diff --git a/src/Ombi/Controllers/IdentityController.cs b/src/Ombi/Controllers/IdentityController.cs
index cf4cbd8d2..6c6a4628a 100644
--- a/src/Ombi/Controllers/IdentityController.cs
+++ b/src/Ombi/Controllers/IdentityController.cs
@@ -126,7 +126,7 @@ namespace Ombi.Controllers
/// Gets all users.
///
/// Information about all users
- [HttpGet("Users")]
+ [HttpGet("Users")]
[PowerUser]
public async Task> GetAllUsers()
{
@@ -160,7 +160,7 @@ namespace Ombi.Controllers
/// Gets the user by the user id.
///
/// Information about the user
- [HttpGet("User/{id}")]
+ [HttpGet("User/{id}")]
[PowerUser]
public async Task GetUser(string id)
{
@@ -213,7 +213,7 @@ namespace Ombi.Controllers
///
/// The user.
///
- [HttpPost]
+ [HttpPost]
[PowerUser]
public async Task CreateUser([FromBody] UserViewModel user)
{
@@ -221,6 +221,10 @@ namespace Ombi.Controllers
{
return Error($"The email address {user.EmailAddress} is not a valid format");
}
+ if (!CanModifyUser(user.Claims.Select(x => x.Value)))
+ {
+ return Error("You do not have the correct permissions to create this user");
+ }
var ombiUser = new OmbiUser
{
Alias = user.Alias,
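Review bot: The new check at `user.Claims.Select(x => x.Value)` dereferences `user.Claims` before any null guard, so a body that omits the claims array turns into a NullReferenceException (500) instead of the `Error(...)` result the rest of the validation returns; the same applies to `ui.Claims` in the UpdateUser hunk further down. If the view model permits a missing claims list, materialise it first: `var requestedRoles = user.Claims?.Select(x => x.Value) ?? Enumerable.Empty<string>();` and then `if (!CanModifyUser(requestedRoles))`. CreateUser's body starts before and continues after this hunk, so whether `user` itself is validated for null earlier is not visible here.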
@@ -261,6 +265,19 @@ namespace Ombi.Controllers
};
}
+ private bool CanModifyUser(IEnumerable roles)
+ {
+ if (roles.Any(x => x.Equals("admin", StringComparison.CurrentCultureIgnoreCase)))
+ {
+ // Only Admins can create admins
+ if (!User.IsInRole(OmbiRoles.Admin))
+ {
+ return false;
+ }
+ }
+ return true;
+ }
+
///
/// This is for the local user to change their details.
///
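Review bot: `CanModifyUser` compares role names with `StringComparison.CurrentCultureIgnoreCase`, which makes an authorization decision depend on the server's current culture (under a culture such as tr-TR the case-insensitive match of "admin" against an upper-cased stored value can fail); role names are identifiers, so use `StringComparison.OrdinalIgnoreCase`. The literal `"admin"` also duplicates the `OmbiRoles.Admin` constant already used two lines later; assuming that constant holds the same role name, the condition becomes `if (roles.Any(x => string.Equals(x, OmbiRoles.Admin, StringComparison.OrdinalIgnoreCase)))`, which additionally tolerates a null element. The private helper has no doc comment; I would add `/// <summary>Returns false when <paramref name="roles"/> contains the admin role and the caller is not an admin; otherwise true.</summary>` above it.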
@@ -274,7 +291,7 @@ namespace Ombi.Controllers
{
return Error("You need to provide your current password to make any changes");
}
-
+
var changingPass = !string.IsNullOrEmpty(ui.Password) || !string.IsNullOrEmpty(ui.ConfirmNewPassword);
if (changingPass)
@@ -338,7 +355,7 @@ namespace Ombi.Controllers
///
/// The user.
///
- [HttpPut]
+ [HttpPut]
[PowerUser]
public async Task UpdateUser([FromBody] UserViewModel ui)
{
@@ -346,6 +363,10 @@ namespace Ombi.Controllers
{
return Error($"The email address {ui.EmailAddress} is not a valid format");
}
+ if (!CanModifyUser(ui.Claims.Select(x => x.Value)))
+ {
+ return Error("You do not have the correct permissions to create this user");
+ }
// Get the user
var user = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == ui.Id);
user.Alias = ui.Alias;
@@ -394,14 +415,20 @@ namespace Ombi.Controllers
///
/// The user.
///
- [HttpDelete("{userId}")]
+ [HttpDelete("{userId}")]
[PowerUser]
public async Task DeleteUser(string userId)
{
-
var userToDelete = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == userId);
if (userToDelete != null)
{
+
+ // Can we delete this user?
+ var userRoles = await UserManager.GetRolesAsync(userToDelete);
+ if (!CanModifyUser(userRoles))
+ {
+ return Error("You do not have the correct permissions to delete this user");
+ }
var result = await UserManager.DeleteAsync(userToDelete);
if (result.Succeeded)
{
@@ -423,7 +450,7 @@ namespace Ombi.Controllers
/// Gets all available claims in the system.
///
///
- [HttpGet("claims")]
+ [HttpGet("claims")]
[PowerUser]
public async Task> GetAllClaims()
{
@@ -444,7 +471,7 @@ namespace Ombi.Controllers
//public async Task SendWelcomeEmail([FromBody] UserViewModel user)
//{
-
+
//}
///
@@ -459,18 +486,18 @@ namespace Ombi.Controllers
{
// Check if account exists
var user = await UserManager.FindByEmailAsync(email.Email);
-
+
var defaultMessage = new OmbiIdentityResult
{
Successful = true,
Errors = new List { "If this account exists you should recieve a password reset link." }
};
-
+
if (user == null)
{
return defaultMessage;
}
-
+
// We have the user
var token = await UserManager.GeneratePasswordResetTokenAsync(user);
// We now need to email the user with this token
@@ -531,7 +558,7 @@ namespace Ombi.Controllers
};
}
- [HttpPost("welcomeEmail")]
+ [HttpPost("welcomeEmail")]
[PowerUser]
public void SendWelcomeEmail([FromBody] UserViewModel user)
{
@@ -542,7 +569,7 @@ namespace Ombi.Controllers
};
BackgroundJob.Enqueue(() => WelcomeEmail.SendEmail(ombiUser));
}
-
+
private async Task> AddRoles(IEnumerable roles, OmbiUser ombiUser)
{
var roleResult = new List();