kocoded/oqtane.framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prevent notifications from being accessed by other users

Browse Source
This commit is contained in:
sbwalker 2024-11-26 14:30:41 -05:00
parent f71a3a1ce3
commit ffea9e3210
5 changed files with 12 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Oqtane.Client/Modules/Admin/UserProfile/Index.razor
View File

@ -230,13 +230,13 @@
@if (context.IsRead)
{
<td>@context.FromDisplayName</td>
<td>@(string.IsNullOrEmpty(context.FromDisplayName) ? SharedLocalizer["System"] : context.FromDisplayName)</td>
<td>@context.Subject</td>
<td>@string.Format("{0:dd-MMM-yyyy HH:mm:ss}", @context.CreatedOn)</td>
}
else
{
<td><b>@context.FromDisplayName</b></td>
<td><b>@(string.IsNullOrEmpty(context.FromDisplayName) ? SharedLocalizer["System"] : context.FromDisplayName)</b></td>
<td><b>@context.Subject</b></td>
<td><b>@string.Format("{0:dd-MMM-yyyy HH:mm:ss}", @context.CreatedOn)</b></td>
}

2
Oqtane.Client/Modules/Admin/UserProfile/View.razor
View File

@ -128,7 +128,7 @@
createdon = notification.CreatedOn.ToString();
body = notification.Body;
if (title == "From")
if (title == "From" && !notification.IsRead)
{
notification.IsRead = true;
notification = await NotificationService.UpdateNotificationAsync(notification);

3
Oqtane.Client/Resources/Modules/Admin/Site/Index.resx
View File

@ -435,4 +435,7 @@
<data name="Functionality" xml:space="preserve">
<value>Functionality</value>
</data>
<data name="System" xml:space="preserve">
<value>System</value>
</data>
</root>

4
Oqtane.Server/Controllers/NotificationController.cs
View File

@ -183,7 +183,7 @@ namespace Oqtane.Controllers
{
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)))
{
if (!User.IsInRole(RoleNames.Admin))
if (!User.IsInRole(RoleNames.Admin) && notification.FromUserId != null)
{
// content must be HTML encoded for non-admins to prevent HTML injection
notification.Subject = WebUtility.HtmlEncode(notification.Subject);
@ -223,7 +223,7 @@ namespace Oqtane.Controllers
private bool IsAuthorized(int? userid)
{
bool authorized = true;
bool authorized = false;
if (userid != null)
{
authorized = (_userPermissions.GetUser(User).UserId == userid);

8
Oqtane.Shared/Models/Notification.cs
View File

@ -144,25 +144,25 @@ namespace Oqtane.Models
{
FromUserId = from.UserId;
FromDisplayName = from.DisplayName;
FromEmail = from.Email;
FromEmail = from.Email ?? "";
}
else
{
FromUserId = null;
FromDisplayName = fromDisplayName;
FromEmail = fromEmail;
FromEmail = fromEmail ?? "";
}
if (to != null)
{
ToUserId = to.UserId;
ToDisplayName = to.DisplayName;
ToEmail = to.Email;
ToEmail = to.Email ?? "";
}
else
{
ToUserId = null;
ToDisplayName = toDisplayName;
ToEmail = toEmail;
ToEmail = toEmail ?? "";
}
Subject = subject;
Body = body;