further optimization of permissions - removed reference to Role to reduce API payload and minimize information disclosure

2023-03-10 08:28:37 -05:00
parent 78adb24a75
commit ef4e99b3a7
7 changed files with 58 additions and 51 deletions
--- a/Oqtane.Client/Modules/Controls/PermissionGrid.razor
+++ b/Oqtane.Client/Modules/Controls/PermissionGrid.razor
@ -167,7 +167,7 @@
 							_permissions.Add(new Permission(ModuleState.SiteId, segments[0], segments[1], role, null, true));
 						}
 						// ensure admin access
-						if (!_permissions.Any(item => item.EntityName == segments[0] && item.PermissionName == segments[1] && item.Role.Name == RoleNames.Admin))
+						if (!_permissions.Any(item => item.EntityName == segments[0] && item.PermissionName == segments[1] && item.RoleName == RoleNames.Admin))
 						{
 							_permissions.Add(new Permission(ModuleState.SiteId, segments[0], segments[1], RoleNames.Admin, null, true));
 						}
@ -203,7 +203,7 @@
 		bool? isauthorized = null;
 		if (roleName != "")
 		{
-			var permission = _permissions.FirstOrDefault(item => item.EntityName == GetEntityName(permissionName) && item.PermissionName == GetPermissionName(permissionName) && item.Role.Name == roleName);
+			var permission = _permissions.FirstOrDefault(item => item.EntityName == GetEntityName(permissionName) && item.PermissionName == GetPermissionName(permissionName) && item.RoleName == roleName);
 			if (permission != null)
 			{
 				isauthorized = permission.IsAuthorized;
@ -243,7 +243,7 @@
 	{
 		if (roleName != "")
 		{
-			var permission = _permissions.FirstOrDefault(item => item.EntityName == GetEntityName(permissionName) && item.PermissionName == GetPermissionName(permissionName) && item.Role.Name == roleName);
+			var permission = _permissions.FirstOrDefault(item => item.EntityName == GetEntityName(permissionName) && item.PermissionName == GetPermissionName(permissionName) && item.RoleName == roleName);
 			if (permission != null)
 			{
 				_permissions.Remove(permission);
@ -307,7 +307,7 @@
 	{
 		// remove deny all users, unauthenticated, and registered users
 		var permissions = _permissions.Where(item => !item.IsAuthorized && 
-			(item.Role.Name == RoleNames.Everyone || item.Role.Name == RoleNames.Unauthenticated || item.Role.Name == RoleNames.Registered)).ToList();
+			(item.RoleName == RoleNames.Everyone || item.RoleName == RoleNames.Unauthenticated || item.RoleName == RoleNames.Registered)).ToList();
 		foreach (var permission in permissions)
 		{
 			_permissions.Remove(permission);
@ -316,7 +316,7 @@
 		{
 			// remove deny administrators and host users
 			permissions = _permissions.Where(item => !item.IsAuthorized &&
-				(item.Role.Name == RoleNames.Admin || item.Role.Name == RoleNames.Host)).ToList();
+				(item.RoleName == RoleNames.Admin || item.RoleName == RoleNames.Host)).ToList();
 			foreach (var permission in permissions)
 			{
 				_permissions.Remove(permission);
@ -325,7 +325,7 @@
 			{
 				// add administrators role if neither host or administrator is assigned
 				if (!_permissions.Any(item => item.EntityName == GetEntityName(permissionname) && item.PermissionName == GetPermissionName(permissionname) &&
-					(item.Role.Name == RoleNames.Admin || item.Role.Name == RoleNames.Host)))
+					(item.RoleName == RoleNames.Admin || item.RoleName == RoleNames.Host)))
 				{
 					_permissions.Add(new Permission(ModuleState.SiteId, GetEntityName(permissionname), GetPermissionName(permissionname), RoleNames.Admin, null, true));
 				}
--- a/Oqtane.Client/Themes/Controls/Container/ModuleActionsBase.cs
+++ b/Oqtane.Client/Themes/Controls/Container/ModuleActionsBase.cs
@ -137,11 +137,11 @@ namespace Oqtane.Themes.Controls
        private async Task<string> Publish(string url, PageModule pagemodule)
        {
            var permissions = pagemodule.Module.PermissionList;
-            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Everyone))
+            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Everyone))
            {
                permissions.Add(new Permission(ModuleState.SiteId, EntityNames.Page, pagemodule.PageId, PermissionNames.View, RoleNames.Everyone, null, true));
            }
-            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Registered))
+            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Registered))
            {
                permissions.Add(new Permission(ModuleState.SiteId, EntityNames.Page, pagemodule.PageId, PermissionNames.View, RoleNames.Registered, null, true));
            }
@ -153,13 +153,13 @@ namespace Oqtane.Themes.Controls
        private async Task<string> Unpublish(string url, PageModule pagemodule)
        {
            var permissions = pagemodule.Module.PermissionList;
-            if (permissions.Any(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Everyone))
+            if (permissions.Any(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Everyone))
            {
-                permissions.Remove(permissions.First(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Everyone));
+                permissions.Remove(permissions.First(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Everyone));
            }
-            if (permissions.Any(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Registered))
+            if (permissions.Any(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Registered))
            {
-                permissions.Remove(permissions.First(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Registered));
+                permissions.Remove(permissions.First(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Registered));
            }
            pagemodule.Module.PermissionList = permissions;
            await ModuleService.UpdateModuleAsync(pagemodule.Module);
--- a/Oqtane.Client/Themes/Controls/Theme/ControlPanel.razor
+++ b/Oqtane.Client/Themes/Controls/Theme/ControlPanel.razor
@ -537,11 +537,11 @@
 		if (UserSecurity.IsAuthorized(PageState.User, PermissionNames.Edit, PageState.Page.PermissionList))
 		{
 			var permissions = PageState.Page.PermissionList;
-            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Everyone))
+            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Everyone))
            {
 				permissions.Add(new Permission(PageState.Site.SiteId, EntityNames.Page, PageState.Page.PageId, PermissionNames.View, RoleNames.Everyone, null, true));
            }
-            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.Role.Name == RoleNames.Registered))
+            if (!permissions.Any(item => item.PermissionName == PermissionNames.View && item.RoleName == RoleNames.Registered))
            {
 				permissions.Add(new Permission(PageState.Site.SiteId, EntityNames.Page, PageState.Page.PageId, PermissionNames.View, RoleNames.Registered, null, true));
            }