diff --git a/Oqtane.Server/Components/App.razor b/Oqtane.Server/Components/App.razor
index 570e4426..638c8031 100644
--- a/Oqtane.Server/Components/App.razor
+++ b/Oqtane.Server/Components/App.razor
@@ -345,6 +345,7 @@
 DateTime expiry = DateTime.MinValue;
 if (visitorCookieValue != null && visitorCookieValue.Contains("|"))
 {
+ // visitor cookies contain the visitor id and an expiry date separated by a pipe symbol
 var values = visitorCookieValue.Split('|');
 int.TryParse(values[0], out _visitorId);
 DateTime.TryParseExact(values[1], "M/d/yyyy hh:mm:ss tt", CultureInfo.InvariantCulture, DateTimeStyles.None, out expiry);
diff --git a/Oqtane.Server/Controllers/SettingController.cs b/Oqtane.Server/Controllers/SettingController.cs
index fd8708c1..3c67887b 100644
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@@ -70,7 +70,6 @@ namespace Oqtane.Controllers
 _identityOptionsMonitorCache = identityOptionsMonitorCache;
 _logger = logger;
 _alias = tenantManager.GetAlias();
- _visitorCookie = Constants.VisitorCookiePrefix + _alias.SiteId.ToString();
 }
 
 // GET: api/
@@ -299,11 +298,8 @@ namespace Oqtane.Controllers
 authorized = User.IsInRole(RoleNames.Admin);
 if (!authorized)
 {
- // a visitor may have cookies disabled
- if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
- {
- authorized = (visitorId == entityId);
- }
+ var visitorCookieName = Constants.VisitorCookiePrefix + _alias.SiteId.ToString();
+ authorized = (entityId == GetVisitorCookieId(Request.Cookies[visitorCookieName]));
 }
 break;
 default: // custom entity
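Review bot: `Request.Cookies[visitorCookieName]` is null when the visitor cookie is absent, and the new `GetVisitorCookieId` dereferences that value with `visitorCookie.Contains("|")`, so an anonymous request without the cookie now throws a NullReferenceException where the removed `int.TryParse(null, …)` path simply left `authorized` false — the deleted comment "a visitor may have cookies disabled" described exactly this case. The same call is made in the -344 hunk of this file and in the -51 hunk of VisitorController.cs, and both copies of the helper need a guard as their first line: `if (string.IsNullOrEmpty(visitorCookie)) return -1;`. Because the helper sits inside an authorization check, an exception here presumably surfaces as an unhandled 500 instead of a deny. IsAuthorized starts and ends outside this hunk.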
@@ -344,11 +340,8 @@ namespace Oqtane.Controllers
 case EntityNames.Visitor:
 if (!User.IsInRole(RoleNames.Admin))
 {
- filter = true;
- if (int.TryParse(Request.Cookies[_visitorCookie], out int visitorId))
- {
- filter = (visitorId != entityId);
- }
+ var visitorCookieName = Constants.VisitorCookiePrefix + _alias.SiteId.ToString();
+ filter = (entityId != GetVisitorCookieId(Request.Cookies[visitorCookieName]));
 }
 break;
 default: // custom entity
@@ -358,6 +351,13 @@ namespace Oqtane.Controllers
 return filter;
 }
 
+ private int GetVisitorCookieId(string visitorCookie)
+ {
+ // visitor cookies contain the visitor id and an expiry date separated by a pipe symbol
+ visitorCookie = (visitorCookie.Contains("|")) ? visitorCookie.Split('|')[0] : visitorCookie;
+ return (int.TryParse(visitorCookie, out int visitorId)) ? visitorId : -1;
+ }
+
 private void AddSyncEvent(string EntityName, int EntityId, int SettingId, string Action)
 {
 _syncManager.AddSyncEvent(_alias, EntityName + "Setting", SettingId, Action);
diff --git a/Oqtane.Server/Controllers/VisitorController.cs b/Oqtane.Server/Controllers/VisitorController.cs
index 66ba447c..e0074452 100644
--- a/Oqtane.Server/Controllers/VisitorController.cs
+++ b/Oqtane.Server/Controllers/VisitorController.cs
@@ -51,11 +51,8 @@ namespace Oqtane.Controllers
 bool authorized = User.IsInRole(RoleNames.Admin);
 if (!authorized)
 {
- var visitorCookie = Constants.VisitorCookiePrefix + _alias.SiteId.ToString();
- if (int.TryParse(Request.Cookies[visitorCookie], out int visitorId))
- {
- authorized = (visitorId == id);
- }
+ var visitorCookieName = Constants.VisitorCookiePrefix + _alias.SiteId.ToString();
+ authorized = (id == GetVisitorCookieId(Request.Cookies[visitorCookieName]));
 }
 
 var visitor = _visitors.GetVisitor(id);
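Review bot: The `-1` sentinel that `GetVisitorCookieId` returns on parse failure is compared directly against the caller-supplied `entityId` in the -299 and -344 hunks (and against `id` in the -51 hunk of VisitorController.cs), so a request for entity -1 with a missing or malformed cookie is authorized and not filtered, whereas the removed code left `authorized` false and `filter` true in that case. Whether a caller can actually supply -1 is not visible here, but a sentinel that lies inside the value domain of an authorization comparison is fragile. Returning `int?` instead — `return int.TryParse(visitorCookie, out int visitorId) ? visitorId : (int?)null;` — and comparing with `authorized = GetVisitorCookieId(Request.Cookies[visitorCookieName]) is int visitorId && visitorId == entityId;` removes the collision. The duplicate helper in the -77 hunk of VisitorController.cs has the same sentinel.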
@@ -77,5 +74,12 @@ namespace Oqtane.Controllers
 return null;
 }
 }
+
+ private int GetVisitorCookieId(string visitorCookie)
+ {
+ // visitor cookies contain the visitor id and an expiry date separated by a pipe symbol
+ visitorCookie = (visitorCookie.Contains("|")) ? visitorCookie.Split('|')[0] : visitorCookie;
+ return (int.TryParse(visitorCookie, out int visitorId)) ? visitorId : -1;
+ }
 }
 }
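Review bot: This `GetVisitorCookieId` is a verbatim copy of the one added to SettingController.cs in the -358 hunk, and the -345 hunk of App.razor parses the same `id|expiry` cookie layout a third time with `Split('|')`; a single shared static helper would keep the three parsers from drifting when the cookie format changes. If it stays private, a `/// <summary>` stating what is returned for a missing, empty or unparsable cookie would help, since callers compare the result against ids taken from the request. Note also that the helper trusts whatever id the client placed in the cookie; that was already true of the removed code, so it is out of scope for this commit, but it is worth recording in the helper's documentation so the trust boundary is explicit.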