Scope permissions by SiteId to support entity level authorization as well as improve caching and performance. Optimize GetTenant to use existing cache.

2022-11-07 18:16:32 -05:00
parent 2aa6eb90e2
commit 6182b96d16
19 changed files with 103 additions and 115 deletions
--- a/Oqtane.Server/Controllers/FileController.cs
+++ b/Oqtane.Server/Controllers/FileController.cs
@ -137,8 +137,8 @@ namespace Oqtane.Controllers
        {
            var File = _files.GetFile(file.FileId, false);
            if (ModelState.IsValid && file.Folder.SiteId == _alias.SiteId && File != null // ensure file exists
-                && _userPermissions.IsAuthorized(User, EntityNames.Folder, File.FolderId, PermissionNames.Edit) // ensure user had edit rights to original folder
-                && _userPermissions.IsAuthorized(User, EntityNames.Folder, file.FolderId, PermissionNames.Edit)) // ensure user has edit rights to new folder
+                && _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, File.FolderId, PermissionNames.Edit) // ensure user had edit rights to original folder
+                && _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, file.FolderId, PermissionNames.Edit)) // ensure user has edit rights to new folder
            {
                if (File.Name != file.Name || File.FolderId != file.FolderId)
                {
@ -180,7 +180,7 @@ namespace Oqtane.Controllers
        public void Delete(int id)
        {
            Models.File file = _files.GetFile(id);
-            if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Folder, file.Folder.FolderId, PermissionNames.Edit))
+            if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, file.Folder.FolderId, PermissionNames.Edit))
            {
                string filepath = _files.GetFilePath(file);
                if (System.IO.File.Exists(filepath))