using System.Collections.Generic; using Microsoft.AspNetCore.Mvc; using Oqtane.Models; using Oqtane.Shared; using Oqtane.Security; using System.Linq; using Oqtane.Enums; using Oqtane.Infrastructure; using Oqtane.Repository; namespace Oqtane.Controllers { [Route(ControllerRoutes.ApiRoute)] public class SettingController : Controller { private readonly ISettingRepository _settings; private readonly IPageModuleRepository _pageModules; private readonly IUserPermissions _userPermissions; private readonly ISyncManager _syncManager; private readonly ILogManager _logger; private readonly Alias _alias; public SettingController(ISettingRepository settings, IPageModuleRepository pageModules, IUserPermissions userPermissions, ITenantManager tenantManager, ISyncManager syncManager, ILogManager logger) { _settings = settings; _pageModules = pageModules; _userPermissions = userPermissions; _syncManager = syncManager; _logger = logger; _alias = tenantManager.GetAlias(); } // GET: api/ [HttpGet] public IEnumerable Get(string entityname, int entityid) { List settings = new List(); if (IsAuthorized(entityname, entityid, PermissionNames.View)) { settings = _settings.GetSettings(entityname, entityid).ToList(); } else { _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Settings {EntityName} {EntityId}", entityname, entityid); HttpContext.Response.StatusCode = 401; } return settings; } // GET api//5 [HttpGet("{id}")] public Setting Get(int id) { Setting setting = _settings.GetSetting(id); if (IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.View)) { return setting; } else { _logger.Log(LogLevel.Error, this, LogFunction.Read, "User Not Authorized To Access Setting {Setting}", setting); HttpContext.Response.StatusCode = 401; return null; } } // POST api/ [HttpPost] public Setting Post([FromBody] Setting setting) { if (ModelState.IsValid && IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.Edit)) { setting = _settings.AddSetting(setting); if (setting.EntityName == EntityNames.Module) { _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); } _logger.Log(LogLevel.Information, this, LogFunction.Create, "Setting Added {Setting}", setting); } else { _logger.Log(LogLevel.Error, this, LogFunction.Create, "User Not Authorized To Add Setting {Setting}", setting); HttpContext.Response.StatusCode = 401; setting = null; } return setting; } // PUT api//5 [HttpPut("{id}")] public Setting Put(int id, [FromBody] Setting setting) { if (ModelState.IsValid && IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.Edit)) { setting = _settings.UpdateSetting(setting); if (setting.EntityName == EntityNames.Module) { _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); } _logger.Log(LogLevel.Information, this, LogFunction.Update, "Setting Updated {Setting}", setting); } else { _logger.Log(LogLevel.Error, this, LogFunction.Update, "User Not Authorized To Update Setting {Setting}", setting); HttpContext.Response.StatusCode = 401; setting = null; } return setting; } // DELETE api//5 [HttpDelete("{id}")] public void Delete(int id) { Setting setting = _settings.GetSetting(id); if (IsAuthorized(setting.EntityName, setting.EntityId, PermissionNames.Edit)) { _settings.DeleteSetting(id); if (setting.EntityName == EntityNames.Module) { _syncManager.AddSyncEvent(_alias.TenantId, EntityNames.Site, _alias.SiteId); } _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Setting Deleted {Setting}", setting); } else { _logger.Log(LogLevel.Error, this, LogFunction.Delete, "User Not Authorized To Delete Setting {Setting}", setting); HttpContext.Response.StatusCode = 401; } } private bool IsAuthorized(string entityName, int entityId, string permissionName) { bool authorized = false; if (entityName == EntityNames.PageModule) { entityName = EntityNames.Module; entityId = _pageModules.GetPageModule(entityId).ModuleId; } switch (entityName) { case EntityNames.Tenant: authorized = User.IsInRole(RoleNames.Host); break; case EntityNames.Site: authorized = User.IsInRole(RoleNames.Admin); break; case EntityNames.Page: case EntityNames.Module: case EntityNames.Folder: authorized = _userPermissions.IsAuthorized(User, entityName, entityId, permissionName); break; case EntityNames.User: authorized = true; if (permissionName == PermissionNames.Edit) { authorized = User.IsInRole(RoleNames.Admin) || (_userPermissions.GetUser(User).UserId == entityId); } break; } return authorized; } } }