Merge pull request #5201 from sbwalker/dev

include external login support for host role
2025-03-26 17:11:52 -04:00 · 2025-03-26 17:11:52 -04:00 · 1770c1ee11
commit 1770c1ee11
parent f0c27c83f1 a57fbea0cc
3 changed files with 24 additions and 2 deletions
--- a/Oqtane.Client/Modules/Admin/Users/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Users/Index.razor
@ -421,6 +421,18 @@ else
                                    </select>
                                </div>
                            </div>
+                            @if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
+                            {
+                                <div class="row mb-1 align-items-center">
+                                    <Label Class="col-sm-3" For="allowhostrole" HelpText="Indicate if host roles are supported from the identity provider. Please use caution with this option as it allows the host user to administrate every site within your installation." ResourceKey="AllowHostRole">Allow Host Role?</Label>
+                                    <div class="col-sm-9">
+                                        <select id="allowhostrole" class="form-select" @bind="@_allowhostrole" required>
+                                            <option value="true">@SharedLocalizer["Yes"]</option>
+                                            <option value="false">@SharedLocalizer["No"]</option>
+                                        </select>
+                                    </div>
+                                </div>
+                            }
                        }
                    </Section>
                    <Section Name="Token" Heading="Token Settings" ResourceKey="TokenSettings">
@ -520,6 +532,7 @@ else
    private string _domainfilter;
    private string _createusers;
    private string _verifyusers;
+    private string _allowhostrole;

    private string _secret;
    private string _secrettype = "password";
@ -602,6 +615,7 @@ else
        _domainfilter = SettingService.GetSetting(settings, "ExternalLogin:DomainFilter", "");
        _createusers = SettingService.GetSetting(settings, "ExternalLogin:CreateUsers", "true");
        _verifyusers = SettingService.GetSetting(settings, "ExternalLogin:VerifyUsers", "true");
+        _allowhostrole = SettingService.GetSetting(settings, "ExternalLogin:AllowHostRole", "false");
    }

    private async Task LoadUsersAsync(bool load)
@ -705,6 +719,7 @@ else
                settings = SettingService.SetSetting(settings, "ExternalLogin:DomainFilter", _domainfilter, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:CreateUsers", _createusers, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:VerifyUsers", _verifyusers, true);
+                settings = SettingService.SetSetting(settings, "ExternalLogin:AllowHostRole", _allowhostrole, true);

                settings = SettingService.SetSetting(settings, "JwtOptions:Secret", _secret, true);
                settings = SettingService.SetSetting(settings, "JwtOptions:Issuer", _issuer, true);
--- a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
+++ b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
@ -513,4 +513,10 @@
  <data name="LogoutEverywhere.HelpText" xml:space="preserve">
    <value>Do you want users to be logged out of every active session on any device, or only their current session?</value>
  </data>
+  <data name="AllowHostRole.Text" xml:space="preserve">
+    <value>Allow Host Role?</value>
+  </data>
+  <data name="AllowHostRole.HelpText" xml:space="preserve">
+    <value>Indicate if host roles are supported from the identity provider. Please use caution with this option as it allows the host user to administrate every site within your installation.</value>
+  </data>
 </root>
--- a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
+++ b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
@ -532,8 +532,9 @@ namespace Oqtane.Extensions
                        // external roles
                        if (claimsPrincipal.Claims.Any(item => item.Type == httpContext.GetSiteSettings().GetValue("ExternalLogin:RoleClaimType", "")))
                        {
-                            var _roles = httpContext.RequestServices.GetRequiredService<IRoleRepository>();                            
-                            var roles = _roles.GetRoles(user.SiteId).ToList(); // global roles excluded ie. host users cannot be added/deleted
+                            var _roles = httpContext.RequestServices.GetRequiredService<IRoleRepository>();
+                            var allowhostrole = bool.Parse(httpContext.GetSiteSettings().GetValue("ExternalLogin:AllowHostRole", "false"));
+                            var roles = _roles.GetRoles(user.SiteId, allowhostrole).ToList();

                            var mappings = httpContext.GetSiteSettings().GetValue("ExternalLogin:RoleClaimMappings", "").Split(',');
                            foreach (var claim in claimsPrincipal.Claims.Where(item => item.Type == httpContext.GetSiteSettings().GetValue("ExternalLogin:RoleClaimType", "")))