Update TabStrip.razor

The authorization flow is: • Host tabs: Only Host (Admin blocked by Step 1) • Everything else: Admin bypasses, others check permissions
2025-12-13 21:56:05 +01:00
parent 01ad99b925
commit e62268af2e
1 changed files with 15 additions and 6 deletions
--- a/Oqtane.Client/Modules/Controls/TabStrip.razor
+++ b/Oqtane.Client/Modules/Controls/TabStrip.razor
@@ -96,16 +96,22 @@
    /// <returns>True if user is authorized to see this tab, false otherwise</returns>
    private bool IsAuthorized(TabPanel tabPanel)
    {
-        // Step 1: Host and Admin bypass all restrictions
+        // Step 1: Check for Host-only restriction
-        if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host) ||
+        if (tabPanel.Security == SecurityAccessLevel.Host)
-            UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
+        {
            // Only Host users can access Host-level security tabs (Admin users are excluded)
            return UserSecurity.IsAuthorized(PageState.User, RoleNames.Host);
        }
        // Step 2: Admin bypass all other restrictions
        if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Admin))
        {
            return true;
        }
        var authorized = false;
-        // Step 2: Check standard SecurityAccessLevel
+        // Step 3: Check standard SecurityAccessLevel
        switch (tabPanel.Security)
        {
            case null:
@@ -120,15 +126,18 @@
            case SecurityAccessLevel.Edit:
                authorized = UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, ModuleState.PermissionList);
                break;
            case SecurityAccessLevel.Host:
                authorized = UserSecurity.IsAuthorized(PageState.User, RoleNames.Host);
                break;
        }
-        // Step 3: Check RoleName if provided (additional requirement)
+        // Step 4: Check RoleName if provided (additional requirement)
        if (authorized && !string.IsNullOrEmpty(tabPanel.RoleName))
        {
            authorized = UserSecurity.IsAuthorized(PageState.User, tabPanel.RoleName);
        }
-        // Step 4: Check PermissionName if provided (additional requirement)
+        // Step 5: Check PermissionName if provided (additional requirement)
        if (authorized && !string.IsNullOrEmpty(tabPanel.PermissionName))
        {
            authorized = UserSecurity.IsAuthorized(PageState.User, tabPanel.PermissionName, ModuleState.PermissionList);