From 05eaf12003ea1eac27d1c8437d7fa6937a32cd48 Mon Sep 17 00:00:00 2001
From: Shaun Walker <shaun.walker@siliqon.com>
Date: Tue, 18 Feb 2020 17:49:36 -0500
Subject: [PATCH] fix page management

---
 Oqtane.Client/Modules/Admin/Pages/Add.razor   |   7 +-
 Oqtane.Client/Modules/Admin/Pages/Edit.razor  | 301 +++++++++---------
 .../Controllers/NotificationController.cs     |  10 +-
 Oqtane.Server/Controllers/PageController.cs   |   2 +-
 .../Controllers/SettingController.cs          |   7 +-
 Oqtane.Server/Infrastructure/LogManager.cs    |  12 +-
 Oqtane.Server/Security/IUserPermissions.cs    |   5 +-
 Oqtane.Server/Security/UserPermissions.cs     |  23 +-
 8 files changed, 197 insertions(+), 170 deletions(-)

diff --git a/Oqtane.Client/Modules/Admin/Pages/Add.razor b/Oqtane.Client/Modules/Admin/Pages/Add.razor
index 538f94af..7a619b57 100644
--- a/Oqtane.Client/Modules/Admin/Pages/Add.razor
+++ b/Oqtane.Client/Modules/Admin/Pages/Add.razor
@@ -4,6 +4,8 @@
 @inject IPageService PageService
 @inject IThemeService  ThemeService
 
+@if (Themes != null)
+{
     <table class="table table-borderless">
         <tr>
             <td>
@@ -139,8 +141,9 @@
             </td>
         </tr>
     </table>
-<button type="button" class="btn btn-success" @onclick="SavePage">Save</button>
-<NavLink class="btn btn-secondary" href="@NavigateUrl()">Cancel</NavLink>
+    <button type="button" class="btn btn-success" @onclick="SavePage">Save</button>
+    <NavLink class="btn btn-secondary" href="@NavigateUrl()">Cancel</NavLink>
+}
 
 @code {
     public override SecurityAccessLevel SecurityAccessLevel { get { return SecurityAccessLevel.Admin; } }
diff --git a/Oqtane.Client/Modules/Admin/Pages/Edit.razor b/Oqtane.Client/Modules/Admin/Pages/Edit.razor
index 10cff51b..3eb2a97d 100644
--- a/Oqtane.Client/Modules/Admin/Pages/Edit.razor
+++ b/Oqtane.Client/Modules/Admin/Pages/Edit.razor
@@ -4,164 +4,167 @@
 @inject IPageService PageService
 @inject IThemeService  ThemeService
 
-<table class="table table-borderless">
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Name: </label>
-        </td>
-        <td>
-            <input class="form-control" @bind="@name" />
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Path: </label>
-        </td>
-        <td>
-            <input class="form-control" @bind="@path" />
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Parent: </label>
-        </td>
-        <td>
-            <select class="form-control" @onchange="(e => ParentChanged(e))">
-                <option value="-1">&lt;Site Root&gt;</option>
-                @foreach (Page page in pages)
-                {
-                    if (page.PageId.ToString() == parentid)
+@if (Themes != null)
+{
+    <table class="table table-borderless">
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Name: </label>
+            </td>
+            <td>
+                <input class="form-control" @bind="@name" />
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Path: </label>
+            </td>
+            <td>
+                <input class="form-control" @bind="@path" />
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Parent: </label>
+            </td>
+            <td>
+                <select class="form-control" @onchange="(e => ParentChanged(e))">
+                    <option value="-1">&lt;Site Root&gt;</option>
+                    @foreach (Page page in pages)
                     {
-                        <option value="@(page.PageId)" selected>@(new string('-', page.Level * 2))@(page.Name)</option>
-                    }
-                    else
-                    {
-                        <option value="@(page.PageId)">@(new string('-', page.Level * 2))@(page.Name)</option>
-                    }
-                }
-            </select>
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Move: </label>
-        </td>
-        <td>
-            <select class="form-control" @bind="@insert">
-                @if (parentid == currentparentid)
-                {
-                    <option value="=">&lt;Maintain Current Location&gt;</option>
-                }
-                <option value="<<">To Beginning</option>
-                @if (children != null && children.Count > 0)
-                {
-                    <option value="<">Before</option>
-                    <option value=">">After</option>
-                }
-                <option value=">>">To End</option>
-            </select>
-            @if (children != null && children.Count > 0 && (insert == "<" || insert == ">"))
-            {
-                <select class="form-control" @bind="@childid">
-                    <option value="-1">&lt;Select Page&gt;</option>
-                    @foreach (Page page in children)
-                    {
-                        <option value="@(page.PageId)">@(page.Name)</option>
+                        if (page.PageId.ToString() == parentid)
+                        {
+                            <option value="@(page.PageId)" selected>@(new string('-', page.Level * 2))@(page.Name)</option>
+                        }
+                        else
+                        {
+                            <option value="@(page.PageId)">@(new string('-', page.Level * 2))@(page.Name)</option>
+                        }
                     }
                 </select>
-            }
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Navigation? </label>
-        </td>
-        <td>
-            <select class="form-control" @bind="@isnavigation">
-                <option value="True">Yes</option>
-                <option value="False">No</option>
-            </select>
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Personalizable? </label>
-        </td>
-        <td>
-            <select class="form-control" @bind="@ispersonalizable">
-                <option value="True">Yes</option>
-                <option value="False">No</option>
-            </select>
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Default Mode? </label>
-        </td>
-        <td>
-            <select class="form-control" @bind="@mode">
-                <option value="view">View Mode</option>
-                <option value="edit">Edit Mode</option>
-            </select>
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Theme: </label>
-        </td>
-        <td>
-            <select class="form-control" @onchange="(e => ThemeChanged(e))">
-                <option value="">&lt;Select Theme&gt;</option>
-                @foreach (KeyValuePair<string, string> item in themes)
-                {
-                    if (item.Key == themetype)
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Move: </label>
+            </td>
+            <td>
+                <select class="form-control" @bind="@insert">
+                    @if (parentid == currentparentid)
                     {
-                        <option value="@item.Key" selected>@item.Value</option>
+                        <option value="=">&lt;Maintain Current Location&gt;</option>
                     }
-                    else
+                    <option value="<<">To Beginning</option>
+                    @if (children != null && children.Count > 0)
                     {
-                        <option value="@item.Key">@item.Value</option>
+                        <option value="<">Before</option>
+                        <option value=">">After</option>
                     }
-                }
-            </select>
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Layout: </label>
-        </td>
-        <td>
-            <select class="form-control" @bind="@layouttype">
-                <option value="">&lt;Select Layout&gt;</option>
-                @foreach (KeyValuePair<string, string> panelayout in panelayouts)
+                    <option value=">>">To End</option>
+                </select>
+                @if (children != null && children.Count > 0 && (insert == "<" || insert == ">"))
                 {
-                    <option value="@panelayout.Key">@panelayout.Value</option>
+                    <select class="form-control" @bind="@childid">
+                        <option value="-1">&lt;Select Page&gt;</option>
+                        @foreach (Page page in children)
+                        {
+                            <option value="@(page.PageId)">@(page.Name)</option>
+                        }
+                    </select>
                 }
-            </select>
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Icon: </label>
-        </td>
-        <td>
-            <input class="form-control" @bind="@icon" />
-        </td>
-    </tr>
-    <tr>
-        <td>
-            <label for="Name" class="control-label">Permissions: </label>
-        </td>
-        <td>
-            <PermissionGrid EntityName="Page" Permissions="@permissions" @ref="permissiongrid" />
-        </td>
-    </tr>
-</table>
-<button type="button" class="btn btn-success" @onclick="SavePage">Save</button>
-<NavLink class="btn btn-secondary" href="@NavigateUrl()">Cancel</NavLink>
-<br />
-<br />
-<AuditInfo CreatedBy="@createdby" CreatedOn="@createdon" ModifiedBy="@modifiedby" ModifiedOn="@modifiedon" DeletedBy="@deletedby" DeletedOn="@deletedon"></AuditInfo>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Navigation? </label>
+            </td>
+            <td>
+                <select class="form-control" @bind="@isnavigation">
+                    <option value="True">Yes</option>
+                    <option value="False">No</option>
+                </select>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Personalizable? </label>
+            </td>
+            <td>
+                <select class="form-control" @bind="@ispersonalizable">
+                    <option value="True">Yes</option>
+                    <option value="False">No</option>
+                </select>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Default Mode? </label>
+            </td>
+            <td>
+                <select class="form-control" @bind="@mode">
+                    <option value="view">View Mode</option>
+                    <option value="edit">Edit Mode</option>
+                </select>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Theme: </label>
+            </td>
+            <td>
+                <select class="form-control" @onchange="(e => ThemeChanged(e))">
+                    <option value="">&lt;Select Theme&gt;</option>
+                    @foreach (KeyValuePair<string, string> item in themes)
+                    {
+                        if (item.Key == themetype)
+                        {
+                            <option value="@item.Key" selected>@item.Value</option>
+                        }
+                        else
+                        {
+                            <option value="@item.Key">@item.Value</option>
+                        }
+                    }
+                </select>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Layout: </label>
+            </td>
+            <td>
+                <select class="form-control" @bind="@layouttype">
+                    <option value="">&lt;Select Layout&gt;</option>
+                    @foreach (KeyValuePair<string, string> panelayout in panelayouts)
+                    {
+                        <option value="@panelayout.Key">@panelayout.Value</option>
+                    }
+                </select>
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Icon: </label>
+            </td>
+            <td>
+                <input class="form-control" @bind="@icon" />
+            </td>
+        </tr>
+        <tr>
+            <td>
+                <label for="Name" class="control-label">Permissions: </label>
+            </td>
+            <td>
+                <PermissionGrid EntityName="Page" Permissions="@permissions" @ref="permissiongrid" />
+            </td>
+        </tr>
+    </table>
+    <button type="button" class="btn btn-success" @onclick="SavePage">Save</button>
+    <NavLink class="btn btn-secondary" href="@NavigateUrl()">Cancel</NavLink>
+    <br />
+    <br />
+    <AuditInfo CreatedBy="@createdby" CreatedOn="@createdon" ModifiedBy="@modifiedby" ModifiedOn="@modifiedon" DeletedBy="@deletedby" DeletedOn="@deletedon"></AuditInfo>
+}
 
 @code {
     public override SecurityAccessLevel SecurityAccessLevel { get { return SecurityAccessLevel.Admin; } }
diff --git a/Oqtane.Server/Controllers/NotificationController.cs b/Oqtane.Server/Controllers/NotificationController.cs
index 8333f53f..2390297e 100644
--- a/Oqtane.Server/Controllers/NotificationController.cs
+++ b/Oqtane.Server/Controllers/NotificationController.cs
@@ -5,8 +5,8 @@ using Oqtane.Repository;
 using Oqtane.Models;
 using Oqtane.Shared;
 using Oqtane.Infrastructure;
-using System.Security.Claims;
 using Microsoft.AspNetCore.Http;
+using Oqtane.Security;
 
 namespace Oqtane.Controllers
 {
@@ -14,13 +14,13 @@ namespace Oqtane.Controllers
     public class NotificationController : Controller
     {
         private readonly INotificationRepository Notifications;
-        private readonly IHttpContextAccessor Accessor;
+        private readonly IUserPermissions UserPermissions;
         private readonly ILogManager logger;
 
-        public NotificationController(INotificationRepository Notifications, IHttpContextAccessor Accessor, ILogManager logger)
+        public NotificationController(INotificationRepository Notifications, IUserPermissions UserPermissions, ILogManager logger)
         {
             this.Notifications = Notifications;
-            this.Accessor = Accessor;
+            this.UserPermissions = UserPermissions;
             this.logger = logger;
         }
 
@@ -101,7 +101,7 @@ namespace Oqtane.Controllers
             bool authorized = true;
             if (userid != null)
             {
-                authorized = (int.Parse(Accessor.HttpContext.User.FindFirst(ClaimTypes.PrimarySid).Value) == userid);
+                authorized = (UserPermissions.GetUser(User).UserId == userid);
             }
             return authorized;
         }
diff --git a/Oqtane.Server/Controllers/PageController.cs b/Oqtane.Server/Controllers/PageController.cs
index ec5a7dbf..c7bb7ded 100644
--- a/Oqtane.Server/Controllers/PageController.cs
+++ b/Oqtane.Server/Controllers/PageController.cs
@@ -107,7 +107,7 @@ namespace Oqtane.Controllers
         {
             Page page = null;
             Page parent = Pages.GetPage(id);
-            if (parent != null && parent.IsPersonalizable && !string.IsNullOrEmpty(userid))
+            if (parent != null && parent.IsPersonalizable && UserPermissions.GetUser(User).UserId == int.Parse(userid))
             {
                 page = new Page();
                 page.SiteId = parent.SiteId;
diff --git a/Oqtane.Server/Controllers/SettingController.cs b/Oqtane.Server/Controllers/SettingController.cs
index bad1ea83..fbc45cc4 100644
--- a/Oqtane.Server/Controllers/SettingController.cs
+++ b/Oqtane.Server/Controllers/SettingController.cs
@@ -6,7 +6,6 @@ using Oqtane.Shared;
 using Oqtane.Security;
 using Oqtane.Infrastructure;
 using System.Linq;
-using System.Security.Claims;
 using Microsoft.AspNetCore.Http;
 
 namespace Oqtane.Controllers
@@ -17,15 +16,13 @@ namespace Oqtane.Controllers
         private readonly ISettingRepository Settings;
         private readonly IPageModuleRepository PageModules;
         private readonly IUserPermissions UserPermissions;
-        private readonly IHttpContextAccessor Accessor;
         private readonly ILogManager logger;
 
-        public SettingController(ISettingRepository Settings, IPageModuleRepository PageModules, IUserPermissions UserPermissions, IHttpContextAccessor Accessor, ILogManager logger)
+        public SettingController(ISettingRepository Settings, IPageModuleRepository PageModules, IUserPermissions UserPermissions, ILogManager logger)
         {
             this.Settings = Settings;
             this.PageModules = PageModules;
             this.UserPermissions = UserPermissions;
-            this.Accessor = Accessor;
             this.logger = logger;
         }
 
@@ -141,7 +138,7 @@ namespace Oqtane.Controllers
                     authorized = true;
                     if (PermissionName == "Edit")
                     {
-                        authorized = User.IsInRole(Constants.AdminRole) || (int.Parse(Accessor.HttpContext.User.FindFirst(ClaimTypes.PrimarySid).Value) == EntityId);
+                        authorized = User.IsInRole(Constants.AdminRole) || (UserPermissions.GetUser(User).UserId == EntityId);
                     }
                     break;
             }
diff --git a/Oqtane.Server/Infrastructure/LogManager.cs b/Oqtane.Server/Infrastructure/LogManager.cs
index 3ec24b76..2beb795e 100644
--- a/Oqtane.Server/Infrastructure/LogManager.cs
+++ b/Oqtane.Server/Infrastructure/LogManager.cs
@@ -5,8 +5,8 @@ using System.Text.Json;
 using Oqtane.Repository;
 using Microsoft.Extensions.Configuration;
 using Microsoft.AspNetCore.Http;
-using System.Security.Claims;
 using System.Collections.Generic;
+using Oqtane.Security;
 
 namespace Oqtane.Infrastructure
 {
@@ -15,13 +15,15 @@ namespace Oqtane.Infrastructure
         private readonly ILogRepository Logs;
         private readonly ITenantResolver TenantResolver;
         private readonly IConfigurationRoot Config;
+        private readonly IUserPermissions UserPermissions;
         private readonly IHttpContextAccessor Accessor;
 
-        public LogManager(ILogRepository Logs, ITenantResolver TenantResolver, IConfigurationRoot Config, IHttpContextAccessor Accessor)
+        public LogManager(ILogRepository Logs, ITenantResolver TenantResolver, IConfigurationRoot Config, IUserPermissions UserPermissions, IHttpContextAccessor Accessor)
         {
             this.Logs = Logs;
             this.TenantResolver = TenantResolver;
             this.Config = Config;
+            this.UserPermissions = UserPermissions;
             this.Accessor = Accessor;
         }
 
@@ -37,9 +39,11 @@ namespace Oqtane.Infrastructure
             log.SiteId = alias.SiteId;
             log.PageId = null;
             log.ModuleId = null;
-            if (Accessor.HttpContext.User.FindFirst(ClaimTypes.PrimarySid) != null)
+            log.UserId = null;
+            User user = UserPermissions.GetUser();
+            if (user != null)
             {
-                log.UserId = int.Parse(Accessor.HttpContext.User.FindFirst(ClaimTypes.PrimarySid).Value);
+                log.UserId = user.UserId;
             }
             HttpRequest request = Accessor.HttpContext.Request;
             if (request != null)
diff --git a/Oqtane.Server/Security/IUserPermissions.cs b/Oqtane.Server/Security/IUserPermissions.cs
index a04aff07..92e50d1d 100644
--- a/Oqtane.Server/Security/IUserPermissions.cs
+++ b/Oqtane.Server/Security/IUserPermissions.cs
@@ -1,4 +1,5 @@
-using System.Security.Claims;
+using Oqtane.Models;
+using System.Security.Claims;
 
 namespace Oqtane.Security
 {
@@ -6,5 +7,7 @@ namespace Oqtane.Security
     {
         bool IsAuthorized(ClaimsPrincipal User, string EntityName, int EntityId, string PermissionName);
         bool IsAuthorized(ClaimsPrincipal User, string PermissionName, string Permissions);
+        User GetUser(ClaimsPrincipal User);
+        User GetUser();
     }
 }
diff --git a/Oqtane.Server/Security/UserPermissions.cs b/Oqtane.Server/Security/UserPermissions.cs
index 43eb8e20..283d8738 100644
--- a/Oqtane.Server/Security/UserPermissions.cs
+++ b/Oqtane.Server/Security/UserPermissions.cs
@@ -1,4 +1,5 @@
-using Oqtane.Models;
+using Microsoft.AspNetCore.Http;
+using Oqtane.Models;
 using Oqtane.Repository;
 using System.Linq;
 using System.Security.Claims;
@@ -8,10 +9,12 @@ namespace Oqtane.Security
     public class UserPermissions : IUserPermissions
     {
         private readonly IPermissionRepository Permissions;
+        private readonly IHttpContextAccessor Accessor;
 
-        public UserPermissions(IPermissionRepository Permissions)
+        public UserPermissions(IPermissionRepository Permissions, IHttpContextAccessor Accessor)
         {
             this.Permissions = Permissions;
+            this.Accessor = Accessor;
         }
 
         public bool IsAuthorized(ClaimsPrincipal User, string EntityName, int EntityId, string PermissionName)
@@ -20,13 +23,22 @@ namespace Oqtane.Security
         }
 
         public bool IsAuthorized(ClaimsPrincipal User, string PermissionName, string Permissions)
+        {
+            return UserSecurity.IsAuthorized(GetUser(User), PermissionName, Permissions);
+        }
+
+        public User GetUser(ClaimsPrincipal User)
         {
             User user = new User();
+            user.Username = "";
+            user.IsAuthenticated = false;
             user.UserId = -1;
             user.Roles = "";
 
             if (User != null)
             {
+                user.Username = User.Identity.Name;
+                user.IsAuthenticated = User.Identity.IsAuthenticated;
                 var idclaim = User.Claims.Where(item => item.Type == ClaimTypes.PrimarySid).FirstOrDefault();
                 if (idclaim != null)
                 {
@@ -39,7 +51,12 @@ namespace Oqtane.Security
                 }
             }
 
-            return UserSecurity.IsAuthorized(user, PermissionName, Permissions);
+            return user;
+        }
+
+        public User GetUser()
+        {
+            return GetUser(Accessor.HttpContext.User);
         }
     }
 }