From f2c8d80ff8e1130426fd2714a7b56c2f5c7a7761 Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Wed, 18 Sep 2024 18:31:40 -0400
Subject: [PATCH] fix trimming of site, page, and module settings
---
 Oqtane.Server/Repository/SettingRepository.cs | 1 -
 Oqtane.Server/Repository/ThemeRepository.cs | 4 --
 Oqtane.Server/Services/SiteService.cs | 46 +++++++++----------
 Oqtane.Shared/Interfaces/IThemeControl.cs | 2 +-
 4 files changed, 24 insertions(+), 29 deletions(-)
diff --git a/Oqtane.Server/Repository/SettingRepository.cs b/Oqtane.Server/Repository/SettingRepository.cs
index 07a2da6d..b43a1d6a 100644
--- a/Oqtane.Server/Repository/SettingRepository.cs
+++ b/Oqtane.Server/Repository/SettingRepository.cs
@@ -1,7 +1,6 @@
 using System.Collections.Generic;
 using System.Linq;
 using Microsoft.EntityFrameworkCore;
-using Microsoft.EntityFrameworkCore.Internal;
 using Microsoft.Extensions.Caching.Memory;
 using Oqtane.Infrastructure;
 using Oqtane.Models;
diff --git a/Oqtane.Server/Repository/ThemeRepository.cs b/Oqtane.Server/Repository/ThemeRepository.cs
index 338e73ed..2802f8f0 100644
--- a/Oqtane.Server/Repository/ThemeRepository.cs
+++ b/Oqtane.Server/Repository/ThemeRepository.cs
@@ -5,15 +5,11 @@ using System.IO;
 using System.Linq;
 using System.Reflection;
 using Microsoft.EntityFrameworkCore;
-using System.Security;
 using Microsoft.Extensions.Caching.Memory;
 using Oqtane.Infrastructure;
 using Oqtane.Models;
 using Oqtane.Shared;
 using Oqtane.Themes;
-using System.Reflection.Metadata;
-using Oqtane.Migrations.Master;
-using Oqtane.Modules;
 namespace Oqtane.Repository
 {
diff --git a/Oqtane.Server/Services/SiteService.cs b/Oqtane.Server/Services/SiteService.cs
index 595c4ddd..0d607d38 100644
--- a/Oqtane.Server/Services/SiteService.cs
+++ b/Oqtane.Server/Services/SiteService.cs
@@ -32,6 +32,7 @@ namespace Oqtane.Services
 private readonly ILogManager _logger;
 private readonly IMemoryCache _cache;
 private readonly IHttpContextAccessor _accessor;
+ private readonly string _private = "[PRIVATE]";
 public ServerSiteService(ISiteRepository sites, IPageRepository pages, IThemeRepository themes, IPageModuleRepository pageModules, IModuleDefinitionRepository moduleDefinitions, ILanguageRepository languages, IUserPermissions userPermissions, ISettingRepository settings, ITenantManager tenantManager, ISyncManager syncManager, ILogManager logger, IMemoryCache cache, IHttpContextAccessor accessor)
 {
@@ -69,18 +70,26 @@ namespace Oqtane.Services
 return GetSite(siteId);
 });
+ // clone object so that cache is not mutated
+ site = site.Clone(site);
+
+ // trim site settings based on user permissions
+ site.Settings = site.Settings
+ .Where(item => !item.Value.StartsWith(_private) || _accessor.HttpContext.User.IsInRole(RoleNames.Admin))
+ .ToDictionary(setting => setting.Key, setting => setting.Value.Replace(_private, ""));
+
 // trim pages based on user permissions
 var pages = new List();
 foreach (Page page in site.Pages)
 {
 if (!page.IsDeleted && _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.View, page.PermissionList) && (Utilities.IsEffectiveAndNotExpired(page.EffectiveDate, page.ExpiryDate) || _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.Edit, page.PermissionList)))
 {
+ page.Settings = page.Settings
+ .Where(item => !item.Value.StartsWith(_private) || _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.Edit, page.PermissionList))
+ .ToDictionary(setting => setting.Key, setting => setting.Value.Replace(_private, ""));
 pages.Add(page);
 }
 }
-
- // clone object so that cache is not mutated
- site = site.Clone(site);
 site.Pages = pages;
 return Task.FromResult(site);
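Review bot: `_private` on the added field line is a compile-time constant and would be clearer as `private const string Private = "[PRIVATE]";` — a `readonly` instance string suggests a per-instance value, while it actually fixes the marker format that every cached setting value is written with and later parsed by prefix. Because that marker is stored inline in the cached dictionary values (the cache factory calls `GetSite(siteId)`, which prepends it), a comment on the field such as `// sentinel prefix stored on private setting values in the cached Site/Page/Module objects; stripped per request according to the caller's permissions` would point the next reader at the matching `StartsWith`/`Replace` sites. The field sits inside ServerSiteService, whose class body continues outside the hunk.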
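Review bot: The `page.Settings = …` assignment added inside the foreach writes into Page objects taken from `site.Pages`, and whether `site.Clone(site)` deep-copies those pages is not visible here; if the clone is shallow, the cached Page instances are trimmed in place, so the first caller's permissions decide which page settings every later caller sees — a first Edit-authorized caller leaves the marker stripped and the private values readable by everyone, a first unauthorized caller drops them for editors too. The moved comment "clone object so that cache is not mutated" should be verified against Site.Clone, or each page copied before its Settings is replaced. Separately, `StartsWith(_private)` is culture-sensitive and `Replace(_private, "")` rewrites the marker anywhere in the value, not only as a prefix; prefer `item.Value.StartsWith(_private, StringComparison.Ordinal)` and `setting.Value.StartsWith(_private, StringComparison.Ordinal) ? setting.Value.Substring(_private.Length) : setting.Value`, here and in the hunk at -252 which uses the same pattern. The enclosing method starts before the hunk.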
@@ -94,14 +103,13 @@ namespace Oqtane.Services
 {
 // site settings
 site.Settings = _settings.GetSettings(EntityNames.Site, site.SiteId)
- .Where(item => !item.IsPrivate || _accessor.HttpContext.User.IsInRole(RoleNames.Admin))
- .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
+ .ToDictionary(setting => setting.SettingName, setting => (setting.IsPrivate ? _private : "") + setting.SettingValue);
- // populate File Extensions
+ // populate file extensions
 site.ImageFiles = site.Settings.ContainsKey("ImageFiles") && !string.IsNullOrEmpty(site.Settings["ImageFiles"])
 ? site.Settings["ImageFiles"] : Constants.ImageFiles;
 site.UploadableFiles = site.Settings.ContainsKey("UploadableFiles") && !string.IsNullOrEmpty(site.Settings["UploadableFiles"])
- ? site.Settings["UploadableFiles"] : Constants.UploadableFiles;
+ ? site.Settings["UploadableFiles"] : Constants.UploadableFiles;
 // pages
 List settings = _settings.GetSettings(EntityNames.Page).ToList();
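Review bot: The `site.ImageFiles` and `site.UploadableFiles` reads on the context lines now index `site.Settings` after the new `.ToDictionary(...)` has prepended the marker, so if either of those settings is stored with IsPrivate set, the property receives a value beginning with `[PRIVATE]` instead of falling back to `Constants.ImageFiles`/`Constants.UploadableFiles`; before this change private entries were filtered out ahead of the lookup. Taking `SettingValue` for those two keys from the `_settings.GetSettings(...)` result, or stripping the marker in those two expressions, keeps the fallback behaviour. The marker is also ambiguous by construction: a non-private setting whose own value starts with `[PRIVATE]` becomes indistinguishable from a private one once cached, which applies equally to the page and module settings built the same way in the hunks at -109 and -311; a comment on the `.ToDictionary(...)` line, `// IsPrivate is not cached; the prefix is the only private/public signal that survives, and is stripped per request`, would make that trade-off explicit. The enclosing method starts and ends outside the hunk.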
@@ -109,14 +117,13 @@ namespace Oqtane.Services
 foreach (Page page in _pages.GetPages(site.SiteId))
 {
 page.Settings = settings.Where(item => item.EntityId == page.PageId)
- .Where(item => !item.IsPrivate || _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.Edit, page.PermissionList))
- .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
+ .ToDictionary(setting => setting.SettingName, setting => (setting.IsPrivate ? _private : "") + setting.SettingValue);
 site.Pages.Add(page);
 }
 site.Pages = GetPagesHierarchy(site.Pages);
 // framework modules
- var modules = GetModules(site.SiteId);
+ var modules = GetPageModules(site.SiteId);
 site.Settings.Add(Constants.AdminDashboardModule, modules.FirstOrDefault(item => item.ModuleDefinitionName == Constants.AdminDashboardModule).ModuleId.ToString());
 site.Settings.Add(Constants.PageManagementModule, modules.FirstOrDefault(item => item.ModuleDefinitionName == Constants.PageManagementModule).ModuleId.ToString());
@@ -252,30 +259,24 @@ namespace Oqtane.Services
 var sitemodules = _cache.GetOrCreate($"modules:{alias.SiteKey}", entry =>
 {
 entry.SlidingExpiration = TimeSpan.FromMinutes(30);
- return GetModules(siteId);
+ return GetPageModules(siteId);
 });
+ // trim modules for current page based on user permissions
 var modules = new List();
 foreach (Module module in sitemodules.Where(item => (item.PageId == pageId || pageId == -1) && !item.IsDeleted && _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.View, item.PermissionList)))
 {
 if (Utilities.IsEffectiveAndNotExpired(module.EffectiveDate, module.ExpiryDate) || _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.Edit, module.PermissionList))
 {
+ module.Settings = module.Settings
+ .Where(item => !item.Value.StartsWith(_private) || _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.Edit, module.PermissionList))
+ .ToDictionary(setting => setting.Key, setting => setting.Value.Replace(_private, ""));
 modules.Add(module);
 }
 }
 return Task.FromResult(modules);
 }
- private List GetModules(int siteId)
- {
- var alias = _tenantManager.GetAlias();
- return _cache.GetOrCreate($"modules:{alias.SiteKey}", entry =>
- {
- entry.SlidingExpiration = TimeSpan.FromMinutes(30);
- return GetPageModules(siteId);
- });
- }
-
 private List GetPageModules(int siteId)
 {
 List moduledefinitions = _moduleDefinitions.GetModuleDefinitions(siteId).ToList();
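Review bot: The added `module.Settings = …` assignment mutates Module objects that belong to the `modules:{alias.SiteKey}` cache entry returned by `_cache.GetOrCreate` a few lines above — nothing copies them between the cache read and the loop, unlike the site path which calls `site.Clone(site)` first. After one request by a caller with Edit permission the `.Replace(_private, "")` step has removed the marker from the cached values, so every later caller without Edit passes the `StartsWith` filter and receives the private settings; after one request by a caller without Edit, the private entries are gone from the cache for everyone, editors included. Build the trimmed dictionary on a per-request copy of the module (using whatever copy helper Module offers, as Site does) rather than assigning back into the cached instance, and hoist the `_userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.Edit, module.PermissionList)` call out of the per-setting lambda, since it does not depend on the setting. The enclosing method starts before the hunk.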
@@ -311,8 +312,7 @@ namespace Oqtane.Services
 ModuleDefinition = _moduleDefinitions.FilterModuleDefinition(moduledefinitions.Find(item => item.ModuleDefinitionName == pagemodule.Module.ModuleDefinitionName)),
 Settings = settings.Where(item => item.EntityId == pagemodule.ModuleId)
- .Where(item => !item.IsPrivate || _userPermissions.IsAuthorized(_accessor.HttpContext.User, PermissionNames.Edit, pagemodule.Module.PermissionList))
- .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue)
+ .ToDictionary(setting => setting.SettingName, setting => (setting.IsPrivate ? _private : "") + setting.SettingValue)
 };
 modules.Add(module);
diff --git a/Oqtane.Shared/Interfaces/IThemeControl.cs b/Oqtane.Shared/Interfaces/IThemeControl.cs
index ef5d9bc2..9cf960fa 100644
--- a/Oqtane.Shared/Interfaces/IThemeControl.cs
+++ b/Oqtane.Shared/Interfaces/IThemeControl.cs
@@ -16,7 +16,7 @@ namespace Oqtane.Themes
 string Thumbnail { get; }
 ///
- /// Identifies all panes in a theme ( delimited by "," or ";") - assumed to be a layout if no panes specified
+ /// Comma delimited list of all panes in a theme
 ///
 string Panes { get; }