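using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Oqtane.Infrastructure;
using Oqtane.Models;
using Oqtane.Repository;
using Oqtane.Security;
using Oqtane.Shared;

namespace Oqtane.Controllers
{
    /// <summary>
    /// REST endpoints for site pages: listing, reading, creating, personalizing,
    /// updating, reordering and deleting.
    /// Every action that returns data first checks the caller against the page's
    /// own permission string; mutating actions additionally require the
    /// registered-user role. The <c>{site}</c> route segment is not read by any
    /// action here — site scoping comes from the <c>siteid</c> argument or from
    /// the page record itself.
    /// </summary>
    [Route("{site}/api/[controller]")]
    public class PageController : Controller
    {
        private readonly IPageRepository _pages;
        private readonly IModuleRepository _modules;
        private readonly IPageModuleRepository _pageModules;
        private readonly IUserPermissions _userPermissions;
        private readonly ILogManager _logger;

        public PageController(IPageRepository Pages, IModuleRepository Modules, IPageModuleRepository PageModules, IUserPermissions UserPermissions, ILogManager logger)
        {
            _pages = Pages;
            _modules = Modules;
            _pageModules = PageModules;
            _userPermissions = UserPermissions;
            _logger = logger;
        }

        // Records an authorization failure and marks the response as denied.
        // NOTE(review): 401 is kept because existing clients expect it; 403 Forbidden
        // is the accurate status for a caller that is authenticated but lacks permission.
        private void Deny(LogFunction function, string message, params object[] args)
        {
            _logger.Log(LogLevel.Error, this, function, message, args);
            HttpContext.Response.StatusCode = 401;
        }

        // Builds a permission string granting View and Edit to a single user id only.
        // Used for personalized copies so they are private to their owner.
        private static string OwnerOnlyPermissions(int userId)
        {
            string owner = "[" + userId + "]";
            return UserSecurity.SetPermissionStrings(new List<PermissionString>
            {
                new PermissionString { PermissionName = "View", Permissions = owner },
                new PermissionString { PermissionName = "Edit", Permissions = owner }
            });
        }

        // GET: api/<controller>?siteid=x
        // Returns the pages of the site that the caller is allowed to View.
        // A non-numeric siteid yields an empty list instead of an unhandled
        // FormatException (which would surface as a 500).
        [HttpGet]
        public IEnumerable<Page> Get(string siteid)
        {
            var visible = new List<Page>();
            if (!int.TryParse(siteid, out int siteId))
            {
                return visible;
            }

            foreach (Page page in _pages.GetPages(siteId))
            {
                if (_userPermissions.IsAuthorized(User, "View", page.Permissions))
                {
                    visible.Add(page);
                }
            }
            return visible;
        }

        // GET api/<controller>/5?userid=x
        // Returns a page (or, when userid is given, the personalized variant the
        // repository resolves for that user) if the caller may View it.
        // 400 for a malformed userid, 404 when no page exists, 401 when the
        // caller is not authorized.
        [HttpGet("{id}")]
        public Page Get(int id, string userid)
        {
            Page page;
            if (string.IsNullOrEmpty(userid))
            {
                page = _pages.GetPage(id);
            }
            else if (int.TryParse(userid, out int userId))
            {
                page = _pages.GetPage(id, userId);
            }
            else
            {
                HttpContext.Response.StatusCode = 400;
                return null;
            }

            // Guard before touching page.Permissions; the original dereferenced a
            // possibly-null lookup result.
            if (page == null)
            {
                HttpContext.Response.StatusCode = 404;
                return null;
            }

            if (_userPermissions.IsAuthorized(User, "View", page.Permissions))
            {
                return page;
            }

            Deny(LogFunction.Read, "User Not Authorized To Access Page {Page}", page);
            return null;
        }

        // POST api/<controller>
        // Creates a page. The authorization decision is derived from the parent page's
        // permissions (child page) or from the Admin role (root page); the caller must
        // hold Edit on that permission set.
        [HttpPost]
        [Authorize(Roles = Constants.RegisteredRole)]
        public Page Post([FromBody] Page Page)
        {
            if (Page == null)
            {
                HttpContext.Response.StatusCode = 400;
                return null;
            }

            if (!ModelState.IsValid)
            {
                // Preserved from the original: an invalid model echoes the input back.
                return Page;
            }

            string permissions;
            if (Page.ParentId != null)
            {
                Page parent = _pages.GetPage(Page.ParentId.Value);
                // The decision is borrowed from the parent, so the parent must exist and
                // the new page must be created in the parent's site — the SiteId in the
                // body is client-supplied and was previously never checked.
                if (parent == null || parent.SiteId != Page.SiteId)
                {
                    Deny(LogFunction.Create, "User Not Authorized To Add Page {Page}", Page);
                    return null;
                }
                permissions = parent.Permissions;
            }
            else
            {
                // Root-level pages require the administrator role.
                permissions = UserSecurity.SetPermissionStrings(new List<PermissionString>
                {
                    new PermissionString { PermissionName = "Edit", Permissions = Constants.AdminRole }
                });
            }

            if (!_userPermissions.IsAuthorized(User, "Edit", permissions))
            {
                Deny(LogFunction.Create, "User Not Authorized To Add Page {Page}", Page);
                return null;
            }

            Page = _pages.AddPage(Page);
            _logger.Log(LogLevel.Information, this, LogFunction.Create, "Page Added {Page}", Page);
            return Page;
        }

        // POST api/<controller>/5?userid=x
        // Creates a personalized copy of page {id} for the calling user, including a
        // copy of every non-deleted module on the parent page (content is transferred
        // with ExportModule/ImportModule). Requires: the parent exists and is
        // personalizable, userid is the caller's own id, and the caller may View the
        // parent — the View check keeps module content from being copied out of a page
        // the caller cannot otherwise read.
        [HttpPost("{id}")]
        [Authorize(Roles = Constants.RegisteredRole)]
        public Page Post(int id, string userid)
        {
            if (!int.TryParse(userid, out int userId))
            {
                HttpContext.Response.StatusCode = 400;
                return null;
            }

            Page parent = _pages.GetPage(id);
            var caller = _userPermissions.GetUser(User);
            bool isOwner = caller != null && caller.UserId == userId;
            if (parent == null || !parent.IsPersonalizable || !isOwner
                || !_userPermissions.IsAuthorized(User, "View", parent.Permissions))
            {
                Deny(LogFunction.Create, "User Not Authorized To Personalize Page {PageId} {UserId}", id, userid);
                return null;
            }

            Page page = new Page
            {
                SiteId = parent.SiteId,
                Name = parent.Name,
                Path = parent.Path,
                ParentId = parent.PageId,
                Order = 0,
                IsNavigation = false,
                EditMode = false,
                ThemeType = parent.ThemeType,
                LayoutType = parent.LayoutType,
                Icon = parent.Icon,
                Permissions = OwnerOnlyPermissions(userId),
                IsPersonalizable = false,
                UserId = userId
            };
            page = _pages.AddPage(page);

            // Materialize before iterating: the loop adds page modules to the same
            // repository it is reading from.
            List<PageModule> siblings = _pageModules.GetPageModules(page.SiteId).ToList();
            foreach (PageModule pm in siblings.Where(item => item.PageId == parent.PageId && !item.IsDeleted))
            {
                Module module = new Module
                {
                    SiteId = page.SiteId,
                    PageId = page.PageId,
                    ModuleDefinitionName = pm.Module.ModuleDefinitionName,
                    Permissions = OwnerOnlyPermissions(userId)
                };
                module = _modules.AddModule(module);

                string content = _modules.ExportModule(pm.ModuleId);
                if (!string.IsNullOrEmpty(content))
                {
                    _modules.ImportModule(module.ModuleId, content);
                }

                _pageModules.AddPageModule(new PageModule
                {
                    PageId = page.PageId,
                    ModuleId = module.ModuleId,
                    Title = pm.Title,
                    Pane = pm.Pane,
                    Order = pm.Order,
                    ContainerType = pm.ContainerType
                });
            }

            _logger.Log(LogLevel.Information, this, LogFunction.Create, "Page Personalized {Page}", page);
            return page;
        }

        // PUT api/<controller>/5
        // Updates a page. The route id must match the body's PageId, because the
        // authorization check and the update both key off the body; a mismatch is
        // rejected with 400 rather than silently updating a different page.
        [HttpPut("{id}")]
        [Authorize(Roles = Constants.RegisteredRole)]
        public Page Put(int id, [FromBody] Page Page)
        {
            if (Page == null || id != Page.PageId)
            {
                HttpContext.Response.StatusCode = 400;
                return null;
            }

            if (ModelState.IsValid && _userPermissions.IsAuthorized(User, "Page", Page.PageId, "Edit"))
            {
                Page = _pages.UpdatePage(Page);
                _logger.Log(LogLevel.Information, this, LogFunction.Update, "Page Updated {Page}", Page);
                return Page;
            }

            Deny(LogFunction.Update, "User Not Authorized To Update Page {Page}", Page);
            return null;
        }

        // PUT api/<controller>/?siteid=x&pageid=y&parentid=z
        // Renumbers the Order of every page under parentid in siteid as 1, 3, 5, …
        // (gaps of two), writing back only the rows whose Order actually changes.
        // NOTE(review): the only check is Edit on pageid; pageid is not verified to be
        // one of the siblings being renumbered or to belong to siteid. Confirm the
        // client call sites before tightening this to require membership.
        [HttpPut]
        [Authorize(Roles = Constants.RegisteredRole)]
        public void Put(int siteid, int pageid, int? parentid)
        {
            if (!_userPermissions.IsAuthorized(User, "Page", pageid, "Edit"))
            {
                Deny(LogFunction.Update, "User Not Authorized To Update Page Order {SiteId} {PageId} {ParentId}", siteid, pageid, parentid);
                return;
            }

            int order = 1;
            List<Page> pages = _pages.GetPages(siteid).ToList();
            foreach (Page page in pages.Where(item => item.ParentId == parentid).OrderBy(item => item.Order))
            {
                if (page.Order != order)
                {
                    page.Order = order;
                    _pages.UpdatePage(page);
                }
                order += 2;
            }
            _logger.Log(LogLevel.Information, this, LogFunction.Update, "Page Order Updated {SiteId} {PageId} {ParentId}", siteid, pageid, parentid);
        }

        // DELETE api/<controller>/5
        // Deletes a page; requires Edit permission on that page.
        [HttpDelete("{id}")]
        [Authorize(Roles = Constants.RegisteredRole)]
        public void Delete(int id)
        {
            if (!_userPermissions.IsAuthorized(User, "Page", id, "Edit"))
            {
                Deny(LogFunction.Delete, "User Not Authorized To Delete Page {PageId}", id);
                return;
            }

            _pages.DeletePage(id);
            _logger.Log(LogLevel.Information, this, LogFunction.Delete, "Page Deleted {PageId}", id);
        }
    }
}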