Improve validation and error handling in Controller methods

2021-06-07 15:29:08 -04:00
parent 54cd360bb5
commit 82c05a841f
38 changed files with 922 additions and 435 deletions
--- a/Oqtane.Server/Controllers/SiteController.cs
+++ b/Oqtane.Server/Controllers/SiteController.cs
@ -7,6 +7,7 @@ using System.Linq;
 using Oqtane.Enums;
 using Oqtane.Infrastructure;
 using Oqtane.Repository;
+using System.Net;

 namespace Oqtane.Controllers
 {
@ -38,7 +39,17 @@ namespace Oqtane.Controllers
        [HttpGet("{id}")]
        public Site Get(int id)
        {
-            return _sites.GetSite(id);
+            var site = _sites.GetSite(id);
+            if (site.SiteId == _alias.SiteId)
+            {
+                return site;
+            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Get Attempt {SiteId}", id);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                return null;
+            }
        }

        // POST api/<controller>
@ -72,12 +83,18 @@ namespace Oqtane.Controllers
        [Authorize(Roles = RoleNames.Admin)]
        public Site Put(int id, [FromBody] Site site)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && site.SiteId == _alias.SiteId && site.TenantId == _alias.TenantId && _sites.GetSite(site.SiteId, false) != null)
            {
                site = _sites.UpdateSite(site);
                _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, site.SiteId);
                _logger.Log(site.SiteId, LogLevel.Information, this, LogFunction.Update, "Site Updated {Site}", site);
            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Put Attempt {Site}", site);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                site = null;
+            }
            return site;
        }

@ -86,8 +103,17 @@ namespace Oqtane.Controllers
        [Authorize(Roles = RoleNames.Host)]
        public void Delete(int id)
        {
-            _sites.DeleteSite(id);
-            _logger.Log(id, LogLevel.Information, this, LogFunction.Delete, "Site Deleted {SiteId}", id);
+            var site = _sites.GetSite(id);
+            if (site != null && site.SiteId == _alias.SiteId)
+            {
+                _sites.DeleteSite(id);
+                _logger.Log(id, LogLevel.Information, this, LogFunction.Delete, "Site Deleted {SiteId}", id);
+            }
+            else
+            {
+                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Delete Attempt {SiteId}", id);
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+            }
        }
    }
 }