kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

improve notification add and update methods

Browse Source
This commit is contained in:
sbwalker 2025-02-10 09:50:21 -05:00
parent 60faacd7d0
commit 324e985247
1 changed files with 38 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
Oqtane.Server/Controllers/NotificationController.cs
View File

@ -155,7 +155,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Notification Post([FromBody] Notification notification) public Notification Post([FromBody] Notification notification)
{ {
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && IsAuthorized(notification.FromUserId)) if (ModelState.IsValid && notification.SiteId == _alias.SiteId && (IsAuthorized(notification.FromUserId) || (notification.FromUserId == null && User.IsInRole(RoleNames.Admin))))
{ {
if (!User.IsInRole(RoleNames.Admin)) if (!User.IsInRole(RoleNames.Admin))
{ {
@ -181,17 +181,45 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Notification Put(int id, [FromBody] Notification notification) public Notification Put(int id, [FromBody] Notification notification)
{ {
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId))) if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null)
{ {
if (!User.IsInRole(RoleNames.Admin) && notification.FromUserId != null) bool update = false;
if (IsAuthorized(notification.FromUserId))
{ {
// content must be HTML encoded for non-admins to prevent HTML injection // notification belongs to current authenticated user - update is allowed
notification.Subject = WebUtility.HtmlEncode(notification.Subject); if (!User.IsInRole(RoleNames.Admin))
notification.Body = WebUtility.HtmlEncode(notification.Body); {
// content must be HTML encoded for non-admins to prevent HTML injection
notification.Subject = WebUtility.HtmlEncode(notification.Subject);
notification.Body = WebUtility.HtmlEncode(notification.Body);
}
update = true;
}
else
{
if (IsAuthorized(notification.ToUserId))
{
// notification was sent to current authenticated user - only isread and isdeleted properties can be updated
var isread = notification.IsRead;
var isdeleted = notification.IsDeleted;
notification = _notifications.GetNotification(notification.NotificationId);
notification.IsRead = isread;
notification.IsDeleted = isdeleted;
update = true;
}
}
if (update)
{
notification = _notifications.UpdateNotification(notification);
_syncManager.AddSyncEvent(_alias, EntityNames.Notification, notification.NotificationId, SyncEventActions.Update);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Notification Updated {NotificationId}", notification.NotificationId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Put Attempt {Notification}", notification);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
notification = null;
} }
notification = _notifications.UpdateNotification(notification);
_syncManager.AddSyncEvent(_alias, EntityNames.Notification, notification.NotificationId, SyncEventActions.Update);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Notification Updated {NotificationId}", notification.NotificationId);
} }
else else
{ {
@ -223,7 +251,7 @@ namespace Oqtane.Controllers
private bool IsAuthorized(int? userid) private bool IsAuthorized(int? userid)
{ {
bool authorized = User.IsInRole(RoleNames.Admin); bool authorized = false;
if (userid != null) if (userid != null)
{ {
authorized = (_userPermissions.GetUser(User).UserId == userid); authorized = (_userPermissions.GetUser(User).UserId == userid);