Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Improve validation and error handling in Controller methods

Browse Source
This commit is contained in:
Shaun Walker
2021-06-07 15:29:08 -04:00
parent 54cd360bb5
commit 82c05a841f
38 changed files with 922 additions and 435 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
Oqtane.Server/Controllers/UserRoleController.cs
View File

@ -7,6 +7,7 @@ using Oqtane.Shared;
using Oqtane.Infrastructure;
using Oqtane.Repository;
using System.Linq;
using System.Net;
namespace Oqtane.Controllers
{
@ -33,7 +34,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)]
public IEnumerable<UserRole> Get(string siteid)
{
return _userRoles.GetUserRoles(int.Parse(siteid));
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
return _userRoles.GetUserRoles(SiteId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UserRole Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// GET api/<controller>/5
@ -41,7 +52,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)]
public UserRole Get(int id)
{
return _userRoles.GetUserRole(id);
var userrole = _userRoles.GetUserRole(id);
if (userrole != null && userrole.Role.SiteId == _alias.SiteId)
{
return userrole;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Get Attempt {UserRoleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// POST api/<controller>
@ -50,7 +71,7 @@ namespace Oqtane.Controllers
public UserRole Post([FromBody] UserRole userRole)
{
var role = _roles.GetRole(userRole.RoleId);
if (ModelState.IsValid && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host))
if (ModelState.IsValid && role != null && role.SiteId == _alias.SiteId && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host))
{
if (role.Name == RoleNames.Host)
{
@ -64,6 +85,12 @@ namespace Oqtane.Controllers
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UserRole Post Attempt {UserRole}", userRole);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
userRole = null;
}
return userRole;
}
@ -73,12 +100,18 @@ namespace Oqtane.Controllers
public UserRole Put(int id, [FromBody] UserRole userRole)
{
var role = _roles.GetRole(userRole.RoleId);
if (ModelState.IsValid && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host))
if (ModelState.IsValid && role != null && role.SiteId == _alias.SiteId && _userRoles.GetUserRole(userRole.UserRoleId, false) != null && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host))
{
userRole = _userRoles.UpdateUserRole(userRole);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "User Role Updated {UserRole}", userRole);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Put Attempt {UserRole}", userRole);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
userRole = null;
}
return userRole;
}
@ -88,7 +121,7 @@ namespace Oqtane.Controllers
public void Delete(int id)
{
UserRole userRole = _userRoles.GetUserRole(id);
if (User.IsInRole(RoleNames.Host) || userRole.Role.Name != RoleNames.Host)
if (userRole != null && userRole.Role.SiteId == _alias.SiteId && (User.IsInRole(RoleNames.Host) || userRole.Role.Name != RoleNames.Host))
{
_userRoles.DeleteUserRole(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "User Role Deleted {UserRole}", userRole);
@ -106,6 +139,11 @@ namespace Oqtane.Controllers
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Delete Attempt {UserRoleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
}
}