kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Improve validation and error handling in Controller methods

Browse Source
This commit is contained in:
Shaun Walker 2021-06-07 15:29:08 -04:00
parent 54cd360bb5
commit 82c05a841f
38 changed files with 922 additions and 435 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Oqtane.Client/Modules/Admin/Files/Edit.razor
View File

@ -61,10 +61,12 @@
@if (!_isSystem) @if (!_isSystem)
{ {
<button type="button" class="btn btn-success" @onclick="SaveFolder">@Localizer["Save"]</button> <button type="button" class="btn btn-success" @onclick="SaveFolder">@Localizer["Save"]</button>
@((MarkupString)"&nbsp;")
} }
<NavLink class="btn btn-secondary" href="@NavigateUrl()">@Localizer["Cancel"]</NavLink> <NavLink class="btn btn-secondary" href="@NavigateUrl()">@Localizer["Cancel"]</NavLink>
@if (!_isSystem && PageState.QueryString.ContainsKey("id")) @if (!_isSystem && PageState.QueryString.ContainsKey("id"))
{ {
@((MarkupString)"&nbsp;")
<ActionDialog Header="Delete Folder" Message="Are You Sure You Wish To Delete This Folder?" Action="Delete" Security="SecurityAccessLevel.Admin" Class="btn btn-danger" OnClick="@(async () => await DeleteFolder())" ResourceKey="DeleteFolder" /> <ActionDialog Header="Delete Folder" Message="Are You Sure You Wish To Delete This Folder?" Action="Delete" Security="SecurityAccessLevel.Admin" Class="btn btn-danger" OnClick="@(async () => await DeleteFolder())" ResourceKey="DeleteFolder" />
} }
<br /> <br />

155
Oqtane.Server/Controllers/FileController.cs
View File

@ -30,14 +30,16 @@ namespace Oqtane.Controllers
private readonly IFolderRepository _folders; private readonly IFolderRepository _folders;
private readonly IUserPermissions _userPermissions; private readonly IUserPermissions _userPermissions;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias;
public FileController(IWebHostEnvironment environment, IFileRepository files, IFolderRepository folders, IUserPermissions userPermissions, ILogManager logger) public FileController(IWebHostEnvironment environment, IFileRepository files, IFolderRepository folders, IUserPermissions userPermissions, ILogManager logger, ITenantManager tenantManager)
{ {
_environment = environment; _environment = environment;
_files = files; _files = files;
_folders = folders; _folders = folders;
_userPermissions = userPermissions; _userPermissions = userPermissions;
_logger = logger; _logger = logger;
_alias = tenantManager.GetAlias();
} }
// GET: api/<controller>?folder=x // GET: api/<controller>?folder=x
@ -48,11 +50,17 @@ namespace Oqtane.Controllers
int folderid; int folderid;
if (int.TryParse(folder, out folderid)) if (int.TryParse(folder, out folderid))
{ {
Folder f = _folders.GetFolder(folderid); Folder Folder = _folders.GetFolder(folderid);
if (f != null && _userPermissions.IsAuthorized(User, PermissionNames.Browse, f.Permissions)) if (Folder != null && Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Browse, Folder.Permissions))
{ {
files = _files.GetFiles(folderid).ToList(); files = _files.GetFiles(folderid).ToList();
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {FolderId}", folder);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
files = null;
}
} }
else else
{ {
@ -67,6 +75,12 @@ namespace Oqtane.Controllers
} }
} }
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {Folder}", folder);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
files = null;
}
} }
return files; return files;
@ -76,27 +90,18 @@ namespace Oqtane.Controllers
[HttpGet("{siteId}/{path}")] [HttpGet("{siteId}/{path}")]
public IEnumerable<Models.File> Get(int siteId, string path) public IEnumerable<Models.File> Get(int siteId, string path)
{ {
var folderPath = WebUtility.UrlDecode(path);
Folder folder = _folders.GetFolder(siteId, folderPath);
List<Models.File> files; List<Models.File> files;
if (folder != null)
{ Folder folder = _folders.GetFolder(siteId, WebUtility.UrlDecode(path));
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions)) if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{ {
files = _files.GetFiles(folder.FolderId).ToList(); files = _files.GetFiles(folder.FolderId).ToList();
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Folder {folder}", folder); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {SiteId} {Path}", siteId, path);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; files = null;
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "Folder Not Found {SiteId} {Path}", siteId, path);
HttpContext.Response.StatusCode = 404;
return null;
} }
return files; return files;
@ -107,23 +112,14 @@ namespace Oqtane.Controllers
public Models.File Get(int id) public Models.File Get(int id)
{ {
Models.File file = _files.GetFile(id); Models.File file = _files.GetFile(id);
if (file != null) if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, file.Folder.Permissions))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.View, file.Folder.Permissions))
{ {
return file; return file;
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access File {File}", file); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {FileId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "File Not Found {FileId}", id);
HttpContext.Response.StatusCode = 404;
return null; return null;
} }
} }
@ -133,19 +129,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Models.File Put(int id, [FromBody] Models.File file) public Models.File Put(int id, [FromBody] Models.File file)
{ {
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Folder, file.FolderId, PermissionNames.Edit)) var File = _files.GetFile(file.FileId, false);
if (ModelState.IsValid && File != null && File.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Folder, file.FolderId, PermissionNames.Edit))
{ {
file.Folder = _folders.GetFolder(file.FolderId); if (File.Name != file.Name || File.FolderId != file.FolderId)
Models.File _file = _files.GetFile(id, false);
if (_file.Name != file.Name || _file.FolderId != file.FolderId)
{ {
string folderpath = _folders.GetFolderPath(file.Folder); string folderpath = _folders.GetFolderPath(file.Folder);
if (!Directory.Exists(folderpath)) if (!Directory.Exists(folderpath))
{ {
Directory.CreateDirectory(folderpath); Directory.CreateDirectory(folderpath);
} }
System.IO.File.Move(_files.GetFilePath(File), Path.Combine(folderpath, file.Name));
System.IO.File.Move(_files.GetFilePath(_file), Path.Combine(folderpath, file.Name));
} }
file.Extension = Path.GetExtension(file.Name).ToLower().Replace(".", ""); file.Extension = Path.GetExtension(file.Name).ToLower().Replace(".", "");
@ -154,8 +148,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update File {File}", file); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Put Attempt {File}", file);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
file = null; file = null;
} }
@ -168,9 +162,7 @@ namespace Oqtane.Controllers
public void Delete(int id) public void Delete(int id)
{ {
Models.File file = _files.GetFile(id); Models.File file = _files.GetFile(id);
if (file != null) if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Folder, file.Folder.FolderId, PermissionNames.Edit))
{
if (_userPermissions.IsAuthorized(User, EntityNames.Folder, file.Folder.FolderId, PermissionNames.Edit))
{ {
_files.DeleteFile(id); _files.DeleteFile(id);
@ -184,14 +176,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete File {FileId}", id); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Delete Attempt {FileId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "File Not Found {FileId}", id);
HttpContext.Response.StatusCode = 404;
} }
} }
@ -200,34 +186,31 @@ namespace Oqtane.Controllers
public Models.File UploadFile(string url, string folderid) public Models.File UploadFile(string url, string folderid)
{ {
Models.File file = null; Models.File file = null;
Folder folder = _folders.GetFolder(int.Parse(folderid));
if (folder == null || !_userPermissions.IsAuthorized(User, PermissionNames.Edit, folder.Permissions)) Folder folder = null;
int FolderId;
if (int.TryParse(folderid, out FolderId))
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, folder = _folders.GetFolder(FolderId);
"User Not Authorized To Download File {Url} {FolderId}", url, folderid);
HttpContext.Response.StatusCode = 401;
return file;
} }
if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Edit, folder.Permissions))
{
string folderPath = _folders.GetFolderPath(folder); string folderPath = _folders.GetFolderPath(folder);
CreateDirectory(folderPath); CreateDirectory(folderPath);
string filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1); string filename = url.Substring(url.LastIndexOf("/", StringComparison.Ordinal) + 1);
// check for allowable file extensions // check for allowable file extensions
if (!Constants.UploadableFiles.Split(',') if (!Constants.UploadableFiles.Split(',').Contains(Path.GetExtension(filename).ToLower().Replace(".", "")))
.Contains(Path.GetExtension(filename).ToLower().Replace(".", "")))
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, _logger.Log(LogLevel.Error, this, LogFunction.Create, "File Could Not Be Downloaded From Url Due To Its File Extension {Url}", url);
"File Could Not Be Downloaded From Url Due To Its File Extension {Url}", url);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict; HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
return file; return file;
} }
if (!filename.IsPathOrFileValid()) if (!filename.IsPathOrFileValid())
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, _logger.Log(LogLevel.Error, this, LogFunction.Create, $"File Could Not Be Downloaded From Url Due To Its File Name Not Allowed {url}");
$"File Could Not Be Downloaded From Url Due To Its File Name Not Allowed {url}");
HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict; HttpContext.Response.StatusCode = (int)HttpStatusCode.Conflict;
return file; return file;
} }
@ -247,8 +230,13 @@ namespace Oqtane.Controllers
} }
catch catch
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, _logger.Log(LogLevel.Error, this, LogFunction.Create, "File Could Not Be Downloaded From Url {Url}", url);
"File Could Not Be Downloaded From Url {Url}", url); }
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Upload Attempt {FolderId} {Url}", folderid, url);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
return file; return file;
@ -271,25 +259,25 @@ namespace Oqtane.Controllers
string folderPath = ""; string folderPath = "";
if (int.TryParse(folder, out int folderId)) int FolderId;
if (int.TryParse(folder, out FolderId))
{ {
Folder virtualFolder = _folders.GetFolder(folderId); Folder Folder = _folders.GetFolder(FolderId);
if (virtualFolder != null && if (Folder != null && Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Edit, Folder.Permissions))
_userPermissions.IsAuthorized(User, PermissionNames.Edit, virtualFolder.Permissions))
{ {
folderPath = _folders.GetFolderPath(virtualFolder); folderPath = _folders.GetFolderPath(Folder);
} }
} }
else else
{ {
FolderId = -1;
if (User.IsInRole(RoleNames.Host)) if (User.IsInRole(RoleNames.Host))
{ {
folderPath = GetFolderPath(folder); folderPath = GetFolderPath(folder);
folderId = -1;
} }
} }
if (!String.IsNullOrEmpty(folderPath)) if (!string.IsNullOrEmpty(folderPath))
{ {
CreateDirectory(folderPath); CreateDirectory(folderPath);
using (var stream = new FileStream(Path.Combine(folderPath, file.FileName), FileMode.Create)) using (var stream = new FileStream(Path.Combine(folderPath, file.FileName), FileMode.Create))
@ -298,16 +286,15 @@ namespace Oqtane.Controllers
} }
string upload = await MergeFile(folderPath, file.FileName); string upload = await MergeFile(folderPath, file.FileName);
if (upload != "" && folderId != -1) if (upload != "" && FolderId != -1)
{ {
_files.AddFile(CreateFile(upload, folderId, Path.Combine(folderPath, upload))); _files.AddFile(CreateFile(upload, FolderId, Path.Combine(folderPath, upload)));
} }
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Upload Attempt {Folder} {File}", folder, file);
"User Not Authorized To Upload File {Folder} {File}", folder, file); HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
HttpContext.Response.StatusCode = 401;
} }
} }
@ -466,9 +453,7 @@ namespace Oqtane.Controllers
private IActionResult Download(int id, bool asAttachment) private IActionResult Download(int id, bool asAttachment)
{ {
var file = _files.GetFile(id); var file = _files.GetFile(id);
if (file != null) if (file != null && file.Folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, file.Folder.Permissions))
{
if (_userPermissions.IsAuthorized(User, PermissionNames.View, file.Folder.Permissions))
{ {
var filepath = _files.GetFilePath(file); var filepath = _files.GetFilePath(file);
if (System.IO.File.Exists(filepath)) if (System.IO.File.Exists(filepath))
@ -478,20 +463,16 @@ namespace Oqtane.Controllers
: PhysicalFile(filepath, file.GetMimeType()); : PhysicalFile(filepath, file.GetMimeType());
return result; return result;
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "File Does Not Exist {FileId} {FilePath}", id, filepath); _logger.Log(LogLevel.Error, this, LogFunction.Read, "File Does Not Exist {FileId} {FilePath}", id, filepath);
HttpContext.Response.StatusCode = 404; HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access File {FileId}", id);
HttpContext.Response.StatusCode = 401;
} }
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "File Not Found {FileId}", id); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Access Attempt {FileId}", id);
HttpContext.Response.StatusCode = 404; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
string errorPath = Path.Combine(GetFolderPath("images"), "error.png"); string errorPath = Path.Combine(GetFolderPath("images"), "error.png");

81
Oqtane.Server/Controllers/FolderController.cs
View File

@ -21,16 +21,16 @@ namespace Oqtane.Controllers
private readonly IWebHostEnvironment _environment; private readonly IWebHostEnvironment _environment;
private readonly IFolderRepository _folders; private readonly IFolderRepository _folders;
private readonly IUserPermissions _userPermissions; private readonly IUserPermissions _userPermissions;
private readonly ITenantManager _tenantManager;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias;
public FolderController(IWebHostEnvironment environment, IFolderRepository folders, IUserPermissions userPermissions, ITenantManager tenantManager, ILogManager logger) public FolderController(IWebHostEnvironment environment, IFolderRepository folders, IUserPermissions userPermissions, ILogManager logger, ITenantManager tenantManager)
{ {
_environment = environment; _environment = environment;
_folders = folders; _folders = folders;
_userPermissions = userPermissions; _userPermissions = userPermissions;
_tenantManager = tenantManager;
_logger = logger; _logger = logger;
_alias = tenantManager.GetAlias();
} }
// GET: api/<controller>?siteid=x // GET: api/<controller>?siteid=x
@ -38,13 +38,23 @@ namespace Oqtane.Controllers
public IEnumerable<Folder> Get(string siteid) public IEnumerable<Folder> Get(string siteid)
{ {
List<Folder> folders = new List<Folder>(); List<Folder> folders = new List<Folder>();
foreach (Folder folder in _folders.GetFolders(int.Parse(siteid))) int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
foreach (Folder folder in _folders.GetFolders(SiteId))
{ {
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions)) if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{ {
folders.Add(folder); folders.Add(folder);
} }
} }
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
folders = null;
}
return folders; return folders;
} }
@ -53,14 +63,14 @@ namespace Oqtane.Controllers
public Folder Get(int id) public Folder Get(int id)
{ {
Folder folder = _folders.GetFolder(id); Folder folder = _folders.GetFolder(id);
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions)) if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{ {
return folder; return folder;
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Folder {Folder}", folder); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {FolderId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
@ -74,23 +84,14 @@ namespace Oqtane.Controllers
folderPath = Utilities.PathCombine(folderPath, System.IO.Path.DirectorySeparatorChar.ToString()); folderPath = Utilities.PathCombine(folderPath, System.IO.Path.DirectorySeparatorChar.ToString());
} }
Folder folder = _folders.GetFolder(siteId, folderPath); Folder folder = _folders.GetFolder(siteId, folderPath);
if (folder != null) if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
if (_userPermissions.IsAuthorized(User, PermissionNames.Browse, folder.Permissions))
{ {
return folder; return folder;
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Folder {Folder}", _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {Path} For Site {SiteId}", path, siteId);
folder); HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
HttpContext.Response.StatusCode = 401;
return null;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Read, "Folder not found {path}",
path);
HttpContext.Response.StatusCode = 401;
return null; return null;
} }
} }
@ -100,7 +101,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Folder Post([FromBody] Folder folder) public Folder Post([FromBody] Folder folder)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && folder.SiteId == _alias.SiteId)
{ {
string permissions; string permissions;
if (folder.ParentId != null) if (folder.ParentId != null)
@ -129,17 +130,23 @@ namespace Oqtane.Controllers
else else
{ {
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Name Not Valid {Folder}", folder); _logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Name Not Valid {Folder}", folder);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
folder = null; folder = null;
} }
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Folder {Folder}", folder); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Post Attempt {Folder}", folder);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
folder = null; folder = null;
} }
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Post Attempt {Folder}", folder);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
folder = null;
}
return folder; return folder;
} }
@ -148,7 +155,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Folder Put(int id, [FromBody] Folder folder) public Folder Put(int id, [FromBody] Folder folder)
{ {
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Folder, folder.FolderId, PermissionNames.Edit)) if (ModelState.IsValid && folder.SiteId == _alias.SiteId && _folders.GetFolder(folder.FolderId, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Folder, folder.FolderId, PermissionNames.Edit))
{ {
if (folder.IsPathValid()) if (folder.IsPathValid())
{ {
@ -171,14 +178,14 @@ namespace Oqtane.Controllers
else else
{ {
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Name Not Valid {Folder}", folder); _logger.Log(LogLevel.Information, this, LogFunction.Create, "Folder Name Not Valid {Folder}", folder);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
folder = null; folder = null;
} }
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Folder {Folder}", folder); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Put Attempt {Folder}", folder);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
folder = null; folder = null;
} }
return folder; return folder;
@ -189,7 +196,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public void Put(int siteid, int folderid, int? parentid) public void Put(int siteid, int folderid, int? parentid)
{ {
if (_userPermissions.IsAuthorized(User, EntityNames.Folder, folderid, PermissionNames.Edit)) if (siteid == _alias.SiteId && _folders.GetFolder(folderid, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Folder, folderid, PermissionNames.Edit))
{ {
int order = 1; int order = 1;
List<Folder> folders = _folders.GetFolders(siteid).ToList(); List<Folder> folders = _folders.GetFolders(siteid).ToList();
@ -206,8 +213,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Folder Order {SiteId} {FolderId} {ParentId}", siteid, folderid, parentid); _logger.Log(LogLevel.Error, this, LogFunction.Update, "Unauthorized Folder Put Attempt {SiteId} {FolderId} {ParentId}", siteid, folderid, parentid);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
@ -216,26 +223,26 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public void Delete(int id) public void Delete(int id)
{ {
if (_userPermissions.IsAuthorized(User, EntityNames.Folder, id, PermissionNames.Edit)) var folder = _folders.GetFolder(id, false);
if (folder != null && folder.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Folder, id, PermissionNames.Edit))
{ {
Models.Folder _folder = _folders.GetFolder(id, false); if (Directory.Exists(GetFolderPath(folder)))
if (Directory.Exists(GetFolderPath(_folder)))
{ {
Directory.Delete(GetFolderPath(_folder)); Directory.Delete(GetFolderPath(folder));
} }
_folders.DeleteFolder(id); _folders.DeleteFolder(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Folder Deleted {FolderId}", id); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Folder Deleted {FolderId}", id);
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Folder {FolderId}", id); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Delete Attempt {FolderId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
private string GetFolderPath(Folder folder) private string GetFolderPath(Folder folder)
{ {
return Utilities.PathCombine(_environment.ContentRootPath, "Content", "Tenants", _tenantManager.GetTenant().TenantId.ToString(), "Sites", folder.SiteId.ToString(), folder.Path); return Utilities.PathCombine(_environment.ContentRootPath, "Content", "Tenants", _alias.TenantId.ToString(), "Sites", folder.SiteId.ToString(), folder.Path);
} }
} }
} }

3
Oqtane.Server/Controllers/InstallationController.cs
View File

@ -12,6 +12,7 @@ using Oqtane.Modules;
using Oqtane.Shared; using Oqtane.Shared;
using Oqtane.Themes; using Oqtane.Themes;
using Microsoft.Extensions.Caching.Memory; using Microsoft.Extensions.Caching.Memory;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -85,7 +86,7 @@ namespace Oqtane.Controllers
} }
else else
{ {
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }

53
Oqtane.Server/Controllers/LanguageController.cs
View File

@ -1,4 +1,5 @@
using System.Collections.Generic; using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using Oqtane.Enums; using Oqtane.Enums;
@ -14,37 +15,81 @@ namespace Oqtane.Controllers
{ {
private readonly ILanguageRepository _languages; private readonly ILanguageRepository _languages;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias;
public LanguageController(ILanguageRepository language, ILogManager logger) public LanguageController(ILanguageRepository language, ILogManager logger, ITenantManager tenantManager)
{ {
_languages = language; _languages = language;
_logger = logger; _logger = logger;
_alias = tenantManager.GetAlias();
} }
[HttpGet] [HttpGet]
public IEnumerable<Language> Get(string siteid) => _languages.GetLanguages(int.Parse(siteid)); public IEnumerable<Language> Get(string siteid)
{
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
return _languages.GetLanguages(SiteId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
[HttpGet("{id}")] [HttpGet("{id}")]
public Language Get(int id) => _languages.GetLanguage(id); public Language Get(int id)
{
var language = _languages.GetLanguage(id);
if (language != null && language.SiteId == _alias.SiteId)
{
return language;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Get Attempt {LanguageId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
[HttpPost] [HttpPost]
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public Language Post([FromBody] Language language) public Language Post([FromBody] Language language)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && language.SiteId == _alias.SiteId)
{ {
language = _languages.AddLanguage(language); language = _languages.AddLanguage(language);
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Language Added {Language}", language); _logger.Log(LogLevel.Information, this, LogFunction.Create, "Language Added {Language}", language);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Post Attempt {Language}", language);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
language = null;
}
return language; return language;
} }
[HttpDelete("{id}")] [HttpDelete("{id}")]
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public void Delete(int id) public void Delete(int id)
{
var language = _languages.GetLanguage(id);
if (language != null && language.SiteId == _alias.SiteId)
{ {
_languages.DeleteLanguage(id); _languages.DeleteLanguage(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Language Deleted {LanguageId}", id); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Language Deleted {LanguageId}", id);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Delete Attempt {LanguageId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
} }
} }

38
Oqtane.Server/Controllers/LogController.cs
View File

@ -5,6 +5,8 @@ using Microsoft.AspNetCore.Authorization;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using Oqtane.Shared; using Oqtane.Shared;
using Oqtane.Enums;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -14,11 +16,13 @@ namespace Oqtane.Controllers
{ {
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly ILogRepository _logs; private readonly ILogRepository _logs;
private readonly Alias _alias;
public LogController(ILogManager logger, ILogRepository logs) public LogController(ILogManager logger, ILogRepository logs, ITenantManager tenantManager)
{ {
_logger = logger; _logger = logger;
_logs = logs; _logs = logs;
_alias = tenantManager.GetAlias();
} }
// GET: api/<controller>?siteid=x&level=y&function=z&rows=50 // GET: api/<controller>?siteid=x&level=y&function=z&rows=50
@ -26,7 +30,18 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public IEnumerable<Log> Get(string siteid, string level, string function, string rows) public IEnumerable<Log> Get(string siteid, string level, string function, string rows)
{ {
return _logs.GetLogs(int.Parse(siteid), level, function, int.Parse(rows)); int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
return _logs.GetLogs(SiteId, level, function, int.Parse(rows));
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Log Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// GET api/<controller>/5 // GET api/<controller>/5
@ -34,17 +49,32 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public Log Get(int id) public Log Get(int id)
{ {
return _logs.GetLog(id); var log = _logs.GetLog(id);
if (log != null && log.SiteId == _alias.SiteId)
{
return log;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Log Get Attempt {LogId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// POST api/<controller> // POST api/<controller>
[HttpPost] [HttpPost]
public void Post([FromBody] Log log) public void Post([FromBody] Log log)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && log.SiteId == _alias.SiteId)
{ {
_logger.Log(log); _logger.Log(log);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Log Post Attempt {Log}", log);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
} }
} }

59
Oqtane.Server/Controllers/ModuleController.cs
View File

@ -8,6 +8,7 @@ using Oqtane.Enums;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using Oqtane.Security; using Oqtane.Security;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -41,11 +42,15 @@ namespace Oqtane.Controllers
[HttpGet] [HttpGet]
public IEnumerable<Module> Get(string siteid) public IEnumerable<Module> Get(string siteid)
{ {
List<ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(int.Parse(siteid)).ToList(); List<Module> modules = new List<Module>();
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
List<ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(SiteId).ToList();
List<Setting> settings = _settings.GetSettings(EntityNames.Module).ToList(); List<Setting> settings = _settings.GetSettings(EntityNames.Module).ToList();
List<Module> modules = new List<Module>(); foreach (PageModule pagemodule in _pageModules.GetPageModules(SiteId))
foreach (PageModule pagemodule in _pageModules.GetPageModules(int.Parse(siteid)))
{ {
if (_userPermissions.IsAuthorized(User, PermissionNames.View, pagemodule.Module.Permissions)) if (_userPermissions.IsAuthorized(User, PermissionNames.View, pagemodule.Module.Permissions))
{ {
@ -75,6 +80,14 @@ namespace Oqtane.Controllers
modules.Add(module); modules.Add(module);
} }
} }
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
modules = null;
}
return modules; return modules;
} }
@ -83,19 +96,18 @@ namespace Oqtane.Controllers
public Module Get(int id) public Module Get(int id)
{ {
Module module = _modules.GetModule(id); Module module = _modules.GetModule(id);
if (_userPermissions.IsAuthorized(User,PermissionNames.View, module.Permissions)) if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User,PermissionNames.View, module.Permissions))
{ {
List<ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(module.SiteId).ToList(); List<ModuleDefinition> moduledefinitions = _moduleDefinitions.GetModuleDefinitions(module.SiteId).ToList();
module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName); module.ModuleDefinition = moduledefinitions.Find(item => item.ModuleDefinitionName == module.ModuleDefinitionName);
module.Settings = _settings.GetSettings(EntityNames.Module, id) module.Settings = _settings.GetSettings(EntityNames.Module, id)
.ToDictionary(setting => setting.SettingName, setting => setting.SettingValue); .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
return module; return module;
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Module {Module}", module); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Get Attempt {ModuleId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
@ -105,7 +117,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Module Post([FromBody] Module module) public Module Post([FromBody] Module module)
{ {
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Page, module.PageId, PermissionNames.Edit)) if (ModelState.IsValid && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, module.PageId, PermissionNames.Edit))
{ {
module = _modules.AddModule(module); module = _modules.AddModule(module);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId);
@ -113,8 +125,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Module {Module}", module); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Post Attempt {Module}", module);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
module = null; module = null;
} }
return module; return module;
@ -125,7 +137,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Module Put(int id, [FromBody] Module module) public Module Put(int id, [FromBody] Module module)
{ {
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit)) if (ModelState.IsValid && module.SiteId == _alias.SiteId && _modules.GetModule(module.ModuleId, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
{ {
module = _modules.UpdateModule(module); module = _modules.UpdateModule(module);
if (module.AllPages) if (module.AllPages)
@ -146,8 +158,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Module {Module}", module); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Put Attempt {Module}", module);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
module = null; module = null;
} }
return module; return module;
@ -158,7 +170,8 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public void Delete(int id) public void Delete(int id)
{ {
if (_userPermissions.IsAuthorized(User, EntityNames.Module, id, PermissionNames.Edit)) var module = _modules.GetModule(id);
if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, module.ModuleId, PermissionNames.Edit))
{ {
_modules.DeleteModule(id); _modules.DeleteModule(id);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId);
@ -166,8 +179,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Module {ModuleId}", id); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Delete Attempt {ModuleId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
@ -177,14 +190,15 @@ namespace Oqtane.Controllers
public string Export(int moduleid) public string Export(int moduleid)
{ {
string content = ""; string content = "";
if (_userPermissions.IsAuthorized(User, EntityNames.Module, moduleid, PermissionNames.Edit)) var module = _modules.GetModule(moduleid);
if (module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
{ {
content = _modules.ExportModule(moduleid); content = _modules.ExportModule(moduleid);
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Other, "User Not Authorized To Export Module {ModuleId}", moduleid); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Export Attempt {ModuleId}", moduleid);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
return content; return content;
} }
@ -195,14 +209,15 @@ namespace Oqtane.Controllers
public bool Import(int moduleid, [FromBody] string content) public bool Import(int moduleid, [FromBody] string content)
{ {
bool success = false; bool success = false;
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Module, moduleid, PermissionNames.Edit)) var module = _modules.GetModule(moduleid);
if (ModelState.IsValid && module != null && module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Module, module.ModuleId, PermissionNames.Edit))
{ {
success = _modules.ImportModule(moduleid, content); success = _modules.ImportModule(moduleid, content);
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Other, "User Not Authorized To Import Module {ModuleId}", moduleid); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Import Attempt {ModuleId}", moduleid);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
return success; return success;
} }

127
Oqtane.Server/Controllers/ModuleDefinitionController.cs
View File

@ -14,6 +14,7 @@ using Oqtane.Security;
using System; using System;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
using System.Text.Json; using System.Text.Json;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -29,6 +30,7 @@ namespace Oqtane.Controllers
private readonly IServiceProvider _serviceProvider; private readonly IServiceProvider _serviceProvider;
private readonly ITenantManager _tenantManager; private readonly ITenantManager _tenantManager;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias;
public ModuleDefinitionController(IModuleDefinitionRepository moduleDefinitions, ITenantRepository tenants, ISqlRepository sql, IUserPermissions userPermissions, IInstallationManager installationManager, IWebHostEnvironment environment, IServiceProvider serviceProvider, ITenantManager tenantManager, ILogManager logger) public ModuleDefinitionController(IModuleDefinitionRepository moduleDefinitions, ITenantRepository tenants, ISqlRepository sql, IUserPermissions userPermissions, IInstallationManager installationManager, IWebHostEnvironment environment, IServiceProvider serviceProvider, ITenantManager tenantManager, ILogManager logger)
{ {
@ -41,14 +43,18 @@ namespace Oqtane.Controllers
_serviceProvider = serviceProvider; _serviceProvider = serviceProvider;
_tenantManager = tenantManager; _tenantManager = tenantManager;
_logger = logger; _logger = logger;
_alias = tenantManager.GetAlias();
} }
// GET: api/<controller>?siteid=x // GET: api/<controller>?siteid=x
[HttpGet] [HttpGet]
public IEnumerable<ModuleDefinition> Get(string siteid) public IEnumerable<ModuleDefinition> Get(string siteid)
{
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{ {
List<ModuleDefinition> moduledefinitions = new List<ModuleDefinition>(); List<ModuleDefinition> moduledefinitions = new List<ModuleDefinition>();
foreach(ModuleDefinition moduledefinition in _moduleDefinitions.GetModuleDefinitions(int.Parse(siteid))) foreach (ModuleDefinition moduledefinition in _moduleDefinitions.GetModuleDefinitions(SiteId))
{ {
if (_userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.Permissions)) if (_userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.Permissions))
{ {
@ -57,42 +63,93 @@ namespace Oqtane.Controllers
} }
return moduledefinitions; return moduledefinitions;
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// GET api/<controller>/5?siteid=x // GET api/<controller>/5?siteid=x
[HttpGet("{id}")] [HttpGet("{id}")]
public ModuleDefinition Get(int id, string siteid) public ModuleDefinition Get(int id, string siteid)
{ {
ModuleDefinition moduledefinition = _moduleDefinitions.GetModuleDefinition(id, int.Parse(siteid)); int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
ModuleDefinition moduledefinition = _moduleDefinitions.GetModuleDefinition(id, SiteId);
if (_userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.Permissions)) if (_userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.Permissions))
{ {
return moduledefinition; return moduledefinition;
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access ModuleDefinition {ModuleDefinition}", moduledefinition); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Get Attempt {ModuleDefinitionId} {SiteId}", id, siteid);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Get Attempt {ModuleDefinitionId} {SiteId}", id, siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// POST api/<controller>
[HttpPost]
[Authorize(Roles = RoleNames.Host)]
public ModuleDefinition Post([FromBody] ModuleDefinition moduleDefinition)
{
if (ModelState.IsValid && moduleDefinition.SiteId == _alias.SiteId)
{
string rootPath;
DirectoryInfo rootFolder = Directory.GetParent(_environment.ContentRootPath);
string templatePath = Utilities.PathCombine(_environment.WebRootPath, "Modules", "Templates", moduleDefinition.Template, Path.DirectorySeparatorChar.ToString());
if (moduleDefinition.Template.ToLower().Contains("internal"))
{
rootPath = Utilities.PathCombine(rootFolder.FullName, Path.DirectorySeparatorChar.ToString());
moduleDefinition.ModuleDefinitionName = moduleDefinition.Owner + "." + moduleDefinition.Name + ", Oqtane.Client";
moduleDefinition.ServerManagerType = moduleDefinition.Owner + "." + moduleDefinition.Name + ".Manager." + moduleDefinition.Name + "Manager, Oqtane.Server";
}
else
{
rootPath = Utilities.PathCombine(rootFolder.Parent.FullName, moduleDefinition.Owner + "." + moduleDefinition.Name, Path.DirectorySeparatorChar.ToString());
moduleDefinition.ModuleDefinitionName = moduleDefinition.Owner + "." + moduleDefinition.Name + ", " + moduleDefinition.Owner + "." + moduleDefinition.Name + ".Client.Oqtane";
moduleDefinition.ServerManagerType = moduleDefinition.Owner + "." + moduleDefinition.Name + ".Manager." + moduleDefinition.Name + "Manager, " + moduleDefinition.Owner + "." + moduleDefinition.Name + ".Server.Oqtane";
}
ProcessTemplatesRecursively(new DirectoryInfo(templatePath), rootPath, rootFolder.Name, templatePath, moduleDefinition);
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Module Definition Created {ModuleDefinition}", moduleDefinition);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Post Attempt {ModuleDefinition}", moduleDefinition);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
moduleDefinition = null;
}
return moduleDefinition;
}
// PUT api/<controller>/5 // PUT api/<controller>/5
[HttpPut("{id}")] [HttpPut("{id}")]
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public void Put(int id, [FromBody] ModuleDefinition moduleDefinition) public void Put(int id, [FromBody] ModuleDefinition moduleDefinition)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && moduleDefinition.SiteId == _alias.SiteId && _moduleDefinitions.GetModuleDefinition(moduleDefinition.ModuleDefinitionId, moduleDefinition.SiteId) != null)
{ {
_moduleDefinitions.UpdateModuleDefinition(moduleDefinition); _moduleDefinitions.UpdateModuleDefinition(moduleDefinition);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Module Definition Updated {ModuleDefinition}", moduleDefinition); _logger.Log(LogLevel.Information, this, LogFunction.Update, "Module Definition Updated {ModuleDefinition}", moduleDefinition);
} }
} else
[HttpGet("install")]
[Authorize(Roles = RoleNames.Host)]
public void InstallModules()
{ {
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Modules Installed"); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Put Attempt {ModuleDefinition}", moduleDefinition);
_installationManager.InstallPackages(); HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
// DELETE api/<controller>/5?siteid=x // DELETE api/<controller>/5?siteid=x
@ -101,7 +158,7 @@ namespace Oqtane.Controllers
public void Delete(int id, int siteid) public void Delete(int id, int siteid)
{ {
ModuleDefinition moduledefinition = _moduleDefinitions.GetModuleDefinition(id, siteid); ModuleDefinition moduledefinition = _moduleDefinitions.GetModuleDefinition(id, siteid);
if (moduledefinition != null && Utilities.GetAssemblyName(moduledefinition.ServerManagerType) != "Oqtane.Server") if (moduledefinition != null && moduledefinition.SiteId == _alias.SiteId && Utilities.GetAssemblyName(moduledefinition.ServerManagerType) != "Oqtane.Server")
{ {
// execute uninstall logic or scripts // execute uninstall logic or scripts
if (!string.IsNullOrEmpty(moduledefinition.ServerManagerType)) if (!string.IsNullOrEmpty(moduledefinition.ServerManagerType))
@ -157,6 +214,19 @@ namespace Oqtane.Controllers
_moduleDefinitions.DeleteModuleDefinition(id); _moduleDefinitions.DeleteModuleDefinition(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Module Definition {ModuleDefinitionName} Deleted", moduledefinition.Name); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Module Definition {ModuleDefinitionName} Deleted", moduledefinition.Name);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Delete Attempt {ModuleDefinitionId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
[HttpGet("install")]
[Authorize(Roles = RoleNames.Host)]
public void InstallModules()
{
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Modules Installed");
_installationManager.InstallPackages();
} }
// GET: api/<controller>/templates // GET: api/<controller>/templates
@ -189,37 +259,6 @@ namespace Oqtane.Controllers
return templates; return templates;
} }
// POST api/<controller>
[HttpPost]
[Authorize(Roles = RoleNames.Host)]
public ModuleDefinition Post([FromBody] ModuleDefinition moduleDefinition)
{
if (ModelState.IsValid)
{
string rootPath;
DirectoryInfo rootFolder = Directory.GetParent(_environment.ContentRootPath);
string templatePath = Utilities.PathCombine(_environment.WebRootPath, "Modules", "Templates", moduleDefinition.Template,Path.DirectorySeparatorChar.ToString());
if (moduleDefinition.Template.ToLower().Contains("internal"))
{
rootPath = Utilities.PathCombine(rootFolder.FullName, Path.DirectorySeparatorChar.ToString());
moduleDefinition.ModuleDefinitionName = moduleDefinition.Owner + "." + moduleDefinition.Name + ", Oqtane.Client";
moduleDefinition.ServerManagerType = moduleDefinition.Owner + "." + moduleDefinition.Name + ".Manager." + moduleDefinition.Name + "Manager, Oqtane.Server";
}
else
{
rootPath = Utilities.PathCombine(rootFolder.Parent.FullName, moduleDefinition.Owner + "." + moduleDefinition.Name, Path.DirectorySeparatorChar.ToString());
moduleDefinition.ModuleDefinitionName = moduleDefinition.Owner + "." + moduleDefinition.Name + ", " + moduleDefinition.Owner + "." + moduleDefinition.Name + ".Client.Oqtane";
moduleDefinition.ServerManagerType = moduleDefinition.Owner + "." + moduleDefinition.Name + ".Manager." + moduleDefinition.Name + "Manager, " + moduleDefinition.Owner + "." + moduleDefinition.Name + ".Server.Oqtane";
}
ProcessTemplatesRecursively(new DirectoryInfo(templatePath), rootPath, rootFolder.Name, templatePath, moduleDefinition);
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Module Definition Created {ModuleDefinition}", moduleDefinition);
}
return moduleDefinition;
}
private void ProcessTemplatesRecursively(DirectoryInfo current, string rootPath, string rootFolder, string templatePath, ModuleDefinition moduleDefinition) private void ProcessTemplatesRecursively(DirectoryInfo current, string rootPath, string rootFolder, string templatePath, ModuleDefinition moduleDefinition)
{ {
// process folder // process folder

55
Oqtane.Server/Controllers/NotificationController.cs
View File

@ -7,6 +7,7 @@ using Oqtane.Shared;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using Oqtane.Security; using Oqtane.Security;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -16,12 +17,14 @@ namespace Oqtane.Controllers
private readonly INotificationRepository _notifications; private readonly INotificationRepository _notifications;
private readonly IUserPermissions _userPermissions; private readonly IUserPermissions _userPermissions;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias;
public NotificationController(INotificationRepository notifications, IUserPermissions userPermissions, ILogManager logger) public NotificationController(INotificationRepository notifications, IUserPermissions userPermissions, ILogManager logger, ITenantManager tenantManager)
{ {
_notifications = notifications; _notifications = notifications;
_userPermissions = userPermissions; _userPermissions = userPermissions;
_logger = logger; _logger = logger;
_alias = tenantManager.GetAlias();
} }
// GET: api/<controller>?siteid=x&type=y&userid=z // GET: api/<controller>?siteid=x&type=y&userid=z
@ -30,17 +33,27 @@ namespace Oqtane.Controllers
public IEnumerable<Notification> Get(string siteid, string direction, string userid) public IEnumerable<Notification> Get(string siteid, string direction, string userid)
{ {
IEnumerable<Notification> notifications = null; IEnumerable<Notification> notifications = null;
if (IsAuthorized(int.Parse(userid)))
int SiteId;
int UserId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId && int.TryParse(userid, out UserId) && IsAuthorized(UserId))
{ {
if (direction == "to") if (direction == "to")
{ {
notifications = _notifications.GetNotifications(int.Parse(siteid), -1, int.Parse(userid)); notifications = _notifications.GetNotifications(SiteId, -1, UserId);
} }
else else
{ {
notifications = _notifications.GetNotifications(int.Parse(siteid), int.Parse(userid), -1); notifications = _notifications.GetNotifications(SiteId, UserId, -1);
} }
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Get Attempt {SiteId} {Direction} {UserId}", siteid, direction, userid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
notifications = null;
}
return notifications; return notifications;
} }
@ -50,23 +63,34 @@ namespace Oqtane.Controllers
public Notification Get(int id) public Notification Get(int id)
{ {
Notification notification = _notifications.GetNotification(id); Notification notification = _notifications.GetNotification(id);
if (!(IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId))) if (notification != null && notification.SiteId == _alias.SiteId && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)))
{ {
notification = null;
}
return notification; return notification;
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Get Attempt {NotificationId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// POST api/<controller> // POST api/<controller>
[HttpPost] [HttpPost]
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Notification Post([FromBody] Notification notification) public Notification Post([FromBody] Notification notification)
{ {
if (IsAuthorized(notification.FromUserId)) if (ModelState.IsValid && notification.SiteId == _alias.SiteId && IsAuthorized(notification.FromUserId))
{ {
notification = _notifications.AddNotification(notification); notification = _notifications.AddNotification(notification);
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Notification Added {NotificationId}", notification.NotificationId); _logger.Log(LogLevel.Information, this, LogFunction.Create, "Notification Added {NotificationId}", notification.NotificationId);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Post Attempt {Notification}", notification);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
notification = null;
}
return notification; return notification;
} }
@ -75,11 +99,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Notification Put(int id, [FromBody] Notification notification) public Notification Put(int id, [FromBody] Notification notification)
{ {
if (IsAuthorized(notification.FromUserId)) if (ModelState.IsValid && notification.SiteId == _alias.SiteId && _notifications.GetNotification(notification.NotificationId, false) != null && IsAuthorized(notification.FromUserId))
{ {
notification = _notifications.UpdateNotification(notification); notification = _notifications.UpdateNotification(notification);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Notification Updated {NotificationId}", notification.NotificationId); _logger.Log(LogLevel.Information, this, LogFunction.Update, "Notification Updated {NotificationId}", notification.NotificationId);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Put Attempt {Notification}", notification);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
notification = null;
}
return notification; return notification;
} }
@ -89,11 +119,16 @@ namespace Oqtane.Controllers
public void Delete(int id) public void Delete(int id)
{ {
Notification notification = _notifications.GetNotification(id); Notification notification = _notifications.GetNotification(id);
if (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)) if (notification != null && notification.SiteId == _alias.SiteId && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)))
{ {
_notifications.DeleteNotification(id); _notifications.DeleteNotification(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Notification Deleted {NotificationId}", id); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Notification Deleted {NotificationId}", id);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Delete Attempt {NotificationId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
private bool IsAuthorized(int? userid) private bool IsAuthorized(int? userid)

69
Oqtane.Server/Controllers/PageController.cs
View File

@ -42,11 +42,15 @@ namespace Oqtane.Controllers
// GET: api/<controller>?siteid=x // GET: api/<controller>?siteid=x
[HttpGet] [HttpGet]
public IEnumerable<Page> Get(string siteid) public IEnumerable<Page> Get(string siteid)
{
List<Page> pages = new List<Page>();
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{ {
List<Setting> settings = _settings.GetSettings(EntityNames.Page).ToList(); List<Setting> settings = _settings.GetSettings(EntityNames.Page).ToList();
List<Page> pages = new List<Page>(); foreach (Page page in _pages.GetPages(SiteId))
foreach (Page page in _pages.GetPages(int.Parse(siteid)))
{ {
if (_userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions)) if (_userPermissions.IsAuthorized(User, PermissionNames.View, page.Permissions))
{ {
@ -55,6 +59,14 @@ namespace Oqtane.Controllers
pages.Add(page); pages.Add(page);
} }
} }
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
pages = null;
}
return pages; return pages;
} }
@ -62,7 +74,7 @@ namespace Oqtane.Controllers
[HttpGet("{id}")] [HttpGet("{id}")]
public Page Get(int id, string userid) public Page Get(int id, string userid)
{ {
Page page; Page page = null;
if (string.IsNullOrEmpty(userid)) if (string.IsNullOrEmpty(userid))
{ {
page = _pages.GetPage(id); page = _pages.GetPage(id);
@ -79,8 +91,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Page {Page}", page); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Page}", page);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
@ -90,7 +102,7 @@ namespace Oqtane.Controllers
public Page Get(string path, int siteid) public Page Get(string path, int siteid)
{ {
Page page = _pages.GetPage(WebUtility.UrlDecode(path), siteid); Page page = _pages.GetPage(WebUtility.UrlDecode(path), siteid);
if (page != null) if (page != null && page.SiteId == _alias.SiteId)
{ {
if (_userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions)) if (_userPermissions.IsAuthorized(User,PermissionNames.View, page.Permissions))
{ {
@ -100,14 +112,15 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Page {Page}", page); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Page}", page);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
else else
{ {
HttpContext.Response.StatusCode = 404; _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {Path} for Site {SiteId}", path, siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
@ -117,7 +130,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Page Post([FromBody] Page page) public Page Post([FromBody] Page page)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && page.SiteId == _alias.SiteId)
{ {
string permissions; string permissions;
if (page.ParentId != null) if (page.ParentId != null)
@ -149,11 +162,17 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Page {Page}", page); _logger.Log(LogLevel.Warning, this, LogFunction.Create, "User Not Authorized To Add Page {Page}", page);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
page = null; page = null;
} }
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Post Attempt {Page}", page);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
page = null;
}
return page; return page;
} }
@ -164,7 +183,7 @@ namespace Oqtane.Controllers
{ {
Page page = null; Page page = null;
Page parent = _pages.GetPage(id); Page parent = _pages.GetPage(id);
if (parent != null && parent.IsPersonalizable && _userPermissions.GetUser(User).UserId == int.Parse(userid)) if (parent != null && parent.SiteId == _alias.SiteId && parent.IsPersonalizable && _userPermissions.GetUser(User).UserId == int.Parse(userid))
{ {
page = new Page(); page = new Page();
page.SiteId = parent.SiteId; page.SiteId = parent.SiteId;
@ -219,6 +238,12 @@ namespace Oqtane.Controllers
_pageModules.AddPageModule(pagemodule); _pageModules.AddPageModule(pagemodule);
} }
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Post Attempt {PageId} By User {UserId}", id, userid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
page = null;
}
return page; return page;
} }
@ -227,7 +252,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Page Put(int id, [FromBody] Page page) public Page Put(int id, [FromBody] Page page)
{ {
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Page, page.PageId, PermissionNames.Edit)) if (ModelState.IsValid && page.SiteId == _alias.SiteId && _pages.GetPage(page.PageId, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Page, page.PageId, PermissionNames.Edit))
{ {
// preserve page permissions // preserve page permissions
var oldPermissions = _permissionRepository.GetPermissions(EntityNames.Page, page.PageId).ToList(); var oldPermissions = _permissionRepository.GetPermissions(EntityNames.Page, page.PageId).ToList();
@ -282,8 +307,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Page {Page}", page); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Put Attempt {Page}", page);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
page = null; page = null;
} }
return page; return page;
@ -307,7 +332,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public void Put(int siteid, int pageid, int? parentid) public void Put(int siteid, int pageid, int? parentid)
{ {
if (_userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit)) if (siteid == _alias.SiteId && siteid == _alias.SiteId && _pages.GetPage(pageid, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
{ {
int order = 1; int order = 1;
List<Page> pages = _pages.GetPages(siteid).ToList(); List<Page> pages = _pages.GetPages(siteid).ToList();
@ -325,8 +350,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Page Order {SiteId} {PageId} {ParentId}", siteid, pageid, parentid); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Put Attempt {SiteId} {PageId} {ParentId}", siteid, pageid, parentid);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
@ -336,7 +361,7 @@ namespace Oqtane.Controllers
public void Delete(int id) public void Delete(int id)
{ {
Page page = _pages.GetPage(id); Page page = _pages.GetPage(id);
if (_userPermissions.IsAuthorized(User, EntityNames.Page, page.PageId, PermissionNames.Edit)) if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, page.PageId, PermissionNames.Edit))
{ {
_pages.DeletePage(page.PageId); _pages.DeletePage(page.PageId);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, page.SiteId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, page.SiteId);
@ -344,8 +369,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Page {PageId}", page.PageId); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Delete Attempt {PageId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
} }

44
Oqtane.Server/Controllers/PageModuleController.cs
View File

@ -8,6 +8,7 @@ using Oqtane.Enums;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using Oqtane.Security; using Oqtane.Security;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -15,14 +16,16 @@ namespace Oqtane.Controllers
public class PageModuleController : Controller public class PageModuleController : Controller
{ {
private readonly IPageModuleRepository _pageModules; private readonly IPageModuleRepository _pageModules;
private readonly IPageRepository _pages;
private readonly IUserPermissions _userPermissions; private readonly IUserPermissions _userPermissions;
private readonly ISyncManager _syncManager; private readonly ISyncManager _syncManager;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias; private readonly Alias _alias;
public PageModuleController(IPageModuleRepository pageModules, IUserPermissions userPermissions, ITenantManager tenantManager, ISyncManager syncManager, ILogManager logger) public PageModuleController(IPageModuleRepository pageModules, IPageRepository pages, IUserPermissions userPermissions, ITenantManager tenantManager, ISyncManager syncManager, ILogManager logger)
{ {
_pageModules = pageModules; _pageModules = pageModules;
_pages = pages;
_userPermissions = userPermissions; _userPermissions = userPermissions;
_syncManager = syncManager; _syncManager = syncManager;
_logger = logger; _logger = logger;
@ -34,14 +37,14 @@ namespace Oqtane.Controllers
public PageModule Get(int id) public PageModule Get(int id)
{ {
PageModule pagemodule = _pageModules.GetPageModule(id); PageModule pagemodule = _pageModules.GetPageModule(id);
if (_userPermissions.IsAuthorized(User,PermissionNames.View, pagemodule.Module.Permissions)) if (pagemodule != null && pagemodule.Module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, PermissionNames.View, pagemodule.Module.Permissions))
{ {
return pagemodule; return pagemodule;
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access PageModule {PageModule}", pagemodule); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Get Attempt {PageModuleId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
@ -51,14 +54,14 @@ namespace Oqtane.Controllers
public PageModule Get(int pageid, int moduleid) public PageModule Get(int pageid, int moduleid)
{ {
PageModule pagemodule = _pageModules.GetPageModule(pageid, moduleid); PageModule pagemodule = _pageModules.GetPageModule(pageid, moduleid);
if (_userPermissions.IsAuthorized(User,PermissionNames.View, pagemodule.Module.Permissions)) if (pagemodule != null && pagemodule.Module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User,PermissionNames.View, pagemodule.Module.Permissions))
{ {
return pagemodule; return pagemodule;
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access PageModule {PageModule}", pagemodule); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Get Attempt {PageId} {ModuleId}", pageid, moduleid);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
@ -68,7 +71,8 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public PageModule Post([FromBody] PageModule pageModule) public PageModule Post([FromBody] PageModule pageModule)
{ {
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Page, pageModule.PageId, PermissionNames.Edit)) var page = _pages.GetPage(pageModule.PageId);
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageModule.PageId, PermissionNames.Edit))
{ {
pageModule = _pageModules.AddPageModule(pageModule); pageModule = _pageModules.AddPageModule(pageModule);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId);
@ -76,8 +80,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add PageModule {PageModule}", pageModule); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Post Attempt {PageModule}", pageModule);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
pageModule = null; pageModule = null;
} }
return pageModule; return pageModule;
@ -88,7 +92,8 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public PageModule Put(int id, [FromBody] PageModule pageModule) public PageModule Put(int id, [FromBody] PageModule pageModule)
{ {
if (ModelState.IsValid && _userPermissions.IsAuthorized(User, EntityNames.Module, pageModule.ModuleId, PermissionNames.Edit)) var page = _pages.GetPage(pageModule.PageId);
if (ModelState.IsValid && page != null && page.SiteId == _alias.SiteId && _pageModules.GetPageModule(pageModule.PageModuleId, false) != null && _userPermissions.IsAuthorized(User, EntityNames.Module, pageModule.ModuleId, PermissionNames.Edit))
{ {
pageModule = _pageModules.UpdatePageModule(pageModule); pageModule = _pageModules.UpdatePageModule(pageModule);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId);
@ -96,8 +101,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update PageModule {PageModule}", pageModule); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Put Attempt {PageModule}", pageModule);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
pageModule = null; pageModule = null;
} }
return pageModule; return pageModule;
@ -108,7 +113,8 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public void Put(int pageid, string pane) public void Put(int pageid, string pane)
{ {
if (_userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit)) var page = _pages.GetPage(pageid);
if (page != null && page.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pageid, PermissionNames.Edit))
{ {
int order = 1; int order = 1;
List<PageModule> pagemodules = _pageModules.GetPageModules(pageid, pane).OrderBy(item => item.Order).ToList(); List<PageModule> pagemodules = _pageModules.GetPageModules(pageid, pane).OrderBy(item => item.Order).ToList();
@ -126,8 +132,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Page Module Order {PageId} {Pane}", pageid, pane); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Put Attempt {PageId} {Pane}", pageid, pane);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
@ -137,7 +143,7 @@ namespace Oqtane.Controllers
public void Delete(int id) public void Delete(int id)
{ {
PageModule pagemodule = _pageModules.GetPageModule(id); PageModule pagemodule = _pageModules.GetPageModule(id);
if (_userPermissions.IsAuthorized(User, EntityNames.Page, pagemodule.PageId, PermissionNames.Edit)) if (pagemodule != null && pagemodule.Module.SiteId == _alias.SiteId && _userPermissions.IsAuthorized(User, EntityNames.Page, pagemodule.PageId, PermissionNames.Edit))
{ {
_pageModules.DeletePageModule(id); _pageModules.DeletePageModule(id);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId);
@ -145,8 +151,8 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete PageModule {PageModuleId}", id); _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Delete Attempt {PageModuleId}", id);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }
} }

54
Oqtane.Server/Controllers/ProfileController.cs
View File

@ -6,6 +6,7 @@ using Oqtane.Models;
using Oqtane.Shared; using Oqtane.Shared;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -14,25 +15,47 @@ namespace Oqtane.Controllers
{ {
private readonly IProfileRepository _profiles; private readonly IProfileRepository _profiles;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias;
public ProfileController(IProfileRepository profiles, ILogManager logger) public ProfileController(IProfileRepository profiles, ILogManager logger, ITenantManager tenantManager)
{ {
_profiles = profiles; _profiles = profiles;
_logger = logger; _logger = logger;
_alias = tenantManager.GetAlias();
} }
// GET: api/<controller>?siteid=x // GET: api/<controller>?siteid=x
[HttpGet] [HttpGet]
public IEnumerable<Profile> Get(string siteid) public IEnumerable<Profile> Get(string siteid)
{ {
return _profiles.GetProfiles(int.Parse(siteid)); int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
return _profiles.GetProfiles(SiteId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// GET api/<controller>/5 // GET api/<controller>/5
[HttpGet("{id}")] [HttpGet("{id}")]
public Profile Get(int id) public Profile Get(int id)
{ {
return _profiles.GetProfile(id); var profile = _profiles.GetProfile(id);
if (profile != null && profile.SiteId == _alias.SiteId)
{
return profile;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Get Attempt {ProfileId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// POST api/<controller> // POST api/<controller>
@ -40,11 +63,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public Profile Post([FromBody] Profile profile) public Profile Post([FromBody] Profile profile)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && profile.SiteId == _alias.SiteId)
{ {
profile = _profiles.AddProfile(profile); profile = _profiles.AddProfile(profile);
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Profile Added {Profile}", profile); _logger.Log(LogLevel.Information, this, LogFunction.Create, "Profile Added {Profile}", profile);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Post Attempt {Profile}", profile);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
profile = null;
}
return profile; return profile;
} }
@ -53,11 +82,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public Profile Put(int id, [FromBody] Profile profile) public Profile Put(int id, [FromBody] Profile profile)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && profile.SiteId == _alias.SiteId && _profiles.GetProfile(profile.ProfileId, false) != null)
{ {
profile = _profiles.UpdateProfile(profile); profile = _profiles.UpdateProfile(profile);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Profile Updated {Profile}", profile); _logger.Log(LogLevel.Information, this, LogFunction.Update, "Profile Updated {Profile}", profile);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Put Attempt {Profile}", profile);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
profile = null;
}
return profile; return profile;
} }
@ -65,9 +100,18 @@ namespace Oqtane.Controllers
[HttpDelete("{id}")] [HttpDelete("{id}")]
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public void Delete(int id) public void Delete(int id)
{
var profile = _profiles.GetProfile(id);
if (profile != null && profile.SiteId == _alias.SiteId)
{ {
_profiles.DeleteProfile(id); _profiles.DeleteProfile(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Profile Deleted {ProfileId}", id); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Profile Deleted {ProfileId}", id);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Delete Attempt {ProfileId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
} }
} }

56
Oqtane.Server/Controllers/RoleController.cs
View File

@ -6,6 +6,7 @@ using Oqtane.Models;
using Oqtane.Shared; using Oqtane.Shared;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -14,31 +15,53 @@ namespace Oqtane.Controllers
{ {
private readonly IRoleRepository _roles; private readonly IRoleRepository _roles;
private readonly ILogManager _logger; private readonly ILogManager _logger;
private readonly Alias _alias;
public RoleController(IRoleRepository roles, ILogManager logger) public RoleController(IRoleRepository roles, ILogManager logger, ITenantManager tenantManager)
{ {
_roles = roles; _roles = roles;
_logger = logger; _logger = logger;
_alias = tenantManager.GetAlias();
} }
// GET: api/<controller>?siteid=x&global=true/false // GET: api/<controller>?siteid=x&global=true/false
[HttpGet] [HttpGet]
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Admin)]
public IEnumerable<Role> Get(string siteid, string global) public IEnumerable<Role> Get(string siteid, string global)
{
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{ {
if (string.IsNullOrEmpty(global)) if (string.IsNullOrEmpty(global))
{ {
global = "False"; global = "False";
} }
return _roles.GetRoles(int.Parse(siteid), bool.Parse(global)); return _roles.GetRoles(SiteId, bool.Parse(global));
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// GET api/<controller>/5 // GET api/<controller>/5
[HttpGet("{id}")] [HttpGet("{id}")]
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Admin)]
public Role Get(int id) public Role Get(int id)
{ {
return _roles.GetRole(id); var role = _roles.GetRole(id);
if (role != null && role.SiteId == _alias.SiteId)
{
return role;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Get Attempt {RoleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// POST api/<controller> // POST api/<controller>
@ -46,11 +69,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public Role Post([FromBody] Role role) public Role Post([FromBody] Role role)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && role.SiteId == _alias.SiteId)
{ {
role = _roles.AddRole(role); role = _roles.AddRole(role);
_logger.Log(LogLevel.Information, this, LogFunction.Create, "Role Added {Role}", role); _logger.Log(LogLevel.Information, this, LogFunction.Create, "Role Added {Role}", role);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Post Attempt {Role}", role);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
role = null;
}
return role; return role;
} }
@ -59,11 +88,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public Role Put(int id, [FromBody] Role role) public Role Put(int id, [FromBody] Role role)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && role.SiteId == _alias.SiteId && _roles.GetRole(role.RoleId, false) != null)
{ {
role = _roles.UpdateRole(role); role = _roles.UpdateRole(role);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Role Updated {Role}", role); _logger.Log(LogLevel.Information, this, LogFunction.Update, "Role Updated {Role}", role);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Put Attempt {Role}", role);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
role = null;
}
return role; return role;
} }
@ -73,11 +108,16 @@ namespace Oqtane.Controllers
public void Delete(int id) public void Delete(int id)
{ {
var role = _roles.GetRole(id); var role = _roles.GetRole(id);
if (!role.IsSystem) if (role != null && !role.IsSystem && role.SiteId == _alias.SiteId)
{ {
_roles.DeleteRole(id); _roles.DeleteRole(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "Role Deleted {RoleId}", id); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Role Deleted {RoleId}", id);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Delete Attempt {RoleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
} }
} }

11
Oqtane.Server/Controllers/SettingController.cs
View File

@ -7,6 +7,7 @@ using System.Linq;
using Oqtane.Enums; using Oqtane.Enums;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -42,7 +43,7 @@ namespace Oqtane.Controllers
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityname, entityid); _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityname, entityid);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
return settings; return settings;
} }
@ -59,7 +60,7 @@ namespace Oqtane.Controllers
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {Setting}", setting); _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {Setting}", setting);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
} }
@ -80,7 +81,7 @@ namespace Oqtane.Controllers
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting); _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
setting = null; setting = null;
} }
return setting; return setting;
@ -102,7 +103,7 @@ namespace Oqtane.Controllers
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting); _logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
setting = null; setting = null;
} }
return setting; return setting;
@ -125,7 +126,7 @@ namespace Oqtane.Controllers
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting); _logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting);
HttpContext.Response.StatusCode = 401; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
} }
} }

30
Oqtane.Server/Controllers/SiteController.cs
View File

@ -7,6 +7,7 @@ using System.Linq;
using Oqtane.Enums; using Oqtane.Enums;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -38,7 +39,17 @@ namespace Oqtane.Controllers
[HttpGet("{id}")] [HttpGet("{id}")]
public Site Get(int id) public Site Get(int id)
{ {
return _sites.GetSite(id); var site = _sites.GetSite(id);
if (site.SiteId == _alias.SiteId)
{
return site;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Get Attempt {SiteId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// POST api/<controller> // POST api/<controller>
@ -72,12 +83,18 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public Site Put(int id, [FromBody] Site site) public Site Put(int id, [FromBody] Site site)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && site.SiteId == _alias.SiteId && site.TenantId == _alias.TenantId && _sites.GetSite(site.SiteId, false) != null)
{ {
site = _sites.UpdateSite(site); site = _sites.UpdateSite(site);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, site.SiteId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, site.SiteId);
_logger.Log(site.SiteId, LogLevel.Information, this, LogFunction.Update, "Site Updated {Site}", site); _logger.Log(site.SiteId, LogLevel.Information, this, LogFunction.Update, "Site Updated {Site}", site);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Put Attempt {Site}", site);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
site = null;
}
return site; return site;
} }
@ -85,9 +102,18 @@ namespace Oqtane.Controllers
[HttpDelete("{id}")] [HttpDelete("{id}")]
[Authorize(Roles = RoleNames.Host)] [Authorize(Roles = RoleNames.Host)]
public void Delete(int id) public void Delete(int id)
{
var site = _sites.GetSite(id);
if (site != null && site.SiteId == _alias.SiteId)
{ {
_sites.DeleteSite(id); _sites.DeleteSite(id);
_logger.Log(id, LogLevel.Information, this, LogFunction.Delete, "Site Deleted {SiteId}", id); _logger.Log(id, LogLevel.Information, this, LogFunction.Delete, "Site Deleted {SiteId}", id);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Delete Attempt {SiteId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
}
} }
} }

55
Oqtane.Server/Controllers/UserController.cs
View File

@ -52,6 +52,9 @@ namespace Oqtane.Controllers
[HttpGet("{id}")] [HttpGet("{id}")]
[Authorize] [Authorize]
public User Get(int id, string siteid) public User Get(int id, string siteid)
{
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{ {
User user = _users.GetUser(id); User user = _users.GetUser(id);
if (user != null) if (user != null)
@ -61,10 +64,20 @@ namespace Oqtane.Controllers
} }
return Filter(user); return Filter(user);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Get Attempt {UserId} {SiteId}", id, siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
// GET api/<controller>/name/x?siteid=x // GET api/<controller>/name/x?siteid=x
[HttpGet("name/{name}")] [HttpGet("name/{name}")]
public User Get(string name, string siteid) public User Get(string name, string siteid)
{
int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{ {
User user = _users.GetUser(name); User user = _users.GetUser(name);
if (user != null) if (user != null)
@ -74,6 +87,13 @@ namespace Oqtane.Controllers
} }
return Filter(user); return Filter(user);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Get Attempt {Username} {SiteId}", name, siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
}
private User Filter(User user) private User Filter(User user)
{ {
@ -102,14 +122,19 @@ namespace Oqtane.Controllers
[HttpPost] [HttpPost]
public async Task<User> Post([FromBody] User user) public async Task<User> Post([FromBody] User user)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && user.SiteId == _alias.SiteId)
{ {
var newUser = await CreateUser(user); var User = await CreateUser(user);
return newUser; return User;
} }
else
{
user.Password = ""; // remove sensitive information
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Post Attempt {User}", user);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null; return null;
} }
}
private async Task<User> CreateUser(User user) private async Task<User> CreateUser(User user)
{ {
@ -230,9 +255,7 @@ namespace Oqtane.Controllers
[Authorize] [Authorize]
public async Task<User> Put(int id, [FromBody] User user) public async Task<User> Put(int id, [FromBody] User user)
{ {
if (ModelState.IsValid) if (ModelState.IsValid && user.SiteId == _alias.SiteId && _users.GetUser(user.UserId, false) != null && (User.IsInRole(RoleNames.Admin) || User.Identity.Name == user.Username))
{
if (User.IsInRole(RoleNames.Admin) || User.Identity.Name == user.Username)
{ {
if (user.Password != "") if (user.Password != "")
{ {
@ -250,11 +273,11 @@ namespace Oqtane.Controllers
} }
else else
{ {
_logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update User {User}", user); user.Password = ""; // remove sensitive information
HttpContext.Response.StatusCode = 401; _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Post Attempt {User}", user);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
user = null; user = null;
} }
}
return user; return user;
} }
@ -263,18 +286,19 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public async Task Delete(int id, string siteid) public async Task Delete(int id, string siteid)
{ {
int SiteId;
User user = _users.GetUser(id); User user = _users.GetUser(id);
if (user != null) if (user != null && int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{ {
// remove user roles for site // remove user roles for site
foreach (UserRole userrole in _userRoles.GetUserRoles(user.UserId, Int32.Parse(siteid)).ToList()) foreach (UserRole userrole in _userRoles.GetUserRoles(user.UserId, SiteId).ToList())
{ {
_userRoles.DeleteUserRole(userrole.UserRoleId); _userRoles.DeleteUserRole(userrole.UserRoleId);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "User Role Deleted {UserRole}", userrole); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "User Role Deleted {UserRole}", userrole);
} }
// remove user folder for site // remove user folder for site
var folder = _folders.GetFolder(Int32.Parse(siteid), Utilities.PathCombine("Users", user.UserId.ToString(), Path.DirectorySeparatorChar.ToString())); var folder = _folders.GetFolder(SiteId, Utilities.PathCombine("Users", user.UserId.ToString(), Path.DirectorySeparatorChar.ToString()));
if (folder != null) if (folder != null)
{ {
if (Directory.Exists(_folders.GetFolderPath(folder))) if (Directory.Exists(_folders.GetFolderPath(folder)))
@ -307,6 +331,11 @@ namespace Oqtane.Controllers
} }
} }
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Delete Attempt {UserId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
// POST api/<controller>/login // POST api/<controller>/login

48
Oqtane.Server/Controllers/UserRoleController.cs
View File

@ -7,6 +7,7 @@ using Oqtane.Shared;
using Oqtane.Infrastructure; using Oqtane.Infrastructure;
using Oqtane.Repository; using Oqtane.Repository;
using System.Linq; using System.Linq;
using System.Net;
namespace Oqtane.Controllers namespace Oqtane.Controllers
{ {
@ -33,7 +34,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public IEnumerable<UserRole> Get(string siteid) public IEnumerable<UserRole> Get(string siteid)
{ {
return _userRoles.GetUserRoles(int.Parse(siteid)); int SiteId;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
{
return _userRoles.GetUserRoles(SiteId);
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UserRole Get Attempt {SiteId}", siteid);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// GET api/<controller>/5 // GET api/<controller>/5
@ -41,7 +52,17 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Admin)] [Authorize(Roles = RoleNames.Admin)]
public UserRole Get(int id) public UserRole Get(int id)
{ {
return _userRoles.GetUserRole(id); var userrole = _userRoles.GetUserRole(id);
if (userrole != null && userrole.Role.SiteId == _alias.SiteId)
{
return userrole;
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Get Attempt {UserRoleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return null;
}
} }
// POST api/<controller> // POST api/<controller>
@ -50,7 +71,7 @@ namespace Oqtane.Controllers
public UserRole Post([FromBody] UserRole userRole) public UserRole Post([FromBody] UserRole userRole)
{ {
var role = _roles.GetRole(userRole.RoleId); var role = _roles.GetRole(userRole.RoleId);
if (ModelState.IsValid && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host)) if (ModelState.IsValid && role != null && role.SiteId == _alias.SiteId && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host))
{ {
if (role.Name == RoleNames.Host) if (role.Name == RoleNames.Host)
{ {
@ -64,6 +85,12 @@ namespace Oqtane.Controllers
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UserRole Post Attempt {UserRole}", userRole);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
userRole = null;
}
return userRole; return userRole;
} }
@ -73,12 +100,18 @@ namespace Oqtane.Controllers
public UserRole Put(int id, [FromBody] UserRole userRole) public UserRole Put(int id, [FromBody] UserRole userRole)
{ {
var role = _roles.GetRole(userRole.RoleId); var role = _roles.GetRole(userRole.RoleId);
if (ModelState.IsValid && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host)) if (ModelState.IsValid && role != null && role.SiteId == _alias.SiteId && _userRoles.GetUserRole(userRole.UserRoleId, false) != null && (User.IsInRole(RoleNames.Host) || role.Name != RoleNames.Host))
{ {
userRole = _userRoles.UpdateUserRole(userRole); userRole = _userRoles.UpdateUserRole(userRole);
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "User Role Updated {UserRole}", userRole); _logger.Log(LogLevel.Information, this, LogFunction.Update, "User Role Updated {UserRole}", userRole);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Put Attempt {UserRole}", userRole);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
userRole = null;
}
return userRole; return userRole;
} }
@ -88,7 +121,7 @@ namespace Oqtane.Controllers
public void Delete(int id) public void Delete(int id)
{ {
UserRole userRole = _userRoles.GetUserRole(id); UserRole userRole = _userRoles.GetUserRole(id);
if (User.IsInRole(RoleNames.Host) || userRole.Role.Name != RoleNames.Host) if (userRole != null && userRole.Role.SiteId == _alias.SiteId && (User.IsInRole(RoleNames.Host) || userRole.Role.Name != RoleNames.Host))
{ {
_userRoles.DeleteUserRole(id); _userRoles.DeleteUserRole(id);
_logger.Log(LogLevel.Information, this, LogFunction.Delete, "User Role Deleted {UserRole}", userRole); _logger.Log(LogLevel.Information, this, LogFunction.Delete, "User Role Deleted {UserRole}", userRole);
@ -106,6 +139,11 @@ namespace Oqtane.Controllers
_syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId); _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.User, userRole.UserId);
} }
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Delete Attempt {UserRoleId}", id);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
}
} }
} }
} }

5
Oqtane.Server/Repository/FileRepository.cs
View File

@ -63,12 +63,11 @@ namespace Oqtane.Repository
File file; File file;
if (tracking) if (tracking)
{ {
file = _db.File.Where(item => item.FileId == fileId).Include(item => item.Folder).FirstOrDefault(); file = _db.File.Include(item => item.Folder).FirstOrDefault(item => item.FileId == fileId);
} }
else else
{ {
file = _db.File.AsNoTracking().Where(item => item.FileId == fileId).Include(item => item.Folder).FirstOrDefault(); file = _db.File.AsNoTracking().Include(item => item.Folder).FirstOrDefault(item => item.FileId == fileId);
} }
if (file != null) if (file != null)
{ {

2
Oqtane.Server/Repository/FolderRepository.cs
View File

@ -61,7 +61,7 @@ namespace Oqtane.Repository
Folder folder; Folder folder;
if (tracking) if (tracking)
{ {
folder = _db.Folder.Where(item => item.FolderId == folderId).FirstOrDefault(); folder = _db.Folder.Find(folderId);
} }
else else
{ {

3
Oqtane.Server/Repository/Interfaces/IModuleRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -9,6 +9,7 @@ namespace Oqtane.Repository
Module AddModule(Module module); Module AddModule(Module module);
Module UpdateModule(Module module); Module UpdateModule(Module module);
Module GetModule(int moduleId); Module GetModule(int moduleId);
Module GetModule(int moduleId, bool tracking);
void DeleteModule(int moduleId); void DeleteModule(int moduleId);
string ExportModule(int moduleId); string ExportModule(int moduleId);
bool ImportModule(int moduleId, string content); bool ImportModule(int moduleId, string content);

3
Oqtane.Server/Repository/Interfaces/INotificationRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -9,6 +9,7 @@ namespace Oqtane.Repository
Notification AddNotification(Notification notification); Notification AddNotification(Notification notification);
Notification UpdateNotification(Notification notification); Notification UpdateNotification(Notification notification);
Notification GetNotification(int notificationId); Notification GetNotification(int notificationId);
Notification GetNotification(int notificationId, bool tracking);
void DeleteNotification(int notificationId); void DeleteNotification(int notificationId);
} }
} }

3
Oqtane.Server/Repository/Interfaces/IPageModuleRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -10,6 +10,7 @@ namespace Oqtane.Repository
PageModule AddPageModule(PageModule pageModule); PageModule AddPageModule(PageModule pageModule);
PageModule UpdatePageModule(PageModule pageModule); PageModule UpdatePageModule(PageModule pageModule);
PageModule GetPageModule(int pageModuleId); PageModule GetPageModule(int pageModuleId);
PageModule GetPageModule(int pageModuleId, bool tracking);
PageModule GetPageModule(int pageId, int moduleId); PageModule GetPageModule(int pageId, int moduleId);
void DeletePageModule(int pageModuleId); void DeletePageModule(int pageModuleId);
} }

3
Oqtane.Server/Repository/Interfaces/IPageRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -9,6 +9,7 @@ namespace Oqtane.Repository
Page AddPage(Page page); Page AddPage(Page page);
Page UpdatePage(Page page); Page UpdatePage(Page page);
Page GetPage(int pageId); Page GetPage(int pageId);
Page GetPage(int pageId, bool tracking);
Page GetPage(int pageId, int userId); Page GetPage(int pageId, int userId);
Page GetPage(string path, int siteId); Page GetPage(string path, int siteId);
void DeletePage(int pageId); void DeletePage(int pageId);

3
Oqtane.Server/Repository/Interfaces/IProfileRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -9,6 +9,7 @@ namespace Oqtane.Repository
Profile AddProfile(Profile profile); Profile AddProfile(Profile profile);
Profile UpdateProfile(Profile profile); Profile UpdateProfile(Profile profile);
Profile GetProfile(int profileId); Profile GetProfile(int profileId);
Profile GetProfile(int profileId, bool tracking);
void DeleteProfile(int profileId); void DeleteProfile(int profileId);
} }
} }

3
Oqtane.Server/Repository/Interfaces/IRoleRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -10,6 +10,7 @@ namespace Oqtane.Repository
Role AddRole(Role role); Role AddRole(Role role);
Role UpdateRole(Role role); Role UpdateRole(Role role);
Role GetRole(int roleId); Role GetRole(int roleId);
Role GetRole(int roleId, bool tracking);
void DeleteRole(int roleId); void DeleteRole(int roleId);
} }
} }

3
Oqtane.Server/Repository/Interfaces/ISiteRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -9,6 +9,7 @@ namespace Oqtane.Repository
Site AddSite(Site site); Site AddSite(Site site);
Site UpdateSite(Site site); Site UpdateSite(Site site);
Site GetSite(int siteId); Site GetSite(int siteId);
Site GetSite(int siteId, bool tracking);
void DeleteSite(int siteId); void DeleteSite(int siteId);
void CreatePages(Site site, List<PageTemplate> pageTemplates); void CreatePages(Site site, List<PageTemplate> pageTemplates);
} }

3
Oqtane.Server/Repository/Interfaces/IUserRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using Oqtane.Models; using Oqtane.Models;
namespace Oqtane.Repository namespace Oqtane.Repository
@ -9,6 +9,7 @@ namespace Oqtane.Repository
User AddUser(User user); User AddUser(User user);
User UpdateUser(User user); User UpdateUser(User user);
User GetUser(int userId); User GetUser(int userId);
User GetUser(int userId, bool tracking);
User GetUser(string username); User GetUser(string username);
void DeleteUser(int userId); void DeleteUser(int userId);
} }

1
Oqtane.Server/Repository/Interfaces/IUserRoleRepository.cs
View File

@ -10,6 +10,7 @@ namespace Oqtane.Repository
UserRole AddUserRole(UserRole userRole); UserRole AddUserRole(UserRole userRole);
UserRole UpdateUserRole(UserRole userRole); UserRole UpdateUserRole(UserRole userRole);
UserRole GetUserRole(int userRoleId); UserRole GetUserRole(int userRoleId);
UserRole GetUserRole(int userRoleId, bool tracking);
void DeleteUserRole(int userRoleId); void DeleteUserRole(int userRoleId);
void DeleteUserRoles(int userId); void DeleteUserRoles(int userId);
} }

18
Oqtane.Server/Repository/ModuleRepository.cs
View File

@ -1,4 +1,4 @@
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using System.Text.Json; using System.Text.Json;
@ -48,12 +48,24 @@ namespace Oqtane.Repository
public Module GetModule(int moduleId) public Module GetModule(int moduleId)
{ {
Module module = _db.Module.Find(moduleId); return GetModule(moduleId, true);
}
public Module GetModule(int moduleId, bool tracking)
{
Module module;
if (tracking)
{
module = _db.Module.Find(moduleId);
}
else
{
module = _db.Module.AsNoTracking().FirstOrDefault(item => item.ModuleId == moduleId);
}
if (module != null) if (module != null)
{ {
module.Permissions = _permissions.GetPermissionString("Module", module.ModuleId); module.Permissions = _permissions.GetPermissionString("Module", module.ModuleId);
} }
return module; return module;
} }

13
Oqtane.Server/Repository/NotificationRepository.cs
View File

@ -45,11 +45,22 @@ namespace Oqtane.Repository
_db.SaveChanges(); _db.SaveChanges();
return notification; return notification;
} }
public Notification GetNotification(int notificationId) public Notification GetNotification(int notificationId)
{
return GetNotification(notificationId, true);
}
public Notification GetNotification(int notificationId, bool tracking)
{
if (tracking)
{ {
return _db.Notification.Find(notificationId); return _db.Notification.Find(notificationId);
} }
else
{
return _db.Notification.AsNoTracking().FirstOrDefault(item => item.NotificationId == notificationId);
}
}
public void DeleteNotification(int notificationId) public void DeleteNotification(int notificationId)
{ {

20
Oqtane.Server/Repository/PageModuleRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
using Oqtane.Extensions; using Oqtane.Extensions;
@ -69,8 +69,22 @@ namespace Oqtane.Repository
public PageModule GetPageModule(int pageModuleId) public PageModule GetPageModule(int pageModuleId)
{ {
PageModule pagemodule = _db.PageModule.Include(item => item.Module) // eager load modules return GetPageModule(pageModuleId, true);
.SingleOrDefault(item => item.PageModuleId == pageModuleId); }
public PageModule GetPageModule(int pageModuleId, bool tracking)
{
PageModule pagemodule;
if (tracking)
{
pagemodule = _db.PageModule.Include(item => item.Module) // eager load modules
.FirstOrDefault(item => item.PageModuleId == pageModuleId);
}
else
{
pagemodule = _db.PageModule.AsNoTracking().Include(item => item.Module) // eager load modules
.FirstOrDefault(item => item.PageModuleId == pageModuleId);
}
if (pagemodule != null) if (pagemodule != null)
{ {
pagemodule.Module.Permissions = _permissions.GetPermissionString("Module", pagemodule.ModuleId); pagemodule.Module.Permissions = _permissions.GetPermissionString("Module", pagemodule.ModuleId);

18
Oqtane.Server/Repository/PageRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
using Oqtane.Extensions; using Oqtane.Extensions;
@ -49,7 +49,21 @@ namespace Oqtane.Repository
public Page GetPage(int pageId) public Page GetPage(int pageId)
{ {
Page page = _db.Page.Find(pageId); return GetPage(pageId, true);
}
public Page GetPage(int pageId, bool tracking)
{
Page page;
if (tracking)
{
page = _db.Page.Find(pageId);
}
else
{
page = _db.Page.AsNoTracking().FirstOrDefault(item => item.PageId == pageId);
}
if (page != null) if (page != null)
{ {
page.Permissions = _permissions.GetPermissionString(EntityNames.Page, page.PageId); page.Permissions = _permissions.GetPermissionString(EntityNames.Page, page.PageId);

14
Oqtane.Server/Repository/ProfileRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
using Oqtane.Models; using Oqtane.Models;
@ -34,9 +34,21 @@ namespace Oqtane.Repository
} }
public Profile GetProfile(int profileId) public Profile GetProfile(int profileId)
{
return GetProfile(profileId, true);
}
public Profile GetProfile(int profileId, bool tracking)
{
if (tracking)
{ {
return _db.Profile.Find(profileId); return _db.Profile.Find(profileId);
} }
else
{
return _db.Profile.AsNoTracking().FirstOrDefault(item => item.ProfileId == profileId);
}
}
public void DeleteProfile(int profileId) public void DeleteProfile(int profileId)
{ {

12
Oqtane.Server/Repository/RoleRepository.cs
View File

@ -48,9 +48,21 @@ namespace Oqtane.Repository
} }
public Role GetRole(int roleId) public Role GetRole(int roleId)
{
return GetRole(roleId, true);
}
public Role GetRole(int roleId, bool tracking)
{
if (tracking)
{ {
return _db.Role.Find(roleId); return _db.Role.Find(roleId);
} }
else
{
return _db.Role.AsNoTracking().FirstOrDefault(item => item.RoleId == roleId);
}
}
public void DeleteRole(int roleId) public void DeleteRole(int roleId)
{ {

12
Oqtane.Server/Repository/SiteRepository.cs
View File

@ -619,9 +619,21 @@ namespace Oqtane.Repository
} }
public Site GetSite(int siteId) public Site GetSite(int siteId)
{
return GetSite(siteId, true);
}
public Site GetSite(int siteId, bool tracking)
{
if (tracking)
{ {
return _db.Site.Find(siteId); return _db.Site.Find(siteId);
} }
else
{
return _db.Site.AsNoTracking().FirstOrDefault(item => item.SiteId == siteId);
}
}
public void DeleteSite(int siteId) public void DeleteSite(int siteId)
{ {

14
Oqtane.Server/Repository/UserRepository.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
using Oqtane.Models; using Oqtane.Models;
@ -34,9 +34,21 @@ namespace Oqtane.Repository
} }
public User GetUser(int userId) public User GetUser(int userId)
{
return GetUser(userId, true);
}
public User GetUser(int userId, bool tracking)
{
if (tracking)
{ {
return _db.User.Find(userId); return _db.User.Find(userId);
} }
else
{
return _db.User.AsNoTracking().FirstOrDefault(item => item.UserId == userId);
}
}
public User GetUser(string username) public User GetUser(string username)
{ {

17
Oqtane.Server/Repository/UserRoleRepository.cs
View File

@ -45,11 +45,26 @@ namespace Oqtane.Repository
} }
public UserRole GetUserRole(int userRoleId) public UserRole GetUserRole(int userRoleId)
{
return GetUserRole(userRoleId, true);
}
public UserRole GetUserRole(int userRoleId, bool tracking)
{
if (tracking)
{ {
return _db.UserRole return _db.UserRole
.Include(item => item.Role) // eager load roles .Include(item => item.Role) // eager load roles
.Include(item => item.User) // eager load users .Include(item => item.User) // eager load users
.SingleOrDefault(item => item.UserRoleId == userRoleId); .FirstOrDefault(item => item.UserRoleId == userRoleId);
}
else
{
return _db.UserRole.AsNoTracking()
.Include(item => item.Role) // eager load roles
.Include(item => item.User) // eager load users
.FirstOrDefault(item => item.UserRoleId == userRoleId);
}
} }
public void DeleteUserRole(int userRoleId) public void DeleteUserRole(int userRoleId)

3
Oqtane.Server/Startup.cs
View File

@ -2,6 +2,7 @@ using System;
using System.Collections.Generic; using System.Collections.Generic;
using System.IO; using System.IO;
using System.Linq; using System.Linq;
using System.Net;
using System.Net.Http; using System.Net.Http;
using System.Threading.Tasks; using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
@ -165,7 +166,7 @@ namespace Oqtane
options.Cookie.HttpOnly = false; options.Cookie.HttpOnly = false;
options.Events.OnRedirectToLogin = context => options.Events.OnRedirectToLogin = context =>
{ {
context.Response.StatusCode = 401; context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
return Task.CompletedTask; return Task.CompletedTask;
}; };
options.Events.OnValidatePrincipal = PrincipalValidator.ValidateAsync; options.Events.OnValidatePrincipal = PrincipalValidator.ValidateAsync;