From df0f562817a7f583b248ee6b8ac44567ab125b13 Mon Sep 17 00:00:00 2001 From: sbwalker Date: Tue, 11 Jul 2023 08:14:00 -0400 Subject: [PATCH] support both 404 andf 403 status codes in API response (404 should not log) --- Oqtane.Client/Services/ServiceBase.cs | 1 - Oqtane.Server/Controllers/FileController.cs | 15 ++++++++++-- Oqtane.Server/Controllers/FolderController.cs | 22 +++++++++++++---- .../Controllers/LanguageController.cs | 11 +++++++-- Oqtane.Server/Controllers/ModuleController.cs | 11 +++++++-- .../Controllers/ModuleDefinitionController.cs | 15 ++++++++---- .../Controllers/NotificationController.cs | 11 +++++++-- Oqtane.Server/Controllers/PageController.cs | 15 ++++++++++-- .../Controllers/PageModuleController.cs | 22 +++++++++++++---- .../Controllers/ProfileController.cs | 11 +++++++-- Oqtane.Server/Controllers/RoleController.cs | 13 +++++++--- .../Controllers/SettingController.cs | 6 ++++- Oqtane.Server/Controllers/SiteController.cs | 13 +++++++--- .../Controllers/UrlMappingController.cs | 24 +++++++++++++++---- Oqtane.Server/Controllers/UserController.cs | 8 +++++++ .../Controllers/UserRoleController.cs | 11 +++++++-- .../Controllers/VisitorController.cs | 11 +++++++-- 17 files changed, 179 insertions(+), 41 deletions(-) diff --git a/Oqtane.Client/Services/ServiceBase.cs b/Oqtane.Client/Services/ServiceBase.cs index 0aeca63d..00b2412a 100644 --- a/Oqtane.Client/Services/ServiceBase.cs +++ b/Oqtane.Client/Services/ServiceBase.cs @@ -206,7 +206,6 @@ namespace Oqtane.Services Console.WriteLine($"Request: {response.RequestMessage.RequestUri}"); Console.WriteLine($"Response status: {response.StatusCode} {response.ReasonPhrase}"); } - return false; } diff --git a/Oqtane.Server/Controllers/FileController.cs b/Oqtane.Server/Controllers/FileController.cs index da865df8..31ed3c80 100644 --- a/Oqtane.Server/Controllers/FileController.cs +++ b/Oqtane.Server/Controllers/FileController.cs 
@@ -123,8 +123,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {FileId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (file != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {FileId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
@@ -144,6 +151,10 @@ namespace Oqtane.Controllers
                 _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized File Get Attempt {Name} For Folder {FolderId}", name, folderId);
                 HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
             }
+            else
+            {
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+            }
             return null;
         }
     }
diff --git a/Oqtane.Server/Controllers/FolderController.cs b/Oqtane.Server/Controllers/FolderController.cs
index 18c85c35..68feab68 100644
--- a/Oqtane.Server/Controllers/FolderController.cs
+++ b/Oqtane.Server/Controllers/FolderController.cs
@@ -70,8 +70,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {FolderId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (folder != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {FolderId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
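Review bot: The new `if (file != null)` split lets a caller who is not authorized for a file learn whether a given FileId exists, because the response is now 403 for an existing record and 404 for a missing one, and the 404 branch deliberately writes nothing to the security log, so such probing is also invisible to detection. For id-addressed resources this is an existence oracle; if that is not an accepted trade-off, the unauthorized branch can keep its `_logger.Log(...)` call while setting `HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;` in both branches so an outsider sees the same status either way. The same pattern is repeated in the second FileController hunk and in the FolderController, LanguageController, ModuleController, ModuleDefinitionController, NotificationController, PageController, PageModuleController, ProfileController, RoleController, SettingController, SiteController, UrlMappingController, UserRoleController and VisitorController hunks. Whichever way it is decided, a comment at the first occurrence such as `// 404 only when the record does not exist; 403 reveals existence to unauthorized callers` would record the choice for the other controllers. The enclosing Get method starts outside the hunk.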
@@ -91,8 +98,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {Path} For Site {SiteId}", path, siteId);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (folder != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Folder Get Attempt {Path} For Site {SiteId}", path, siteId);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/LanguageController.cs b/Oqtane.Server/Controllers/LanguageController.cs
index e4c6dbc7..e1ac9406 100644
--- a/Oqtane.Server/Controllers/LanguageController.cs
+++ b/Oqtane.Server/Controllers/LanguageController.cs
@@ -89,8 +89,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Get Attempt {LanguageId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (language != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Language Get Attempt {LanguageId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/ModuleController.cs b/Oqtane.Server/Controllers/ModuleController.cs
index 7176057f..9422d019 100644
--- a/Oqtane.Server/Controllers/ModuleController.cs
+++ b/Oqtane.Server/Controllers/ModuleController.cs
@@ -113,8 +113,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Get Attempt {ModuleId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (module != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Module Get Attempt {ModuleId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/ModuleDefinitionController.cs b/Oqtane.Server/Controllers/ModuleDefinitionController.cs
index c8114821..21379582 100644
--- a/Oqtane.Server/Controllers/ModuleDefinitionController.cs
+++ b/Oqtane.Server/Controllers/ModuleDefinitionController.cs
@@ -89,15 +89,22 @@ namespace Oqtane.Controllers
             if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId)
             {
                 ModuleDefinition moduledefinition = _moduleDefinitions.GetModuleDefinition(id, SiteId);
-                if (_userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.PermissionList))
+                if (moduledefinition != null && _userPermissions.IsAuthorized(User, PermissionNames.Utilize, moduledefinition.PermissionList))
                 {
-                    if (string.IsNullOrEmpty(moduledefinition.Version)) moduledefinition.Version = new Version(1, 0, 0).ToString();
+                    moduledefinition.Version = (string.IsNullOrEmpty(moduledefinition.Version)) ? new Version(1, 0, 0).ToString() : moduledefinition.Version;
                     return moduledefinition;
                 }
                 else
                 {
-                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Get Attempt {ModuleDefinitionId} {SiteId}", id, siteid);
-                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                    if (moduledefinition != null)
+                    {
+                        _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized ModuleDefinition Get Attempt {ModuleDefinitionId} {SiteId}", id, siteid);
+                        HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                    }
+                    else
+                    {
+                        HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                    }
                     return null;
                 }
             }
diff --git a/Oqtane.Server/Controllers/NotificationController.cs b/Oqtane.Server/Controllers/NotificationController.cs
index 95621a47..e2bfd14e 100644
--- a/Oqtane.Server/Controllers/NotificationController.cs
+++ b/Oqtane.Server/Controllers/NotificationController.cs
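Review bot: The rewritten line `moduledefinition.Version = (string.IsNullOrEmpty(moduledefinition.Version)) ? new Version(1, 0, 0).ToString() : moduledefinition.Version;` assigns the property to itself in the common case and reads less directly than the statement it replaces, with no change in behaviour. The original `if (string.IsNullOrEmpty(moduledefinition.Version)) moduledefinition.Version = new Version(1, 0, 0).ToString();` (or its braced form) says the same thing; `??=` is not a substitute here because an empty string must also be defaulted. The added `moduledefinition != null &&` guard on the authorization check is the substantive fix in this hunk, since the old code dereferenced `moduledefinition.PermissionList` before any null check. The enclosing Get method starts outside the hunk.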
@@ -141,8 +141,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Get Attempt {NotificationId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (notification != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Get Attempt {NotificationId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/PageController.cs b/Oqtane.Server/Controllers/PageController.cs
index 1cb3eee0..a23828f7 100644
--- a/Oqtane.Server/Controllers/PageController.cs
+++ b/Oqtane.Server/Controllers/PageController.cs
@@ -87,8 +87,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {PageId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (page != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {PageId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
@@ -112,6 +119,10 @@ namespace Oqtane.Controllers
                 _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Page Get Attempt {SiteId} {Path}", siteid, path);
                 HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
             }
+            else
+            {
+                HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+            }
             return null;
         }
     }
diff --git a/Oqtane.Server/Controllers/PageModuleController.cs b/Oqtane.Server/Controllers/PageModuleController.cs
index c5b94e6d..3c445772 100644
--- a/Oqtane.Server/Controllers/PageModuleController.cs
+++ b/Oqtane.Server/Controllers/PageModuleController.cs
@@ -44,8 +44,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Get Attempt {PageModuleId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (pagemodule != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Get Attempt {PageModuleId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
@@ -61,8 +68,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Get Attempt {PageId} {ModuleId}", pageid, moduleid);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (pagemodule != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized PageModule Get Attempt {PageId} {ModuleId}", pageid, moduleid);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/ProfileController.cs b/Oqtane.Server/Controllers/ProfileController.cs
index 04f2c1bd..13e4e859 100644
--- a/Oqtane.Server/Controllers/ProfileController.cs
+++ b/Oqtane.Server/Controllers/ProfileController.cs
@@ -56,8 +56,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Get Attempt {ProfileId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (profile != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Profile Get Attempt {ProfileId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/RoleController.cs b/Oqtane.Server/Controllers/RoleController.cs
index 7a48bdc0..15a880ef 100644
--- a/Oqtane.Server/Controllers/RoleController.cs
+++ b/Oqtane.Server/Controllers/RoleController.cs
@@ -59,9 +59,16 @@ namespace Oqtane.Controllers
                 return role;
             }
             else
-            {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Get Attempt {RoleId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+            {
+                if (role != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Role Get Attempt {RoleId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/SettingController.cs b/Oqtane.Server/Controllers/SettingController.cs
index c341155a..9bb9fb8e 100644
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@@ -89,11 +89,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                if (entityName != EntityNames.Visitor)
+                if (setting != null && entityName != EntityNames.Visitor)
                 {
                     _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {EntityName} {SettingId}", entityName, id);
                     HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                 }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/SiteController.cs b/Oqtane.Server/Controllers/SiteController.cs
index ccf89e01..f239eb14 100644
--- a/Oqtane.Server/Controllers/SiteController.cs
+++ b/Oqtane.Server/Controllers/SiteController.cs
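Review bot: In the SettingController hunk, folding the null test into `if (setting != null && entityName != EntityNames.Visitor)` makes an existing visitor setting that the caller is not authorized for fall into the new `else` and answer 404, whereas before this commit that case returned null with the default status, and every other controller in this commit reserves 404 for a record that does not exist. If that is intended (visitor settings should look absent to other callers), a comment on the new `else` such as `// covers both a missing setting and an unauthorized visitor setting; neither is logged` would make it explicit; if not, nest the entity-name test inside a `setting != null` branch so the two outcomes stay separate. The enclosing Get method starts outside the hunk.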
@@ -79,7 +79,7 @@ namespace Oqtane.Controllers
         private Site GetSite(int siteid)
         {
             var site = _sites.GetSite(siteid);
-            if (site.SiteId == _alias.SiteId)
+            if (site != null && site.SiteId == _alias.SiteId)
             {
                 // site settings
                 site.Settings = _settings.GetSettings(EntityNames.Site, site.SiteId)
@@ -153,8 +153,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Get Attempt {SiteId}", siteid);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (site != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Site Get Attempt {SiteId}", siteid);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/UrlMappingController.cs b/Oqtane.Server/Controllers/UrlMappingController.cs
index ddfd2ddb..a81e2c35 100644
--- a/Oqtane.Server/Controllers/UrlMappingController.cs
+++ b/Oqtane.Server/Controllers/UrlMappingController.cs
@@ -55,9 +55,16 @@ namespace Oqtane.Controllers
                 return urlMapping;
             }
             else
-            {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UrlMapping Get Attempt {UrlMappingId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+            {
+                if (urlMapping != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UrlMapping Get Attempt {UrlMappingId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
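Review bot: In the second SiteController hunk the `site` that the new `if (site != null)` inspects comes from the private `GetSite(siteid)` helper patched in the first hunk, which from the visible lines only proceeds when `site.SiteId == _alias.SiteId`; if its else branch (outside the hunk) leaves `site` null for a site that exists under a different alias, a cross-alias request for such an id now ends in the new `else` with a 404 and no security log entry, where before this commit it was logged as an unauthorized attempt and answered 403. That is a detection change rather than a pure not-found case, and it is not stated in the commit message. If it is the intent, a comment on the new `else` such as `// null covers both a missing site and a site outside the current alias; neither is logged` would record it; otherwise the alias mismatch should be told apart from the missing record before the status is chosen. Both enclosing methods continue outside their hunks.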
@@ -73,8 +80,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UrlMapping Get Attempt {SiteId} {Url}", siteid, url);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (urlMapping != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized UrlMapping Get Attempt {SiteId} {Url}", siteid, url);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/UserController.cs b/Oqtane.Server/Controllers/UserController.cs
index 5f28029e..1055012a 100644
--- a/Oqtane.Server/Controllers/UserController.cs
+++ b/Oqtane.Server/Controllers/UserController.cs
@@ -65,6 +65,10 @@ namespace Oqtane.Controllers
                     user.SiteId = int.Parse(siteid);
                     user.Roles = GetUserRoles(user.UserId, user.SiteId);
                 }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return Filter(user);
             }
             else
@@ -88,6 +92,10 @@ namespace Oqtane.Controllers
                     user.SiteId = int.Parse(siteid);
                     user.Roles = GetUserRoles(user.UserId, user.SiteId);
                 }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return Filter(user);
             }
             else
diff --git a/Oqtane.Server/Controllers/UserRoleController.cs b/Oqtane.Server/Controllers/UserRoleController.cs
index ab083144..a33872f3 100644
--- a/Oqtane.Server/Controllers/UserRoleController.cs
+++ b/Oqtane.Server/Controllers/UserRoleController.cs
@@ -79,8 +79,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Get Attempt {UserRoleId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (userrole != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized User Role Get Attempt {UserRoleId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }
diff --git a/Oqtane.Server/Controllers/VisitorController.cs b/Oqtane.Server/Controllers/VisitorController.cs
index c4a8de73..46bf8935 100644
--- a/Oqtane.Server/Controllers/VisitorController.cs
+++ b/Oqtane.Server/Controllers/VisitorController.cs
@@ -64,8 +64,15 @@ namespace Oqtane.Controllers
             }
             else
             {
-                _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Visitor Get Attempt {VisitorId}", id);
-                HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                if (visitor != null)
+                {
+                    _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Visitor Get Attempt {VisitorId}", id);
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                }
+                else
+                {
+                    HttpContext.Response.StatusCode = (int)HttpStatusCode.NotFound;
+                }
                 return null;
             }
         }