Merge pull request #5408 from sbwalker/dev

improve user experience of permissions grid
2025-07-22 16:12:48 -04:00
parent 3d08138686 83ba9ca73e
commit 397e0b3f71
4 changed files with 263 additions and 255 deletions
--- a/Oqtane.Client/Modules/Controls/PermissionGrid.razor
+++ b/Oqtane.Client/Modules/Controls/PermissionGrid.razor
@ -28,7 +28,7 @@
                                @foreach (var permissionname in _permissionnames)
                                {
                                    <td style="text-align: center;">
-									<TriStateCheckBox Value=@GetPermissionValue(permissionname, role.Name, -1) Disabled="@GetPermissionDisabled(permissionname, role.Name)" OnChange="@(e => PermissionChanged(e, permissionname, role.Name, -1))" />
+                                        <TriStateCheckBox Value="@GetPermissionValue(permissionname, role.Name, -1)" Disabled="@GetPermissionDisabled(permissionname, role.Name)" OnChange="@(e => PermissionChanged(e, permissionname, role.Name, -1))" />
                                    </td>
                                }
                            </tr>
@ -64,7 +64,7 @@
                                    @foreach (var permissionname in _permissionnames)
                                    {
                                        <td style="text-align: center; width: 1px;">
-										<TriStateCheckBox Value=@GetPermissionValue(permissionname, "", user.UserId) Disabled="@GetPermissionDisabled(permissionname, "")" OnChange="@(e => PermissionChanged(e, permissionname, "", user.UserId))" />
+                                            <TriStateCheckBox Value="@GetPermissionValue(permissionname, "", user.UserId)" Disabled="@GetPermissionDisabled(permissionname, "")" OnChange="@(e => PermissionChanged(e, permissionname, "", user.UserId))" />
                                        </td>
                                    }
                                </tr>
@ -119,10 +119,7 @@
        }

        _roles = await RoleService.GetRolesAsync(ModuleState.SiteId, true);
-		if (!UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
-		{
-			_roles.RemoveAll(item => item.Name == RoleNames.Host);
-		}
+        _roles.RemoveAll(item => item.Name == RoleNames.Host); // remove host role

        // get permission names
        if (string.IsNullOrEmpty(PermissionNames))
@ -222,24 +219,24 @@

    private bool GetPermissionDisabled(string permissionName, string roleName)
    {
+        var disabled = false;
+
+        // administrator role permissions can only be changed by a host
        if (roleName == RoleNames.Admin && !UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
        {
-			return true;
-		}
-		else
-		{
-			if (GetEntityName(permissionName) != EntityName && !UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
-			{
-				return true;
-			}
-			else
-			{
-				return false;
-			}
-		}
+            disabled = true;
        }

-	private void PermissionChanged(bool? value, string permissionName, string roleName, int userId)
+        // API permissions can only be changed by an administrator
+        if (GetEntityName(permissionName) != EntityName && !UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
+        {
+            disabled = true;
+        }
+
+        return disabled;
+    }
+
+    private bool? PermissionChanged(bool? value, string permissionName, string roleName, int userId)
    {
        if (roleName != "")
        {
@ -248,6 +245,14 @@
            {
                _permissions.Remove(permission);
            }
+
+            // system roles cannot be denied - only custom roles can be denied
+            var role = _roles.FirstOrDefault(item => item.Name == roleName);
+            if (value != null && !value.Value && role.IsSystem)
+            {
+                value = null;
+            }
+
            if (value != null)
            {
                _permissions.Add(new Permission(ModuleState.SiteId, GetEntityName(permissionName), GetPermissionName(permissionName), roleName, null, value.Value));
@ -265,6 +270,7 @@
                _permissions.Add(new Permission(ModuleState.SiteId, GetEntityName(permissionName), GetPermissionName(permissionName), null, userId, value.Value));
            }
        }
+        return value;
    }

 	private async Task<Dictionary<string, string>> GetUsers(string filter)
@ -305,29 +311,20 @@

 	private void ValidatePermissions()
 	{
-		// remove deny all users, unauthenticated, and registered users
-		var permissions = _permissions.Where(item => !item.IsAuthorized && 
-			(item.RoleName == RoleNames.Everyone || item.RoleName == RoleNames.Unauthenticated || item.RoleName == RoleNames.Registered)).ToList();
-		foreach (var permission in permissions)
-		{
-			_permissions.Remove(permission);
-		}
 		if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
 		{
-			// remove deny administrators and host users
-			permissions = _permissions.Where(item => !item.IsAuthorized &&
-				(item.RoleName == RoleNames.Admin || item.RoleName == RoleNames.Host)).ToList();
+            // remove host role permissions
+            var permissions = _permissions.Where(item => item.RoleName == RoleNames.Host).ToList();
            foreach (var permission in permissions)
            {
            	_permissions.Remove(permission);
            }
+            // add host role permissions if administrator role is not assigned (to prevent lockout)
            foreach (var permissionname in _permissionnames)
 			{
-				// add administrators role if neither host or administrator is assigned
-				if (!_permissions.Any(item => item.EntityName == GetEntityName(permissionname) && item.PermissionName == GetPermissionName(permissionname) &&
-					(item.RoleName == RoleNames.Admin || item.RoleName == RoleNames.Host)))
+				if (!_permissions.Any(item => item.EntityName == GetEntityName(permissionname) && item.PermissionName == GetPermissionName(permissionname) && item.RoleName == RoleNames.Admin))
 				{
-					_permissions.Add(new Permission(ModuleState.SiteId, GetEntityName(permissionname), GetPermissionName(permissionname), RoleNames.Admin, null, true));
+					_permissions.Add(new Permission(ModuleState.SiteId, GetEntityName(permissionname), GetPermissionName(permissionname), RoleNames.Host, null, true));
 				}
 			}
 		}
--- a/Oqtane.Client/Modules/Controls/TriStateCheckBox.razor
+++ b/Oqtane.Client/Modules/Controls/TriStateCheckBox.razor
@ -16,7 +16,7 @@
    public bool Disabled { get; set; }

    [Parameter]
-    public Action<bool?> OnChange { get; set; }
+    public Func<bool?, bool?> OnChange { get; set; }

    protected override void OnInitialized()
    {
@ -41,12 +41,14 @@
                    break;
            }

+            _value = OnChange(_value);
            SetImage();
-            OnChange(_value);
        }
    }

    private void SetImage()
+    {
+        if (!Disabled)
        {
            switch (_value)
            {
@ -63,6 +65,12 @@
                    _title = string.Empty;
                    break;
            }
+        }
+        else
+        {
+            _src = "images/disabled.png";
+            _title = Localizer["PermissionDisabled"];
+        }

        StateHasChanged();
    }
--- a/Oqtane.Client/Resources/Modules/Controls/TriStateCheckBox.resx
+++ b/Oqtane.Client/Resources/Modules/Controls/TriStateCheckBox.resx
@ -123,4 +123,7 @@
  <data name="PermissionDenied" xml:space="preserve">
    <value>Permission Denied</value>
  </data>
+  <data name="PermissionDisabled" xml:space="preserve">
+    <value>Permission Disabled</value>
+  </data>
 </root>
--- a/Oqtane.Server/wwwroot/images/disabled.png
+++ b/Oqtane.Server/wwwroot/images/disabled.png