Diplomarbeit-Absolventenverein/oqtane.framework
10
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

adjust permissions for new settings

Browse Source
This commit is contained in:
Shaun Walker
2021-12-10 10:20:03 -05:00
parent 2f34bf69e3
commit e95b49ba8f
1 changed files with 46 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
Oqtane.Server/Controllers/SettingController.cs
View File

@ -33,20 +33,35 @@ namespace Oqtane.Controllers
// GET: api/<controller> // GET: api/<controller>
[HttpGet] [HttpGet]
public IEnumerable<Setting> Get(string entityname, int entityid) public IEnumerable<Setting> Get(string entityName, int entityid)
{ {
List<Setting> settings = new List<Setting>(); List<Setting> settings = new List<Setting>();
if (IsAuthorized(entityname, entityid, PermissionNames.View)) if (IsAuthorized(entityName, entityid, PermissionNames.View))
{ {
settings = _settings.GetSettings(entityname, entityid).ToList(); settings = _settings.GetSettings(entityName, entityid).ToList();
if (entityname == EntityNames.Site && !User.IsInRole(RoleNames.Admin))
// ispublic filter
switch (entityName)
{ {
settings = settings.Where(item => item.IsPublic).ToList(); case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
case EntityNames.Host:
if (!User.IsInRole(RoleNames.Host))
{
settings = settings.Where(item => item.IsPublic).ToList();
}
break;
case EntityNames.Site:
if (!User.IsInRole(RoleNames.Admin))
{
settings = settings.Where(item => item.IsPublic).ToList();
}
break;
} }
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityname, entityid); _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityName, entityid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
return settings; return settings;
@ -59,10 +74,25 @@ namespace Oqtane.Controllers
Setting setting = _settings.GetSetting(entityName, id); Setting setting = _settings.GetSetting(entityName, id);
if (IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.View)) if (IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.View))
{ {
if (setting.EntityName == EntityNames.Site && !User.IsInRole(RoleNames.Admin) && !setting.IsPublic) // ispublic filter
switch (entityName)
{ {
setting = null; case EntityNames.Tenant:
case EntityNames.ModuleDefinition:
case EntityNames.Host:
if (!User.IsInRole(RoleNames.Host) && !setting.IsPublic)
{
setting = null;
}
break;
case EntityNames.Site:
if (!User.IsInRole(RoleNames.Admin) && !setting.IsPublic)
{
setting = null;
}
break;
} }
return setting; return setting;
} }
else else
@ -142,7 +172,14 @@ namespace Oqtane.Controllers
case EntityNames.Tenant: case EntityNames.Tenant:
case EntityNames.ModuleDefinition: case EntityNames.ModuleDefinition:
case EntityNames.Host: case EntityNames.Host:
authorized = User.IsInRole(RoleNames.Host); if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Host);
}
else
{
authorized = true;
}
break; break;
case EntityNames.Site: case EntityNames.Site:
if (permissionName == PermissionNames.Edit) if (permissionName == PermissionNames.Edit)