Merge pull request #5902 from sbwalker/dev

handle case sensitivity for entity names and permission names
This commit is contained in:
Shaun Walker
2025-12-19 10:56:32 -05:00
committed by GitHub


@ -90,7 +90,7 @@ namespace Oqtane.Controllers
else
{
// suppress unauthorized visitor logging as it is usually caused by clients that do not support cookies or private browsing sessions
if (entityName != EntityNames.Visitor)
if (FormatName(entityName) != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings For EntityName {EntityName} And EntityId {EntityId}", entityName, entityId);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
@ -114,7 +114,7 @@ namespace Oqtane.Controllers
}
else
{
if (setting != null && entityName != EntityNames.Visitor)
if (setting != null && FormatName(entityName) != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access SettingId {SettingId} For EntityName {EntityName} ", id, entityName);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
@ -139,7 +139,7 @@ namespace Oqtane.Controllers
}
else
{
if (setting.EntityName != EntityNames.Visitor)
if (FormatName(setting.EntityName) != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
@ -161,7 +161,7 @@ namespace Oqtane.Controllers
}
else
{
if (setting.EntityName != EntityNames.Visitor)
if (FormatName(setting.EntityName) != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
@ -261,7 +261,7 @@ namespace Oqtane.Controllers
}
else
{
if (entityName != EntityNames.Visitor)
if (FormatName(entityName) != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "Setting Does Not Exist Or User Not Authorized To Delete Setting For EntityName {EntityName} EntityId {EntityId} SettingName {SettingName}", entityName, entityId, settingName);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
@ -282,7 +282,7 @@ namespace Oqtane.Controllers
}
else
{
if (entityName != EntityNames.Visitor)
if (FormatName(entityName) != EntityNames.Visitor)
{
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "Setting Does Not Exist Or User Not Authorized To Delete Setting For SettingId {SettingId} For EntityName {EntityName} ", id, entityName);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
@ -408,19 +408,21 @@ namespace Oqtane.Controllers
private bool IsAuthorized(string entityName, int entityId, string permissionName)
{
bool authorized = false;
if (entityName == EntityNames.PageModule)
{
entityName = EntityNames.Module;
entityId = _pageModules.GetPageModule(entityId).ModuleId;
}
switch (entityName)
switch (FormatName(entityName))
{
case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
case EntityNames.Host:
case EntityNames.Job:
case EntityNames.Theme:
if (permissionName == PermissionNames.Edit)
if (FormatName(permissionName) == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Host);
}
@ -431,7 +433,7 @@ namespace Oqtane.Controllers
break;
case EntityNames.Site:
case EntityNames.Role:
if (permissionName == PermissionNames.Edit)
if (FormatName(permissionName) == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Admin);
}
@ -458,7 +460,7 @@ namespace Oqtane.Controllers
break;
default: // custom entity
authorized = true;
if (permissionName == PermissionNames.Edit)
if (FormatName(permissionName) == PermissionNames.Edit)
{
if (entityId == -1)
{
@ -477,7 +479,7 @@ namespace Oqtane.Controllers
private bool FilterPrivate(string entityName, int entityId)
{
bool filter = false;
switch (entityName)
switch (FormatName(entityName))
{
case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
@ -526,9 +528,9 @@ namespace Oqtane.Controllers
private void AddSyncEvent(string EntityName, int EntityId, int SettingId, string Action)
{
_syncManager.AddSyncEvent(_alias, EntityName + "Setting", SettingId, Action);
_syncManager.AddSyncEvent(_alias, FormatName(EntityName) + "Setting", SettingId, Action);
switch (EntityName)
switch (FormatName(EntityName))
{
case EntityNames.Module:
case EntityNames.Page:
@ -540,5 +542,15 @@ namespace Oqtane.Controllers
break;
}
}
private string FormatName(string name)
{
if (!string.IsNullOrEmpty(name))
{
// entity names and permission names are case sensitive
name = name.Substring(0, 1).ToUpper() + name.Substring(1).ToLower();
}
return name;
}
}
}
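Review bot: FormatName lowercases everything after the first character (`name.Substring(0, 1).ToUpper() + name.Substring(1).ToLower()`), so if the multi-word constants such as EntityNames.ModuleDefinition and EntityNames.PageModule are PascalCase strings as their identifiers suggest, `FormatName("ModuleDefinition")` yields "Moduledefinition", the `case EntityNames.ModuleDefinition:` labels in IsAuthorized and FilterPrivate can never match, and those settings drop into the `default: // custom entity` branch where `authorized = true` for non-Edit permissions. The `ToUpper()`/`ToLower()` calls are also culture-sensitive (under tr-TR "SITE" normalises to "Sıte"), which has the same fall-through effect, and the `if (entityName == EntityNames.PageModule)` check at the top of IsAuthorized is still an exact comparison, so it should become `if (FormatName(entityName) == EntityNames.PageModule)` for a lowercase "pagemodule" to be remapped to Module. A safer normalisation is a case-insensitive lookup that returns the canonical constant for reserved names and leaves custom names untouched, as below; a name missing from the table simply keeps its pre-commit exact-match behaviour. IsAuthorized and FilterPrivate begin and end outside their hunks, so the switch bodies were only partly reviewed.

```csharp
// Canonical spellings of the reserved names; the lookup is case-insensitive so
// "site", "SITE" and "moduledefinition" all resolve to the constant used in the
// switch cases, while multi-word names keep their inner capitals.
// NOTE(review): add any further reserved entity names this controller switches on.
private static readonly Dictionary<string, string> s_canonicalNames = new(StringComparer.OrdinalIgnoreCase)
{
    [EntityNames.Tenant] = EntityNames.Tenant,
    [EntityNames.ModuleDefinition] = EntityNames.ModuleDefinition,
    [EntityNames.Host] = EntityNames.Host,
    [EntityNames.Job] = EntityNames.Job,
    [EntityNames.Theme] = EntityNames.Theme,
    [EntityNames.Site] = EntityNames.Site,
    [EntityNames.Role] = EntityNames.Role,
    [EntityNames.Module] = EntityNames.Module,
    [EntityNames.Page] = EntityNames.Page,
    [EntityNames.PageModule] = EntityNames.PageModule,
    [EntityNames.Visitor] = EntityNames.Visitor,
    [PermissionNames.Edit] = PermissionNames.Edit,
};

// Returns the canonical spelling of a reserved entity or permission name
// (matched case-insensitively); custom names are returned unchanged so they
// still reach the "custom entity" default case exactly as before this change.
private string FormatName(string name)
{
    if (string.IsNullOrEmpty(name))
    {
        return name;
    }
    return s_canonicalNames.TryGetValue(name, out var canonical) ? canonical : name;
}
```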