Read Only Account Changes + Fixes from last PR #3453

Merged
merged 5 commits into from
Dec 11, 2024
5 changes: 4 additions & 1 deletion API/Controllers/AccountController.cs
Expand Up @@ -457,6 +457,7 @@ public async Task<ActionResult> UpdateAgeRestriction(UpdateAgeRestrictionDto dto
{
var user = await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername());
if (user == null) return Unauthorized(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

var isAdmin = await _unitOfWork.UserRepository.IsUserAdminAsync(user);
if (!await _accountService.CanChangeAgeRestriction(user)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
Expand Down Expand Up @@ -494,6 +495,7 @@ public async Task<ActionResult> UpdateAccount(UpdateUserDto dto)
var adminUser = await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername());
if (adminUser == null) return Unauthorized();
if (!await _unitOfWork.UserRepository.IsUserAdminAsync(adminUser)) return Unauthorized(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

var user = await _unitOfWork.UserRepository.GetUserByIdAsync(dto.UserId, AppUserIncludes.SideNavStreams);
if (user == null) return BadRequest(await _localizationService.Translate(User.GetUserId(), "no-user"));
Expand Down Expand Up @@ -911,7 +913,6 @@ public async Task<ActionResult<string>> ConfirmForgotPassword(ConfirmPasswordRes
[EnableRateLimiting("Authentication")]
public async Task<ActionResult<string>> ForgotPassword([FromQuery] string email)
{

var settings = await _unitOfWork.SettingsRepository.GetSettingsDtoAsync();
var user = await _unitOfWork.UserRepository.GetUserByEmailAsync(email);
if (user == null)
Expand Down Expand Up @@ -1012,6 +1013,8 @@ public async Task<ActionResult<InviteUserResponse>> ResendConfirmationSendEmail(
await _localizationService.Translate(user.Id, "user-migration-needed"));
if (user.EmailConfirmed) return BadRequest(await _localizationService.Translate(user.Id, "user-already-confirmed"));

// TODO: If the target user is read only, we might want to just forgo this

var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);
user.ConfirmationToken = token;
_unitOfWork.UserRepository.Update(user);
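Review bot: The new guard in UpdateAgeRestriction answers an authorization failure with BadRequest, so a read-only user receives a 400 that clients treat as a malformed request, and in UpdateAccount the same method now answers the adjacent admin check with Unauthorized and the read-only check with BadRequest. A 403 fits both cases: `if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return Forbid();`, or `StatusCode(StatusCodes.Status403Forbidden, await _localizationService.Translate(User.GetUserId(), "permission-denied"))` if the localized message must be kept (StatusCodes lives in Microsoft.AspNetCore.Http). The same applies to every inline guard added in CblController, ChapterController, CollectionController, FilterController and ReadingListController. More broadly, a per-action denylist fails open for any mutating action that is forgotten; PersonController already uses an `[Authorize]` policy attribute, and a policy or action filter that rejects ReadOnlyRole on non-GET actions would make the default fail closed, which would also settle the TODO left in ResendConfirmationSendEmail. Both UpdateAgeRestriction and UpdateAccount continue outside their hunks.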
7 changes: 6 additions & 1 deletion API/Controllers/CBLController.cs
Expand Up @@ -2,6 +2,7 @@
using System.Collections.Generic;
using System.IO;
using System.Threading.Tasks;
using API.Constants;
using API.DTOs.ReadingLists.CBL;
using API.Extensions;
using API.Services;
Expand All @@ -20,11 +21,13 @@ public class CblController : BaseApiController
{
private readonly IReadingListService _readingListService;
private readonly IDirectoryService _directoryService;
private readonly ILocalizationService _localizationService;

public CblController(IReadingListService readingListService, IDirectoryService directoryService)
public CblController(IReadingListService readingListService, IDirectoryService directoryService, ILocalizationService localizationService)
{
_readingListService = readingListService;
_directoryService = directoryService;
_localizationService = localizationService;
}

/// <summary>
Expand Down Expand Up @@ -91,6 +94,8 @@ public async Task<ActionResult<CblImportSummaryDto>> ValidateCbl(IFormFile cbl,
[SwaggerIgnore]
public async Task<ActionResult<CblImportSummaryDto>> ImportCbl(IFormFile cbl, [FromQuery] bool dryRun = false, [FromQuery] bool useComicVineMatching = false)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

try
{
var userId = User.GetUserId();
3 changes: 3 additions & 0 deletions API/Controllers/ChapterController.cs
Expand Up @@ -2,6 +2,7 @@
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using API.Constants;
using API.Data;
using API.Data.Repositories;
using API.DTOs;
Expand Down Expand Up @@ -58,6 +59,8 @@ await _unitOfWork.ChapterRepository.GetChapterDtoAsync(chapterId,
[HttpDelete]
public async Task<ActionResult<bool>> DeleteChapter(int chapterId)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

var chapter = await _unitOfWork.ChapterRepository.GetChapterAsync(chapterId);
if (chapter == null)
return BadRequest(_localizationService.Translate(User.GetUserId(), "chapter-doesnt-exist"));
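Review bot: In DeleteChapter the existing line two below the new guard, `return BadRequest(_localizationService.Translate(User.GetUserId(), "chapter-doesnt-exist"));`, passes the Task returned by Translate rather than its result, whereas the new guard awaits the same call; the response for a missing chapter would carry the serialized Task instead of the message. Change it to `return BadRequest(await _localizationService.Translate(User.GetUserId(), "chapter-doesnt-exist"));`. The method body continues past the hunk.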
16 changes: 16 additions & 0 deletions API/Controllers/CollectionController.cs
Expand Up @@ -105,6 +105,8 @@ public async Task<ActionResult<bool>> DoesNameExists(string name)
[HttpPost("update")]
public async Task<ActionResult> UpdateTag(AppUserCollectionDto updatedTag)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

try
{
if (await _collectionService.UpdateTag(updatedTag, User.GetUserId()))
Expand All @@ -130,6 +132,8 @@ await _eventHub.SendMessageAsync(MessageFactory.CollectionUpdated,
[HttpPost("promote-multiple")]
public async Task<ActionResult> PromoteMultipleCollections(PromoteCollectionsDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

// This needs to take into account owner as I can select other users cards
var collections = await _unitOfWork.CollectionTagRepository.GetCollectionsByIds(dto.CollectionIds);
var userId = User.GetUserId();
Expand Down Expand Up @@ -161,6 +165,8 @@ public async Task<ActionResult> PromoteMultipleCollections(PromoteCollectionsDto
[HttpPost("delete-multiple")]
public async Task<ActionResult> DeleteMultipleCollections(DeleteCollectionsDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

// This needs to take into account owner as I can select other users cards
var user = await _unitOfWork.UserRepository.GetUserByIdAsync(User.GetUserId(), AppUserIncludes.Collections);
if (user == null) return Unauthorized();
Expand All @@ -182,6 +188,8 @@ public async Task<ActionResult> DeleteMultipleCollections(DeleteCollectionsDto d
[HttpPost("update-for-series")]
public async Task<ActionResult> AddToMultipleSeries(CollectionTagBulkAddDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

// Create a new tag and save
var user = await _unitOfWork.UserRepository.GetUserByIdAsync(User.GetUserId(), AppUserIncludes.Collections);
if (user == null) return Unauthorized();
Expand Down Expand Up @@ -223,6 +231,8 @@ public async Task<ActionResult> AddToMultipleSeries(CollectionTagBulkAddDto dto)
[HttpPost("update-series")]
public async Task<ActionResult> RemoveTagFromMultipleSeries(UpdateSeriesForTagDto updateSeriesForTagDto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

try
{
var tag = await _unitOfWork.CollectionTagRepository.GetCollectionAsync(updateSeriesForTagDto.Tag.Id, CollectionIncludes.Series);
Expand All @@ -247,6 +257,8 @@ public async Task<ActionResult> RemoveTagFromMultipleSeries(UpdateSeriesForTagDt
[HttpDelete]
public async Task<ActionResult> DeleteTag(int tagId)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

try
{
var user = await _unitOfWork.UserRepository.GetUserByIdAsync(User.GetUserId(), AppUserIncludes.Collections);
Expand Down Expand Up @@ -276,6 +288,8 @@ public async Task<ActionResult> DeleteTag(int tagId)
[HttpGet("mal-stacks")]
public async Task<ActionResult<IList<MalStackDto>>> GetMalStacksForUser()
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

return Ok(await _externalMetadataService.GetStacksForUser(User.GetUserId()));
}

Expand All @@ -289,6 +303,8 @@ public async Task<ActionResult> ImportMalStack(MalStackDto dto)
{
var user = await _unitOfWork.UserRepository.GetUserByIdAsync(User.GetUserId(), AppUserIncludes.Collections);
if (user == null) return Unauthorized();
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));


// Validation check to ensure stack doesn't exist already
if (await _unitOfWork.CollectionTagRepository.CollectionExists(dto.Title, user.Id))
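Review bot: In ImportMalStack the read-only guard is placed after the user lookup, so a denied request still loads the user with its Collections include, unlike every other action in this file where the guard is the first statement; move `if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));` above the `GetUserByIdAsync` call and drop one of the two blank lines that follow it. GetMalStacksForUser is a read endpoint that returns the user's stacks via `Ok(...)`, so blocking it for a role named read-only looks broader than the name suggests; if that is intended, a one-line comment on the guard stating why would stop the next reader from removing it. ImportMalStack's body continues outside the hunk.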
9 changes: 8 additions & 1 deletion API/Controllers/FilterController.cs
Expand Up @@ -2,13 +2,15 @@
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using API.Constants;
using API.Data;
using API.Data.Repositories;
using API.DTOs.Dashboard;
using API.DTOs.Filtering.v2;
using API.Entities;
using API.Extensions;
using API.Helpers;
using API.Services;
using Microsoft.AspNetCore.Mvc;

namespace API.Controllers;
Expand All @@ -21,10 +23,12 @@ namespace API.Controllers;
public class FilterController : BaseApiController
{
private readonly IUnitOfWork _unitOfWork;
private readonly ILocalizationService _localizationService;

public FilterController(IUnitOfWork unitOfWork)
public FilterController(IUnitOfWork unitOfWork, ILocalizationService localizationService)
{
_unitOfWork = unitOfWork;
_localizationService = localizationService;
}

/// <summary>
Expand All @@ -37,6 +41,7 @@ public async Task<ActionResult> CreateOrUpdateSmartFilter(FilterV2Dto dto)
{
var user = await _unitOfWork.UserRepository.GetUserByIdAsync(User.GetUserId(), AppUserIncludes.SmartFilters);
if (user == null) return Unauthorized();
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

if (string.IsNullOrWhiteSpace(dto.Name)) return BadRequest("Name must be set");
if (Seed.DefaultStreams.Any(s => s.Name.Equals(dto.Name, StringComparison.InvariantCultureIgnoreCase)))
Expand Down Expand Up @@ -78,6 +83,8 @@ public ActionResult<IEnumerable<SmartFilterDto>> GetFilters()
[HttpDelete]
public async Task<ActionResult> DeleteFilter(int filterId)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

var filter = await _unitOfWork.AppUserSmartFilterRepository.GetById(filterId);
if (filter == null) return Ok();
// This needs to delete any dashboard filters that have it too
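Review bot: In CreateOrUpdateSmartFilter the read-only guard comes after the `GetUserByIdAsync(..., AppUserIncludes.SmartFilters)` call, whereas DeleteFilter in the same file checks the role before touching the repository; moving the guard above the lookup avoids loading the user's filters for a request that will be rejected anyway. The following line, `return BadRequest("Name must be set")`, returns a hard-coded English message beside the new localized one; `await _localizationService.Translate(User.GetUserId(), "<message-key>")` with an appropriate key would keep the action consistent now that the controller has the service injected. Both method bodies continue outside their hunks.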
2 changes: 2 additions & 0 deletions API/Controllers/PersonController.cs
Expand Up @@ -9,6 +9,7 @@
using API.Services.Tasks.Metadata;
using API.SignalR;
using AutoMapper;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Nager.ArticleNumber;

Expand Down Expand Up @@ -72,6 +73,7 @@ public async Task<ActionResult<PagedList<BrowsePersonDto>>> GetAuthorsForBrowse(
/// </summary>
/// <param name="dto"></param>
/// <returns></returns>
[Authorize("AdminRequired")]
[HttpPost("update")]
public async Task<ActionResult<PersonDto>> UpdatePerson(UpdatePersonDto dto)
{
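Review bot: `[Authorize("AdminRequired")]` on UpdatePerson names the policy with a bare string literal, so a typo would surface only as a runtime authorization failure; if the project keeps policy names next to the role names in PolicyConstants (that file is not visible here), referencing the constant is safer. The XML doc directly above the attribute has empty `<param name="dto">` and `<returns>` elements; filling them and adding `/// <remarks>Requires the AdminRequired policy.</remarks>` would document the new restriction for API consumers. UpdatePerson's body lies outside the hunk.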
14 changes: 14 additions & 0 deletions API/Controllers/ReadingListController.cs
Expand Up @@ -108,6 +108,7 @@ public async Task<ActionResult<IEnumerable<ReadingListItemDto>>> GetListForUser(
[HttpPost("update-position")]
public async Task<ActionResult> UpdateListItemPosition(UpdateReadingListPosition dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
// Make sure UI buffers events
var user = await _readingListService.UserHasReadingListAccess(dto.ReadingListId, User.GetUsername());
if (user == null)
Expand All @@ -129,6 +130,7 @@ public async Task<ActionResult> UpdateListItemPosition(UpdateReadingListPosition
[HttpPost("delete-item")]
public async Task<ActionResult> DeleteListItem(UpdateReadingListPosition dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _readingListService.UserHasReadingListAccess(dto.ReadingListId, User.GetUsername());
if (user == null)
{
Expand All @@ -151,6 +153,8 @@ public async Task<ActionResult> DeleteListItem(UpdateReadingListPosition dto)
[HttpPost("remove-read")]
public async Task<ActionResult> DeleteReadFromList([FromQuery] int readingListId)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

var user = await _readingListService.UserHasReadingListAccess(readingListId, User.GetUsername());
if (user == null)
{
Expand All @@ -173,6 +177,7 @@ public async Task<ActionResult> DeleteReadFromList([FromQuery] int readingListId
[HttpDelete]
public async Task<ActionResult> DeleteList([FromQuery] int readingListId)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _readingListService.UserHasReadingListAccess(readingListId, User.GetUsername());
if (user == null)
{
Expand All @@ -193,6 +198,7 @@ public async Task<ActionResult> DeleteList([FromQuery] int readingListId)
[HttpPost("create")]
public async Task<ActionResult<ReadingListDto>> CreateList(CreateReadingListDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _unitOfWork.UserRepository.GetUserByUsernameAsync(User.GetUsername(), AppUserIncludes.ReadingLists);
if (user == null) return Unauthorized();

Expand All @@ -216,6 +222,7 @@ public async Task<ActionResult<ReadingListDto>> CreateList(CreateReadingListDto
[HttpPost("update")]
public async Task<ActionResult> UpdateList(UpdateReadingListDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var readingList = await _unitOfWork.ReadingListRepository.GetReadingListByIdAsync(dto.ReadingListId);
if (readingList == null) return BadRequest(await _localizationService.Translate(User.GetUserId(), "reading-list-doesnt-exist"));

Expand Down Expand Up @@ -245,6 +252,7 @@ public async Task<ActionResult> UpdateList(UpdateReadingListDto dto)
[HttpPost("update-by-series")]
public async Task<ActionResult> UpdateListBySeries(UpdateReadingListBySeriesDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _readingListService.UserHasReadingListAccess(dto.ReadingListId, User.GetUsername());
if (user == null)
{
Expand Down Expand Up @@ -287,6 +295,7 @@ public async Task<ActionResult> UpdateListBySeries(UpdateReadingListBySeriesDto
[HttpPost("update-by-multiple")]
public async Task<ActionResult> UpdateListByMultiple(UpdateReadingListByMultipleDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _readingListService.UserHasReadingListAccess(dto.ReadingListId, User.GetUsername());
if (user == null)
{
Expand Down Expand Up @@ -331,6 +340,7 @@ public async Task<ActionResult> UpdateListByMultiple(UpdateReadingListByMultiple
[HttpPost("update-by-multiple-series")]
public async Task<ActionResult> UpdateListByMultipleSeries(UpdateReadingListByMultipleSeriesDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _readingListService.UserHasReadingListAccess(dto.ReadingListId, User.GetUsername());
if (user == null)
{
Expand Down Expand Up @@ -369,6 +379,7 @@ public async Task<ActionResult> UpdateListByMultipleSeries(UpdateReadingListByMu
[HttpPost("update-by-volume")]
public async Task<ActionResult> UpdateListByVolume(UpdateReadingListByVolumeDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _readingListService.UserHasReadingListAccess(dto.ReadingListId, User.GetUsername());
if (user == null)
{
Expand Down Expand Up @@ -405,6 +416,7 @@ public async Task<ActionResult> UpdateListByVolume(UpdateReadingListByVolumeDto
[HttpPost("update-by-chapter")]
public async Task<ActionResult> UpdateListByChapter(UpdateReadingListByChapterDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));
var user = await _readingListService.UserHasReadingListAccess(dto.ReadingListId, User.GetUsername());
if (user == null)
{
Expand Down Expand Up @@ -514,6 +526,8 @@ public async Task<ActionResult<bool>> DoesNameExists(string name)
[HttpPost("promote-multiple")]
public async Task<ActionResult> PromoteMultipleReadingLists(PromoteReadingListsDto dto)
{
if (User.IsInRole(PolicyConstants.ReadOnlyRole)) return BadRequest(await _localizationService.Translate(User.GetUserId(), "permission-denied"));

// This needs to take into account owner as I can select other users cards
var userId = User.GetUserId();
if (!User.IsInRole(PolicyConstants.PromoteRole) && !User.IsInRole(PolicyConstants.AdminRole))
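Review bot: In PromoteMultipleReadingLists the new read-only guard sits directly above an existing check that already requires PromoteRole or AdminRole, so the added line only matters if an account can hold ReadOnlyRole together with one of those; if that combination cannot occur the guard is redundant here, and if it can, a short comment saying so would explain the double check. Spacing after the guard also varies within this file: UpdateListItemPosition through UpdateListByChapter put the next statement immediately after it, while DeleteReadFromList and PromoteMultipleReadingLists leave a blank line; pick one form. All of these method bodies continue outside their hunks.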