Permission-based authorization utilizing Policies

2019-08-27 17:14:41 -04:00
parent f037898c6e
commit 3ce7f1a227
54 changed files with 1104 additions and 388 deletions
--- a/Oqtane.Server/Modules/HtmlText/Controllers/HtmlTextController.cs
+++ b/Oqtane.Server/Modules/HtmlText/Controllers/HtmlTextController.cs
@ -1,8 +1,8 @@
-using System.Collections.Generic;
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
 using Oqtane.Shared.Modules.HtmlText.Models;
 using Oqtane.Server.Modules.HtmlText.Repository;
+using Microsoft.AspNetCore.Http;

 namespace Oqtane.Server.Modules.HtmlText.Controllers
 {
@ -10,25 +10,36 @@ namespace Oqtane.Server.Modules.HtmlText.Controllers
    public class HtmlTextController : Controller
    {
        private IHtmlTextRepository htmltext;
+        private int EntityId = -1; // passed as a querystring parameter for authorization and used for validation

-        public HtmlTextController(IHtmlTextRepository HtmlText)
+        public HtmlTextController(IHtmlTextRepository HtmlText, IHttpContextAccessor HttpContextAccessor)
        {
            htmltext = HtmlText;
+            if (HttpContextAccessor.HttpContext.Request.Query.ContainsKey("entityid"))
+            {
+                EntityId = int.Parse(HttpContextAccessor.HttpContext.Request.Query["entityid"]);
+            }
        }

        // GET api/<controller>/5
        [HttpGet("{id}")]
+        [Authorize(Policy = "ViewModule")]
        public HtmlTextInfo Get(int id)
        {
-            return htmltext.GetHtmlText(id);
+            HtmlTextInfo HtmlText = null;
+            if (EntityId == id)
+            {
+               HtmlText = htmltext.GetHtmlText(id);
+            }
+            return HtmlText;
        }

        // POST api/<controller>
        [HttpPost]
-        [Authorize]
+        [Authorize(Policy = "EditModule")]
        public HtmlTextInfo Post([FromBody] HtmlTextInfo HtmlText)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && HtmlText.ModuleId == EntityId)
            {
                HtmlText = htmltext.AddHtmlText(HtmlText);
            }
@ -37,10 +48,10 @@ namespace Oqtane.Server.Modules.HtmlText.Controllers

        // PUT api/<controller>/5
        [HttpPut("{id}")]
-        [Authorize]
+        [Authorize(Policy = "EditModule")]
        public HtmlTextInfo Put(int id, [FromBody] HtmlTextInfo HtmlText)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && HtmlText.ModuleId == EntityId)
            {
                HtmlText = htmltext.UpdateHtmlText(HtmlText);
            }
@ -49,10 +60,13 @@ namespace Oqtane.Server.Modules.HtmlText.Controllers

        // DELETE api/<controller>/5
        [HttpDelete("{id}")]
-        [Authorize]
+        [Authorize(Policy = "EditModule")]
        public void Delete(int id)
        {
-            htmltext.DeleteHtmlText(id);
+            if (id == EntityId)
+            {
+                htmltext.DeleteHtmlText(id);
+            }
        }
    }
 }