Permission-based authorization utilizing Policies

Oqtane.Server/Modules/HtmlText/Controllers/HtmlTextController.cs

@@ -1,8 +1,8 @@
-using System.Collections.Generic;
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
 using Oqtane.Shared.Modules.HtmlText.Models;
 using Oqtane.Server.Modules.HtmlText.Repository;
+using Microsoft.AspNetCore.Http;
 
 namespace Oqtane.Server.Modules.HtmlText.Controllers
 {
@@ -10,25 +10,36 @@ namespace Oqtane.Server.Modules.HtmlText.Controllers
     public class HtmlTextController : Controller
     {
         private IHtmlTextRepository htmltext;
+        private int EntityId = -1; // passed as a querystring parameter for authorization and used for validation
 
-        public HtmlTextController(IHtmlTextRepository HtmlText)
+        public HtmlTextController(IHtmlTextRepository HtmlText, IHttpContextAccessor HttpContextAccessor)
         {
             htmltext = HtmlText;
+            if (HttpContextAccessor.HttpContext.Request.Query.ContainsKey("entityid"))
+            {
+                EntityId = int.Parse(HttpContextAccessor.HttpContext.Request.Query["entityid"]);
+            }
         }
 
         // GET api/<controller>/5
         [HttpGet("{id}")]
+        [Authorize(Policy = "ViewModule")]
         public HtmlTextInfo Get(int id)
         {
-            return htmltext.GetHtmlText(id);
+            HtmlTextInfo HtmlText = null;
+            if (EntityId == id)
+            {
+               HtmlText = htmltext.GetHtmlText(id);
+            }
+            return HtmlText;
         }
 
         // POST api/<controller>
         [HttpPost]
-        [Authorize]
+        [Authorize(Policy = "EditModule")]
         public HtmlTextInfo Post([FromBody] HtmlTextInfo HtmlText)
         {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && HtmlText.ModuleId == EntityId)
             {
                 HtmlText = htmltext.AddHtmlText(HtmlText);
             }
@@ -37,10 +48,10 @@ namespace Oqtane.Server.Modules.HtmlText.Controllers
 
         // PUT api/<controller>/5
         [HttpPut("{id}")]
-        [Authorize]
+        [Authorize(Policy = "EditModule")]
         public HtmlTextInfo Put(int id, [FromBody] HtmlTextInfo HtmlText)
         {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && HtmlText.ModuleId == EntityId)
             {
                 HtmlText = htmltext.UpdateHtmlText(HtmlText);
             }
@@ -49,10 +60,13 @@ namespace Oqtane.Server.Modules.HtmlText.Controllers
 
         // DELETE api/<controller>/5
         [HttpDelete("{id}")]
-        [Authorize]
+        [Authorize(Policy = "EditModule")]
         public void Delete(int id)
         {
-            htmltext.DeleteHtmlText(id);
+            if (id == EntityId)
+            {
+                htmltext.DeleteHtmlText(id);
+            }
         }
     }
 }

Oqtane.Server/Modules/HtmlText/Repository/HtmlTextRepository.cs

@@ -56,11 +56,11 @@ namespace Oqtane.Server.Modules.HtmlText.Repository
             }
         }
 
-        public void DeleteHtmlText(int HtmlTextId)
+        public void DeleteHtmlText(int ModuleId)
         {
             try
             {
-                HtmlTextInfo HtmlText = db.HtmlText.Find(HtmlTextId);
+                HtmlTextInfo HtmlText = db.HtmlText.Where(item => item.ModuleId == ModuleId).FirstOrDefault();
                 db.HtmlText.Remove(HtmlText);
                 db.SaveChanges();
             }

Oqtane.Server/Modules/HtmlText/Repository/IHtmlTextRepository.cs

@@ -8,6 +8,6 @@ namespace Oqtane.Server.Modules.HtmlText.Repository
         HtmlTextInfo GetHtmlText(int ModuleId);
         HtmlTextInfo AddHtmlText(HtmlTextInfo HtmlText);
         HtmlTextInfo UpdateHtmlText(HtmlTextInfo HtmlText);
-        void DeleteHtmlText(int HtmlTextId);
+        void DeleteHtmlText(int ModuleId);
     }
 }