Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Improve validation and error handling in Controller methods

Browse Source
This commit is contained in:
Shaun Walker
2021-06-07 15:29:08 -04:00
parent 54cd360bb5
commit 82c05a841f
38 changed files with 922 additions and 435 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
Oqtane.Server/Controllers/ProfileController.cs
View File

@ -6,6 +6,7 @@ using Oqtane.Models;
using Oqtane.Shared;
using Oqtane.Infrastructure;
using Oqtane.Repository;
using System.Net;
namespace Oqtane.Controllers
{
@ -14,25 +15,47 @@ namespace Oqtane.Controllers
{
private readonly IProfileRepository _profiles;
private readonly ILogManager _logger;
private readonly Alias _alias;
public ProfileController(IProfileRepository profiles, ILogManager logger)
public ProfileController(IProfileRepository profiles, ILogManager logger, ITenantManager tenantManager)
{
_profiles = profiles;
_logger = logger;
}
_alias = tenantManager.GetAlias();
}
// GET: api/<controller>?siteid=x
[HttpGet]
// GET: api/<controller>?siteid=x
[HttpGet]
public IEnumerable<Profile> Get(string siteid)
{
return _profiles.GetProfiles(int.Parse(siteid));
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
return _profiles.GetProfiles(SiteId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// GET api/<controller>/5
[HttpGet("{id}")]
public Profile Get(int id)
{
return _profiles.GetProfile(id);
var profile = _profiles.GetProfile(id);
if (profile != null && profile.SiteId == _alias.SiteId)
{
return profile;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Get Attempt {ProfileId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// POST api/<controller>
@ -40,11 +63,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)]
public Profile Post([FromBody] Profile profile)
{
if (ModelState.IsValid)
if (ModelState.IsValid && profile.SiteId == _alias.SiteId)
{
profile = _profiles.AddProfile(profile);
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Profile Added {Profile}", profile);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Post Attempt {Profile}", profile);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
profile = null;
}
return profile;
}
@ -53,11 +82,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)]
public Profile Put(int id, [FromBody] Profile profile)
{
if (ModelState.IsValid)
if (ModelState.IsValid && profile.SiteId == _alias.SiteId && _profiles.GetProfile(profile.ProfileId, false) != null)
{
profile = _profiles.UpdateProfile(profile);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Profile Updated {Profile}", profile);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Put Attempt {Profile}", profile);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
profile = null;
}
return profile;
}
@ -66,8 +101,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)]
public void Delete(int id)
{
_profiles.DeleteProfile(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Profile Deleted {ProfileId}", id);
var profile = _profiles.GetProfile(id);
if (profile != null && profile.SiteId == _alias.SiteId)
{
_profiles.DeleteProfile(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Profile Deleted {ProfileId}", id);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Delete Attempt {ProfileId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
}
}