limit management of user settings to host users

2025-12-15 11:16:37 -05:00
parent c539f41ebf
commit f5f00c51c1
2 changed files with 430 additions and 436 deletions
--- a/Oqtane.Client/Modules/Admin/Users/Index.razor
+++ b/Oqtane.Client/Modules/Admin/Users/Index.razor
@@ -60,41 +60,25 @@ else
                </Row>
            </Pager>
        </TabPanel>
-        <TabPanel Name="Settings" Heading="Settings" ResourceKey="Settings" Security="SecurityAccessLevel.Admin">
+        <TabPanel Name="Settings" Heading="Settings" ResourceKey="Settings" Security="SecurityAccessLevel.Host">
            <div class="container">
                <Section Name="User" Heading="User Settings" ResourceKey="UserSettings">
                    <div class="row mb-1 align-items-center">
-                        <Label Class="col-sm-3" For="allowregistration" HelpText="Do you want anonymous visitors to be able to register for an account on the site" ResourceKey="AllowRegistration">Allow User Registration?</Label>
+                        <Label Class="col-sm-3" For="allowsitelogin" HelpText="Do you want to allow users to sign in using a username and password that is managed locally on this site? Note that you should only disable this option if you have already successfully configured an alternative login method, or else you may lock yourself out of the site." ResourceKey="AllowSiteLogin">Allow Local Login?</Label>
                        <div class="col-sm-9">
-                            <select id="allowregistration" class="form-select" @bind="@_allowregistration">
+                            <select id="allowsitelogin" class="form-select" @bind="@_allowsitelogin">
                                <option value="true">@SharedLocalizer["Yes"]</option>
                                <option value="false">@SharedLocalizer["No"]</option>
                            </select>
                        </div>
                    </div>
                    @if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
                    {
                        @if (_allowregistration == "true")
                        {
                    <div class="row mb-1 align-items-center">
-                                <Label Class="col-sm-3" For="registerurl" HelpText="Optionally provide a custom registration url" ResourceKey="RegisterUrl">Register Url:</Label>
+                        <Label Class="col-sm-3" For="twofactor" HelpText="Do you want users to use two factor authentication? Note that you should use the Disabled option until you have successfully verified that the Notification Job in Scheduled Jobs is enabled and your SMTP options in Site Settings are configured or else you will lock yourself out." ResourceKey="TwoFactor">Use 2FA?</Label>
                        <div class="col-sm-9">
-                                    <input id="registerurl" class="form-control" @bind="@_registerurl" />
+                            <select id="twofactor" class="form-select" @bind="@_twofactor">
-                                </div>
+                                <option value="false">@Localizer["Disabled"]</option>
-                            </div>
+                                <option value="true">@Localizer["Optional"]</option>
-                        }
+                                <option value="required">@Localizer["Required"]</option>
                        <div class="row mb-1 align-items-center">
                            <Label Class="col-sm-3" For="profileurl" HelpText="Optionally provide a custom profile url" ResourceKey="ProfileUrl">Profile Url:</Label>
                            <div class="col-sm-9">
                                <input id="profileurl" class="form-control" @bind="@_profileurl" />
                            </div>
                        </div>
                        <div class="row mb-1 align-items-center">
                            <Label Class="col-sm-3" For="requireconfirmedemail" HelpText="Do you want to require registered users to verify their email address before they are allowed to log in?" ResourceKey="RequireConfirmedEmail">Require Verified Email?</Label>
                            <div class="col-sm-9">
                                <select id="requireconfirmedemail" class="form-select" @bind="@_requireconfirmedemail">
                                    <option value="true">@SharedLocalizer["Yes"]</option>
                                    <option value="false">@SharedLocalizer["No"]</option>
                            </select>
                        </div>
                    </div>
@@ -117,15 +101,38 @@ else
                        </div>
                    </div>
                    <div class="row mb-1 align-items-center">
-                            <Label Class="col-sm-3" For="twofactor" HelpText="Do you want users to use two factor authentication? Note that you should use the Disabled option until you have successfully verified that the Notification Job in Scheduled Jobs is enabled and your SMTP options in Site Settings are configured or else you will lock yourself out." ResourceKey="TwoFactor">Two Factor Authentication?</Label>
+                        <Label Class="col-sm-3" For="allowregistration" HelpText="Do you want anonymous visitors to be able to register for an account on the site" ResourceKey="AllowRegistration">Allow User Registration?</Label>
                        <div class="col-sm-9">
-                                <select id="twofactor" class="form-select" @bind="@_twofactor">
+                            <select id="allowregistration" class="form-select" @bind="@_allowregistration">
-                                    <option value="false">@Localizer["Disabled"]</option>
+                                <option value="true">@SharedLocalizer["Yes"]</option>
-                                    <option value="true">@Localizer["Optional"]</option>
+                                <option value="false">@SharedLocalizer["No"]</option>
                                    <option value="required">@Localizer["Required"]</option>
                            </select>
                        </div>
                    </div>
                    @if (_allowregistration == "true")
                    {
                        <div class="row mb-1 align-items-center">
                            <Label Class="col-sm-3" For="registerurl" HelpText="Optionally provide a custom registration url" ResourceKey="RegisterUrl">Register Url:</Label>
                            <div class="col-sm-9">
                                <input id="registerurl" class="form-control" @bind="@_registerurl" />
                            </div>
                        </div>
                    }
                    <div class="row mb-1 align-items-center">
                        <Label Class="col-sm-3" For="requireconfirmedemail" HelpText="Do you want to require registered users to verify their email address before they are allowed to log in?" ResourceKey="RequireConfirmedEmail">Require Verified Email?</Label>
                        <div class="col-sm-9">
                            <select id="requireconfirmedemail" class="form-select" @bind="@_requireconfirmedemail">
                                <option value="true">@SharedLocalizer["Yes"]</option>
                                <option value="false">@SharedLocalizer["No"]</option>
                            </select>
                        </div>
                    </div>
                    <div class="row mb-1 align-items-center">
                        <Label Class="col-sm-3" For="profileurl" HelpText="Optionally provide a custom profile url" ResourceKey="ProfileUrl">Profile Url:</Label>
                        <div class="col-sm-9">
                            <input id="profileurl" class="form-control" @bind="@_profileurl" />
                        </div>
                    </div>
                    <div class="row mb-1 align-items-center">
                        <Label Class="col-sm-3" For="cookiename" HelpText="You can choose to use a custom authentication cookie name for each site. However please be aware that if you want to share an authentication cookie between sites on the same domain they need to use a consistent cookie name. Also be aware that changing the authentication cookie name will logout all current users." ResourceKey="CookieName">Cookie Name:</Label>
                        <div class="col-sm-9">
@@ -162,10 +169,7 @@ else
                            </select>
                        </div>
                    </div>
                    }
                </Section>
                @if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
                {
                <Section Name="Password" Heading="Password Settings" ResourceKey="PasswordSettings">
                    <div class="row mb-1 align-items-center">
                        <Label Class="col-sm-3" For="minimumlength" HelpText="The Minimum Length For A Password" ResourceKey="RequiredLength">Minimum Length:</Label>
@@ -490,15 +494,6 @@ else
                                    </select>
                                </div>
                            </div>
                                <div class="row mb-1 align-items-center">
                                    <Label Class="col-sm-3" For="allowsitelogin" HelpText="Do you want to allow users to sign in using a username and password that is managed locally on this site? Note that you should only disable this option if you have already sucessfully configured an external login provider, or else you may lock yourself out of the site." ResourceKey="AllowSiteLogin">Allow Local Login?</Label>
                                    <div class="col-sm-9">
                                        <select id="allowsitelogin" class="form-select" @bind="@_allowsitelogin">
                                            <option value="true">@SharedLocalizer["Yes"]</option>
                                            <option value="false">@SharedLocalizer["No"]</option>
                                        </select>
                                    </div>
                                </div>
                        }
                    }
                </Section>
@@ -540,7 +535,6 @@ else
                        </div>
                    </div>					
                </Section>
                }
            </div>
            <br />
            <button type="button" class="btn btn-success" @onclick="SaveSiteSettings">@SharedLocalizer["Save"]</button>
@@ -553,13 +547,14 @@ else
    private string _deleted = "false";
    private int _page = 1;
-    private string _allowregistration;
+    private string _allowsitelogin;
-    private string _registerurl;
+    private string _twofactor;
    private string _profileurl;
    private string _requireconfirmedemail;
    private string _loginlink;
    private string _passkeys;
-    private string _twofactor;
+    private string _allowregistration;
    private string _registerurl;
    private string _requireconfirmedemail;
    private string _profileurl;
    private string _cookiename;
    private string _cookiedomain;
    private string _cookieexpiration;
@@ -609,7 +604,6 @@ else
    private string _createusers;
    private string _verifyusers;
    private string _allowhostrole;
    private string _allowsitelogin;
    private string _secret;
    private string _secrettype = "password";
@@ -633,12 +627,13 @@ else
        if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
        {
-            _registerurl = SettingService.GetSetting(settings, "LoginOptions:RegisterUrl", "");
+            _allowsitelogin = SettingService.GetSetting(settings, "LoginOptions:AllowSiteLogin", "true");
-            _profileurl = SettingService.GetSetting(settings, "LoginOptions:ProfileUrl", "");
+            _twofactor = SettingService.GetSetting(settings, "LoginOptions:TwoFactor", "false");
            _requireconfirmedemail = SettingService.GetSetting(settings, "LoginOptions:RequireConfirmedEmail", "true");
            _loginlink = SettingService.GetSetting(settings, "LoginOptions:LoginLink", "false");
            _passkeys = SettingService.GetSetting(settings, "LoginOptions:Passkeys", "false");
-            _twofactor = SettingService.GetSetting(settings, "LoginOptions:TwoFactor", "false");
+            _registerurl = SettingService.GetSetting(settings, "LoginOptions:RegisterUrl", "");
            _requireconfirmedemail = SettingService.GetSetting(settings, "LoginOptions:RequireConfirmedEmail", "true");
            _profileurl = SettingService.GetSetting(settings, "LoginOptions:ProfileUrl", "");
            _cookiename = SettingService.GetSetting(settings, "LoginOptions:CookieName", ".AspNetCore.Identity.Application");
            _cookiedomain = SettingService.GetSetting(settings, "LoginOptions:CookieDomain", "");
            _cookieexpiration = SettingService.GetSetting(settings, "LoginOptions:CookieExpiration", "");
@@ -700,7 +695,6 @@ else
        _createusers = SettingService.GetSetting(settings, "ExternalLogin:CreateUsers", "true");
        _verifyusers = SettingService.GetSetting(settings, "ExternalLogin:VerifyUsers", "true");
        _allowhostrole = SettingService.GetSetting(settings, "ExternalLogin:AllowHostRole", "false");
        _allowsitelogin = SettingService.GetSetting(settings, "LoginOptions:AllowSiteLogin", "true");
    }
    private async Task LoadUsersAsync()
@@ -764,6 +758,8 @@ else
    private async Task SaveSiteSettings()
    {
        try
        {
            if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
            {
                var site = PageState.Site;
                site.AllowRegistration = bool.Parse(_allowregistration);
@@ -771,14 +767,13 @@ else
                var settings = await SettingService.GetSiteSettingsAsync(site.SiteId);
-            if (UserSecurity.IsAuthorized(PageState.User, RoleNames.Host))
+                settings = SettingService.SetSetting(settings, "LoginOptions:AllowSiteLogin", _allowsitelogin, false);
-            {
+                settings = SettingService.SetSetting(settings, "LoginOptions:TwoFactor", _twofactor, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:RegisterUrl", _registerurl, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:ProfileUrl", _profileurl, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:RequireConfirmedEmail", _requireconfirmedemail, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:LoginLink", _loginlink, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:Passkeys", _passkeys, false);
-                settings = SettingService.SetSetting(settings, "LoginOptions:TwoFactor", _twofactor, false);
+                settings = SettingService.SetSetting(settings, "LoginOptions:RegisterUrl", _registerurl, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:RequireConfirmedEmail", _requireconfirmedemail, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:ProfileUrl", _profileurl, false);
                settings = SettingService.SetSetting(settings, "LoginOptions:CookieName", _cookiename, true);
                settings = SettingService.SetSetting(settings, "LoginOptions:CookieDomain", _cookiedomain, true);
                settings = SettingService.SetSetting(settings, "LoginOptions:CookieExpiration", _cookieexpiration, true);
@@ -824,16 +819,15 @@ else
                settings = SettingService.SetSetting(settings, "ExternalLogin:CreateUsers", _createusers, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:VerifyUsers", _verifyusers, true);
                settings = SettingService.SetSetting(settings, "ExternalLogin:AllowHostRole", _allowhostrole, true);
                settings = SettingService.SetSetting(settings, "LoginOptions:AllowSiteLogin", _allowsitelogin, false);
                settings = SettingService.SetSetting(settings, "JwtOptions:Secret", _secret, true);
                settings = SettingService.SetSetting(settings, "JwtOptions:Issuer", _issuer, true);
                settings = SettingService.SetSetting(settings, "JwtOptions:Audience", _audience, true);
                settings = SettingService.SetSetting(settings, "JwtOptions:Lifetime", _lifetime, true);
            }
                await SettingService.UpdateSiteSettingsAsync(settings, site.SiteId);
                await SettingService.ClearSiteSettingsCacheAsync();
            }
            if (!string.IsNullOrEmpty(_secret))
            {
--- a/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
+++ b/Oqtane.Client/Resources/Modules/Admin/Users/Index.resx
@@ -217,7 +217,7 @@
    <value>Unique Characters:</value>
  </data>
  <data name="AllowSiteLogin.HelpText" xml:space="preserve">
-    <value>Do you want to allow users to sign in using a username and password that is managed locally on this site? Note that you should only disable this option if you have already sucessfully configured an external login provider, or else you may lock yourself out of the site.</value>
+    <value>Do you want to allow users to sign in using a username and password that is managed locally on this site? Note that you should only disable this option if you have already successfully configured an alternate login method, or else you may lock yourself out of the site.</value>
  </data>
  <data name="AllowSiteLogin.Text" xml:space="preserve">
    <value>Allow Local Login?</value>
@@ -370,7 +370,7 @@
    <value>Do you want users to use two factor authentication? Note that you should use the Disabled option until you have successfully verified that the Notification Job in Scheduled Jobs is enabled and your SMTP options in Site Settings are configured or else you will lock yourself out.</value>
  </data>
  <data name="TwoFactor.Text" xml:space="preserve">
-    <value>Two Factor Authentication?</value>
+    <value>Use 2FA?</value>
  </data>
  <data name="RequireConfirmedEmail.HelpText" xml:space="preserve">
    <value>Do you want to require registered users to verify their email address before they are allowed to log in?</value>