add support for API permissions at the UI layer - including ability to delegate user, role, profile management

2023-01-09 11:38:25 -05:00
parent 1616f94b86
commit e136972cd7
50 changed files with 628 additions and 799 deletions
--- a/Oqtane.Client/Modules/Controls/PermissionGrid.razor
+++ b/Oqtane.Client/Modules/Controls/PermissionGrid.razor
@ -17,8 +17,8 @@
                        <th scope="col">@Localizer["Role"]</th>
                        @foreach (PermissionString permission in _permissions)
                        {
-                            <th style="text-align: center; width: 1px;">@Localizer[permission.PermissionName]</th>
-                        }
+							<th style="text-align: center; width: 1px;">@((MarkupString)GetPermissionName(permission).Replace(" ", "<br />"))</th>
+						}
                    </tr>
                    @foreach (Role role in _roles)
                    {
@ -28,7 +28,7 @@
                            {
                                var p = permission;
                                <td style="text-align: center;">
-                                    <TriStateCheckBox Value=@GetPermissionValue(p.Permissions, role.Name) Disabled=@GetPermissionDisabled(role.Name) OnChange="@(e => PermissionChanged(e, p.PermissionName, role.Name))" />
+									<TriStateCheckBox Value=@GetPermissionValue(p.Permissions, role.Name) Disabled="@GetPermissionDisabled(p.EntityName, p.PermissionName, role.Name)" OnChange="@(e => PermissionChanged(e, p.EntityName, p.PermissionName, role.Name))" />
                                </td>
                            }
                        </tr>
@ -66,7 +66,7 @@
                                {
                                    var p = permission;
                                    <td style="text-align: center; width: 1px;">
-                                        <TriStateCheckBox Value=@GetPermissionValue(p.Permissions, userid) Disabled=false OnChange="@(e => PermissionChanged(e, p.PermissionName, userid))" />
+										<TriStateCheckBox Value=@GetPermissionValue(p.Permissions, userid) Disabled="@GetPermissionDisabled(p.EntityName, p.PermissionName, "")" OnChange="@(e => PermissionChanged(e, p.EntityName, p.PermissionName, userid))" />
                                    </td>
                                }
                            </tr>
@ -129,10 +129,25 @@

 		_permissions = new List<PermissionString>();

-		foreach (string permissionname in _permissionnames.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
+		foreach (string permissionname in _permissionnames.Split(',', StringSplitOptions.RemoveEmptyEntries))
 		{
-			// initialize with admin role
-			_permissions.Add(new PermissionString { PermissionName = permissionname, Permissions = RoleNames.Admin });
+			// permission names can be in the form of "EntityName:PermissionName:Roles"
+			if (permissionname.Contains(":"))
+			{
+				var segments = permissionname.Split(':');
+				if (segments.Length == 3)
+				{
+					if (!segments[2].Contains(RoleNames.Admin))
+					{
+						segments[2] = RoleNames.Admin + ";" + segments[2]; // ensure admin access
+					}
+					_permissions.Add(new PermissionString { EntityName = segments[0], PermissionName = segments[1], Permissions = segments[2] });
+				}
+			}
+			else
+			{
+				_permissions.Add(new PermissionString { EntityName = EntityName, PermissionName = permissionname, Permissions = RoleNames.Admin });
+			}
 		}

 		if (!string.IsNullOrEmpty(Permissions))
@ -140,14 +155,15 @@
 			// populate permissions
 			foreach (PermissionString permissionstring in UserSecurity.GetPermissionStrings(Permissions))
 			{
-				if (_permissions.Find(item => item.PermissionName == permissionstring.PermissionName) != null)
+				int index = _permissions.FindIndex(item => item.EntityName == permissionstring.EntityName && item.PermissionName == permissionstring.PermissionName);
+				if (index != -1)
 				{
-					_permissions[_permissions.FindIndex(item => item.PermissionName == permissionstring.PermissionName)].Permissions = permissionstring.Permissions;
+					_permissions[index].Permissions = permissionstring.Permissions;
 				}

 				if (permissionstring.Permissions.Contains("["))
 				{
-					foreach (string user in permissionstring.Permissions.Split(new char[] { '[' }, StringSplitOptions.RemoveEmptyEntries))
+					foreach (string user in permissionstring.Permissions.Split('[', StringSplitOptions.RemoveEmptyEntries))
 					{
 						if (user.Contains("]"))
 						{
@ -163,6 +179,16 @@
 		}
 	}

+	private string GetPermissionName(PermissionString permission)
+	{
+		var permissionname = Localizer[permission.PermissionName].ToString();
+		if (!string.IsNullOrEmpty(EntityName))
+		{
+			permissionname += " " + Localizer[permission.EntityName].ToString();
+		}
+		return permissionname;
+	}
+
 	private bool? GetPermissionValue(string permissions, string securityKey)
 	{
 		if ((";" + permissions + ";").Contains(";" + "!" + securityKey + ";"))
@ -182,8 +208,24 @@
 		}
 	}

-	private bool GetPermissionDisabled(string roleName)
-		=> (roleName == RoleNames.Admin && !UserSecurity.IsAuthorized(PageState.User, RoleNames.Host)) ? true : false;
+	private bool GetPermissionDisabled(string entityName, string permissionName, string roleName)
+	{
+		if (roleName == RoleNames.Admin && !UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
+		{
+			return true;
+		}
+		else
+		{
+			if (entityName != EntityName && !UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
+			{
+				return true;
+			}
+			else
+			{
+				return false;
+			}
+		}
+	}

 	private async Task<Dictionary<string, string>> GetUsers(string filter)
 	{
@ -209,14 +251,15 @@
 		_user.Clear();
 	}

-	private void PermissionChanged(bool? value, string permissionName, string securityId)
+	private void PermissionChanged(bool? value, string entityName, string permissionName, string securityId)
 	{
 		var selected = value;
-		var permission = _permissions.Find(item => item.PermissionName == permissionName);
-		if (permission != null)
+		int index = _permissions.FindIndex(item => item.EntityName == entityName && item.PermissionName == permissionName);
+		if (index != -1)
 		{
-			var ids = permission.Permissions.Split(';').ToList();
+			var permission = _permissions[index];

+			var ids = permission.Permissions.Split(';').ToList();
 			ids.Remove(securityId); // remove grant permission
 			ids.Remove("!" + securityId); // remove deny permission

@ -232,7 +275,7 @@
 					break; // permission not specified
 			}

-			_permissions[_permissions.FindIndex(item => item.PermissionName == permissionName)].Permissions = string.Join(";", ids.ToArray());
+			_permissions[index].Permissions = string.Join(";", ids.ToArray());
 		}
 	}

@ -245,9 +288,9 @@
 	private void ValidatePermissions()
 	{
 		PermissionString permission;
-		for (int i = 0; i < _permissions.Count; i++)
+		for (int index = 0; index < _permissions.Count; index++)
 		{
-			permission = _permissions[i];
+			permission = _permissions[index];
 			List<string> ids = permission.Permissions.Split(';', StringSplitOptions.RemoveEmptyEntries).ToList();
 			ids.Remove("!" + RoleNames.Everyone); // remove deny all users
 			ids.Remove("!" + RoleNames.Unauthenticated); // remove deny unauthenticated
@ -263,7 +306,7 @@
 				}
 			}
 			permission.Permissions = string.Join(";", ids.ToArray());
-            _permissions[i] = permission;
+            _permissions[index] = permission;
        }
    }
 }