restrict user data leakage
@ -57,7 +57,7 @@ namespace Oqtane.Controllers
|
||||
user.SiteId = int.Parse(siteid);
|
||||
user.Roles = GetUserRoles(user.UserId, user.SiteId);
|
||||
}
|
||||
return user;
|
||||
return Filter(user);
|
||||
}
|
||||
|
||||
// GET api/<controller>/name/x?siteid=x
|
||||
@ -70,6 +70,29 @@ namespace Oqtane.Controllers
|
||||
user.SiteId = int.Parse(siteid);
|
||||
user.Roles = GetUserRoles(user.UserId, user.SiteId);
|
||||
}
|
||||
return Filter(user);
|
||||
}
|
||||
|
||||
private User Filter(User user)
|
||||
{
|
||||
if (user != null && !User.IsInRole(Constants.AdminRole) && User.Identity.Name != user.Username)
|
||||
{
|
||||
user.DisplayName = "";
|
||||
user.Email = "";
|
||||
user.PhotoFileId = null;
|
||||
user.LastLoginOn = DateTime.MinValue;
|
||||
user.LastIPAddress = "";
|
||||
user.Roles = "";
|
||||
user.CreatedBy = "";
|
||||
user.CreatedOn = DateTime.MinValue;
|
||||
user.ModifiedBy = "";
|
||||
user.ModifiedOn = DateTime.MinValue;
|
||||
user.DeletedBy = "";
|
||||
user.DeletedOn = DateTime.MinValue;
|
||||
user.IsDeleted = false;
|
||||
user.Password = "";
|
||||
user.IsAuthenticated = false;
|
||||
}
|
||||
return user;
|
||||
}
|
||||
|
||||
|
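Review bot: The new `Filter` method leaves `user.Password` untouched whenever the caller is the user themselves or holds `Constants.AdminRole`, so if that property carries the stored credential it is still serialized to the client on those paths; clearing it unconditionally (move `user.Password = "";` above the `if`) costs nothing because no GET response needs it. The method is also a deny-list: any property not named in it, including fields added to `User` later, is returned to other users by default, so a comment stating that intent, e.g. `// Non-admin callers viewing another account receive only the public subset; extend this list when User gains fields`, would help the next maintainer. The comparison `User.Identity.Name != user.Username` is ordinal and case-sensitive, which is only correct if usernames are stored exactly as they appear in the identity claim — worth a comment either way. The first hunk (`@ -57,7`) in this file only routes the result through the same method and needs nothing further.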
@ -25,9 +25,9 @@ namespace Oqtane.Controllers
|
||||
_logger = logger;
|
||||
}
|
||||
|
||||
// GET: api/<controller>?userid=x
|
||||
// GET: api/<controller>?siteid=x
|
||||
[HttpGet]
|
||||
[Authorize]
|
||||
[Authorize(Roles = Constants.AdminRole)]
|
||||
public IEnumerable<UserRole> Get(string siteid)
|
||||
{
|
||||
return _userRoles.GetUserRoles(int.Parse(siteid));
|
||||
@ -35,7 +35,7 @@ namespace Oqtane.Controllers
|
||||
|
||||
// GET api/<controller>/5
|
||||
[HttpGet("{id}")]
|
||||
[Authorize]
|
||||
[Authorize(Roles = Constants.AdminRole)]
|
||||
public UserRole Get(int id)
|
||||
{
|
||||
return _userRoles.GetUserRole(id);
|
||||
|
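Review bot: The comment above the first endpoint still reads `// GET: api/<controller>?userid=x` while the action's only parameter is `siteid`, so the stale line should be dropped while this attribute block is being edited. Tightening both actions to `[Authorize(Roles = Constants.AdminRole)]` still leaves `Get(int id)` returning any `UserRole` by primary key with no check that the row belongs to the caller's site; whether `Constants.AdminRole` is site-scoped cannot be told from this hunk, so if it is not, a site check in the body is still needed. The body of `Get(string siteid)` continues past the hunk.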
@ -69,7 +69,7 @@ namespace Oqtane.Infrastructure
|
||||
mailMessage.Subject = notification.Subject;
|
||||
if (notification.FromUserId != null)
|
||||
{
|
||||
mailMessage.Body = "From: " + notification.FromUser.DisplayName + "<" + notification.FromUser.Email + ">" + "\n";
|
||||
mailMessage.Body = "From: " + notification.FromDisplayName + "<" + notification.FromEmail + ">" + "\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -78,8 +78,8 @@ namespace Oqtane.Infrastructure
|
||||
mailMessage.Body += "Sent: " + notification.CreatedOn + "\n";
|
||||
if (notification.ToUserId != null)
|
||||
{
|
||||
mailMessage.To.Add(new MailAddress(notification.ToUser.Email, notification.ToUser.DisplayName));
|
||||
mailMessage.Body += "To: " + notification.ToUser.DisplayName + "<" + notification.ToUser.Email + ">" + "\n";
|
||||
mailMessage.To.Add(new MailAddress(notification.ToEmail, notification.ToDisplayName));
|
||||
mailMessage.Body += "To: " + notification.ToDisplayName + "<" + notification.ToEmail + ">" + "\n";
|
||||
}
|
||||
else
|
||||
{
|
||||
|
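Review bot: `new MailAddress(notification.ToEmail, notification.ToDisplayName)` in the second hunk will throw (`ArgumentNullException` for a null address, `ArgumentException` for an empty one) for any existing undelivered notification whose new `ToEmail` value is still NULL, since the accompanying script adds the new columns as NULL with no visible backfill and the repository no longer loads `ToUser`; a single such row would abort the job's loop unless a catch outside the hunk handles it. A guard such as `if (notification.ToUserId != null && !string.IsNullOrEmpty(notification.ToEmail))` — and the same shape on the `FromUserId` branch in the first hunk — keeps legacy rows from failing. The enclosing method starts and ends outside both hunks.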
@ -21,8 +21,6 @@ namespace Oqtane.Repository
|
||||
return _db.Notification
|
||||
.Where(item => item.SiteId == siteId)
|
||||
.Where(item => item.IsDelivered == false)
|
||||
.Include(item => item.FromUser)
|
||||
.Include(item => item.ToUser)
|
||||
.ToList();
|
||||
}
|
||||
|
||||
@ -30,8 +28,6 @@ namespace Oqtane.Repository
|
||||
.Where(item => item.SiteId == siteId)
|
||||
.Where(item => item.ToUserId == toUserId || toUserId == -1)
|
||||
.Where(item => item.FromUserId == fromUserId || fromUserId == -1)
|
||||
.Include(item => item.FromUser)
|
||||
.Include(item => item.ToUser)
|
||||
.ToList();
|
||||
}
|
||||
|
||||
|
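Review bot: Dropping `.Include(item => item.FromUser)` and `.Include(item => item.ToUser)` in both hunks means `FromUser` and `ToUser` on the returned entities are now null unless lazy loading is configured, and nothing in this diff removes or marks those navigation properties; any caller other than the updated mail job that still dereferences them will fail at runtime with a `NullReferenceException`. If the navigations stay on the model, a comment on these queries, e.g. `// FromUser/ToUser are deliberately not loaded; use the denormalised From*/To* columns instead`, documents the contract, otherwise consider removing the properties. Both methods' signatures are outside the hunks.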
@ -31,3 +31,9 @@ CREATE UNIQUE NONCLUSTERED INDEX IX_File ON [dbo].[File]
|
||||
[Name]
|
||||
) ON [PRIMARY]
|
||||
GO
|
||||
|
||||
ALTER TABLE [dbo].[Notification] ADD
|
||||
[FromDisplayName] [nvarchar](50) NULL,
|
||||
[FromEmail] [nvarchar](256) NULL,
|
||||
[ToDisplayName] [nvarchar](50) NULL
|
||||
GO
|
||||
|
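Review bot: The `ALTER TABLE [dbo].[Notification] ADD` statement adds `FromDisplayName`, `FromEmail` and `ToDisplayName` but no `ToEmail`, while the updated mail job reads `notification.ToEmail`; unless that column is added in a script not shown here, the entity property has no backing column and the query will fail at runtime. Adding `[ToEmail] [nvarchar](256) NULL` to the column list (with a comma after `[ToDisplayName] [nvarchar](50) NULL`) aligns the script with the code. Since the new columns are nullable and no backfill is included, rows created before this script will carry NULL values that the consuming code must tolerate.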