HAM/Berufsschule_HAM
1
0
Fork 1
mirror of https://github.com/LD-Reborn/Berufsschule_HAM.git synced 2025-12-20 06:51:55 +00:00
Code Issues Packages Projects 1 Releases Wiki Activity

Merge pull request #142 from LD-Reborn/141-feature-implement-proper-authorization-with-groups

Browse Source 
141 feature implement proper authorization with groups
This commit is contained in:
LD50
2025-10-17 18:52:58 +02:00
committed by GitHub
parent 97e0d2523a 6867899268
commit 459d37eb99
9 changed files with 120 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/Controllers/AssetsController.cs
View File

@@ -20,6 +20,7 @@ public class AssetsController : Controller
_logger = logger;
}
[Authorize(Roles = "CanManageAssets,CanInventorize")]
[HttpGet("Get")]
public async Task<AssetsGetResponseModel> GetAllAssetModelAsync(string Cn)
{
@@ -41,6 +42,7 @@ public class AssetsController : Controller
return result;
}
[Authorize(Roles = "CanManageAssets")]
[HttpGet("GetAll")]
public async Task<AssetsGetAllResponseModel> GetAllAssetModelAsync()
{
@@ -63,6 +65,7 @@ public class AssetsController : Controller
return result;
}
[Authorize(Roles = "CanManageAssets")]
[HttpPost("Create")]
public async Task<AssetsCreateResponseModel> Create([FromBody]AssetsCreateRequestModel assetModel)
{
@@ -117,6 +120,7 @@ public class AssetsController : Controller
return result;
}
[Authorize(Roles = "CanManageAssets")]
[HttpDelete("Delete")]
public async Task<AssetsDeleteResponseModel> Delete([BindRequired] string cn)
{
@@ -143,6 +147,7 @@ public class AssetsController : Controller
});
}
[Authorize(Roles = "CanManageAssets,CanInventorize")]
[HttpPatch("Update")]
public async Task<AssetsUpdateResponseModel> Update([FromBody] AssetsModifyRequestModel requestModel)
{

2
src/Controllers/GroupsController.cs
View File

@@ -5,7 +5,7 @@ using Berufsschule_HAM.Models;
using System.Text.Json;
using Microsoft.AspNetCore.Authorization;
[Authorize]
[Authorize(Roles = "CanManageGroups")]
[Route("[controller]")]
public class GroupsController : Controller
{

23
src/Controllers/HomeController.cs
View File

@@ -27,7 +27,7 @@ public class HomeController : Controller
return View();
}
[Authorize]
[Authorize(Roles = "CanManageAssets")]
[HttpGet("Assets")]
public async Task<IActionResult> Assets()
{
@@ -48,14 +48,14 @@ public class HomeController : Controller
return View(new HomeIndexViewModel() { AssetsTableViewModels = assetsTableViewModels });
}
[Authorize]
[Authorize(Roles = "CanInventorize")]
[HttpGet("Inventory")]
public ActionResult Inventory()
{
return View();
}
[Authorize]
[Authorize(Roles = "CanManageLocations")]
[HttpGet("Locations")]
public async Task<ActionResult> LocationsAsync()
{
@@ -74,7 +74,7 @@ public class HomeController : Controller
return View(new LocationsIndexViewModel() { LocationTableViewModels = LocationsTableViewModels });
}
[Authorize]
[Authorize(Roles = "CanManageUsers")]
[HttpGet("Users")]
public async Task<ActionResult> UsersAsync()
{
@@ -95,7 +95,7 @@ public class HomeController : Controller
return View(new UsersIndexViewModel() { UserTableViewModels = UserTableViewModels });
}
[Authorize]
[Authorize(Roles = "CanManageGroups")]
[HttpGet("Groups")]
public async Task<ActionResult> GroupsAsync()
{
@@ -113,6 +113,19 @@ public class HomeController : Controller
[
new(ClaimTypes.Name, username)
];
HashSet<string> roles = [];
foreach (string groupCn in authenticationResult.UserModel?.Description?.Groups ?? [])
{
GroupModel group = await _ldap.GetGroupByCnAsync(groupCn, _ldap.GroupsAttributes);
foreach (GroupPermission permission in group.Permissions)
{
roles.Add(permission.ToString());
}
}
foreach (string role in roles)
{
claims.Add(new(ClaimTypes.Role, role));
}
var claimsIdentity = new ClaimsIdentity(
claims,

2
src/Controllers/LocationsController.cs
View File

@@ -6,7 +6,7 @@ using Microsoft.AspNetCore.Authorization;
using Novell.Directory.Ldap;
using Berufsschule_HAM.Helpers;
[Authorize]
[Authorize(Roles = "CanManageLocations")]
[Route("[controller]")]
public class LocationsController : Controller
{

50
src/Controllers/UsersController.cs
View File

@@ -7,8 +7,9 @@ using Berufsschule_HAM.Helpers;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authorization;
using System.Text.Json;
[Authorize]
[Authorize(Roles = "CanManageUsers")]
[Route("[controller]")]
public class UsersController : Controller
{
@@ -95,9 +96,9 @@ public class UsersController : Controller
return false;
}
}
[HttpPost("Update")]
public async Task<bool> Update([FromBody]UsersModifyRequestModel requestModel)
public async Task<bool> Update([FromBody] UsersModifyRequestModel requestModel)
{
if (requestModel is null)
{
@@ -145,4 +146,47 @@ public class UsersController : Controller
}
return true;
}
[HttpPost("AddGroup")]
public async Task<bool> AddGroup([FromBody]UsersAddGroupRequestModel requestModel)
{
try
{
UserModel userModel = await _ldap.GetUserByUidAsync(requestModel.Uid);
userModel.Description ??= new() { Address = new(), BirthDate = "", Workplace = "" };
userModel.Description.Groups ??= [];
try
{
GroupModel group = await _ldap.GetGroupByCnAsync(requestModel.GroupUid, _ldap.GroupsAttributes);
} catch (Exception)
{
return false;
}
userModel.Description.Groups.Add(requestModel.GroupUid);
await _ldap.UpdateUser(requestModel.Uid, "description", JsonSerializer.Serialize(userModel.Description));
return true;
} catch (Exception ex)
{
_logger.LogError("Unable to add group {} to user {}: {ex.Message} - {ex.StackTrace}", [requestModel.GroupUid, requestModel.Uid, ex.Message, ex.StackTrace]);
return false;
}
}
[HttpPost("RemoveGroup")]
public async Task<bool> RemoveGroup([FromBody]UsersRemoveGroupRequestModel requestModel)
{
try
{
UserModel userModel = await _ldap.GetUserByUidAsync(requestModel.Uid);
userModel.Description ??= new() { Address = new(), BirthDate = "", Workplace = "" };
userModel.Description.Groups ??= [];
userModel.Description.Groups.Remove(requestModel.GroupUid);
await _ldap.UpdateUser(requestModel.Uid, "description", JsonSerializer.Serialize(userModel.Description));
return true;
} catch (Exception ex)
{
_logger.LogError("Unable to remove group {} from user {}: {ex.Message} - {ex.StackTrace}", [requestModel.GroupUid, requestModel.Uid, ex.Message, ex.StackTrace]);
return false;
}
}
}

4
src/Models/UserModels.cs
View File

@@ -29,6 +29,7 @@ public class UserDescription
public required string BirthDate { get; set; }
public required UserAddress Address { get; set; }
public required string Workplace { get; set; }
public List<string>? Groups { get; set; }
}
public class UserAddress
@@ -40,8 +41,9 @@ public class UserAddress
public class UserAuthenticationResult
{
public required bool Success;
public required bool Success { get; set; }
public UserNotAuthenticatedReason AuthenticationState { get; set; } = UserNotAuthenticatedReason.None;
public UserModel? UserModel { get; set; }
}
public enum UserNotAuthenticatedReason

12
src/Models/UsersRequestModels.cs
View File

@@ -28,4 +28,16 @@ public class UsersDeleteRequestModel(bool successful, string exception = "None")
public bool Success { get; set; } = successful;
public string? Exception { get; set; } = exception;
}
public class UsersAddGroupRequestModel
{
public required string Uid { get; set; }
public required string GroupUid { get; set; }
}
public class UsersRemoveGroupRequestModel
{
public required string Uid { get; set; }
public required string GroupUid { get; set; }
}

2
src/Services/LdapService.cs
View File

@@ -297,7 +297,7 @@ public async Task CreateAsset(LdapAttributeSet attributeSet)
}
if (CompareStringToSha256(password, user.UserPassword))
{
return new() { Success = true };
return new() { Success = true, UserModel = user };
}
return new() { Success = false, AuthenticationState = UserNotAuthenticatedReason.InvalidCredentials };
}

48
src/Views/Shared/_Layout.cshtml
View File

@@ -1,4 +1,5 @@
@using Microsoft.AspNetCore.Mvc.Localization
@using System.Security.Claims
@inject IViewLocalizer T
<!DOCTYPE html>
<html lang="en">
@@ -32,23 +33,38 @@
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Index">@T["Quick-Actions"]</a>
</li>
@if (User.Identity.IsAuthenticated)
@if (User.Identity?.IsAuthenticated ?? false)
{
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Inventory">@T["Inventory"]</a>
</li>
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Assets">@T["Assets"]</a>
</li>
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Locations">@T["Locations"]</a>
</li>
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Users">@T["Users"]</a>
</li>
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Groups">@T["Groups"]</a>
</li>
@if (User.HasClaim(ClaimTypes.Role, "CanInventorize"))
{
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Inventory">@T["Inventory"]</a>
</li>
}
@if (User.HasClaim(ClaimTypes.Role, "CanManageAssets"))
{
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Assets">@T["Assets"]</a>
</li>
}
@if (User.HasClaim(ClaimTypes.Role, "CanManageLocations"))
{
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Locations">@T["Locations"]</a>
</li>
}
@if (User.HasClaim(ClaimTypes.Role, "CanManageUsers"))
{
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Users">@T["Users"]</a>
</li>
}
@if (User.HasClaim(ClaimTypes.Role, "CanManageGroups"))
{
<li class="nav-item">
<a class="nav-link text" asp-area="" asp-controller="Home" asp-action="Groups">@T["Groups"]</a>
</li>
}
}
<li class="nav-item">
@if (User.Identity.IsAuthenticated)