Security fixes for Site Administrators to ensure proper access. Improvements to User and Role management components. Fix logic in CreateUser so that it does not prevent Administrators from creating users.

This commit is contained in:
Shaun Walker
2020-04-21 15:16:12 -04:00
parent 72995cd8fa
commit ab5257cea2
15 changed files with 910 additions and 592 deletions


@ -70,7 +70,7 @@ namespace Oqtane.Controllers
// PUT api/<controller>/5
[HttpPut("{id}")]
[Authorize(Roles = Constants.HostRole)]
[Authorize(Roles = Constants.AdminRole)]
public Site Put(int id, [FromBody] Site site)
{
if (ModelState.IsValid)
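Review bot: With Put now open to AdminRole instead of HostRole, nothing in the hunk ties the route `id` or the posted `site.SiteId` to the site the caller actually administers, so an administrator of one site could reach the update path for another site's record in the same installation. Put's body continues outside the hunk, so such a check may exist further down; if it does not, the condition on the last visible line should become something like `if (ModelState.IsValid && site.SiteId == id && id == /* current site id from the resolved alias */)`, taking the current site from the request's alias rather than from the body. A short comment on the attribute, such as `// site administrators may update only the site they administer; the body must verify SiteId`, would make that contract explicit for the next reader.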


@ -23,7 +23,7 @@ namespace Oqtane.Controllers
// GET: api/<controller>
[HttpGet]
[Authorize(Roles = Constants.HostRole)]
[Authorize(Roles = Constants.AdminRole)]
public IEnumerable<Tenant> Get()
{
return _tenants.GetTenants();
@ -31,7 +31,7 @@ namespace Oqtane.Controllers
// GET api/<controller>/5
[HttpGet("{id}")]
[Authorize(Roles = Constants.HostRole)]
[Authorize(Roles = Constants.AdminRole)]
public Tenant Get(int id)
{
return _tenants.GetTenant(id);
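Review bot: Get() returns `_tenants.GetTenants()` unfiltered, so widening it (and Get(int id) in the second hunk) from HostRole to AdminRole hands every tenant record in the installation to any site administrator, not just the tenant that serves their site. If the Tenant entity carries the database connection string or other infrastructure settings — not visible here — that is a least-privilege regression worth reconsidering; an alternative is to keep the listing on HostRole and expose only the caller's own tenant, or a projection without credential fields, at the AdminRole level. Whichever is chosen, a comment on the attribute such as `// tenant records are visible to site administrators; keep credential fields out of this response` would record the intent.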


@ -93,14 +93,14 @@ namespace Oqtane.Controllers
bool verified;
bool allowregistration;
if (user.Username == Constants.HostUser)
if (user.Username == Constants.HostUser || User.IsInRole(Constants.AdminRole))
{
verified = true;
allowregistration = true;
}
else
{
verified = User.IsInRole(Constants.AdminRole); // only users created by administrators are verified
{
verified = false;
allowregistration = _sites.GetSite(user.SiteId).AllowRegistration;
}
@ -308,7 +308,7 @@ namespace Oqtane.Controllers
public async Task Logout([FromBody] User user)
{
await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
_logger.Log(LogLevel.Information, this, LogFunction.Security, "User Logout {Username}", user.Username);
_logger.Log(LogLevel.Information, this, LogFunction.Security, "User Logout {Username}", (user != null) ? user.Username : "");
}
// POST api/<controller>/verify
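Review bot: The new condition on `User.IsInRole(Constants.AdminRole)` grants `verified = true` and `allowregistration = true` based solely on the caller's role, while `user.SiteId` still comes from the request body and nothing in the hunk confirms it matches the site the administrator belongs to, so the fix that lets administrators create users appears to also let them bypass AllowRegistration for any site id they post that the current tenant serves. If the enclosing Post method (it starts and ends outside the hunk) does not already validate `user.SiteId` against the resolved alias, that check belongs before this branch. The rendered lines `verified = User.IsInRole(Constants.AdminRole); // only users created by administrators are verified` and `verified = false;` look like the old and new else-branch assignment; if so, the removed comment was the only documentation of the verification rule and could be carried to the new condition as `// host user and site administrators create pre-verified accounts regardless of AllowRegistration`. In the Logout hunk, `(user != null) ? user.Username : ""` reads more idiomatically as `user?.Username ?? ""`.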