Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improvements for #2229 - relax userrole restrictions

Browse Source
This commit is contained in:
Shaun Walker 2022-06-08 15:46:36 -04:00
parent 79c8126c4a
commit a822482172
1 changed files with 16 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
Oqtane.Server/Controllers/UserRoleController.cs
View File

@ -39,32 +39,24 @@ namespace Oqtane.Controllers
public IEnumerable<UserRole> Get(string siteid, string userid = null, string rolename = null) public IEnumerable<UserRole> Get(string siteid, string userid = null, string rolename = null)
{ {
int SiteId; int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId) if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId && (userid != null || rolename != null))
{ {
int UserId = (int.TryParse(userid, out UserId)) ? UserId : -1; var userroles = _userRoles.GetUserRoles(SiteId).ToList();
if (User.IsInRole(RoleNames.Admin) || ((userid == null || _userPermissions.GetUser().UserId == UserId) && (rolename == null || (User.IsInRole(rolename) && rolename != RoleNames.Registered)))) if (userid != null)
{ {
var userroles = _userRoles.GetUserRoles(SiteId).ToList(); int UserId = int.TryParse(userid, out UserId) ? UserId : -1;
if (userid != null) userroles = userroles.Where(item => item.UserId == UserId).ToList();
{
userroles = userroles.Where(item => item.UserId == UserId).ToList();
}
if (rolename != null)
{
userroles = userroles.Where(item => item.Role.Name == rolename).ToList();
}
for (int i = 0; i < userroles.Count(); i++)
{
userroles[i] = Filter(userroles[i]);
}
return userroles.OrderBy(u => u.User.DisplayName);
} }
else if (rolename != null)
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UserRole Get Attempt For Site {SiteId} User {UserId} Role {RoleName}", siteid, userid, rolename); userroles = userroles.Where(item => item.Role.Name == rolename).ToList();
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
} }
var user = _userPermissions.GetUser();
for (int i = 0; i < userroles.Count(); i++)
{
userroles[i] = Filter(userroles[i], user.UserId);
}
return userroles.OrderBy(u => u.User.DisplayName);
} }
else else
{ {
@ -82,16 +74,7 @@ namespace Oqtane.Controllers
var userrole = _userRoles.GetUserRole(id); var userrole = _userRoles.GetUserRole(id);
if (userrole != null && SiteValid(userrole.Role.SiteId)) if (userrole != null && SiteValid(userrole.Role.SiteId))
{ {
if (User.IsInRole(RoleNames.Admin) || User.Identity.Name?.ToLower() != userrole.User.Username.ToLower() || User.IsInRole(userrole.Role.Name)) return Filter(userrole, _userPermissions.GetUser().UserId);
{
return Filter(userrole);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Get Attempt {UserRoleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
else else
{ {
@ -101,7 +84,7 @@ namespace Oqtane.Controllers
} }
} }
private UserRole Filter(UserRole userrole) private UserRole Filter(UserRole userrole, int userid)
{ {
if (userrole != null) if (userrole != null)
{ {
@ -110,7 +93,7 @@ namespace Oqtane.Controllers
userrole.User.TwoFactorCode = ""; userrole.User.TwoFactorCode = "";
userrole.User.TwoFactorExpiry = null; userrole.User.TwoFactorExpiry = null;
if (!User.IsInRole(RoleNames.Admin) && User.Identity.Name?.ToLower() != userrole.User.Username.ToLower()) if (!User.IsInRole(RoleNames.Admin) && userid != userrole.User.UserId)
{ {
userrole.User.Email = ""; userrole.User.Email = "";
userrole.User.PhotoFileId = null; userrole.User.PhotoFileId = null;