add additional validation logic to Update API methods to ensure model ID matches ID parameter
This commit is contained in:
sbwalker
@ -76,7 +76,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Roles = RoleNames.Host)]
|
||||
public Alias Put(int id, [FromBody] Alias alias)
|
||||
{
|
||||
if (ModelState.IsValid && _aliases.GetAlias(alias.AliasId, false) != null)
|
||||
if (ModelState.IsValid && alias.AliasId == id && _aliases.GetAlias(alias.AliasId, false) != null)
|
||||
{
|
||||
alias = _aliases.UpdateAlias(alias);
|
||||
_syncManager.AddSyncEvent(alias.TenantId, EntityNames.Alias, alias.AliasId, SyncEventActions.Update);
|
||||
|
||||
@ -207,7 +207,7 @@ namespace Oqtane.Controllers
|
||||
public Models.File Put(int id, [FromBody] Models.File file)
|
||||
{
|
||||
var File = _files.GetFile(file.FileId, false);
|
||||
if (ModelState.IsValid && file.Folder.SiteId == _alias.SiteId && File != null // ensure file exists
|
||||
if (ModelState.IsValid && file.Folder.SiteId == _alias.SiteId && file.FileId == id && File != null // ensure file exists
|
||||
&& _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, File.FolderId, PermissionNames.Edit) // ensure user had edit rights to original folder
|
||||
&& _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, file.FolderId, PermissionNames.Edit)) // ensure user has edit rights to new folder
|
||||
{
|
||||
|
||||
@ -204,7 +204,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Roles = RoleNames.Registered)]
|
||||
public Folder Put(int id, [FromBody] Folder folder)
|
||||
{
|
||||
if (ModelState.IsValid && folder.SiteId == _alias.SiteId && _folders.GetFolder(folder.FolderId, false) != null && _userPermissions.IsAuthorized(User, folder.SiteId, EntityNames.Folder, folder.FolderId, PermissionNames.Edit))
|
||||
if (ModelState.IsValid && folder.SiteId == _alias.SiteId && folder.FolderId == id && _folders.GetFolder(folder.FolderId, false) != null && _userPermissions.IsAuthorized(User, folder.SiteId, EntityNames.Folder, folder.FolderId, PermissionNames.Edit))
|
||||
{
|
||||
if (folder.IsPathValid())
|
||||
{
|
||||
|
||||
@ -67,7 +67,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Roles = RoleNames.Host)]
|
||||
public Job Put(int id, [FromBody] Job job)
|
||||
{
|
||||
if (ModelState.IsValid && _jobs.GetJob(job.JobId, false) != null)
|
||||
if (ModelState.IsValid && job.JobId == id && _jobs.GetJob(job.JobId, false) != null)
|
||||
{
|
||||
job = _jobs.UpdateJob(job);
|
||||
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Job Updated {Job}", job);
|
||||
|
||||
@ -154,7 +154,7 @@ namespace Oqtane.Controllers
|
||||
{
|
||||
var _module = _modules.GetModule(module.ModuleId, false);
|
||||
|
||||
if (ModelState.IsValid && module.SiteId == _alias.SiteId && _module != null && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
|
||||
if (ModelState.IsValid && module.SiteId == _alias.SiteId && module.ModuleId == id && _module != null && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
|
||||
{
|
||||
module = _modules.UpdateModule(module);
|
||||
|
||||
|
||||
@ -167,7 +167,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Roles = RoleNames.Admin)]
|
||||
public void Put(int id, [FromBody] ModuleDefinition moduleDefinition)
|
||||
{
|
||||
if (ModelState.IsValid && moduleDefinition.SiteId == _alias.SiteId && _moduleDefinitions.GetModuleDefinition(moduleDefinition.ModuleDefinitionId, moduleDefinition.SiteId) != null)
|
||||
if (ModelState.IsValid && moduleDefinition.SiteId == _alias.SiteId && moduleDefinition.ModuleDefinitionId == id && _moduleDefinitions.GetModuleDefinition(moduleDefinition.ModuleDefinitionId, moduleDefinition.SiteId) != null)
|
||||
{
|
||||
_moduleDefinitions.UpdateModuleDefinition(moduleDefinition);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.ModuleDefinition, moduleDefinition.ModuleDefinitionId, SyncEventActions.Update);
|
||||
|
||||
@ -179,7 +179,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Roles = RoleNames.Registered)]
|
||||
public Notification Put(int id, [FromBody] Notification notification)
|
||||
{
|
||||
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && _notifications.GetNotification(notification.NotificationId, false) != null && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)))
|
||||
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)))
|
||||
{
|
||||
notification = _notifications.UpdateNotification(notification);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Notification, notification.NotificationId, SyncEventActions.Update);
|
||||
|
||||
@ -269,7 +269,7 @@ namespace Oqtane.Controllers
|
||||
// get current page
|
||||
var currentPage = _pages.GetPage(page.PageId, false);
|
||||
|
||||
if (ModelState.IsValid && page.SiteId == _alias.SiteId && currentPage != null && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, page.PageId, PermissionNames.Edit))
|
||||
if (ModelState.IsValid && page.SiteId == _alias.SiteId && page.PageId == id && currentPage != null && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, page.PageId, PermissionNames.Edit))
|
||||
{
|
||||
// get current page permissions
|
||||
var currentPermissions = _permissionRepository.GetPermissions(page.SiteId, EntityNames.Page, page.PageId).ToList();
|
||||
|
||||
@ -109,7 +109,7 @@ namespace Oqtane.Controllers
|
||||
public PageModule Put(int id, [FromBody] PageModule pageModule)
|
||||
{
|
||||
var page = _pages.GetPage(pageModule.PageId);
|
||||
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && _pageModules.GetPageModule(pageModule.PageModuleId, false) != null && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, pageModule.PageId, PermissionNames.Edit))
|
||||
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && pageModule.PageModuleId == id && _pageModules.GetPageModule(pageModule.PageModuleId, false) != null && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, pageModule.PageId, PermissionNames.Edit))
|
||||
{
|
||||
pageModule = _pageModules.UpdatePageModule(pageModule);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.PageModule, pageModule.PageModuleId, SyncEventActions.Update);
|
||||
|
||||
@ -94,7 +94,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Policy = $"{EntityNames.Profile}:{PermissionNames.Write}:{RoleNames.Admin}")]
|
||||
public Profile Put(int id, [FromBody] Profile profile)
|
||||
{
|
||||
if (ModelState.IsValid && profile.SiteId == _alias.SiteId && _profiles.GetProfile(profile.ProfileId, false) != null)
|
||||
if (ModelState.IsValid && profile.SiteId == _alias.SiteId && profile.ProfileId == id && _profiles.GetProfile(profile.ProfileId, false) != null)
|
||||
{
|
||||
profile = _profiles.UpdateProfile(profile);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Profile, profile.ProfileId, SyncEventActions.Update);
|
||||
|
||||
@ -98,7 +98,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Policy = $"{EntityNames.Role}:{PermissionNames.Write}:{RoleNames.Admin}")]
|
||||
public Role Put(int id, [FromBody] Role role)
|
||||
{
|
||||
if (ModelState.IsValid && role.SiteId == _alias.SiteId && _roles.GetRole(role.RoleId, false) != null)
|
||||
if (ModelState.IsValid && role.SiteId == _alias.SiteId && role.RoleId == id && _roles.GetRole(role.RoleId, false) != null)
|
||||
{
|
||||
role = _roles.UpdateRole(role);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Role, role.RoleId, SyncEventActions.Update);
|
||||
|
||||
@ -128,7 +128,7 @@ namespace Oqtane.Controllers
|
||||
[HttpPut("{id}")]
|
||||
public Setting Put(int id, [FromBody] Setting setting)
|
||||
{
|
||||
if (ModelState.IsValid && IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.Edit))
|
||||
if (ModelState.IsValid && setting.SettingId == id && IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.Edit))
|
||||
{
|
||||
setting = _settings.UpdateSetting(setting);
|
||||
AddSyncEvent(setting.EntityName, setting.SettingId, SyncEventActions.Update);
|
||||
|
||||
@ -192,7 +192,7 @@ namespace Oqtane.Controllers
|
||||
public Site Put(int id, [FromBody] Site site)
|
||||
{
|
||||
var current = _sites.GetSite(site.SiteId, false);
|
||||
if (ModelState.IsValid && site.SiteId == _alias.SiteId && site.TenantId == _alias.TenantId && current != null)
|
||||
if (ModelState.IsValid && site.SiteId == _alias.SiteId && site.TenantId == _alias.TenantId && site.SiteId == id && current != null)
|
||||
{
|
||||
site = _sites.UpdateSite(site);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, site.SiteId, SyncEventActions.Update);
|
||||
|
||||
@ -71,7 +71,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Roles = RoleNames.Admin)]
|
||||
public void Put(int id, [FromBody] Theme theme)
|
||||
{
|
||||
if (ModelState.IsValid && theme.SiteId == _alias.SiteId && _themes.GetTheme(theme.ThemeId,theme.SiteId) != null)
|
||||
if (ModelState.IsValid && theme.SiteId == _alias.SiteId && theme.ThemeId == id && _themes.GetTheme(theme.ThemeId,theme.SiteId) != null)
|
||||
{
|
||||
_themes.UpdateTheme(theme);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Theme, theme.ThemeId, SyncEventActions.Update);
|
||||
|
||||
@ -118,7 +118,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize(Roles = RoleNames.Admin)]
|
||||
public UrlMapping Put(int id, [FromBody] UrlMapping urlMapping)
|
||||
{
|
||||
if (ModelState.IsValid && urlMapping.SiteId == _alias.SiteId && _urlMappings.GetUrlMapping(urlMapping.UrlMappingId, false) != null)
|
||||
if (ModelState.IsValid && urlMapping.SiteId == _alias.SiteId && urlMapping.UrlMappingId == id && _urlMappings.GetUrlMapping(urlMapping.UrlMappingId, false) != null)
|
||||
{
|
||||
urlMapping = _urlMappings.UpdateUrlMapping(urlMapping);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.UrlMapping, urlMapping.UrlMappingId, SyncEventActions.Update);
|
||||
|
||||
@ -173,7 +173,7 @@ namespace Oqtane.Controllers
|
||||
[Authorize]
|
||||
public async Task<User> Put(int id, [FromBody] User user)
|
||||
{
|
||||
if (ModelState.IsValid && user.SiteId == _tenantManager.GetAlias().SiteId && _users.GetUser(user.UserId, false) != null
|
||||
if (ModelState.IsValid && user.SiteId == _tenantManager.GetAlias().SiteId && user.UserId == id && _users.GetUser(user.UserId, false) != null
|
||||
&& (_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) || User.Identity.Name == user.Username))
|
||||
{
|
||||
user = await _userManager.UpdateUser(user);
|
||||
|
||||
@ -149,7 +149,7 @@ namespace Oqtane.Controllers
|
||||
public UserRole Put(int id, [FromBody] UserRole userRole)
|
||||
{
|
||||
var role = _roles.GetRole(userRole.RoleId);
|
||||
if (ModelState.IsValid && role != null && SiteValid(role.SiteId) && RoleValid(role.Name) && _userRoles.GetUserRole(userRole.UserRoleId, false) != null)
|
||||
if (ModelState.IsValid && role != null && SiteValid(role.SiteId) && RoleValid(role.Name) && userRole.UserRoleId == id && _userRoles.GetUserRole(userRole.UserRoleId, false) != null)
|
||||
{
|
||||
userRole = _userRoles.UpdateUserRole(userRole);
|
||||
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.UserRole, userRole.UserRoleId, SyncEventActions.Update);
|
||||
|
||||
Reference in New Issue
Block a user