Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Add support for IsPublic to all Setting types, enable Url Mapping for internal links

Browse Source
This commit is contained in:
Shaun Walker
2021-12-18 10:35:22 -05:00
parent e22606ae79
commit 6a2ff369ea
15 changed files with 329 additions and 259 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Oqtane.Server/Controllers/ModuleController.cs
View File

@ -75,6 +75,7 @@ namespace Oqtane.Controllers
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
module.Settings = settings.Where(item => item.EntityId == pagemodule.ModuleId)
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, pagemodule.Module.Permissions))
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
modules.Add(module);
@ -101,7 +102,8 @@ namespace Oqtane.Controllers
List<ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(module.SiteId).ToList();
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
module.Settings = _settings.GetSettings(EntityNames.Module, id)
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, module.Permissions))
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
return module;
}
else

28
Oqtane.Server/Controllers/PageController.cs
View File

@ -57,6 +57,7 @@ namespace Oqtane.Controllers
if (_userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
{
page.Settings = settings.Where(item => item.EntityId == page.PageId)
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, page.Permissions))
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
pages.Add(page);
}
@ -85,15 +86,16 @@ namespace Oqtane.Controllers
{
page = _pages.GetPage(id, int.Parse(userid));
}
if (_userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions))
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions))
{
page.Settings = _settings.GetSettings(EntityNames.Page, page.PageId)
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, page.Permissions))
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
return page;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Page}", page);
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {PageId} {UserId}", id, userid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
@ -104,24 +106,16 @@ namespace Oqtane.Controllers
public Page Get(string path, int siteid)
{
Page page = _pages.GetPage(WebUtility.UrlDecode(path), siteid);
if (page != null && page.SiteId == _alias.SiteId)
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
{
if (_userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions))
{
page.Settings = _settings.GetSettings(EntityNames.Page, page.PageId)
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
return page;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Page}", page);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
page.Settings = _settings.GetSettings(EntityNames.Page, page.PageId)
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, page.Permissions))
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
return page;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Path} for Site {SiteId}", path, siteid);
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {SiteId} {Path}", siteid, path);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}

105
Oqtane.Server/Controllers/SettingController.cs
View File

@ -20,6 +20,7 @@ namespace Oqtane.Controllers
private readonly ISyncManager _syncManager;
private readonly ILogManager _logger;
private readonly Alias _alias;
private readonly string _visitorCookie;
public SettingController(ISettingRepository settings, IPageModuleRepository pageModules, IUserPermissions userPermissions, ITenantManager tenantManager, ISyncManager syncManager, ILogManager logger)
{
@ -29,39 +30,25 @@ namespace Oqtane.Controllers
_syncManager = syncManager;
_logger = logger;
_alias = tenantManager.GetAlias();
_visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
}
// GET: api/<controller>
[HttpGet]
public IEnumerable<Setting> Get(string entityName, int entityid)
public IEnumerable<Setting> Get(string entityName, int entityId)
{
List<Setting> settings = new List<Setting>();
if (IsAuthorized(entityName, entityid, PermissionNames.View))
if (IsAuthorized(entityName, entityId, PermissionNames.View))
{
settings = _settings.GetSettings(entityName, entityid).ToList();
// ispublic filter
switch (entityName)
settings = _settings.GetSettings(entityName, entityId).ToList();
if (FilterPublic(entityName, entityId))
{
case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
case EntityNames.Host:
if (!User.IsInRole(RoleNames.Host))
{
settings = settings.Where(item => item.IsPublic).ToList();
}
break;
case EntityNames.Site:
if (!User.IsInRole(RoleNames.Admin))
{
settings = settings.Where(item => item.IsPublic).ToList();
}
break;
settings = settings.Where(item => item.IsPublic).ToList();
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityid);
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
return settings;
@ -74,30 +61,15 @@ namespace Oqtane.Controllers
Setting setting = _settings.GetSetting(entityName, id);
if (IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.View))
{
// ispublic filter
switch (entityName)
if (FilterPublic(entityName, id) && !setting.IsPublic)
{
case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
case EntityNames.Host:
if (!User.IsInRole(RoleNames.Host) && !setting.IsPublic)
{
setting = null;
}
break;
case EntityNames.Site:
if (!User.IsInRole(RoleNames.Admin) && !setting.IsPublic)
{
setting = null;
}
break;
setting = null;
}
return setting;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {Setting}", setting);
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
@ -204,20 +176,67 @@ namespace Oqtane.Controllers
}
break;
case EntityNames.Visitor:
var visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
if (int.TryParse(Request.Cookies[visitorCookie], out int visitorId))
authorized = User.IsInRole(RoleNames.Admin);
if (!authorized)
{
authorized = (visitorId == entityId);
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
{
authorized = (visitorId == entityId);
}
}
break;
default: // custom entity
if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Admin);
}
else
{
authorized = User.IsInRole(RoleNames.Admin);
authorized = true;
}
break;
}
return authorized;
}
private bool FilterPublic(string entityName, int entityId)
{
bool filter = false;
switch (entityName)
{
case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
case EntityNames.Host:
filter = !User.IsInRole(RoleNames.Host);
break;
case EntityNames.Site:
filter = !User.IsInRole(RoleNames.Admin);
break;
case EntityNames.Page:
case EntityNames.Module:
case EntityNames.Folder:
filter = !_userPermissions.IsAuthorized(User, entityName, entityId, PermissionNames.Edit);
break;
case EntityNames.User:
filter = !User.IsInRole(RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
break;
case EntityNames.Visitor:
if (!User.IsInRole(RoleNames.Admin))
{
filter = true;
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
{
filter = (visitorId != entityId);
}
}
break;
default: // custom entity
filter = !User.IsInRole(RoleNames.Admin);
break;
}
return filter;
}
private void AddSyncEvent(string EntityName)
{
switch (EntityName)

9
Oqtane.Server/Controllers/SiteController.cs
View File

@ -44,12 +44,9 @@ namespace Oqtane.Controllers
var site = _sites.GetSite(id);
if (site.SiteId == _alias.SiteId)
{
var settings = _settings.GetSettings(EntityNames.Site, site.SiteId);
if (!User.IsInRole(RoleNames.Admin))
{
settings = settings.Where(item => item.IsPublic);
}
site.Settings = settings.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
site.Settings = _settings.GetSettings(EntityNames.Site, site.SiteId)
.Where(item => item.IsPublic || User.IsInRole(RoleNames.Admin))
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
return site;
}
else

19
Oqtane.Server/Controllers/UrlMappingController.cs
View File

@ -48,7 +48,7 @@ namespace Oqtane.Controllers
public UrlMapping Get(int id)
{
var urlMapping = _urlMappings.GetUrlMapping(id);
if (urlMapping != null && (urlMapping.SiteId == _alias.SiteId))
if (urlMapping != null && urlMapping.SiteId == _alias.SiteId)
{
return urlMapping;
}
@ -60,6 +60,23 @@ namespace Oqtane.Controllers
}
}
// GET api/<controller>/url/x?url=y
[HttpGet("url/{siteid}")]
public UrlMapping Get(int siteid, string url)
{
var urlMapping = _urlMappings.GetUrlMapping(siteid, WebUtility.UrlDecode(url));
if (urlMapping != null && urlMapping.SiteId == _alias.SiteId)
{
return urlMapping;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UrlMapping Get Attempt {SiteId} {Url}", siteid, url);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// POST api/<controller>
[HttpPost]
[Authorize(Roles = RoleNames.Admin)]

15
Oqtane.Server/Controllers/VisitorController.cs
View File

@ -47,15 +47,14 @@ namespace Oqtane.Controllers
[HttpGet("{id}")]
public Visitor Get(int id)
{
bool authorized;
var visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
if (int.TryParse(Request.Cookies[visitorCookie], out int visitorId))
bool authorized = User.IsInRole(RoleNames.Admin);
if (!authorized)
{
authorized = (visitorId == id);
}
else
{
authorized = User.IsInRole(RoleNames.Admin);
var visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
if (int.TryParse(Request.Cookies[visitorCookie], out int visitorId))
{
authorized = (visitorId == id);
}
}
var visitor = _visitors.GetVisitor(id);

30
Oqtane.Server/Migrations/Tenant/03000201_UpdateSettingIsPublic.cs Normal file
View File

@ -0,0 +1,30 @@
using Microsoft.EntityFrameworkCore.Infrastructure;
using Microsoft.EntityFrameworkCore.Migrations;
using Oqtane.Databases.Interfaces;
using Oqtane.Migrations.EntityBuilders;
using Oqtane.Repository;
using Oqtane.Shared;
namespace Oqtane.Migrations.Tenant
{
[DbContext(typeof(TenantDBContext))]
[Migration("Tenant.03.00.02.01")]
public class UpdateSettingIsPublic : MultiDatabaseMigration
{
public UpdateSettingIsPublic(IDatabase database) : base(database)
{
}
protected override void Up(MigrationBuilder migrationBuilder)
{
var settingEntityBuilder = new SettingEntityBuilder(migrationBuilder, ActiveDatabase);
settingEntityBuilder.UpdateColumn("IsPublic", "1", "bool", "SettingName NOT LIKE 'SMTP%'");
}
protected override void Down(MigrationBuilder migrationBuilder)
{
var settingEntityBuilder = new SettingEntityBuilder(migrationBuilder, ActiveDatabase);
settingEntityBuilder.UpdateColumn("IsPublic", "0", "bool", "SettingName NOT LIKE 'SMTP%'");
}
}
}

25
Oqtane.Server/Pages/_Host.cshtml.cs
View File

@ -130,30 +130,9 @@ namespace Oqtane.Pages
// page does not exist
var url = route.SiteUrl + "/" + route.PagePath;
var urlMapping = _urlMappings.GetUrlMapping(site.SiteId, url);
if (urlMapping == null)
if (urlMapping != null && !string.IsNullOrEmpty(urlMapping.MappedUrl))
{
if (site.CaptureBrokenUrls)
{
urlMapping = new UrlMapping();
urlMapping.SiteId = site.SiteId;
urlMapping.Url = url;
urlMapping.MappedUrl = "";
urlMapping.Requests = 1;
urlMapping.CreatedOn = DateTime.UtcNow;
urlMapping.RequestedOn = DateTime.UtcNow;
_urlMappings.AddUrlMapping(urlMapping);
}
}
else
{
urlMapping.Requests += 1;
urlMapping.RequestedOn = DateTime.UtcNow;
_urlMappings.UpdateUrlMapping(urlMapping);
if (!string.IsNullOrEmpty(urlMapping.MappedUrl))
{
return RedirectPermanent(urlMapping.MappedUrl);
}
return RedirectPermanent(urlMapping.MappedUrl);
}
}
}

30
Oqtane.Server/Repository/UrlMappingRepository.cs
View File

@ -9,12 +9,14 @@ namespace Oqtane.Repository
public class UrlMappingRepository : IUrlMappingRepository
{
private TenantDBContext _db;
private readonly ISiteRepository _sites;
public UrlMappingRepository(TenantDBContext context)
public UrlMappingRepository(TenantDBContext context, ISiteRepository sites)
{
_db = context;
_sites = sites;
}
public IEnumerable<UrlMapping> GetUrlMappings(int siteId, bool isMapped)
{
if (isMapped)
@ -60,7 +62,29 @@ namespace Oqtane.Repository
public UrlMapping GetUrlMapping(int siteId, string url)
{
return _db.UrlMapping.Where(item => item.SiteId == siteId && item.Url == url).FirstOrDefault();
var urlMapping = _db.UrlMapping.Where(item => item.SiteId == siteId && item.Url == url).FirstOrDefault();
if (urlMapping == null)
{
var site = _sites.GetSite(siteId);
if (site.CaptureBrokenUrls)
{
urlMapping = new UrlMapping();
urlMapping.SiteId = siteId;
urlMapping.Url = url;
urlMapping.MappedUrl = "";
urlMapping.Requests = 1;
urlMapping.CreatedOn = DateTime.UtcNow;
urlMapping.RequestedOn = DateTime.UtcNow;
urlMapping = AddUrlMapping(urlMapping);
}
}
else
{
urlMapping.Requests += 1;
urlMapping.RequestedOn = DateTime.UtcNow;
urlMapping = UpdateUrlMapping(urlMapping);
}
return urlMapping;
}
public void DeleteUrlMapping(int urlMappingId)