improve filtering logic in UserRole API

2025-01-13 14:42:19 -05:00 · 2025-01-13 14:42:19 -05:00 · a59ec0258b
commit a59ec0258b
parent 0ac6a62b86
1 changed files with 30 additions and 32 deletions
--- a/Oqtane.Server/Controllers/UserRoleController.cs
+++ b/Oqtane.Server/Controllers/UserRoleController.cs
@ -121,41 +121,39 @@ namespace Oqtane.Controllers
        private UserRole Filter(UserRole userrole, int userid)
        {
-            // clone object to avoid mutating cache 
+            // include all properties if authorized
-            UserRole filtered = null;
+            if (_userPermissions.IsAuthorized(User, userrole.User.SiteId, EntityNames.UserRole, -1, PermissionNames.Write, RoleNames.Admin))
            if (userrole != null)
            {
-                filtered = new UserRole();
+                return userrole;
                // public properties
                filtered.UserRoleId = userrole.UserRoleId;
                filtered.UserId = userrole.UserId;
                filtered.RoleId = userrole.RoleId;
                filtered.User = new User();
                filtered.User.SiteId = userrole.User.SiteId;
                filtered.User.UserId = userrole.User.UserId;
                filtered.User.Username = userrole.User.Username;
                filtered.User.DisplayName = userrole.User.DisplayName;
                filtered.Role = new Role();
                filtered.Role.SiteId = userrole.Role.SiteId;
                filtered.Role.RoleId = userrole.Role.RoleId;
                filtered.Role.Name = userrole.Role.Name;
                // include private properties if administrator
                if (_userPermissions.IsAuthorized(User, filtered.User.SiteId, EntityNames.UserRole, -1, PermissionNames.Write, RoleNames.Admin))
                {
                    filtered.User.Email = userrole.User.Email;
                    filtered.User.PhotoFileId = userrole.User.PhotoFileId;
                    filtered.User.LastLoginOn = userrole.User.LastLoginOn;
                    filtered.User.LastIPAddress = userrole.User.LastIPAddress;
                    filtered.User.CreatedOn = userrole.User.CreatedOn;
                }
            }
            else
            {
                // clone object to avoid mutating cache 
                UserRole filtered = null;
-            return filtered;
+                if (userrole != null)
                {
                    filtered = new UserRole();
                    // include public properties
                    filtered.UserRoleId = userrole.UserRoleId;
                    filtered.UserId = userrole.UserId;
                    filtered.RoleId = userrole.RoleId;
                    filtered.User = new User();
                    filtered.User.SiteId = userrole.User.SiteId;
                    filtered.User.UserId = userrole.User.UserId;
                    filtered.User.Username = userrole.User.Username;
                    filtered.User.DisplayName = userrole.User.DisplayName;
                    filtered.Role = new Role();
                    filtered.Role.SiteId = userrole.Role.SiteId;
                    filtered.Role.RoleId = userrole.Role.RoleId;
                    filtered.Role.Name = userrole.Role.Name;
                }
                return filtered;
            }
        }
        // POST api/<controller>