restrict user data leakage

2020-06-03 19:46:47 -04:00
parent 5544d2bed3
commit 99cad13890
14 changed files with 249 additions and 115 deletions
--- a/Oqtane.Server/Controllers/UserRoleController.cs
+++ b/Oqtane.Server/Controllers/UserRoleController.cs
@ -25,9 +25,9 @@ namespace Oqtane.Controllers
            _logger = logger;
        }

-        // GET: api/<controller>?userid=x
+        // GET: api/<controller>?siteid=x
        [HttpGet]
-        [Authorize]
+        [Authorize(Roles = Constants.AdminRole)]
        public IEnumerable<UserRole> Get(string siteid)
        {
            return _userRoles.GetUserRoles(int.Parse(siteid));
@ -35,7 +35,7 @@ namespace Oqtane.Controllers
        
        // GET api/<controller>/5
        [HttpGet("{id}")]
-        [Authorize]
+        [Authorize(Roles = Constants.AdminRole)]
        public UserRole Get(int id)
        {
            return _userRoles.GetUserRole(id);