Settings authorization

2019-08-30 13:42:16 -04:00 · 2019-08-30 13:42:16 -04:00 · 838b48f91e
commit 838b48f91e
parent c651dedffd
1 changed files with 23 additions and 5 deletions
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@ -4,6 +4,7 @@ using Microsoft.AspNetCore.Authorization;
 using Oqtane.Repository;
 using Oqtane.Models;
 using Oqtane.Shared;
+using Oqtane.Security;

 namespace Oqtane.Controllers
 {
@ -11,10 +12,12 @@ namespace Oqtane.Controllers
    public class SettingController : Controller
    {
        private readonly ISettingRepository Settings;
+        private readonly IUserPermissions UserPermissions;

-        public SettingController(ISettingRepository Settings)
+        public SettingController(ISettingRepository Settings, IUserPermissions UserPermissions)
        {
            this.Settings = Settings;
+            this.UserPermissions = UserPermissions;
        }

        // GET: api/<controller>
@ -33,10 +36,10 @@ namespace Oqtane.Controllers

        // POST api/<controller>
        [HttpPost]
-        [Authorize(Roles = Constants.AdminRole)]
+        [Authorize]
        public Setting Post([FromBody] Setting Setting)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId))
            {
                Setting = Settings.AddSetting(Setting);
            }
@ -45,10 +48,10 @@ namespace Oqtane.Controllers

        // PUT api/<controller>/5
        [HttpPut("{id}")]
-        [Authorize(Roles = Constants.AdminRole)]
+        [Authorize]
        public Setting Put(int id, [FromBody] Setting Setting)
        {
-            if (ModelState.IsValid)
+            if (ModelState.IsValid && IsAuthorized(Setting.EntityName, Setting.EntityId))
            {
                Setting = Settings.UpdateSetting(Setting);
            }
@ -62,5 +65,20 @@ namespace Oqtane.Controllers
        {
            Settings.DeleteSetting(id);
        }
+
+        private bool IsAuthorized(string EntityName, int EntityId)
+        {
+            bool authorized = false;
+            switch (EntityName)
+            {
+                case "Module":
+                    authorized = UserPermissions.IsAuthorized(User, EntityName, EntityId, "Edit");
+                    break;
+                default:
+                    authorized = User.IsInRole(Constants.AdminRole);
+                    break;
+            }
+            return authorized;
+        }
    }
 }