Improve validation and error handling in Controller methods

2021-06-07 15:29:08 -04:00
parent 54cd360bb5
commit 82c05a841f
38 changed files with 922 additions and 435 deletions
--- a/Oqtane.Server/Controllers/RoleController.cs
+++ b/Oqtane.Server/Controllers/RoleController.cs
@ -6,6 +6,7 @@ using Oqtane.Models;
 using Oqtane.Shared;
 using Oqtane.Infrastructure;
 using Oqtane.Repository;
+using System.Net;

 namespace Oqtane.Controllers
 {
@ -14,31 +15,53 @@ namespace Oqtane.Controllers
    {
        private readonly IRoleRepository _roles;
        private readonly ILogManager _logger;
+        private readonly Alias _alias;

-        public RoleController(IRoleRepository roles, ILogManager logger)
+        public RoleController(IRoleRepository roles, ILogManager logger, ITenantManager tenantManager)
        {
            _roles = roles;
            _logger = logger;
+            _alias = tenantManager.GetAlias();
        }

        // GET: api/<controller>?siteid=x&global=true/false
        [HttpGet]
-        [Authorize(Roles = RoleNames.Registered)]
+        [Authorize(Roles = RoleNames.Admin)]
        public IEnumerable<Role> Get(string siteid, string global)
        {
-            if (string.IsNullOrEmpty(global))
+            int SiteId;
+            if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
            {
-                global = "False";
+                if (string.IsNullOrEmpty(global))
+                {
+                    global = "False";
+                }
+                return _roles.GetRoles(SiteId, bool.Parse(global));
+            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Get Attempt {SiteId}", siteid);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                return null;
            }
-            return _roles.GetRoles(int.Parse(siteid), bool.Parse(global));
        }

        // GET api/<controller>/5
        [HttpGet("{id}")]
-        [Authorize(Roles = RoleNames.Registered)]
+        [Authorize(Roles = RoleNames.Admin)]
        public Role Get(int id)
        {
-            return _roles.GetRole(id);
+            var role = _roles.GetRole(id);
+            if (role != null && role.SiteId == _alias.SiteId)
+            {
+                return role;
+            }
+            else
+            { 
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Get Attempt {RoleId}", id);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                return null;
+            }
        }

        // POST api/<controller>
@ -46,11 +69,17 @@ namespace Oqtane.Controllers
        [Authorize(Roles = RoleNames.Admin)]
        public Role Post([FromBody] Role role)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && role.SiteId == _alias.SiteId)
            {
                role = _roles.AddRole(role);
                _logger.Log(LogLevel.Information, this, LogFunction.Create, "Role Added {Role}", role);
            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Post Attempt {Role}", role);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                role = null;
+            }
            return role;
        }

@ -59,11 +88,17 @@ namespace Oqtane.Controllers
        [Authorize(Roles = RoleNames.Admin)]
        public Role Put(int id, [FromBody] Role role)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && role.SiteId == _alias.SiteId && _roles.GetRole(role.RoleId, false) != null)
            {
                role = _roles.UpdateRole(role);
                _logger.Log(LogLevel.Information, this, LogFunction.Update, "Role Updated {Role}", role);
            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Put Attempt {Role}", role);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                role = null;
+            }
            return role;
        }

@ -73,11 +108,16 @@ namespace Oqtane.Controllers
        public void Delete(int id)
        {
            var role = _roles.GetRole(id);
-            if (!role.IsSystem)
+            if (role != null && !role.IsSystem && role.SiteId == _alias.SiteId)
            {
                _roles.DeleteRole(id);
                _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Role Deleted {RoleId}", id);
            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Delete Attempt {RoleId}", id);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+            }
        }
    }
 }