diff --git a/Oqtane.Server/Controllers/SettingController.cs b/Oqtane.Server/Controllers/SettingController.cs
index 5dcec2d8..2d400cca 100644
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@@ -4,6 +4,7 @@ using Microsoft.AspNetCore.Authorization;
 using Oqtane.Repository;
 using Oqtane.Models;
 using Oqtane.Shared;
+using Oqtane.Security;
 
 namespace Oqtane.Controllers
 {
@@ -11,10 +12,12 @@ namespace Oqtane.Controllers
 public class SettingController : Controller
 {
 private readonly ISettingRepository Settings;
+ private readonly IUserPermissions UserPermissions;
 
- public SettingController(ISettingRepository Settings)
+ public SettingController(ISettingRepository Settings, IUserPermissions UserPermissions)
 {
 this.Settings = Settings;
+ this.UserPermissions = UserPermissions;
 }
 
 // GET: api/
@@ -33,10 +36,10 @@ namespace Oqtane.Controllers
 
 // POST api/
 [HttpPost]
- [Authorize(Roles = Constants.AdminRole)]
+ [Authorize]
 public Setting Post([FromBody] Setting Setting)
 {
- if (ModelState.IsValid)
+ if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId))
 {
 Setting = Settings.AddSetting(Setting);
 }
@@ -45,10 +48,10 @@ namespace Oqtane.Controllers
 
 // PUT api//5
 [HttpPut("{id}")]
- [Authorize(Roles = Constants.AdminRole)]
+ [Authorize]
 public Setting Put(int id, [FromBody] Setting Setting)
 {
- if (ModelState.IsValid)
+ if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId))
 {
 Setting = Settings.UpdateSetting(Setting);
 }
@@ -62,5 +65,20 @@ namespace Oqtane.Controllers
 {
 Settings.DeleteSetting(id);
 }
+
+ private bool IsAuthorized(string EntityName, int EntityId)
+ {
+ bool authorized = false;
+ switch (EntityName)
+ {
+ case "Module":
+ authorized = UserPermissions.IsAuthorized(User, EntityName, EntityId, "Edit");
+ break;
+ default:
+ authorized = User.IsInRole(Constants.AdminRole);
+ break;
+ }
+ return authorized;
+ }
 }
 }
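Review bot: In Post, a request that fails the new `IsAuthorized(...)` check is no longer rejected by the framework — the body just skips `AddSetting` and, presumably via the `return Setting;` that sits outside this hunk, echoes the unsaved Setting back with a 200, so a caller cannot tell a denied write from a successful one, whereas the removed `[Authorize(Roles = Constants.AdminRole)]` produced a 403. Since `[Authorize]` now lets every authenticated user reach this path, the denial should be explicit, e.g. `else { HttpContext.Response.StatusCode = 403; Setting = null; }` or whatever convention the project's other controllers use for a permission failure. Post's body continues past the end of the hunk.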
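Review bot: In Put, the check `IsAuthorized(Setting.EntityName, Setting.EntityId)` authorizes against the entity identity supplied in the request body, not against the entity the stored setting row actually belongs to, and the route `id` is never compared with `Setting.SettingId` (the latter predates this commit). If `UpdateSetting` persists `EntityName`/`EntityId` from the body, a user holding Edit on one module could target any setting row by id while naming their own module as the owner, overwriting or re-parenting a setting that belongs to a site, host or another module. I would tighten the guard to `if (ModelState.IsValid && id == Setting.SettingId && IsAuthorized(Setting.EntityName, Setting.EntityId))` and, before updating, load the existing row and require authorization for its current EntityName/EntityId as well. Put's body continues past the end of the hunk.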
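Review bot: The new `IsAuthorized` helper keys on the bare string literals `"Module"` and `"Edit"` and compares `EntityName` case-sensitively, so a client that sends `"module"` (or a null EntityName, which C# routes to `default` without throwing) lands in the admin-only branch — fail-safe, but if the project already has named constants for entity and permission names, as it does for `Constants.AdminRole` on the line below, they belong here so the policy cannot drift from the values other callers use. The policy itself deserves a comment, e.g. `// Module-scoped settings: any user with Edit permission on that module. Every other EntityName (Site, Host, User, ...) stays admin-only.` The Delete action's attribute lies outside this hunk, so the review cannot see whether it received the same per-entity check; if it still requires AdminRole, module editors can now add and update their module's settings but not remove them, which may or may not be intended.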