane}", pageid, pane);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Page Module Order {PageId} {Pane}", pageid, pane);
HttpContext.Response.StatusCode = 401;
}
}
// DELETE api/<controller>/5
@ -97,6 +136,11 @@ namespace Oqtane.Controllers
PageModules.DeletePageModule(id);
logger.Log(LogLevel.Information, this, LogFunction.Delete, "Page Module Deleted {PageModuleId}", id);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete PageModule {PageModuleId}", id);
HttpContext.Response.StatusCode = 401;
}
}
}
}

72
Oqtane.Server/Controllers/PermissionController.cs
View File

@ -1,72 +0,0 @@
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
using Oqtane.Repository;
using Oqtane.Models;
using Oqtane.Shared;
using Oqtane.Infrastructure;
namespace Oqtane.Controllers
{
[Route("{site}/api/[controller]")]
public class PermissionController : Controller
{
private readonly IPermissionRepository Permissions;
private readonly ILogManager logger;
public PermissionController(IPermissionRepository Permissions, ILogManager logger)
{
this.Permissions = Permissions;
this.logger = logger;
}
// GET: api/<controller>
[HttpGet]
public IEnumerable<Permission> Get(string entityname, int entityid, string permissionname)
{
return Permissions.GetPermissions(entityname, entityid, permissionname);
}
// GET api/<controller>/5
[HttpGet("{id}")]
public Permission Get(int id)
{
return Permissions.GetPermission(id);
}
// POST api/<controller>
[HttpPost]
[Authorize(Roles = Constants.AdminRole)]
public Permission Post([FromBody] Permission Permission)
{
if (ModelState.IsValid)
{
Permission = Permissions.AddPermission(Permission);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Permission Added {Permission}", Permission);
}
return Permission;
}
// PUT api/<controller>/5
[HttpPut("{id}")]
[Authorize(Roles = Constants.AdminRole)]
public Permission Put(int id, [FromBody] Permission Permission)
{
if (ModelState.IsValid)
{
Permission = Permissions.UpdatePermission(Permission);
logger.Log(LogLevel.Information, this, LogFunction.Update, "Permission Updated {Permission}", Permission);
}
return Permission;
}
// DELETE api/<controller>/5
[HttpDelete("{id}")]
[Authorize(Roles = Constants.AdminRole)]
public void Delete(int id)
{
Permissions.DeletePermission(id);
logger.Log(LogLevel.Information, this, LogFunction.Delete, "Permission Deleted {PermissionId}", id);
}
}
}

2
Oqtane.Server/Controllers/RoleController.cs
View File

@ -22,6 +22,7 @@ namespace Oqtane.Controllers
// GET: api/<controller>?siteid=x
[HttpGet]
[Authorize(Roles = Constants.RegisteredRole)]
public IEnumerable<Role> Get(string siteid)
{
return Roles.GetRoles(int.Parse(siteid));
@ -29,6 +30,7 @@ namespace Oqtane.Controllers
// GET api/<controller>/5
[HttpGet("{id}")]
[Authorize(Roles = Constants.RegisteredRole)]
public Role Get(int id)
{
return Roles.GetRole(id);

91
Oqtane.Server/Controllers/SettingController.cs
View File

@ -1,11 +1,13 @@
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Authorization;
using Oqtane.Repository;
using Oqtane.Models;
using Oqtane.Shared;
using Oqtane.Security;
using Oqtane.Infrastructure;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
namespace Oqtane.Controllers
{
@ -13,13 +15,17 @@ namespace Oqtane.Controllers
public class SettingController : Controller
{
private readonly ISettingRepository Settings;
private readonly IPageModuleRepository PageModules;
private readonly IUserPermissions UserPermissions;
private readonly IHttpContextAccessor Accessor;
private readonly ILogManager logger;
public SettingController(ISettingRepository Settings, IUserPermissions UserPermissions, ILogManager logger)
public SettingController(ISettingRepository Settings, IPageModuleRepository PageModules, IUserPermissions UserPermissions, IHttpContextAccessor Accessor, ILogManager logger)
{
this.Settings = Settings;
this.PageModules = PageModules;
this.UserPermissions = UserPermissions;
this.Accessor = Accessor;
this.logger = logger;
}
@ -27,62 +33,117 @@ namespace Oqtane.Controllers
[HttpGet]
public IEnumerable<Setting> Get(string entityname, int entityid)
{
return Settings.GetSettings(entityname, entityid);
List<Setting> settings = new List<Setting>();
if (IsAuthorized(entityname, entityid, "View"))
{
settings = Settings.GetSettings(entityname, entityid).ToList();
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityname, entityid);
HttpContext.Response.StatusCode = 401;
}
return settings;
}
// GET api/<controller>/5
[HttpGet("{id}")]
public Setting Get(int id)
{
return Settings.GetSetting(id);
Setting setting = Settings.GetSetting(id);
if (IsAuthorized(setting.EntityName, setting.EntityId, "View"))
{
return setting;
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {Setting}", setting);
HttpContext.Response.StatusCode = 401;
return null;
}
}
// POST api/<controller>
[HttpPost]
[Authorize]
public Setting Post([FromBody] Setting Setting)
{
if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId))
if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId, "Edit"))
{
Setting = Settings.AddSetting(Setting);
logger.Log(LogLevel.Information, this, LogFunction.Create, "Setting Added {Setting}", Setting);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", Setting);
HttpContext.Response.StatusCode = 401;
Setting = null;
}
return Setting;
}
// PUT api/<controller>/5
[HttpPut("{id}")]
[Authorize]
public Setting Put(int id, [FromBody] Setting Setting)
{
if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId))
if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId, "Edit"))
{
Setting = Settings.UpdateSetting(Setting);
logger.Log(LogLevel.Information, this, LogFunction.Update, "Setting Updated {Setting}", Setting);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", Setting);
HttpContext.Response.StatusCode = 401;
Setting = null;
}
return Setting;
}
// DELETE api/<controller>/5
[HttpDelete("{id}")]
[Authorize(Roles = Constants.AdminRole)]
public void Delete(int id)
{
Settings.DeleteSetting(id);
logger.Log(LogLevel.Information, this, LogFunction.Delete, "Setting Deleted {SettingId}", id);
Setting setting = Settings.GetSetting(id);
if (IsAuthorized(setting.EntityName, setting.EntityId, "Edit"))
{
Settings.DeleteSetting(id);
logger.Log(LogLevel.Information, this, LogFunction.Delete, "Setting Deleted {Setting}", setting);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
HttpContext.Response.StatusCode = 401;
}
}
private bool IsAuthorized(string EntityName, int EntityId)
private bool IsAuthorized(string EntityName, int EntityId, string PermissionName)
{
bool authorized = false;
if (EntityName == "PageModule")
{
EntityName = "Module";
EntityId = PageModules.GetPageModule(EntityId).ModuleId;
}
switch (EntityName)
{
case "Module":
authorized = UserPermissions.IsAuthorized(User, EntityName, EntityId, "Edit");
case "Host":
authorized = User.IsInRole(Constants.HostRole);
break;
default:
case "Site":
authorized = User.IsInRole(Constants.AdminRole);
break;
case "Page":
case "Module":
case "Folder":
authorized = UserPermissions.IsAuthorized(User, EntityName, EntityId, PermissionName);
break;
case "User":
authorized = true;
if (PermissionName == "Edit")
{
authorized = User.IsInRole(Constants.AdminRole) || (int.Parse(Accessor.HttpContext.User.FindFirst(ClaimTypes.PrimarySid).Value) == EntityId);
}
break;
}
return authorized;
}

1
Oqtane.Server/Controllers/SiteController.cs
View File

@ -29,6 +29,7 @@ namespace Oqtane.Controllers
// GET: api/<controller>
[HttpGet]
[Authorize(Roles = Constants.HostRole)]
public IEnumerable<Site> Get()
{
return Sites.GetSites();

1
Oqtane.Server/Controllers/ThemeController.cs
View File

@ -30,6 +30,7 @@ namespace Oqtane.Controllers
// GET: api/<controller>
[HttpGet]
[Authorize(Roles = Constants.RegisteredRole)]
public IEnumerable<Theme> Get()
{
return Themes.GetThemes();

26
Oqtane.Server/Controllers/UserController.cs
View File

@ -44,6 +44,7 @@ namespace Oqtane.Controllers
// GET api/<controller>/5?siteid=x
[HttpGet("{id}")]
[Authorize]
public User Get(int id, string siteid)
{
User user = Users.GetUser(id);
@ -172,18 +173,27 @@ namespace Oqtane.Controllers
{
if (ModelState.IsValid)
{
if (User.Password != "")
if (base.User.IsInRole(Constants.AdminRole) || base.User.Identity.Name == User.Username)
{
IdentityUser identityuser = await IdentityUserManager.FindByNameAsync(User.Username);
if (identityuser != null)
if (User.Password != "")
{
identityuser.PasswordHash = IdentityUserManager.PasswordHasher.HashPassword(identityuser, User.Password);
await IdentityUserManager.UpdateAsync(identityuser);
IdentityUser identityuser = await IdentityUserManager.FindByNameAsync(User.Username);
if (identityuser != null)
{
identityuser.PasswordHash = IdentityUserManager.PasswordHasher.HashPassword(identityuser, User.Password);
await IdentityUserManager.UpdateAsync(identityuser);
}
}
User = Users.UpdateUser(User);
User.Password = ""; // remove sensitive information
logger.Log(LogLevel.Information, this, LogFunction.Update, "User Updated {User}", User);
}
else
{
logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update User {User}", User);
HttpContext.Response.StatusCode = 401;
User = null;
}
User = Users.UpdateUser(User);
User.Password = ""; // remove sensitive information
logger.Log(LogLevel.Information, this, LogFunction.Update, "User Updated {User}", User);
}
return User;
}

2
Oqtane.Server/Controllers/UserRoleController.cs
View File

@ -22,6 +22,7 @@ namespace Oqtane.Controllers
// GET: api/<controller>?userid=x
[HttpGet]
[Authorize]
public IEnumerable<UserRole> Get(string siteid)
{
return UserRoles.GetUserRoles(int.Parse(siteid));
@ -29,6 +30,7 @@ namespace Oqtane.Controllers
// GET api/<controller>/5
[HttpGet("{id}")]
[Authorize]
public UserRole Get(int id)
{
return UserRoles.GetUserRole(id);