diff --git a/Oqtane.Client/Modules/Admin/SearchResults/Index.razor b/Oqtane.Client/Modules/Admin/SearchResults/Index.razor
index 1b414fd1..21d358b3 100644
--- a/Oqtane.Client/Modules/Admin/SearchResults/Index.razor
+++ b/Oqtane.Client/Modules/Admin/SearchResults/Index.razor
@@ -107,7 +107,7 @@
 PageSize = int.MaxValue
 };
- _searchResults = await SearchResultsService.SearchAsync(ModuleState.ModuleId, searchQuery);
+ _searchResults = await SearchResultsService.GetSearchResultsAsync(searchQuery);
 _loading = false;
 StateHasChanged();
diff --git a/Oqtane.Client/Services/Interfaces/ISearchResultsService.cs b/Oqtane.Client/Services/Interfaces/ISearchResultsService.cs
index 0671117c..49eb02ec 100644
--- a/Oqtane.Client/Services/Interfaces/ISearchResultsService.cs
+++ b/Oqtane.Client/Services/Interfaces/ISearchResultsService.cs
@@ -8,6 +8,6 @@ namespace Oqtane.Services
 [PrivateApi("Mark SearchResults classes as private, since it's not very useful in the public docs")]
 public interface ISearchResultsService
 {
- Task SearchAsync(int moduleId, SearchQuery searchQuery);
+ Task GetSearchResultsAsync(SearchQuery searchQuery);
 }
 }
diff --git a/Oqtane.Client/Services/SearchResultsService.cs b/Oqtane.Client/Services/SearchResultsService.cs
index da9687d5..6597dc33 100644
--- a/Oqtane.Client/Services/SearchResultsService.cs
+++ b/Oqtane.Client/Services/SearchResultsService.cs
@@ -15,9 +15,9 @@ namespace Oqtane.Services
 private string ApiUrl => CreateApiUrl("SearchResults");
- public async Task SearchAsync(int moduleId, SearchQuery searchQuery)
+ public async Task GetSearchResultsAsync(SearchQuery searchQuery)
 {
- return await PostJsonAsync(CreateAuthorizationPolicyUrl(ApiUrl, EntityNames.Module, moduleId), searchQuery);
+ return await PostJsonAsync(ApiUrl, searchQuery);
 }
 }
 }
diff --git a/Oqtane.Server/Controllers/SearchResultsController.cs b/Oqtane.Server/Controllers/SearchResultsController.cs
index eabe711e..6a78ebfd 100644
--- a/Oqtane.Server/Controllers/SearchResultsController.cs
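Review bot: In SearchResultsService, `GetSearchResultsAsync` now posts to the bare `ApiUrl` and drops the `CreateAuthorizationPolicyUrl(ApiUrl, EntityNames.Module, moduleId)` segment, so the request no longer carries any module context and, per the controller change in this same commit, the server accepts it only when `searchQuery.SiteId` matches the request alias. Nothing in this method sets or checks `SiteId`, so that contract rests entirely on the caller and is currently undocumented. State it on the interface method in the previous hunk, e.g. `/// <summary>Posts <paramref name="searchQuery"/> to the SearchResults endpoint; the server accepts it only when its SiteId matches the current alias, so callers must set SiteId.</summary>`.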
+++ b/Oqtane.Server/Controllers/SearchResultsController.cs
@@ -1,38 +1,40 @@
-using System;
 using System.Net;
 using System.Threading.Tasks;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Oqtane.Enums;
 using Oqtane.Infrastructure;
+using Oqtane.Models;
 using Oqtane.Services;
 using Oqtane.Shared;
 namespace Oqtane.Controllers
 {
 [Route(ControllerRoutes.ApiRoute)]
- public class SearchResultsController : ModuleControllerBase
+ public class SearchResultsController : Controller
 {
 private readonly ISearchService _searchService;
+ private readonly ILogManager _logger;
+ private readonly Alias _alias;
- public SearchResultsController(ISearchService searchService, ILogManager logger, IHttpContextAccessor accessor) : base(logger, accessor)
+ public SearchResultsController(ISearchService searchService, ILogManager logger, ITenantManager tenantManager)
 {
 _searchService = searchService;
+ _logger = logger;
+ _alias = tenantManager.GetAlias();
 }
 [HttpPost]
- [Authorize(Policy = PolicyNames.ViewModule)]
- public async Task Post([FromBody] Models.SearchQuery searchQuery)
+ public async Task Post([FromBody] SearchQuery searchQuery)
 {
- try
+ if (ModelState.IsValid && searchQuery.SiteId == _alias.SiteId)
 {
 return await _searchService.GetSearchResultsAsync(searchQuery);
 }
- catch (Exception ex)
+ else
 {
- _logger.Log(LogLevel.Error, this, LogFunction.Other, ex, "Fetch search results failed.", searchQuery);
- HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
+ _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Search Results Post Attempt {SearchQuery}", searchQuery);
+ HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
 return null;
 }
 }
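Review bot: With `[Authorize(Policy = PolicyNames.ViewModule)]` removed, the only gate left in `Post` is `searchQuery.SiteId == _alias.SiteId`, and `SiteId` comes from the request body, so any anonymous caller satisfies it by echoing the site id; this is tenant scoping, not authorization, and the per-result permission filtering must therefore live inside `_searchService.GetSearchResultsAsync`, which is not visible here — a comment on the action stating that contract would stop a later reader from assuming the endpoint is protected. The `ModelState.IsValid` failure and the site mismatch share one `else`, so any malformed body yields a `Forbidden` plus a `LogFunction.Security` entry at `LogLevel.Error`, which lets unauthenticated clients fill the security log with noise; answering invalid input with 400 and no security log, and reserving 403 plus the log for the mismatch, keeps that signal meaningful. A body that binds to a null `searchQuery` while ModelState stays valid would throw on `searchQuery.SiteId`, so the validity check should also guard for null. Removing the `try`/`catch` also means service exceptions now surface unhandled, which is only acceptable if a global exception handler logs them — worth confirming.
```csharp
public async Task Post([FromBody] SearchQuery searchQuery)
{
    // Malformed or missing input is a client error, not a security event.
    if (!ModelState.IsValid || searchQuery is null)
    {
        HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
        return null;
    }

    // No [Authorize]: the endpoint is anonymous by design. SiteId only pins the query to
    // this tenant; visibility of individual results must be enforced by ISearchService (confirm).
    if (searchQuery.SiteId != _alias.SiteId)
    {
        _logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Search Results Post Attempt {SearchQuery}", searchQuery);
        HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
        return null;
    }

    return await _searchService.GetSearchResultsAsync(searchQuery);
}
```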