pull/1614/head
tidusjar 7 years ago
parent 0dfe878893
commit 95327a3146

@ -126,7 +126,7 @@ namespace Ombi.Controllers
/// Gets all users. /// Gets all users.
/// </summary> /// </summary>
/// <returns>Information about all users</returns> /// <returns>Information about all users</returns>
[HttpGet("Users")] [HttpGet("Users")]
[PowerUser] [PowerUser]
public async Task<IEnumerable<UserViewModel>> GetAllUsers() public async Task<IEnumerable<UserViewModel>> GetAllUsers()
{ {
@ -160,7 +160,7 @@ namespace Ombi.Controllers
/// Gets the user by the user id. /// Gets the user by the user id.
/// </summary> /// </summary>
/// <returns>Information about the user</returns> /// <returns>Information about the user</returns>
[HttpGet("User/{id}")] [HttpGet("User/{id}")]
[PowerUser] [PowerUser]
public async Task<UserViewModel> GetUser(string id) public async Task<UserViewModel> GetUser(string id)
{ {
@ -213,7 +213,7 @@ namespace Ombi.Controllers
/// </summary> /// </summary>
/// <param name = "user" > The user.</param> /// <param name = "user" > The user.</param>
/// <returns></returns> /// <returns></returns>
[HttpPost] [HttpPost]
[PowerUser] [PowerUser]
public async Task<OmbiIdentityResult> CreateUser([FromBody] UserViewModel user) public async Task<OmbiIdentityResult> CreateUser([FromBody] UserViewModel user)
{ {
@ -221,6 +221,10 @@ namespace Ombi.Controllers
{ {
return Error($"The email address {user.EmailAddress} is not a valid format"); return Error($"The email address {user.EmailAddress} is not a valid format");
} }
if (!CanModifyUser(user.Claims.Select(x => x.Value)))
{
return Error("You do not have the correct permissions to create this user");
}
var ombiUser = new OmbiUser var ombiUser = new OmbiUser
{ {
Alias = user.Alias, Alias = user.Alias,
@ -261,6 +265,19 @@ namespace Ombi.Controllers
}; };
} }
private bool CanModifyUser(IEnumerable<string> roles)
{
if (roles.Any(x => x.Equals("admin", StringComparison.CurrentCultureIgnoreCase)))
{
// Only Admins can create admins
if (!User.IsInRole(OmbiRoles.Admin))
{
return false;
}
}
return true;
}
/// <summary> /// <summary>
/// This is for the local user to change their details. /// This is for the local user to change their details.
/// </summary> /// </summary>
@ -274,7 +291,7 @@ namespace Ombi.Controllers
{ {
return Error("You need to provide your current password to make any changes"); return Error("You need to provide your current password to make any changes");
} }
var changingPass = !string.IsNullOrEmpty(ui.Password) || !string.IsNullOrEmpty(ui.ConfirmNewPassword); var changingPass = !string.IsNullOrEmpty(ui.Password) || !string.IsNullOrEmpty(ui.ConfirmNewPassword);
if (changingPass) if (changingPass)
@ -338,7 +355,7 @@ namespace Ombi.Controllers
/// </summary> /// </summary>
/// <param name = "ui" > The user.</param> /// <param name = "ui" > The user.</param>
/// <returns></returns> /// <returns></returns>
[HttpPut] [HttpPut]
[PowerUser] [PowerUser]
public async Task<OmbiIdentityResult> UpdateUser([FromBody] UserViewModel ui) public async Task<OmbiIdentityResult> UpdateUser([FromBody] UserViewModel ui)
{ {
@ -346,6 +363,10 @@ namespace Ombi.Controllers
{ {
return Error($"The email address {ui.EmailAddress} is not a valid format"); return Error($"The email address {ui.EmailAddress} is not a valid format");
} }
if (!CanModifyUser(ui.Claims.Select(x => x.Value)))
{
return Error("You do not have the correct permissions to create this user");
}
// Get the user // Get the user
var user = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == ui.Id); var user = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == ui.Id);
user.Alias = ui.Alias; user.Alias = ui.Alias;
@ -394,14 +415,20 @@ namespace Ombi.Controllers
/// </summary> /// </summary>
/// <param name="userId">The user.</param> /// <param name="userId">The user.</param>
/// <returns></returns> /// <returns></returns>
[HttpDelete("{userId}")] [HttpDelete("{userId}")]
[PowerUser] [PowerUser]
public async Task<OmbiIdentityResult> DeleteUser(string userId) public async Task<OmbiIdentityResult> DeleteUser(string userId)
{ {
var userToDelete = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == userId); var userToDelete = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == userId);
if (userToDelete != null) if (userToDelete != null)
{ {
// Can we delete this user?
var userRoles = await UserManager.GetRolesAsync(userToDelete);
if (!CanModifyUser(userRoles))
{
return Error("You do not have the correct permissions to delete this user");
}
var result = await UserManager.DeleteAsync(userToDelete); var result = await UserManager.DeleteAsync(userToDelete);
if (result.Succeeded) if (result.Succeeded)
{ {
@ -423,7 +450,7 @@ namespace Ombi.Controllers
/// Gets all available claims in the system. /// Gets all available claims in the system.
/// </summary> /// </summary>
/// <returns></returns> /// <returns></returns>
[HttpGet("claims")] [HttpGet("claims")]
[PowerUser] [PowerUser]
public async Task<IEnumerable<ClaimCheckboxes>> GetAllClaims() public async Task<IEnumerable<ClaimCheckboxes>> GetAllClaims()
{ {
@ -444,7 +471,7 @@ namespace Ombi.Controllers
//public async Task SendWelcomeEmail([FromBody] UserViewModel user) //public async Task SendWelcomeEmail([FromBody] UserViewModel user)
//{ //{
//} //}
/// <summary> /// <summary>
@ -459,18 +486,18 @@ namespace Ombi.Controllers
{ {
// Check if account exists // Check if account exists
var user = await UserManager.FindByEmailAsync(email.Email); var user = await UserManager.FindByEmailAsync(email.Email);
var defaultMessage = new OmbiIdentityResult var defaultMessage = new OmbiIdentityResult
{ {
Successful = true, Successful = true,
Errors = new List<string> { "If this account exists you should recieve a password reset link." } Errors = new List<string> { "If this account exists you should recieve a password reset link." }
}; };
if (user == null) if (user == null)
{ {
return defaultMessage; return defaultMessage;
} }
// We have the user // We have the user
var token = await UserManager.GeneratePasswordResetTokenAsync(user); var token = await UserManager.GeneratePasswordResetTokenAsync(user);
// We now need to email the user with this token // We now need to email the user with this token
@ -531,7 +558,7 @@ namespace Ombi.Controllers
}; };
} }
[HttpPost("welcomeEmail")] [HttpPost("welcomeEmail")]
[PowerUser] [PowerUser]
public void SendWelcomeEmail([FromBody] UserViewModel user) public void SendWelcomeEmail([FromBody] UserViewModel user)
{ {
@ -542,7 +569,7 @@ namespace Ombi.Controllers
}; };
BackgroundJob.Enqueue(() => WelcomeEmail.SendEmail(ombiUser)); BackgroundJob.Enqueue(() => WelcomeEmail.SendEmail(ombiUser));
} }
private async Task<List<Microsoft.AspNetCore.Identity.IdentityResult>> AddRoles(IEnumerable<ClaimCheckboxes> roles, OmbiUser ombiUser) private async Task<List<Microsoft.AspNetCore.Identity.IdentityResult>> AddRoles(IEnumerable<ClaimCheckboxes> roles, OmbiUser ombiUser)
{ {
var roleResult = new List<Microsoft.AspNetCore.Identity.IdentityResult>(); var roleResult = new List<Microsoft.AspNetCore.Identity.IdentityResult>();
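Review bot: In UpdateUser the new CanModifyUser check only inspects the roles submitted in `ui.Claims`, not the roles the target account currently holds, so a PowerUser can still modify an existing admin (submitting a claim set without "admin" strips the role, and the password/email fields of that account are changed on the same request); DeleteUser already handles this correctly by calling `UserManager.GetRolesAsync` on the stored user, and UpdateUser should check both the existing and the requested roles after the user lookup. The copied error message on the line below that check says "create this user" and should read "modify this user". In CanModifyUser, `StringComparison.CurrentCultureIgnoreCase` on a role name should be `StringComparison.OrdinalIgnoreCase`, since role identifiers are not linguistic text. `user.Claims` and `ui.Claims` are dereferenced without a null check in CreateUser and UpdateUser; whether model validation guarantees a non-null collection is not visible in this diff, and the `FirstOrDefaultAsync` result in UpdateUser is likewise dereferenced without a null check on the existing line that follows.
```csharp
// … unchanged: email format validation …
// Get the user
var user = await UserManager.Users.FirstOrDefaultAsync(x => x.Id == ui.Id);
if (user == null)
{
    return Error("Could not find the user to update");
}
// Check the target's current roles as well as the requested ones, so a
// non-admin cannot strip or take over an existing admin account.
var existingRoles = await UserManager.GetRolesAsync(user);
if (!CanModifyUser(existingRoles) || !CanModifyUser(ui.Claims.Select(x => x.Value)))
{
    return Error("You do not have the correct permissions to modify this user");
}
user.Alias = ui.Alias;
// … unchanged: remaining property updates …
```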
