Merge pull request #4982 from sbwalker/dev

improve filtering logic in UserRole API

Oqtane.Server/Controllers/UserRoleController.cs

@@ -120,6 +120,13 @@ namespace Oqtane.Controllers
         }
 
         private UserRole Filter(UserRole userrole, int userid)
+        {
+            // include all properties if authorized
+            if (_userPermissions.IsAuthorized(User, userrole.User.SiteId, EntityNames.UserRole, -1, PermissionNames.Write, RoleNames.Admin))
+            {
+                return userrole;
+            }
+            else
             {
                 // clone object to avoid mutating cache 
                 UserRole filtered = null;
@@ -128,7 +135,7 @@ namespace Oqtane.Controllers
                 {
                     filtered = new UserRole();
 
-                // public properties
+                    // include public properties
                     filtered.UserRoleId = userrole.UserRoleId;
                     filtered.UserId = userrole.UserId;
                     filtered.RoleId = userrole.RoleId;
@@ -143,20 +150,11 @@ namespace Oqtane.Controllers
                     filtered.Role.SiteId = userrole.Role.SiteId;
                     filtered.Role.RoleId = userrole.Role.RoleId;
                     filtered.Role.Name = userrole.Role.Name;
-
-                // include private properties if administrator
-                if (_userPermissions.IsAuthorized(User, filtered.User.SiteId, EntityNames.UserRole, -1, PermissionNames.Write, RoleNames.Admin))
-                {
-                    filtered.User.Email = userrole.User.Email;
-                    filtered.User.PhotoFileId = userrole.User.PhotoFileId;
-                    filtered.User.LastLoginOn = userrole.User.LastLoginOn;
-                    filtered.User.LastIPAddress = userrole.User.LastIPAddress;
-                    filtered.User.CreatedOn = userrole.User.CreatedOn;
-                }
                 }
 
                 return filtered;
             }
+        }
 
         // POST api/<controller>
         [HttpPost]