Improve validation and error handling in Controller methods

This commit is contained in:
Shaun Walker
2021-06-07 15:29:08 -04:00
parent 54cd360bb5
commit 82c05a841f
38 changed files with 922 additions and 435 deletions


@ -5,6 +5,8 @@ using Microsoft.AspNetCore.Authorization;
using Oqtane.Infrastructure;
using Oqtane.Repository;
using Oqtane.Shared;
using Oqtane.Enums;
using System.Net;
namespace Oqtane.Controllers
{
@ -14,11 +16,13 @@ namespace Oqtane.Controllers
{
private readonly ILogManager _logger;
private readonly ILogRepository _logs;
private readonly Alias _alias;
public LogController(ILogManager logger, ILogRepository logs)
public LogController(ILogManager logger, ILogRepository logs, ITenantManager tenantManager)
{
_logger = logger;
_logs = logs;
_alias = tenantManager.GetAlias();
}
// GET: api/<controller>?siteid=x&level=y&function=z&rows=50
@ -26,7 +30,18 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)]
public IEnumerable<Log> Get(string siteid, string level, string function, string rows)
{
return _logs.GetLogs(int.Parse(siteid), level, function, int.Parse(rows));
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
return _logs.GetLogs(SiteId, level, function, int.Parse(rows));
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Log Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// GET api/<controller>/5
@ -34,17 +49,32 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)]
public Log Get(int id)
{
return _logs.GetLog(id);
var log = _logs.GetLog(id);
if (log != null && log.SiteId == _alias.SiteId)
{
return log;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Log Get Attempt {LogId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// POST api/<controller>
[HttpPost]
public void Post([FromBody] Log log)
{
if (ModelState.IsValid)
if (ModelState.IsValid && log.SiteId == _alias.SiteId)
{
_logger.Log(log);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Log Post Attempt {Log}", log);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
}
}
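Review bot: `int.Parse(rows)` on the success path of `Get(string siteid, string level, string function, string rows)` is still unguarded, so a non-numeric `rows` query value throws FormatException and surfaces as a 500 instead of the 403 the new siteid check produces; the same TryParse treatment fits: `if (int.TryParse(siteid, out int SiteId) && SiteId == _alias.SiteId && int.TryParse(rows, out int rowCount))` with `return _logs.GetLogs(SiteId, level, function, rowCount);`. In `Get(int id)` the `log != null` test folds "not found" into the Forbidden branch, so a request for a nonexistent id both writes a Security-level error and returns 403; if that is not intended, a separate 404 path for the null case keeps the security log signal meaningful. In `Post`, the `log.SiteId` dereference relies on `ModelState.IsValid` being false whenever the body failed to bind, which appears to hold for `[FromBody]` by default, but an explicit `log != null &&` in the condition would make that assumption visible.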