Improve validation and error handling in Controller methods

2021-06-07 15:29:08 -04:00
parent 54cd360bb5
commit 82c05a841f
38 changed files with 922 additions and 435 deletions
--- a/Oqtane.Server/Controllers/LanguageController.cs
+++ b/Oqtane.Server/Controllers/LanguageController.cs
@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using System.Net;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Oqtane.Enums;
@ -14,28 +15,62 @@ namespace Oqtane.Controllers
    {
        private readonly ILanguageRepository _languages;
        private readonly ILogManager _logger;
+        private readonly Alias _alias;

-        public LanguageController(ILanguageRepository language, ILogManager logger)
+        public LanguageController(ILanguageRepository language, ILogManager logger, ITenantManager tenantManager)
        {
            _languages = language;
            _logger = logger;
+            _alias = tenantManager.GetAlias();
        }

        [HttpGet]
-        public IEnumerable<Language> Get(string siteid) => _languages.GetLanguages(int.Parse(siteid));
+        public IEnumerable<Language> Get(string siteid)
+        {
+            int SiteId;
+            if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
+            {
+                return _languages.GetLanguages(SiteId);
+            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Get Attempt {SiteId}", siteid);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                return null;
+            }
+        }

        [HttpGet("{id}")]
-        public Language Get(int id) => _languages.GetLanguage(id);
+        public Language Get(int id)
+        {
+            var language = _languages.GetLanguage(id);
+            if (language != null && language.SiteId == _alias.SiteId)
+            {
+                return language;
+            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Get Attempt {LanguageId}", id);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                return null;
+            }
+        }

        [HttpPost]
        [Authorize(Roles = RoleNames.Admin)]
        public Language Post([FromBody] Language language)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && language.SiteId == _alias.SiteId)
            {
                language = _languages.AddLanguage(language);
                _logger.Log(LogLevel.Information, this, LogFunction.Create, "Language Added {Language}", language);
            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Post Attempt {Language}", language);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                language = null;
+            }
            return language;
        }

@ -43,8 +78,18 @@ namespace Oqtane.Controllers
        [Authorize(Roles = RoleNames.Admin)]
        public void Delete(int id)
        {
-            _languages.DeleteLanguage(id);
-            _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Language Deleted {LanguageId}", id);
+            var language = _languages.GetLanguage(id);
+            if (language != null && language.SiteId == _alias.SiteId)
+            {
+                _languages.DeleteLanguage(id);
+                _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Language Deleted {LanguageId}", id);
+            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Delete Attempt {LanguageId}", id);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+            }
+
        }
    }
 }