Merge pull request #4605 from sbwalker/dev

fix #4600 - filter user settings in API layer
oqtane · Sep 11, 2024 · 4d4a7bf · 4d4a7bf
2 parents e194971 + 044cee3
commit 4d4a7bf
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 23 deletions.
diff --git a/Oqtane.Server/Controllers/UserController.cs b/Oqtane.Server/Controllers/UserController.cs
@@ -28,9 +28,10 @@ public class UserController : Controller
         private readonly IUserPermissions _userPermissions;
         private readonly IJwtManager _jwtManager;
         private readonly IFileRepository _files;
+        private readonly ISettingRepository _settings;
         private readonly ILogManager _logger;
 
-        public UserController(IUserRepository users, ITenantManager tenantManager, IUserManager userManager, ISiteRepository sites, IUserPermissions userPermissions, IJwtManager jwtManager, IFileRepository files, ILogManager logger)
+        public UserController(IUserRepository users, ITenantManager tenantManager, IUserManager userManager, ISiteRepository sites, IUserPermissions userPermissions, IJwtManager jwtManager, IFileRepository files, ISettingRepository settings, ILogManager logger)
         {
             _users = users;
             _tenantManager = tenantManager;
@@ -39,6 +40,7 @@ public UserController(IUserRepository users, ITenantManager tenantManager, IUser
             _userPermissions = userPermissions;
             _jwtManager = jwtManager;
             _files = files;
+            _settings = settings;
             _logger = logger;
         }
 
@@ -110,31 +112,54 @@ public User Get(string username, string email, string siteid)
 
         private User Filter(User user)
         {
+            // clone object to avoid mutating cache 
+            User filtered = null;
+
             if (user != null)
             {
-                user.Password = "";
-                user.IsAuthenticated = false;
-                user.TwoFactorCode = "";
-                user.TwoFactorExpiry = null;
+                filtered = new User();
+
+                // public properties
+                filtered.UserId = user.UserId;
+                filtered.Username = user.Username;
+                filtered.DisplayName = user.DisplayName;
+                filtered.Password = "";
+                filtered.TwoFactorCode = "";
+
+                // include private properties if authenticated user is accessing their own user account os is an administrator
+                if (_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) || _userPermissions.GetUser(User).UserId == user.UserId)
+                {
+                    filtered.Email = user.Email;
+                    filtered.PhotoFileId = user.PhotoFileId;
+                    filtered.LastLoginOn = user.LastLoginOn;
+                    filtered.LastIPAddress = user.LastIPAddress;
+                    filtered.TwoFactorRequired = false;
+                    filtered.Roles = user.Roles;
+                    filtered.CreatedBy = user.CreatedBy;
+                    filtered.CreatedOn = user.CreatedOn;
+                    filtered.ModifiedBy = user.ModifiedBy;
+                    filtered.ModifiedOn = user.ModifiedOn;
+                    filtered.DeletedBy = user.DeletedBy;
+                    filtered.DeletedOn = user.DeletedOn;
+                    filtered.IsDeleted = user.IsDeleted;
+                }
 
-                if (!_userPermissions.IsAuthorized(User, user.SiteId, EntityNames.User, -1, PermissionNames.Write, RoleNames.Admin) && User.Identity.Name?.ToLower() != user.Username.ToLower())
+                // if authenticated user is accessing their own user account
+                if (_userPermissions.GetUser(User).UserId == user.UserId)
                 {
-                    user.Email = "";
-                    user.PhotoFileId = null;
-                    user.LastLoginOn = DateTime.MinValue;
-                    user.LastIPAddress = "";
-                    user.Roles = "";
-                    user.CreatedBy = "";
-                    user.CreatedOn = DateTime.MinValue;
-                    user.ModifiedBy = "";
-                    user.ModifiedOn = DateTime.MinValue;
-                    user.DeletedBy = "";
-                    user.DeletedOn = DateTime.MinValue;
-                    user.IsDeleted = false;
-                    user.TwoFactorRequired = false;
+                    // include all settings
+                    filtered.Settings = user.Settings;
+                }
+                else
+                {
+                    // include only public settings
+                    filtered.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
+                        .Where(item => !item.IsPrivate)
+                        .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
                 }
             }
-            return user;
+
+            return filtered;
         }
 
         // POST api/<controller>

diff --git a/Oqtane.Server/Managers/UserManager.cs b/Oqtane.Server/Managers/UserManager.cs
@@ -12,7 +12,6 @@
 using Oqtane.Infrastructure;
 using Oqtane.Models;
 using Oqtane.Repository;
-using Oqtane.Security;
 using Oqtane.Shared;
 
 namespace Oqtane.Managers
@@ -65,8 +64,7 @@ public User GetUser(int userid, int siteid)
                 {
                     user.SiteId = siteid;
                     user.Roles = GetUserRoles(user.UserId, user.SiteId);
-                    List<Setting> settings = _settings.GetSettings(EntityNames.User, user.UserId).ToList();
-                    user.Settings = settings.Where(item => !item.IsPrivate || user.UserId == user.UserId)
+                    user.Settings = _settings.GetSettings(EntityNames.User, user.UserId)
                         .ToDictionary(setting => setting.SettingName, setting => setting.SettingValue);
                 }
                 return user;