From e62268af2e3ba72fd2eed121c8284d61d2cb3931 Mon Sep 17 00:00:00 2001
From: Leigh Pointer
Date: Sat, 13 Dec 2025 21:56:05 +0100
Subject: [PATCH] Update TabStrip.razor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The authorization flow is:
• Host tabs: Only Host (Admin blocked by Step 1)
• Everything else: Admin bypasses, others check permissions
---
 Oqtane.Client/Modules/Controls/TabStrip.razor | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/Oqtane.Client/Modules/Controls/TabStrip.razor b/Oqtane.Client/Modules/Controls/TabStrip.razor
index 8fc5b2c7..a8402d86 100644
--- a/Oqtane.Client/Modules/Controls/TabStrip.razor
+++ b/Oqtane.Client/Modules/Controls/TabStrip.razor
@@ -96,16 +96,22 @@
     /// True if user is authorized to see this tab, false otherwise
     private bool IsAuthorized(TabPanel tabPanel)
     {
-        // Step 1: Host and Admin bypass all restrictions
-        if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host) ||
-            UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
+        // Step 1: Check for Host-only restriction
+        if (tabPanel.Security == SecurityAccessLevel.Host)
+        {
+            // Only Host users can access Host-level security tabs (Admin users are excluded)
+            return UserSecurity.IsAuthorized(PageState.User, RoleNames.Host);
+        }
+
+        // Step 2: Admin bypass all other restrictions
+        if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
         {
             return true;
         }
 
         var authorized = false;
 
-        // Step 2: Check standard SecurityAccessLevel
+        // Step 3: Check standard SecurityAccessLevel
         switch (tabPanel.Security)
         {
             case null:
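Review bot: The early return added in Step 1 decides a Host-level tab on role membership alone, so the RoleName and PermissionName "additional requirement" checks in the later steps are never applied to a tab whose Security is Host, even when the tab sets them. That mirrors how the Admin bypass in Step 2 already skips those checks, so it is consistent, but a reader of the later steps will assume they apply to every tab; the Step 1 comment should say so, e.g. `// Step 1: Host-level tabs are decided here on role alone (RoleName/PermissionName below are not applied to them)`. The XML summary for IsAuthorized begins before this hunk, and it should also note that Admin does not bypass Host-level tabs, since that is the behavioural change of this commit.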
@@ -120,15 +126,18 @@
             case SecurityAccessLevel.Edit:
                 authorized = UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, ModuleState.PermissionList);
                 break;
+            case SecurityAccessLevel.Host:
+                authorized = UserSecurity.IsAuthorized(PageState.User, RoleNames.Host);
+                break;
         }
 
-        // Step 3: Check RoleName if provided (additional requirement)
+        // Step 4: Check RoleName if provided (additional requirement)
         if (authorized && !string.IsNullOrEmpty(tabPanel.RoleName))
         {
             authorized = UserSecurity.IsAuthorized(PageState.User, tabPanel.RoleName);
         }
 
-        // Step 4: Check PermissionName if provided (additional requirement)
+        // Step 5: Check PermissionName if provided (additional requirement)
         if (authorized && !string.IsNullOrEmpty(tabPanel.PermissionName))
         {
             authorized = UserSecurity.IsAuthorized(PageState.User, tabPanel.PermissionName, ModuleState.PermissionList);
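Review bot: The added `case SecurityAccessLevel.Host:` is unreachable, because Step 1 in the previous hunk returns for every tab whose Security is Host before the switch is entered. Either remove the case, or if it is kept so the switch stays exhaustive should the early return ever be removed, annotate it: `case SecurityAccessLevel.Host: // unreachable today: Host tabs return from Step 1; kept so the switch covers every level`. Left unannotated, it suggests Host tabs flow through Steps 4 and 5, which they do not.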