From 95327a3146d62bdbeef029e8509da6eafd01c741 Mon Sep 17 00:00:00 2001 From: tidusjar Date: Fri, 13 Oct 2017 22:18:26 +0100 Subject: [PATCH] Fixed #1553 --- src/Ombi/Controllers/IdentityController.cs | 55 ++++++++++++++++------ 1 file changed, 41 insertions(+), 14 deletions(-) diff --git a/src/Ombi/Controllers/IdentityController.cs b/src/Ombi/Controllers/IdentityController.cs index cf4cbd8d2..6c6a4628a 100644 --- a/src/Ombi/Controllers/IdentityController.cs +++ b/src/Ombi/Controllers/IdentityController.cs @@ -126,7 +126,7 @@ namespace Ombi.Controllers /// Gets all users. /// /// Information about all users - [HttpGet("Users")] + [HttpGet("Users")] [PowerUser] public async Task> GetAllUsers() { @@ -160,7 +160,7 @@ namespace Ombi.Controllers /// Gets the user by the user id. /// /// Information about the user - [HttpGet("User/{id}")] + [HttpGet("User/{id}")] [PowerUser] public async Task GetUser(string id) { @@ -213,7 +213,7 @@ namespace Ombi.Controllers /// /// The user. /// - [HttpPost] + [HttpPost] [PowerUser] public async Task CreateUser([FromBody] UserViewModel user) { @@ -221,6 +221,10 @@ namespace Ombi.Controllers { return Error($"The email address {user.EmailAddress} is not a valid format"); } + if (!CanModifyUser(user.Claims.Select(x => x.Value))) + { + return Error("You do not have the correct permissions to create this user"); + } var ombiUser = new OmbiUser { Alias = user.Alias, @@ -261,6 +265,19 @@ namespace Ombi.Controllers }; } + private bool CanModifyUser(IEnumerable roles) + { + if (roles.Any(x => x.Equals("admin", StringComparison.CurrentCultureIgnoreCase))) + { + // Only Admins can create admins + if (!User.IsInRole(OmbiRoles.Admin)) + { + return false; + } + } + return true; + } + /// /// This is for the local user to change their details. /// 
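Review bot: `[PowerUser]` is appended on the same physical line as the route attribute (`[HttpGet("Users")] [PowerUser]`), and the same layout is repeated in the hunks at -160, -213, -338, -423 and -531. Conventional C# places each attribute on its own line, which also makes authorization changes stand out in later diffs: `[HttpGet("Users")]` followed by `[PowerUser]` on the next line. Because the removed lines carried no per-action authorization attribute at all, I would confirm that `[PowerUser]` is an authorization filter that also rejects unauthenticated callers, or that a class-level `[Authorize]` (outside this hunk) still covers these actions. The action bodies continue past the end of each of these hunks.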
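Review bot: The new permission check in CreateUser dereferences `user.Claims` before anything has validated it, so a request body without a `Claims` array would fail with a NullReferenceException rather than the intended error; whether the model binder can leave `Claims` null cannot be told from the hunk (the view model is not shown). A null-tolerant form keeps the check on the safe side: `if (!CanModifyUser(user.Claims?.Select(x => x.Value) ?? Array.Empty<string>()))`. The same expression is used in the UpdateUser hunk at -346 and would need the same treatment. CreateUser's body continues outside the hunk.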
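Review bot: CanModifyUser compares a role name with `StringComparison.CurrentCultureIgnoreCase`; role names are identifiers, not user-facing text, so the comparison should be culture-invariant (`OrdinalIgnoreCase`) to avoid locale-dependent matching, and the hard-coded `"admin"` literal duplicates the `OmbiRoles.Admin` constant used two lines later, leaving two sources of truth for the same role name. Both are fixed by `if (roles.Any(x => string.Equals(x, OmbiRoles.Admin, StringComparison.OrdinalIgnoreCase)))`, which also tolerates a null element where the instance `x.Equals(...)` call would throw. The comment `// Only Admins can create admins` reads as create-only although the same helper guards update and delete; `// Only Admins may grant, edit or remove the admin role` describes the actual use. The method returns true for any role set that does not name admin, so it relies entirely on the caller passing the complete role list.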
@@ -274,7 +291,7 @@ namespace Ombi.Controllers { return Error("You need to provide your current password to make any changes"); } - + var changingPass = !string.IsNullOrEmpty(ui.Password) || !string.IsNullOrEmpty(ui.ConfirmNewPassword); if (changingPass) @@ -338,7 +355,7 @@ namespace Ombi.Controllers /// /// The user. /// - [HttpPut] + [HttpPut] [PowerUser] public async Task UpdateUser([FromBody] UserViewModel ui) { @@ -346,6 +363,10 @@ namespace Ombi.Controllers { return Error($"The email address {ui.EmailAddress} is not a valid format"); } + if (!CanModifyUser(ui.Claims.Select(x => x.Value))) + { + return Error("You do not have the correct permissions to create this user"); + } // Get the user var user = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == ui.Id); user.Alias = ui.Alias; @@ -394,14 +415,20 @@ namespace Ombi.Controllers /// /// The user. /// - [HttpDelete("{userId}")] + [HttpDelete("{userId}")] [PowerUser] public async Task DeleteUser(string userId) { - var userToDelete = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == userId); if (userToDelete != null) { + + // Can we delete this user? + var userRoles = await UserManager.GetRolesAsync(userToDelete); + if (!CanModifyUser(userRoles)) + { + return Error("You do not have the correct permissions to delete this user"); + } var result = await UserManager.DeleteAsync(userToDelete); if (result.Succeeded) { @@ -423,7 +450,7 @@ namespace Ombi.Controllers /// Gets all available claims in the system. /// /// - [HttpGet("claims")] + [HttpGet("claims")] [PowerUser] public async Task> GetAllClaims() { @@ -444,7 +471,7 @@ namespace Ombi.Controllers //public async Task SendWelcomeEmail([FromBody] UserViewModel user) //{ - + //} /// 
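Review bot: The error text added to UpdateUser says "create this user" although this is the update path, so the message should read `return Error("You do not have the correct permissions to update this user");`. More importantly, the check inspects only the submitted `ui.Claims`, never the roles the target account already holds: unlike DeleteUser in the hunk at -394, which calls `UserManager.GetRolesAsync` on the existing user before acting, a non-admin caller here could submit an update for an admin account with the admin claim omitted and pass the check, presumably modifying (or demoting) that account if the rest of the method applies the posted claims — the remainder of UpdateUser is outside the hunk, so I cannot confirm what it applies. Mirroring DeleteUser by also checking the existing roles after the user is fetched closes that gap; the fetched `user` is also used without a null check on the following context line, which the added call would otherwise turn into an ArgumentNullException.
```csharp
if (!CanModifyUser(ui.Claims.Select(x => x.Value)))
{
    return Error("You do not have the correct permissions to update this user");
}
// Get the user
var user = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == ui.Id);
if (user == null)
{
    return Error("The user could not be found");
}
// Mirror DeleteUser: refuse to edit an account that already holds a role the caller may not grant
var existingRoles = await UserManager.GetRolesAsync(user);
if (!CanModifyUser(existingRoles))
{
    return Error("You do not have the correct permissions to update this user");
}
user.Alias = ui.Alias;
// … unchanged: remaining field updates …
```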
@@ -459,18 +486,18 @@ namespace Ombi.Controllers { // Check if account exists var user = await UserManager.FindByEmailAsync(email.Email); - + var defaultMessage = new OmbiIdentityResult { Successful = true, Errors = new List { "If this account exists you should recieve a password reset link." } }; - + if (user == null) { return defaultMessage; } - + // We have the user var token = await UserManager.GeneratePasswordResetTokenAsync(user); // We now need to email the user with this token @@ -531,7 +558,7 @@ namespace Ombi.Controllers }; } - [HttpPost("welcomeEmail")] + [HttpPost("welcomeEmail")] [PowerUser] public void SendWelcomeEmail([FromBody] UserViewModel user) { @@ -542,7 +569,7 @@ namespace Ombi.Controllers }; BackgroundJob.Enqueue(() => WelcomeEmail.SendEmail(ombiUser)); } - + private async Task> AddRoles(IEnumerable roles, OmbiUser ombiUser) { var roleResult = new List();