kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Scope permissions by SiteId to support entity level authorization as well as improve caching and performance. Optimize GetTenant to use existing cache.

Browse Source
This commit is contained in:
Shaun Walker 2022-11-07 18:16:32 -05:00
parent 2aa6eb90e2
commit 6182b96d16
19 changed files with 103 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Oqtane.Server/Controllers/FileController.cs
View File

@ -137,8 +137,8 @@ namespace Oqtane.Controllers
{
var File = _files.GetFile(file.FileId, false);
if (ModelState.IsValid && file.Folder.SiteId == _alias.SiteId && File != null // ensure file exists
&& _userPermissions.IsAuthorized(User, EntityNames.Folder, File.FolderId, PermissionNames.Edit) // ensure user had edit rights to original folder
&& _userPermissions.IsAuthorized(User, EntityNames.Folder, file.FolderId, PermissionNames.Edit)) // ensure user has edit rights to new folder
&& _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, File.FolderId, PermissionNames.Edit) // ensure user had edit rights to original folder
&& _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, file.FolderId, PermissionNames.Edit)) // ensure user has edit rights to new folder
{
if (File.Name != file.Name || File.FolderId != file.FolderId)
{
@ -180,7 +180,7 @@ namespace Oqtane.Controllers
public void Delete(int id)
{
Models.File file = _files.GetFile(id);
if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Folder, file.Folder.FolderId, PermissionNames.Edit))
if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, file.Folder.SiteId, EntityNames.Folder, file.Folder.FolderId, PermissionNames.Edit))
{
string filepath = _files.GetFilePath(file);
if (System.IO.File.Exists(filepath))

6
Oqtane.Server/Controllers/FolderController.cs
View File

@ -157,7 +157,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)]
public Folder Put(int id, [FromBody] Folder folder)
{
if (ModelState.IsValid && folder.SiteId == _alias.SiteId && _folders.GetFolder(folder.FolderId, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Folder, folder.FolderId, PermissionNames.Edit))
if (ModelState.IsValid && folder.SiteId == _alias.SiteId && _folders.GetFolder(folder.FolderId, false) != null && _userPermissions.IsAuthorized(User, folder.SiteId, EntityNames.Folder, folder.FolderId, PermissionNames.Edit))
{
if (folder.IsPathValid())
{
@ -199,7 +199,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)]
public void Put(int siteid, int folderid, int? parentid)
{
if (siteid == _alias.SiteId && _folders.GetFolder(folderid, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Folder, folderid, PermissionNames.Edit))
if (siteid == _alias.SiteId && _folders.GetFolder(folderid, false) != null && _userPermissions.IsAuthorized(User, siteid, EntityNames.Folder, folderid, PermissionNames.Edit))
{
int order = 1;
List<Folder> folders = _folders.GetFolders(siteid).ToList();
@ -228,7 +228,7 @@ namespace Oqtane.Controllers
public void Delete(int id)
{
var folder = _folders.GetFolder(id, false);
if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Folder, id, PermissionNames.Edit))
if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, folder.SiteId, EntityNames.Folder, id, PermissionNames.Edit))
{
if (Directory.Exists(_folders.GetFolderPath(folder)))
{

10
Oqtane.Server/Controllers/ModuleController.cs
View File

@ -121,7 +121,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)]
public Module Post([FromBody] Module module)
{
if (ModelState.IsValid && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, module.PageId, PermissionNames.Edit))
if (ModelState.IsValid && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Page, module.PageId, PermissionNames.Edit))
{
module = _modules.AddModule(module);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Module, module.ModuleId, SyncEventActions.Create);
@ -144,7 +144,7 @@ namespace Oqtane.Controllers
{
var _module = _modules.GetModule(module.ModuleId, false);
if (ModelState.IsValid && module.SiteId == _alias.SiteId && _module != null && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
if (ModelState.IsValid && module.SiteId == _alias.SiteId && _module != null && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
{
module = _modules.UpdateModule(module);
@ -194,7 +194,7 @@ namespace Oqtane.Controllers
public void Delete(int id)
{
var module = _modules.GetModule(id);
if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
{
_modules.DeleteModule(id);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Module, module.ModuleId, SyncEventActions.Delete);
@ -215,7 +215,7 @@ namespace Oqtane.Controllers
{
string content = "";
var module = _modules.GetModule(moduleid);
if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Page, pageid, PermissionNames.Edit))
{
content = _modules.ExportModule(moduleid);
if (!string.IsNullOrEmpty(content))
@ -242,7 +242,7 @@ namespace Oqtane.Controllers
{
bool success = false;
var module = _modules.GetModule(moduleid);
if (ModelState.IsValid && module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
if (ModelState.IsValid && module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, module.SiteId, EntityNames.Page, pageid, PermissionNames.Edit))
{
success = _modules.ImportModule(moduleid, content);
if (success)

10
Oqtane.Server/Controllers/PageController.cs
View File

@ -253,10 +253,10 @@ namespace Oqtane.Controllers
// get current page
var currentPage = _pages.GetPage(page.PageId, false);
if (ModelState.IsValid && page.SiteId == _alias.SiteId && currentPage != null && _userPermissions.IsAuthorized(User, EntityNames.Page, page.PageId, PermissionNames.Edit))
if (ModelState.IsValid && page.SiteId == _alias.SiteId && currentPage != null && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, page.PageId, PermissionNames.Edit))
{
// get current page permissions
var currentPermissions = _permissionRepository.GetPermissions(EntityNames.Page, page.PageId).ToList();
var currentPermissions = _permissionRepository.GetPermissions(page.SiteId, EntityNames.Page, page.PageId).ToList();
page = _pages.UpdatePage(page);
@ -283,7 +283,7 @@ namespace Oqtane.Controllers
{
foreach (PageModule pageModule in _pageModules.GetPageModules(page.PageId, "").ToList())
{
var modulePermissions = _permissionRepository.GetPermissions(EntityNames.Module, pageModule.Module.ModuleId).ToList();
var modulePermissions = _permissionRepository.GetPermissions(pageModule.Module.SiteId, EntityNames.Module, pageModule.Module.ModuleId).ToList();
// permissions added
foreach(Permission permission in added)
{
@ -346,7 +346,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)]
public void Put(int siteid, int pageid, int? parentid)
{
if (siteid == _alias.SiteId && siteid == _alias.SiteId && _pages.GetPage(pageid, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
if (siteid == _alias.SiteId && siteid == _alias.SiteId && _pages.GetPage(pageid, false) != null && _userPermissions.IsAuthorized(User, siteid, EntityNames.Page, pageid, PermissionNames.Edit))
{
int order = 1;
List<Page> pages = _pages.GetPages(siteid).ToList();
@ -377,7 +377,7 @@ namespace Oqtane.Controllers
public void Delete(int id)
{
Page page = _pages.GetPage(id);
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, page.PageId, PermissionNames.Edit))
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, page.PageId, PermissionNames.Edit))
{
_pages.DeletePage(page.PageId);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Page, page.PageId, SyncEventActions.Delete);

8
Oqtane.Server/Controllers/PageModuleController.cs
View File

@ -73,7 +73,7 @@ namespace Oqtane.Controllers
public PageModule Post([FromBody] PageModule pageModule)
{
var page = _pages.GetPage(pageModule.PageId);
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageModule.PageId, PermissionNames.Edit))
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, pageModule.PageId, PermissionNames.Edit))
{
pageModule = _pageModules.AddPageModule(pageModule);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.PageModule, pageModule.PageModuleId, SyncEventActions.Create);
@ -95,7 +95,7 @@ namespace Oqtane.Controllers
public PageModule Put(int id, [FromBody] PageModule pageModule)
{
var page = _pages.GetPage(pageModule.PageId);
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && _pageModules.GetPageModule(pageModule.PageModuleId, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Page, pageModule.PageId, PermissionNames.Edit))
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && _pageModules.GetPageModule(pageModule.PageModuleId, false) != null && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, pageModule.PageId, PermissionNames.Edit))
{
pageModule = _pageModules.UpdatePageModule(pageModule);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.PageModule, pageModule.PageModuleId, SyncEventActions.Update);
@ -117,7 +117,7 @@ namespace Oqtane.Controllers
public void Put(int pageid, string pane)
{
var page = _pages.GetPage(pageid);
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, page.SiteId, EntityNames.Page, pageid, PermissionNames.Edit))
{
int order = 1;
List<PageModule> pagemodules = _pageModules.GetPageModules(pageid, pane).OrderBy(item => item.Order).ToList();
@ -147,7 +147,7 @@ namespace Oqtane.Controllers
public void Delete(int id)
{
PageModule pagemodule = _pageModules.GetPageModule(id);
if (pagemodule != null && pagemodule.Module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pagemodule.PageId, PermissionNames.Edit))
if (pagemodule != null && pagemodule.Module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, pagemodule.Module.SiteId, EntityNames.Page, pagemodule.PageId, PermissionNames.Edit))
{
_pageModules.DeletePageModule(id);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.PageModule, pagemodule.PageModuleId, SyncEventActions.Delete);

8
Oqtane.Server/Controllers/SettingController.cs
View File

@ -206,7 +206,7 @@ namespace Oqtane.Controllers
case EntityNames.Page:
case EntityNames.Module:
case EntityNames.Folder:
authorized = _userPermissions.IsAuthorized(User, entityName, entityId, permissionName);
authorized = _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, permissionName);
break;
case EntityNames.User:
authorized = true;
@ -228,7 +228,7 @@ namespace Oqtane.Controllers
default: // custom entity
if (permissionName == PermissionNames.Edit)
{
authorized = User.IsInRole(RoleNames.Admin) || _userPermissions.IsAuthorized(User, entityName, entityId, permissionName);
authorized = User.IsInRole(RoleNames.Admin) || _userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, permissionName);
}
else
{
@ -255,7 +255,7 @@ namespace Oqtane.Controllers
case EntityNames.Page:
case EntityNames.Module:
case EntityNames.Folder:
filter = !_userPermissions.IsAuthorized(User, entityName, entityId, PermissionNames.Edit);
filter = !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, PermissionNames.Edit);
break;
case EntityNames.User:
filter = !User.IsInRole(RoleNames.Admin) && _userPermissions.GetUser(User).UserId != entityId;
@ -271,7 +271,7 @@ namespace Oqtane.Controllers
}
break;
default: // custom entity
filter = !User.IsInRole(RoleNames.Admin) && !_userPermissions.IsAuthorized(User, entityName, entityId, PermissionNames.Edit);
filter = !User.IsInRole(RoleNames.Admin) && !_userPermissions.IsAuthorized(User, _alias.SiteId, entityName, entityId, PermissionNames.Edit);
break;
}
return filter;

3
Oqtane.Server/Infrastructure/TenantManager.cs
View File

@ -72,8 +72,7 @@ namespace Oqtane.Infrastructure
var alias = _siteState?.Alias;
if (alias != null)
{
// return tenant details
return _tenantRepository.GetTenants().ToList().FirstOrDefault(item => item.TenantId == alias.TenantId);
return _tenantRepository.GetTenant(alias.TenantId);
}
return null;
}

8
Oqtane.Server/Repository/FileRepository.cs
View File

@ -28,9 +28,9 @@ namespace Oqtane.Repository
public IEnumerable<File> GetFiles(int folderId)
{
IEnumerable<Permission> permissions = _permissions.GetPermissions(EntityNames.Folder, folderId).ToList();
IEnumerable<File> files = _db.File.Where(item => item.FolderId == folderId).Include(item => item.Folder);
var alias = _tenants.GetAlias();
IEnumerable<Permission> permissions = _permissions.GetPermissions(alias.SiteId, EntityNames.Folder, folderId).ToList();
IEnumerable<File> files = _db.File.Where(item => item.FolderId == folderId).Include(item => item.Folder);
foreach (File file in files)
{
file.Folder.Permissions = permissions.EncodePermissions();
@ -76,7 +76,7 @@ namespace Oqtane.Repository
}
if (file != null)
{
IEnumerable<Permission> permissions = _permissions.GetPermissions(EntityNames.Folder, file.FolderId).ToList();
IEnumerable<Permission> permissions = _permissions.GetPermissions(file.Folder.SiteId, EntityNames.Folder, file.FolderId).ToList();
file.Folder.Permissions = permissions.EncodePermissions();
file.Url = GetFileUrl(file, _tenants.GetAlias());
}
@ -93,7 +93,7 @@ namespace Oqtane.Repository
if (file != null)
{
IEnumerable<Permission> permissions = _permissions.GetPermissions(EntityNames.Folder, file.FolderId).ToList();
IEnumerable<Permission> permissions = _permissions.GetPermissions(file.Folder.SiteId, EntityNames.Folder, file.FolderId).ToList();
file.Folder.Permissions = permissions.EncodePermissions();
file.Url = GetFileUrl(file, _tenants.GetAlias());
}

4
Oqtane.Server/Repository/FolderRepository.cs
View File

@ -69,7 +69,7 @@ namespace Oqtane.Repository
}
if (folder != null)
{
folder.Permissions = _permissions.GetPermissionString(EntityNames.Folder, folder.FolderId);
folder.Permissions = _permissions.GetPermissions(folder.SiteId, EntityNames.Folder, folder.FolderId)?.EncodePermissions();
}
return folder;
}
@ -79,7 +79,7 @@ namespace Oqtane.Repository
Folder folder = _db.Folder.Where(item => item.SiteId == siteId && item.Path == path).FirstOrDefault();
if (folder != null)
{
folder.Permissions = _permissions.GetPermissionString(EntityNames.Folder, folder.FolderId);
folder.Permissions = _permissions.GetPermissions(folder.SiteId, EntityNames.Folder, folder.FolderId)?.EncodePermissions();
}
return folder;
}

1
Oqtane.Server/Repository/Interfaces/IModuleDefinitionRepository.cs
View File

@ -8,7 +8,6 @@ namespace Oqtane.Repository
IEnumerable<ModuleDefinition> GetModuleDefinitions();
IEnumerable<ModuleDefinition> GetModuleDefinitions(int siteId);
ModuleDefinition GetModuleDefinition(int moduleDefinitionId, int siteId);
ModuleDefinition GetModuleDefinition(int moduleDefinitionId, bool tracking);
void UpdateModuleDefinition(ModuleDefinition moduleDefinition);
void DeleteModuleDefinition(int moduleDefinitionId);
}

11
Oqtane.Server/Repository/Interfaces/IPermissionRepository.cs
View File

@ -8,13 +8,10 @@ namespace Oqtane.Repository
public interface IPermissionRepository
{
IEnumerable<Permission> GetPermissions(int siteId, string entityName);
IEnumerable<Permission> GetPermissions(string entityName, int entityId);
IEnumerable<Permission> GetPermissions(string entityName, int entityId, string permissionName);
string GetPermissionString(int siteId, string entityName);
string GetPermissionString(string entityName, int entityId);
string GetPermissionString(string entityName, int entityId, string permissionName);
IEnumerable<Permission> GetPermissions(int siteId, string entityName, string permissionName);
IEnumerable<Permission> GetPermissions(int siteId, string entityName, int entityId);
IEnumerable<Permission> GetPermissions(int siteId, string entityName, int entityId, string permissionName);
Permission AddPermission(Permission permission);
Permission UpdatePermission(Permission permission);
void UpdatePermissions(int siteId, string entityName, int entityId, string permissionStrings);

18
Oqtane.Server/Repository/ModuleDefinitionRepository.cs
View File

@ -42,24 +42,6 @@ namespace Oqtane.Repository
return moduledefinitions.Find(item => item.ModuleDefinitionId == moduleDefinitionId);
}
public ModuleDefinition GetModuleDefinition(int moduleDefinitionId, bool tracking)
{
ModuleDefinition moduledefinition;
if (tracking)
{
moduledefinition = _db.ModuleDefinition.Find(moduleDefinitionId);
}
else
{
moduledefinition = _db.ModuleDefinition.AsNoTracking().FirstOrDefault(item => item.ModuleDefinitionId == moduleDefinitionId);
}
if (moduledefinition != null)
{
moduledefinition.Permissions = _permissions.GetPermissionString(EntityNames.ModuleDefinition, moduledefinition.ModuleDefinitionId);
}
return moduledefinition;
}
public void UpdateModuleDefinition(ModuleDefinition moduleDefinition)
{
_db.Entry(moduleDefinition).State = EntityState.Modified;

3
Oqtane.Server/Repository/ModuleRepository.cs
View File

@ -4,6 +4,7 @@ using System.Linq;
using System.Text.Json;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Oqtane.Extensions;
using Oqtane.Models;
using Oqtane.Modules;
using Oqtane.Shared;
@ -67,7 +68,7 @@ namespace Oqtane.Repository
}
if (module != null)
{
module.Permissions = _permissions.GetPermissionString(EntityNames.Module, module.ModuleId);
module.Permissions = _permissions.GetPermissions(module.SiteId, EntityNames.Module, module.ModuleId)?.EncodePermissions();
}
return module;
}

4
Oqtane.Server/Repository/PageModuleRepository.cs
View File

@ -89,7 +89,7 @@ namespace Oqtane.Repository
}
if (pagemodule != null)
{
pagemodule.Module.Permissions = _permissions.GetPermissionString(EntityNames.Module, pagemodule.ModuleId);
pagemodule.Module.Permissions = _permissions.GetPermissions(pagemodule.Module.SiteId, EntityNames.Module, pagemodule.ModuleId)?.EncodePermissions();
}
return pagemodule;
}
@ -100,7 +100,7 @@ namespace Oqtane.Repository
.SingleOrDefault(item => item.PageId == pageId && item.ModuleId == moduleId);
if (pagemodule != null)
{
pagemodule.Module.Permissions = _permissions.GetPermissionString(EntityNames.Module, pagemodule.ModuleId);
pagemodule.Module.Permissions = _permissions.GetPermissions(pagemodule.Module.SiteId, EntityNames.Module, pagemodule.ModuleId)?.EncodePermissions();
}
return pagemodule;
}

6
Oqtane.Server/Repository/PageRepository.cs
View File

@ -66,7 +66,7 @@ namespace Oqtane.Repository
}
if (page != null)
{
page.Permissions = _permissions.GetPermissionString(EntityNames.Page, page.PageId);
page.Permissions = _permissions.GetPermissions(page.SiteId, EntityNames.Page, page.PageId)?.EncodePermissions();
}
return page;
}
@ -81,7 +81,7 @@ namespace Oqtane.Repository
{
page = personalized;
}
page.Permissions = _permissions.GetPermissionString(EntityNames.Page, page.PageId);
page.Permissions = _permissions.GetPermissions(page.SiteId, EntityNames.Page, page.PageId)?.EncodePermissions();
}
return page;
}
@ -91,7 +91,7 @@ namespace Oqtane.Repository
Page page = _db.Page.FirstOrDefault(item => item.Path == path && item.SiteId == siteId);
if (page != null)
{
page.Permissions = _permissions.GetPermissionString(EntityNames.Page, page.PageId);
page.Permissions = _permissions.GetPermissions(page.SiteId, EntityNames.Page, page.PageId)?.EncodePermissions();
}
return page;
}

59
Oqtane.Server/Repository/PermissionRepository.cs
View File

@ -4,7 +4,6 @@ using System.Linq;
using System.Text;
using System.Text.Json;
using Microsoft.EntityFrameworkCore;
using Oqtane.Extensions;
using Oqtane.Models;
using Microsoft.Extensions.Caching.Memory;
using Oqtane.Infrastructure;
@ -29,58 +28,44 @@ namespace Oqtane.Repository
public IEnumerable<Permission> GetPermissions(int siteId, string entityName)
{
var alias = _siteState?.Alias;
if (alias != null && alias.SiteId != -1)
if (alias != null)
{
return _cache.GetOrCreate($"permissions:{alias.SiteKey}:{entityName}", entry =>
return _cache.GetOrCreate($"permissions:{alias.TenantId}:{siteId}:{entityName}", entry =>
{
entry.SlidingExpiration = TimeSpan.FromMinutes(30);
return _db.Permission.Where(item => item.SiteId == alias.SiteId)
return _db.Permission.Where(item => item.SiteId == siteId)
.Where(item => item.EntityName == entityName)
.Include(item => item.Role).ToList(); // eager load roles
});
}
else
{
return _db.Permission.Where(item => item.SiteId == siteId || siteId == -1)
.Where(item => item.EntityName == entityName)
.Include(item => item.Role).ToList(); // eager load roles
}
return null;
}
public IEnumerable<Permission> GetPermissions(string entityName, int entityId)
public IEnumerable<Permission> GetPermissions(int siteId, string entityName, string permissionName)
{
var permissions = GetPermissions(-1, entityName);
var permissions = GetPermissions(siteId, entityName);
return permissions.Where(item => item.PermissionName == permissionName);
}
public IEnumerable<Permission> GetPermissions(int siteId, string entityName, int entityId)
{
var permissions = GetPermissions(siteId, entityName);
return permissions.Where(item => item.EntityId == entityId);
}
public IEnumerable<Permission> GetPermissions(string entityName, int entityId, string permissionName)
public IEnumerable<Permission> GetPermissions(int siteId, string entityName, int entityId, string permissionName)
{
var permissions = GetPermissions(-1, entityName);
var permissions = GetPermissions(siteId, entityName);
return permissions.Where(item => item.EntityId == entityId)
.Where(item => item.PermissionName == permissionName);
}
public string GetPermissionString(int siteId, string entityName)
{
return GetPermissions(siteId, entityName)?.EncodePermissions();
}
public string GetPermissionString(string entityName, int entityId)
{
return GetPermissions(entityName, entityId)?.EncodePermissions();
}
public string GetPermissionString(string entityName, int entityId, string permissionName)
{
return GetPermissions(entityName, entityId, permissionName)?.EncodePermissions();
}
public Permission AddPermission(Permission permission)
{
_db.Permission.Add(permission);
_db.SaveChanges();
ClearCache(permission.EntityName);
ClearCache(permission.SiteId, permission.EntityName);
return permission;
}
@ -88,7 +73,7 @@ namespace Oqtane.Repository
{
_db.Entry(permission).State = EntityState.Modified;
_db.SaveChanges();
ClearCache(permission.EntityName);
ClearCache(permission.SiteId, permission.EntityName);
return permission;
}
@ -110,7 +95,7 @@ namespace Oqtane.Repository
_db.Permission.Add(permission);
}
_db.SaveChanges();
ClearCache(entityName);
ClearCache(siteId, entityName);
}
public Permission GetPermission(int permissionId)
@ -123,7 +108,7 @@ namespace Oqtane.Repository
Permission permission = _db.Permission.Find(permissionId);
_db.Permission.Remove(permission);
_db.SaveChanges();
ClearCache(permission.EntityName);
ClearCache(permission.SiteId, permission.EntityName);
}
public void DeletePermissions(int siteId, string entityName, int entityId)
@ -137,15 +122,15 @@ namespace Oqtane.Repository
_db.Permission.Remove(permission);
}
_db.SaveChanges();
ClearCache(entityName);
ClearCache(siteId, entityName);
}
private void ClearCache(string entityName)
private void ClearCache(int siteId, string entityName)
{
var alias = _siteState?.Alias;
if (alias != null && alias.SiteId != -1)
if (alias != null)
{
_cache.Remove($"permissions:{alias.SiteKey}:{entityName}");
_cache.Remove($"permissions:{alias.TenantId}:{siteId}:{entityName}");
}
}

4
Oqtane.Server/Repository/TenantRepository.cs
View File

@ -1,4 +1,4 @@
using System;
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.EntityFrameworkCore;
@ -53,7 +53,7 @@ namespace Oqtane.Repository
public Tenant GetTenant(int tenantId)
{
return _db.Tenant.Find(tenantId);
return GetTenants().FirstOrDefault(item => item.TenantId == tenantId);
}
public void DeleteTenant(int tenantId)

32
Oqtane.Server/Security/PermissionHandler.cs
View File

@ -2,6 +2,7 @@ using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Oqtane.Enums;
using Oqtane.Extensions;
using Oqtane.Infrastructure;
using Oqtane.Shared;
@ -9,24 +10,30 @@ namespace Oqtane.Security
{
public class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
private readonly IHttpContextAccessor _httpContextAccessor;
private readonly IHttpContextAccessor _accessor;
private readonly IUserPermissions _userPermissions;
private readonly ILogManager _logger;
public PermissionHandler(IHttpContextAccessor httpContextAccessor, IUserPermissions userPermissions, ILogManager logger)
public PermissionHandler(IHttpContextAccessor accessor, IUserPermissions userPermissions, ILogManager logger)
{
_httpContextAccessor = httpContextAccessor;
_accessor = accessor;
_userPermissions = userPermissions;
_logger = logger;
}
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionRequirement requirement)
{
// permission is scoped based on entitynames and ids passed as querystring parameters
var ctx = _httpContextAccessor.HttpContext;
// permission is scoped based on entity name and in some cases entity id
var ctx = _accessor.HttpContext;
if (ctx != null)
{
// get entityid based on a parameter format of auth{entityname}id (ie. authmoduleid )
int siteId = -1;
if (ctx.GetAlias() != null)
{
siteId = ctx.GetAlias().SiteId;
}
// get entityid from querystring based on a parameter format of auth{entityname}id (ie. authmoduleid )
int entityId = -1;
if (ctx.Request.Query.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
{
@ -36,7 +43,7 @@ namespace Oqtane.Security
}
}
// legacy support
// legacy support for deprecated CreateAuthorizationPolicyUrl(string url, int entityId)
if (entityId == -1)
{
if (ctx.Request.Query.ContainsKey("entityid"))
@ -49,13 +56,20 @@ namespace Oqtane.Security
}
// validate permissions
if (entityId != -1 && _userPermissions.IsAuthorized(context.User, requirement.EntityName, entityId, requirement.PermissionName))
if (_userPermissions.IsAuthorized(context.User, siteId, requirement.EntityName, entityId, requirement.PermissionName))
{
context.Succeed(requirement);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName}:{EntityId}", context.User, requirement.PermissionName, requirement.EntityName, entityId);
if (entityId == -1)
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName} Entity", context.User.Identity.Name, requirement.PermissionName, requirement.EntityName);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "User {User} Does Not Have {PermissionName} Permission For {EntityName} Entity With ID {EntityId}", context.User.Identity.Name, requirement.PermissionName, requirement.EntityName, entityId);
}
}
}
return Task.CompletedTask;

17
Oqtane.Server/Security/UserPermissions.cs
View File

@ -3,15 +3,20 @@ using Oqtane.Models;
using System.Linq;
using System.Security.Claims;
using Oqtane.Repository;
using Oqtane.Extensions;
using System;
namespace Oqtane.Security
{
public interface IUserPermissions
{
bool IsAuthorized(ClaimsPrincipal user, string entityName, int entityId, string permissionName);
bool IsAuthorized(ClaimsPrincipal user, int siteId, string entityName, int entityId, string permissionName);
bool IsAuthorized(ClaimsPrincipal user, string permissionName, string permissions);
User GetUser(ClaimsPrincipal user);
User GetUser();
[Obsolete("IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName) is deprecated. Use IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName) instead.", false)]
bool IsAuthorized(ClaimsPrincipal user, string entityName, int entityId, string permissionName);
}
public class UserPermissions : IUserPermissions
@ -25,9 +30,9 @@ namespace Oqtane.Security
_accessor = accessor;
}
public bool IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName)
public bool IsAuthorized(ClaimsPrincipal principal, int siteId, string entityName, int entityId, string permissionName)
{
return IsAuthorized(principal, permissionName, _permissions.GetPermissionString(entityName, entityId, permissionName));
return IsAuthorized(principal, permissionName, _permissions.GetPermissions(siteId, entityName, entityId, permissionName)?.EncodePermissions());
}
public bool IsAuthorized(ClaimsPrincipal principal, string permissionName, string permissions)
@ -73,5 +78,11 @@ namespace Oqtane.Security
return null;
}
}
// deprecated
public bool IsAuthorized(ClaimsPrincipal principal, string entityName, int entityId, string permissionName)
{
return IsAuthorized(principal, permissionName, _permissions.GetPermissions(_accessor.HttpContext.GetAlias().SiteId, entityName, entityId, permissionName)?.EncodePermissions());
}
}
}