From c597c4c23489e43500557d698d7514158117a0a3 Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Mon, 10 Jul 2023 08:44:14 -0400
Subject: [PATCH] add API method to get File based on name, and fix permission validation for Folder

---
 Oqtane.Client/Services/FileService.cs | 5 +++++
 .../Services/Interfaces/IFileService.cs | 10 ++++++++++
 Oqtane.Server/Controllers/FileController.cs | 16 ++++++++++++++++
 Oqtane.Server/Controllers/FolderController.cs | 6 +++---
 4 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/Oqtane.Client/Services/FileService.cs b/Oqtane.Client/Services/FileService.cs
index 3fef5c6e..05d3adff 100644
--- a/Oqtane.Client/Services/FileService.cs
+++ b/Oqtane.Client/Services/FileService.cs
@@ -46,6 +46,11 @@ namespace Oqtane.Services
 return await GetJsonAsync($"{Apiurl}/{fileId}");
 }
 
+ public async Task GetFileAsync(int folderId, string name)
+ {
+ return await GetJsonAsync($"{Apiurl}/name/{name}/{folderId}");
+ }
+
 public async Task AddFileAsync(File file)
 {
 return await PostJsonAsync(Apiurl, file);
diff --git a/Oqtane.Client/Services/Interfaces/IFileService.cs b/Oqtane.Client/Services/Interfaces/IFileService.cs
index 66553b0c..1174947f 100644
--- a/Oqtane.Client/Services/Interfaces/IFileService.cs
+++ b/Oqtane.Client/Services/Interfaces/IFileService.cs
@@ -1,5 +1,6 @@
 using Oqtane.Models;
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Threading.Tasks;
 
 namespace Oqtane.Services
@@ -33,6 +34,15 @@ namespace Oqtane.Services
 ///
 Task GetFileAsync(int fileId);
 
+ ///
+ /// Get a based on the and file name.
+ ///
+ /// Reference to the
+ /// name of the file
+ ///
+ ///
+ Task GetFileAsync(int folderId, string name);
+
 ///
 /// Add / store a record.
 /// This does not contain the file contents.
diff --git a/Oqtane.Server/Controllers/FileController.cs b/Oqtane.Server/Controllers/FileController.cs
index 30cbab26..63f0366b 100644
--- a/Oqtane.Server/Controllers/FileController.cs
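Review bot: `name` is interpolated into the request path unescaped on the new `GetJsonAsync` line, so a file name containing `/`, `?`, `#` or `%` either shifts the `name/{name}/{folderId}` route segments or is rejected before it reaches the action. Escape the segment, e.g. `return await GetJsonAsync($"{Apiurl}/name/{Uri.EscapeDataString(name)}/{folderId}");`. Whether file names are already restricted to a safe character set by the upload path is not visible in this patch, so the escape is the cheap defence regardless.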
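Review bot: The added `using System.Diagnostics.CodeAnalysis;` in the IFileService header hunk is not referenced by anything else this patch adds to the interface, so it looks like a leftover from an abandoned `[NotNull]`-style annotation; unless a later part of the file (outside these hunks) uses it, drop the line to avoid an unused-using warning.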
+++ b/Oqtane.Server/Controllers/FileController.cs
@@ -129,6 +129,22 @@ namespace Oqtane.Controllers
 }
 }
 
+ [HttpGet("name/{name}/{folderId}")]
+ public Models.File Get(string name, int folderId)
+ {
+ Models.File file = _files.GetFile(folderId, name);
+ if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, file.Folder.PermissionList))
+ {
+ return file;
+ }
+ else
+ {
+ _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {Name} For Folder {FolderId}", name, folderId);
+ HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+ return null;
+ }
+ }
+
 // PUT api//5
 [HttpPut("{id}")]
 [Authorize(Roles = RoleNames.Registered)]
diff --git a/Oqtane.Server/Controllers/FolderController.cs b/Oqtane.Server/Controllers/FolderController.cs
index b95f97f8..18c85c35 100644
--- a/Oqtane.Server/Controllers/FolderController.cs
+++ b/Oqtane.Server/Controllers/FolderController.cs
@@ -43,7 +43,7 @@ namespace Oqtane.Controllers
 {
 foreach (Folder folder in _folders.GetFolders(SiteId))
 {
- if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.PermissionList))
+ if (_userPermissions.IsAuthorized(User, PermissionNames.View, folder.PermissionList))
 {
 folders.Add(folder);
 }
@@ -64,7 +64,7 @@ namespace Oqtane.Controllers
 public Folder Get(int id)
 {
 Folder folder = _folders.GetFolder(id);
- if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.PermissionList))
+ if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, folder.PermissionList))
 {
 return folder;
 }
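Review bot: The new `Get(string name, int folderId)` dereferences `file.Folder.SiteId` and `file.Folder.PermissionList` without checking `file.Folder` for null; if `_files.GetFile(folderId, name)` does not populate the `Folder` navigation property (not visible here), an existing file produces a NullReferenceException and a 500 instead of the intended tenant and permission gate, i.e. the check fails open to an error rather than closed to a 403. Make the guard explicit: `if (file != null && file.Folder != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, file.Folder.PermissionList))`. Note also that a plain not-found takes the same 403 branch as a permission failure, which usefully avoids an existence oracle but means every guessed name is written to the security log at `LogLevel.Error`; consider whether the `file == null` case deserves a lower log level. The enclosing controller class continues outside the hunk.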
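Review bot: Folders whose permission list grants Browse but not View will disappear from the listing once the check on the `- if`/`+ if` pair in the `foreach` hunk is switched to `PermissionNames.View`, and folders granting View but not Browse become listable, so this is an authorization behaviour change rather than only a validation fix. If Browse entries still exist on deployed sites, either migrate them or accept both during a transition, e.g. `if (_userPermissions.IsAuthorized(User, PermissionNames.View, folder.PermissionList) || _userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.PermissionList))`. The method containing this loop starts before the hunk, so whether an outer check already covers this is not visible.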
@@ -85,7 +85,7 @@ namespace Oqtane.Controllers
 folderPath += "/";
 }
 Folder folder = _folders.GetFolder(siteId, folderPath);
- if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.PermissionList))
+ if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, folder.PermissionList))
 {
 return folder;
 }