kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #5086 from sbwalker/dev

Browse Source 
improve notification add and update methods
This commit is contained in:
Shaun Walker 2025-02-10 09:50:35 -05:00 committed by GitHub
commit f4b1e8035b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 38 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Oqtane.Server/Controllers/NotificationController.cs
View File

@ -155,7 +155,7 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Notification Post([FromBody] Notification notification) public Notification Post([FromBody] Notification notification)
{ {
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && IsAuthorized(notification.FromUserId)) if (ModelState.IsValid && notification.SiteId == _alias.SiteId && (IsAuthorized(notification.FromUserId) || (notification.FromUserId == null && User.IsInRole(RoleNames.Admin))))
{ {
if (!User.IsInRole(RoleNames.Admin)) if (!User.IsInRole(RoleNames.Admin))
{ {
@ -181,14 +181,35 @@ namespace Oqtane.Controllers
[Authorize(Roles = RoleNames.Registered)] [Authorize(Roles = RoleNames.Registered)]
public Notification Put(int id, [FromBody] Notification notification) public Notification Put(int id, [FromBody] Notification notification)
{ {
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId))) if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null)
{ {
if (!User.IsInRole(RoleNames.Admin) && notification.FromUserId != null) bool update = false;
if (IsAuthorized(notification.FromUserId))
{
// notification belongs to current authenticated user - update is allowed
if (!User.IsInRole(RoleNames.Admin))
{ {
// content must be HTML encoded for non-admins to prevent HTML injection // content must be HTML encoded for non-admins to prevent HTML injection
notification.Subject = WebUtility.HtmlEncode(notification.Subject); notification.Subject = WebUtility.HtmlEncode(notification.Subject);
notification.Body = WebUtility.HtmlEncode(notification.Body); notification.Body = WebUtility.HtmlEncode(notification.Body);
} }
update = true;
}
else
{
if (IsAuthorized(notification.ToUserId))
{
// notification was sent to current authenticated user - only isread and isdeleted properties can be updated
var isread = notification.IsRead;
var isdeleted = notification.IsDeleted;
notification = _notifications.GetNotification(notification.NotificationId);
notification.IsRead = isread;
notification.IsDeleted = isdeleted;
update = true;
}
}
if (update)
{
notification = _notifications.UpdateNotification(notification); notification = _notifications.UpdateNotification(notification);
_syncManager.AddSyncEvent(_alias, EntityNames.Notification, notification.NotificationId, SyncEventActions.Update); _syncManager.AddSyncEvent(_alias, EntityNames.Notification, notification.NotificationId, SyncEventActions.Update);
_logger.Log(LogLevel.Information, this, LogFunction.Update, "Notification Updated {NotificationId}", notification.NotificationId); _logger.Log(LogLevel.Information, this, LogFunction.Update, "Notification Updated {NotificationId}", notification.NotificationId);
@ -199,6 +220,13 @@ namespace Oqtane.Controllers
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden; HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
notification = null; notification = null;
} }
}
else
{
_logger.Log(LogLevel.Error, this, LogFunction.Security, "Unauthorized Notification Put Attempt {Notification}", notification);
HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
notification = null;
}
return notification; return notification;
} }
@ -223,7 +251,7 @@ namespace Oqtane.Controllers
private bool IsAuthorized(int? userid) private bool IsAuthorized(int? userid)
{ {
bool authorized = User.IsInRole(RoleNames.Admin); bool authorized = false;
if (userid != null) if (userid != null)
{ {
authorized = (_userPermissions.GetUser(User).UserId == userid); authorized = (_userPermissions.GetUser(User).UserId == userid);