diff --git a/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs b/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
index 344eb8f6..73776394 100644
--- a/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
+++ b/Oqtane.Client/Modules/HtmlText/Services/HtmlTextService.cs
@@ -13,29 +13,22 @@ namespace Oqtane.Modules.HtmlText.Services
public async Task GetHtmlTextAsync(int moduleId)
{
- AddAuthorizationPolicyHeader(EntityNames.Module, moduleId);
- return await GetJsonAsync($"{ApiUrl}/{moduleId}");
+ return await GetJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId));
}
public async Task AddHtmlTextAsync(Models.HtmlText htmlText)
{
- AddAntiForgeryToken();
- AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId);
- await PostJsonAsync($"{ApiUrl}", htmlText);
+ await PostJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}", EntityNames.Module, htmlText.ModuleId), htmlText);
}
public async Task UpdateHtmlTextAsync(Models.HtmlText htmlText)
{
- AddAntiForgeryToken();
- AddAuthorizationPolicyHeader(EntityNames.Module, htmlText.ModuleId);
- await PutJsonAsync($"{ApiUrl}/{htmlText.HtmlTextId}", htmlText);
+ await PutJsonAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{htmlText.HtmlTextId}", EntityNames.Module, htmlText.ModuleId), htmlText);
}
public async Task DeleteHtmlTextAsync(int moduleId)
{
- AddAntiForgeryToken();
- AddAuthorizationPolicyHeader(EntityNames.Module, moduleId);
- await DeleteAsync($"{ApiUrl}/{moduleId}");
+ await DeleteAsync(CreateAuthorizationPolicyUrl($"{ApiUrl}/{moduleId}", EntityNames.Module, moduleId));
}
}
}
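Review bot: `UpdateHtmlTextAsync` (the new `PutJsonAsync` line) addresses the row by `htmlText.HtmlTextId` but authorizes by `htmlText.ModuleId`, and both values now travel in the query string under the caller's control, so the server still has to confirm that the HtmlText row being written actually belongs to the module the caller was authorized against; that check lives in the controller, which is not part of this hunk, so I cannot tell whether it exists. A short comment on the Update and Delete methods would make the contract explicit, e.g. `// authorization is evaluated against the module, not the HtmlText row; the server must verify HtmlTextId belongs to ModuleId`. Moving the entity ids from headers to the URL also means they are recorded in server and proxy access logs, which is acceptable for non-sensitive integer ids but worth noting in `CreateAuthorizationPolicyUrl` so nobody later routes a secret through it.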
diff --git a/Oqtane.Client/Services/InstallationService.cs b/Oqtane.Client/Services/InstallationService.cs
index a37db439..70bfc7f6 100644
--- a/Oqtane.Client/Services/InstallationService.cs
+++ b/Oqtane.Client/Services/InstallationService.cs
@@ -13,16 +13,20 @@ namespace Oqtane.Services
public class InstallationService : ServiceBase, IInstallationService
{
private readonly NavigationManager _navigationManager;
+ private readonly SiteState _siteState;
- public InstallationService(HttpClient http, NavigationManager navigationManager) : base(http)
+ public InstallationService(HttpClient http, NavigationManager navigationManager, SiteState siteState) : base(http)
{
_navigationManager = navigationManager;
+ _siteState = siteState;
}
private string ApiUrl => CreateApiUrl("Installation", null, ControllerRoutes.ApiRoute); // tenant agnostic
public async Task IsInstalled()
{
+ // add antiforgerytoken header so that it is included on all HttpClient calls for the lifetime of the app
+ AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken);
var path = new Uri(_navigationManager.Uri).LocalPath.Substring(1);
return await GetJsonAsync($"{ApiUrl}/installed/?path={WebUtility.UrlEncode(path)}");
}
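Review bot: Pinning the antiforgery token into the shared `HttpClient` from inside `IsInstalled()` ties CSRF protection for every later POST/PUT/DELETE to a GET that merely happens to run first, and it assumes `_siteState.AntiForgeryToken` never changes for the lifetime of the scope, which is exactly the kind of header the new note in `ServiceBase.AddRequestHeader` warns against. ASP.NET Core antiforgery request tokens are bound to the authenticated identity by default, so if SiteState refreshes the token after login without the client being reloaded (I cannot see that path from this hunk), every subsequent mutating call would carry a stale token and be rejected by the server. At minimum the assumption should be stated where it is made, e.g. `// assumes the antiforgery token is fixed for this scope (Oqtane reloads the client on login); if that changes, the header must be re-added here`, and the call would be safer in the constructor or a dedicated initialization step than in a method whose name promises a read-only query.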
diff --git a/Oqtane.Client/Services/ServiceBase.cs b/Oqtane.Client/Services/ServiceBase.cs
index 66762fde..ecd6c37b 100644
--- a/Oqtane.Client/Services/ServiceBase.cs
+++ b/Oqtane.Client/Services/ServiceBase.cs
@@ -20,7 +20,6 @@ namespace Oqtane.Services
protected ServiceBase(HttpClient client, SiteState siteState)
{
_http = client;
- RemoveAuthorizationPolicyHeaders();
_siteState = siteState;
}
@@ -96,6 +95,7 @@ namespace Oqtane.Services
}
}
+ // note that HttpClient is registered as a Scoped(shared) service and therefore you should not use request headers whose value can vary over the lifetime of the service
protected void AddRequestHeader(string name, string value)
{
RemoveRequestHeader(name);
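Review bot: The added note on `AddRequestHeader` should say why varying values are unsafe, since the mechanism is the real hazard: anything written to `DefaultRequestHeaders` is sent on every request the shared client issues for the rest of the scope, and `HttpHeaders` is not safe to mutate while a request on the same client is in flight, so a per-call header from one service can leak into or race with another service's request. I would replace the comment with `// HttpClient is a shared Scoped service: values added here ride on every later request in the scope and HttpHeaders is not safe to mutate concurrently, so only use this for values fixed for the scope's lifetime (e.g. the antiforgery token), never per-call data`. The method body continues outside the hunk.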
@@ -110,35 +110,6 @@ namespace Oqtane.Services
}
}
- protected void AddAntiForgeryToken()
- {
- AddRequestHeader(Constants.AntiForgeryTokenHeaderName, _siteState.AntiForgeryToken);
- }
-
- public void AddAuthorizationPolicyHeader(string entityName, int entityId)
- {
- AddAuthorizationPolicyHeader(new Dictionary() { { entityName, entityId } });
- }
-
- public void AddAuthorizationPolicyHeader(Dictionary authEntityId)
- {
- foreach (KeyValuePair kvp in authEntityId)
- {
- AddRequestHeader("auth" + kvp.Key.ToLower() + "id", kvp.Value.ToString());
- }
- }
-
- public void RemoveAuthorizationPolicyHeaders()
- {
- foreach (var param in _http.DefaultRequestHeaders)
- {
- if (param.Key.StartsWith("auth") && param.Key.EndsWith("id"))
- {
- _http.DefaultRequestHeaders.Remove(param.Key);
- }
- }
- }
-
protected async Task GetAsync(string uri)
{
var response = await _http.GetAsync(uri);
@@ -258,7 +229,6 @@ namespace Oqtane.Services
protected ServiceBase(HttpClient client)
{
_http = client;
- RemoveAuthorizationPolicyHeaders();
}
[Obsolete("This method is obsolete. Use CreateApiUrl(string serviceName, Alias alias) in conjunction with ControllerRoutes.ApiRoute in Controllers instead.", false)]
diff --git a/Oqtane.Server/Controllers/ModuleControllerBase.cs b/Oqtane.Server/Controllers/ModuleControllerBase.cs
index 18687ee8..6f89bac2 100644
--- a/Oqtane.Server/Controllers/ModuleControllerBase.cs
+++ b/Oqtane.Server/Controllers/ModuleControllerBase.cs
@@ -27,17 +27,6 @@ namespace Oqtane.Controllers
_authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value);
}
}
- // if policy authorization dictionary is empty populate from headers
- if (_authEntityId.Count == 0)
- {
- foreach (var param in accessor.HttpContext.Request.Headers)
- {
- if (param.Key.StartsWith("auth") && param.Key.EndsWith("id") && int.TryParse(param.Value, out value))
- {
- _authEntityId.Add(param.Key.Substring(4, param.Key.Length - 6), value);
- }
- }
- }
// legacy support
if (_authEntityId.Count == 0 && accessor.HttpContext.Request.Query.ContainsKey("entityid"))
diff --git a/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs b/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs
index f1d85e45..c15db40c 100644
--- a/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs
+++ b/Oqtane.Server/Migrations/Tenant/02010100_AddPageIsClickable.cs
@@ -19,7 +19,7 @@ namespace Oqtane.Migrations.Tenant
var pageEntityBuilder = new PageEntityBuilder(migrationBuilder, ActiveDatabase);
pageEntityBuilder.AddBooleanColumn("IsClickable");
- pageEntityBuilder.UpdateColumn("IsClickable", "true");
+ pageEntityBuilder.UpdateColumn("IsClickable", "1");
}
protected override void Down(MigrationBuilder migrationBuilder)
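Review bot: The new literal `"1"` on the `UpdateColumn` line fixes the `true` keyword for databases that store the boolean column as a bit or integer, but if `UpdateColumn` splices the string into SQL verbatim (I cannot see its implementation here), a PostgreSQL `boolean` column rejects an integer literal without a cast. Worth confirming that `AddBooleanColumn` maps to a type that accepts `1` on every supported provider, or routing the literal through the `ActiveDatabase` abstraction so each provider supplies its own boolean literal; a comment such as `// "1" rather than "true": accepted by bit/integer-backed boolean columns on all supported providers` would record why the keyword was dropped.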
diff --git a/Oqtane.Server/Security/PermissionHandler.cs b/Oqtane.Server/Security/PermissionHandler.cs
index e26ddcd4..0b507e74 100644
--- a/Oqtane.Server/Security/PermissionHandler.cs
+++ b/Oqtane.Server/Security/PermissionHandler.cs
@@ -35,16 +35,6 @@ namespace Oqtane.Security
entityId = -1;
}
}
- if (entityId == -1)
- {
- if (ctx.Request.Headers.ContainsKey("auth" + requirement.EntityName.ToLower() + "id"))
- {
- if (!int.TryParse(ctx.Request.Headers["auth" + requirement.EntityName.ToLower() + "id"], out entityId))
- {
- entityId = -1;
- }
- }
- }
// legacy support
if (entityId == -1)