Scope permissions by SiteId to support entity level authorization as well as improve caching and performance. Optimize GetTenant to use existing cache.

2022-11-07 18:16:32 -05:00
parent 2aa6eb90e2
commit 6182b96d16
19 changed files with 103 additions and 115 deletions
--- a/Oqtane.Server/Controllers/ModuleController.cs
+++ b/Oqtane.Server/Controllers/ModuleController.cs
@ -121,7 +121,7 @@ namespace Oqtane.Controllers
        [Authorize(Roles = RoleNames.Registered)]
        public Module Post([FromBody] Module module)
        {
-            if (ModelState.IsValid && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, module.PageId, PermissionNames.Edit))
+            if (ModelState.IsValid && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Page, module.PageId, PermissionNames.Edit))
            {
                module = _modules.AddModule(module);
                _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Module, module.ModuleId, SyncEventActions.Create);
@ -144,7 +144,7 @@ namespace Oqtane.Controllers
        {
            var _module = _modules.GetModule(module.ModuleId, false);

-            if (ModelState.IsValid && module.SiteId == _alias.SiteId && _module != null && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
+            if (ModelState.IsValid && module.SiteId == _alias.SiteId && _module != null && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
            {
                module = _modules.UpdateModule(module);

@ -194,7 +194,7 @@ namespace Oqtane.Controllers
        public void Delete(int id)
        {
            var module = _modules.GetModule(id);
-            if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
+            if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
            {
                _modules.DeleteModule(id);
                _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Module, module.ModuleId, SyncEventActions.Delete);
@ -215,7 +215,7 @@ namespace Oqtane.Controllers
        {
            string content = "";
            var module = _modules.GetModule(moduleid);
-            if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
+            if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Page, pageid, PermissionNames.Edit))
            {
                content = _modules.ExportModule(moduleid);
                if (!string.IsNullOrEmpty(content))
@ -242,7 +242,7 @@ namespace Oqtane.Controllers
        {
            bool success = false;
            var module = _modules.GetModule(moduleid);
-            if (ModelState.IsValid && module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
+            if (ModelState.IsValid && module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Page, pageid, PermissionNames.Edit))
            {
                success = _modules.ImportModule(moduleid, content);
                if (success)