Add support for IsPublic to all Setting types, enable Url Mapping for internal links
This commit is contained in:
Shaun Walker
@ -75,6 +75,7 @@ namespace Oqtane.Controllers
|
||||
|
||||
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
|
||||
module.Settings = settings.Where(item => item.EntityId == pagemodule.ModuleId)
|
||||
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, pagemodule.Module.Permissions))
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
|
||||
modules.Add(module);
|
||||
@ -101,7 +102,8 @@ namespace Oqtane.Controllers
|
||||
List<ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(module.SiteId).ToList();
|
||||
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
|
||||
module.Settings = _settings.GetSettings(EntityNames.Module, id)
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, module.Permissions))
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
return module;
|
||||
}
|
||||
else
|
||||
|
||||
@ -57,6 +57,7 @@ namespace Oqtane.Controllers
|
||||
if (_userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
|
||||
{
|
||||
page.Settings = settings.Where(item => item.EntityId == page.PageId)
|
||||
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, page.Permissions))
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
pages.Add(page);
|
||||
}
|
||||
@ -85,15 +86,16 @@ namespace Oqtane.Controllers
|
||||
{
|
||||
page = _pages.GetPage(id, int.Parse(userid));
|
||||
}
|
||||
if (_userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions))
|
||||
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions))
|
||||
{
|
||||
page.Settings = _settings.GetSettings(EntityNames.Page, page.PageId)
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, page.Permissions))
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
return page;
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Page}", page);
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {PageId} {UserId}", id, userid);
|
||||
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
|
||||
return null;
|
||||
}
|
||||
@ -104,24 +106,16 @@ namespace Oqtane.Controllers
|
||||
public Page Get(string path, int siteid)
|
||||
{
|
||||
Page page = _pages.GetPage(WebUtility.UrlDecode(path), siteid);
|
||||
if (page != null && page.SiteId == _alias.SiteId)
|
||||
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
|
||||
{
|
||||
if (_userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions))
|
||||
{
|
||||
page.Settings = _settings.GetSettings(EntityNames.Page, page.PageId)
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
return page;
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Page}", page);
|
||||
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
|
||||
return null;
|
||||
}
|
||||
page.Settings = _settings.GetSettings(EntityNames.Page, page.PageId)
|
||||
.Where(item => item.IsPublic || _userPermissions.IsAuthorized(User, PermissionNames.Edit, page.Permissions))
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
return page;
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Path} for Site {SiteId}", path, siteid);
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {SiteId} {Path}", siteid, path);
|
||||
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
|
||||
return null;
|
||||
}
|
||||
|
||||
@ -20,6 +20,7 @@ namespace Oqtane.Controllers
|
||||
private readonly ISyncManager _syncManager;
|
||||
private readonly ILogManager _logger;
|
||||
private readonly Alias _alias;
|
||||
private readonly string _visitorCookie;
|
||||
|
||||
public SettingController(ISettingRepository settings, IPageModuleRepository pageModules, IUserPermissions userPermissions, ITenantManager tenantManager, ISyncManager syncManager, ILogManager logger)
|
||||
{
|
||||
@ -29,39 +30,25 @@ namespace Oqtane.Controllers
|
||||
_syncManager = syncManager;
|
||||
_logger = logger;
|
||||
_alias = tenantManager.GetAlias();
|
||||
_visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
|
||||
}
|
||||
|
||||
// GET: api/<controller>
|
||||
[HttpGet]
|
||||
public IEnumerable<Setting> Get(string entityName, int entityid)
|
||||
public IEnumerable<Setting> Get(string entityName, int entityId)
|
||||
{
|
||||
List<Setting> settings = new List<Setting>();
|
||||
if (IsAuthorized(entityName, entityid, PermissionNames.View))
|
||||
if (IsAuthorized(entityName, entityId, PermissionNames.View))
|
||||
{
|
||||
settings = _settings.GetSettings(entityName, entityid).ToList();
|
||||
|
||||
// ispublic filter
|
||||
switch (entityName)
|
||||
settings = _settings.GetSettings(entityName, entityId).ToList();
|
||||
if (FilterPublic(entityName, entityId))
|
||||
{
|
||||
case EntityNames.Tenant:
|
||||
case EntityNames.ModuleDefinition:
|
||||
case EntityNames.Host:
|
||||
if (!User.IsInRole(RoleNames.Host))
|
||||
{
|
||||
settings = settings.Where(item => item.IsPublic).ToList();
|
||||
}
|
||||
break;
|
||||
case EntityNames.Site:
|
||||
if (!User.IsInRole(RoleNames.Admin))
|
||||
{
|
||||
settings = settings.Where(item => item.IsPublic).ToList();
|
||||
}
|
||||
break;
|
||||
settings = settings.Where(item => item.IsPublic).ToList();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityid);
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityId);
|
||||
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
|
||||
}
|
||||
return settings;
|
||||
@ -74,30 +61,15 @@ namespace Oqtane.Controllers
|
||||
Setting setting = _settings.GetSetting(entityName, id);
|
||||
if (IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.View))
|
||||
{
|
||||
// ispublic filter
|
||||
switch (entityName)
|
||||
if (FilterPublic(entityName, id) && !setting.IsPublic)
|
||||
{
|
||||
case EntityNames.Tenant:
|
||||
case EntityNames.ModuleDefinition:
|
||||
case EntityNames.Host:
|
||||
if (!User.IsInRole(RoleNames.Host) && !setting.IsPublic)
|
||||
{
|
||||
setting = null;
|
||||
}
|
||||
break;
|
||||
case EntityNames.Site:
|
||||
if (!User.IsInRole(RoleNames.Admin) && !setting.IsPublic)
|
||||
{
|
||||
setting = null;
|
||||
}
|
||||
break;
|
||||
setting = null;
|
||||
}
|
||||
|
||||
return setting;
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {Setting}", setting);
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
|
||||
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
|
||||
return null;
|
||||
}
|
||||
@ -204,20 +176,67 @@ namespace Oqtane.Controllers
|
||||
}
|
||||
break;
|
||||
case EntityNames.Visitor:
|
||||
var visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
|
||||
if (int.TryParse(Request.Cookies[visitorCookie], out int visitorId))
|
||||
authorized = User.IsInRole(RoleNames.Admin);
|
||||
if (!authorized)
|
||||
{
|
||||
authorized = (visitorId == entityId);
|
||||
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
|
||||
{
|
||||
authorized = (visitorId == entityId);
|
||||
}
|
||||
}
|
||||
break;
|
||||
default: // custom entity
|
||||
if (permissionName == PermissionNames.Edit)
|
||||
{
|
||||
authorized = User.IsInRole(RoleNames.Admin);
|
||||
}
|
||||
else
|
||||
{
|
||||
authorized = User.IsInRole(RoleNames.Admin);
|
||||
authorized = true;
|
||||
}
|
||||
break;
|
||||
}
|
||||
return authorized;
|
||||
}
|
||||
|
||||
private bool FilterPublic(string entityName, int entityId)
|
||||
{
|
||||
bool filter = false;
|
||||
switch (entityName)
|
||||
{
|
||||
case EntityNames.Tenant:
|
||||
case EntityNames.ModuleDefinition:
|
||||
case EntityNames.Host:
|
||||
filter = !User.IsInRole(RoleNames.Host);
|
||||
break;
|
||||
case EntityNames.Site:
|
||||
filter = !User.IsInRole(RoleNames.Admin);
|
||||
break;
|
||||
case EntityNames.Page:
|
||||
case EntityNames.Module:
|
||||
case EntityNames.Folder:
|
||||
filter = !_userPermissions.IsAuthorized(User, entityName, entityId, PermissionNames.Edit);
|
||||
break;
|
||||
case EntityNames.User:
|
||||
filter = !User.IsInRole(RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
|
||||
break;
|
||||
case EntityNames.Visitor:
|
||||
if (!User.IsInRole(RoleNames.Admin))
|
||||
{
|
||||
filter = true;
|
||||
if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
|
||||
{
|
||||
filter = (visitorId != entityId);
|
||||
}
|
||||
}
|
||||
break;
|
||||
default: // custom entity
|
||||
filter = !User.IsInRole(RoleNames.Admin);
|
||||
break;
|
||||
}
|
||||
return filter;
|
||||
}
|
||||
|
||||
private void AddSyncEvent(string EntityName)
|
||||
{
|
||||
switch (EntityName)
|
||||
|
||||
@ -44,12 +44,9 @@ namespace Oqtane.Controllers
|
||||
var site = _sites.GetSite(id);
|
||||
if (site.SiteId == _alias.SiteId)
|
||||
{
|
||||
var settings = _settings.GetSettings(EntityNames.Site, site.SiteId);
|
||||
if (!User.IsInRole(RoleNames.Admin))
|
||||
{
|
||||
settings = settings.Where(item => item.IsPublic);
|
||||
}
|
||||
site.Settings = settings.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
site.Settings = _settings.GetSettings(EntityNames.Site, site.SiteId)
|
||||
.Where(item => item.IsPublic || User.IsInRole(RoleNames.Admin))
|
||||
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
|
||||
return site;
|
||||
}
|
||||
else
|
||||
|
||||
@ -48,7 +48,7 @@ namespace Oqtane.Controllers
|
||||
public UrlMapping Get(int id)
|
||||
{
|
||||
var urlMapping = _urlMappings.GetUrlMapping(id);
|
||||
if (urlMapping != null && (urlMapping.SiteId == _alias.SiteId))
|
||||
if (urlMapping != null && urlMapping.SiteId == _alias.SiteId)
|
||||
{
|
||||
return urlMapping;
|
||||
}
|
||||
@ -60,6 +60,23 @@ namespace Oqtane.Controllers
|
||||
}
|
||||
}
|
||||
|
||||
// GET api/<controller>/url/x?url=y
|
||||
[HttpGet("url/{siteid}")]
|
||||
public UrlMapping Get(int siteid, string url)
|
||||
{
|
||||
var urlMapping = _urlMappings.GetUrlMapping(siteid, WebUtility.UrlDecode(url));
|
||||
if (urlMapping != null && urlMapping.SiteId == _alias.SiteId)
|
||||
{
|
||||
return urlMapping;
|
||||
}
|
||||
else
|
||||
{
|
||||
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UrlMapping Get Attempt {SiteId} {Url}", siteid, url);
|
||||
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
// POST api/<controller>
|
||||
[HttpPost]
|
||||
[Authorize(Roles = RoleNames.Admin)]
|
||||
|
||||
@ -47,15 +47,14 @@ namespace Oqtane.Controllers
|
||||
[HttpGet("{id}")]
|
||||
public Visitor Get(int id)
|
||||
{
|
||||
bool authorized;
|
||||
var visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
|
||||
if (int.TryParse(Request.Cookies[visitorCookie], out int visitorId))
|
||||
bool authorized = User.IsInRole(RoleNames.Admin);
|
||||
if (!authorized)
|
||||
{
|
||||
authorized = (visitorId == id);
|
||||
}
|
||||
else
|
||||
{
|
||||
authorized = User.IsInRole(RoleNames.Admin);
|
||||
var visitorCookie = "APP_VISITOR_" + _alias.SiteId.ToString();
|
||||
if (int.TryParse(Request.Cookies[visitorCookie], out int visitorId))
|
||||
{
|
||||
authorized = (visitorId == id);
|
||||
}
|
||||
}
|
||||
|
||||
var visitor = _visitors.GetVisitor(id);
|
||||
|
||||
Reference in New Issue
Block a user