kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #4949 from sbwalker/dev

Browse Source 
fix #4946 - allow administrators to access user roles via API
This commit is contained in:
Shaun Walker 2024-12-23 09:27:04 -05:00 committed by GitHub
commit ed729bbd4f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Oqtane.Server/Controllers/UserRoleController.cs
View File

@ -42,7 +42,7 @@ namespace Oqtane.Controllers
int UserId = -1;
if (int.TryParse(siteid, out SiteId) && SiteId == _alias.SiteId && (userid != null && int.TryParse(userid, out UserId) || rolename != null))
{
if (IsAuthorized(UserId, rolename))
if (IsAuthorized(UserId, rolename, SiteId))
{
var userroles = _userRoles.GetUserRoles(SiteId).ToList();
if (UserId != -1)
@ -82,7 +82,7 @@ namespace Oqtane.Controllers
public UserRole Get(int id)
{
var userrole = _userRoles.GetUserRole(id);
if (userrole != null && SiteValid(userrole.Role.SiteId) && IsAuthorized(userrole.UserId, userrole.Role.Name))
if (userrole != null && SiteValid(userrole.Role.SiteId) && IsAuthorized(userrole.UserId, userrole.Role.Name, userrole.Role.SiteId ?? -1))
{
return Filter(userrole, _userPermissions.GetUser().UserId);
}
@ -101,17 +101,21 @@ namespace Oqtane.Controllers
}
}
private bool IsAuthorized(int userId, string roleName)
private bool IsAuthorized(int userId, string roleName, int siteId)
{
bool authorized = true;
if (userId != -1)
{
authorized = _userPermissions.GetUser(User).UserId == userId;
authorized = (_userPermissions.GetUser(User).UserId == userId);
}
if (authorized && !string.IsNullOrEmpty(roleName))
{
authorized = User.IsInRole(roleName);
}
if (!authorized)
{
authorized = _userPermissions.IsAuthorized(User, siteId, EntityNames.UserRole, -1, PermissionNames.Write, RoleNames.Admin);
}
return authorized;
}