From af70cfb5f84e58ba92d3a447e2242326db187bd0 Mon Sep 17 00:00:00 2001
From: LD-Reborn
Date: Sun, 2 Nov 2025 15:23:31 +0100
Subject: [PATCH] Added CanManageSettings claim, Implemented authorization for admin settings
---
 docs/Specs/Object attribute specs.md | 2 +-
 src/Controllers/SettingsController.cs | 3 +++
 src/Models/GroupModel.cs | 3 ++-
 src/Models/GroupsViewModels.cs | 4 +++-
 src/Resources/Views.Home.Groups.de.resx | 6 ++++++
 src/Views/Home/Groups.cshtml | 19 +++++++++++++++++++
 src/Views/Shared/_Layout.cshtml | 5 ++++-
 7 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/docs/Specs/Object attribute specs.md b/docs/Specs/Object attribute specs.md
index 71ab039..8a27bb7 100644
--- a/docs/Specs/Object attribute specs.md
+++ b/docs/Specs/Object attribute specs.md
@@ -29,7 +29,7 @@
 - gidNumber = group id number (e.g. 1)
 - displayName = display name (e.g. "Administrator")
 - description = json string containing data as JSON. E.g.:
- - `{"Permissions": ["CanInventorize", "CanManageUsers", "CanManageLocations", "CanManageAssets", "CanManageGroups"]}`
+ - `{"Permissions": ["CanInventorize", "CanManageUsers", "CanManageLocations", "CanManageAssets", "CanManageGroups", "CanManageSettings"]}`
 ## assets
 - ObjectClass:
diff --git a/src/Controllers/SettingsController.cs b/src/Controllers/SettingsController.cs
index f694867..fa01430 100644
--- a/src/Controllers/SettingsController.cs
+++ b/src/Controllers/SettingsController.cs
@@ -28,12 +28,15 @@ public class SettingsController : Controller
 return View();
 }
+ [Authorize(Roles = "CanManageSettings")]
 [HttpGet("Admin")]
 public async Task AdminAsync()
 {
 AdminSettingsModel adminSettingsModel = await _ldap.GetAdminSettingsModelAsync();
 return View();
 }
+
+ [Authorize(Roles = "CanManageSettings")]
 [HttpPut("Admin")]
 public async Task UpdateAdminAsync([FromBody]AdminUpdateRequestModel adminSettingsRequestModel)
 {
diff --git a/src/Models/GroupModel.cs b/src/Models/GroupModel.cs
index 0b7c424..389349a 100644
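Review bot: In SettingsController.cs both new attributes spell the role as the string literal `"CanManageSettings"`, which has to stay identical to the `GroupPermission` member this commit adds in GroupModel.cs; a rename or typo on either side would silently leave the admin actions gated on a role no one holds. `[Authorize(Roles = nameof(GroupPermission.CanManageSettings))]` on `AdminAsync` and `UpdateAdminAsync` ties the two together at compile time. `Roles =` only matches role claims, so this presumably relies on the sign-in code turning group permissions into role claims; that code is not in this diff and is worth confirming, since the commit title calls it a claim. The class body continues outside the hunk, so whether the controller itself carries `[Authorize]` for actions added later cannot be seen here.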
--- a/src/Models/GroupModel.cs
+++ b/src/Models/GroupModel.cs
@@ -48,5 +48,6 @@ public enum GroupPermission
 CanManageUsers,
 CanManageLocations,
 CanManageAssets,
- CanManageGroups
+ CanManageGroups,
+ CanManageSettings
 }
\ No newline at end of file
diff --git a/src/Models/GroupsViewModels.cs b/src/Models/GroupsViewModels.cs
index 362145d..9585287 100644
--- a/src/Models/GroupsViewModels.cs
+++ b/src/Models/GroupsViewModels.cs
@@ -16,7 +16,8 @@ public class GroupsIndexViewModel
 CanManageAssets = model.Permissions.Any(x => x == GroupPermission.CanManageAssets),
 CanManageGroups = model.Permissions.Any(x => x == GroupPermission.CanManageGroups),
 CanManageLocations = model.Permissions.Any(x => x == GroupPermission.CanManageLocations),
- CanManageUsers = model.Permissions.Any(x => x == GroupPermission.CanManageUsers)
+ CanManageUsers = model.Permissions.Any(x => x == GroupPermission.CanManageUsers),
+ CanManageSettings = model.Permissions.Any(x => x == GroupPermission.CanManageSettings)
 });
 }
 }
@@ -35,4 +36,5 @@ public class GroupsTableViewModel
 public required bool CanManageLocations { get; set; }
 public required bool CanManageAssets { get; set; }
 public required bool CanManageGroups { get; set; }
+ public required bool CanManageSettings { get; set; }
 }
\ No newline at end of file
diff --git a/src/Resources/Views.Home.Groups.de.resx b/src/Resources/Views.Home.Groups.de.resx
index 4e8c2fd..8314635 100644
--- a/src/Resources/Views.Home.Groups.de.resx
+++ b/src/Resources/Views.Home.Groups.de.resx
@@ -37,6 +37,9 @@ Gruppen verwalten
+
+ Einstellungen verwalten
+
 Aktion
@@ -79,6 +82,9 @@ Kann Orte verwalten
+
+ Kann Einstellungen verwalten
+
 Abbrechen
diff --git a/src/Views/Home/Groups.cshtml b/src/Views/Home/Groups.cshtml
index ee67bad..c1a941e 100644
--- a/src/Views/Home/Groups.cshtml
+++ b/src/Views/Home/Groups.cshtml
@@ -29,6 +29,7 @@ @T["Can"]:
@T["manage locations"] @T["Can"]:
@T["manage assets"] @T["Can"]:
@T["manage groups"] + @T["Can"]:
@T["manage settings"] @T["Action"]
@@ -43,6 +44,7 @@
 @(groupTableViewModel.CanManageLocations ? "✓" : "✗")
 @(groupTableViewModel.CanManageAssets ? "✓" : "✗")
 @(groupTableViewModel.CanManageGroups ? "✓" : "✗")
+ @(groupTableViewModel.CanManageSettings ? "✓" : "✗")
+
+ + +
@@ -236,6 +242,7 @@
 if (createForm.querySelector('[name="Permissions.CanManageAssets"]').checked) jsonData.Permissions.push("CanManageAssets");
 if (createForm.querySelector('[name="Permissions.CanManageUsers"]').checked) jsonData.Permissions.push("CanManageUsers");
 if (createForm.querySelector('[name="Permissions.CanManageGroups"]').checked) jsonData.Permissions.push("CanManageGroups");
+ if (createForm.querySelector('[name="Permissions.CanManageSettings"]').checked) jsonData.Permissions.push("CanManageSettings");
 if (createForm.querySelector('[name="Permissions.CanManageLocations"]').checked) jsonData.Permissions.push("CanManageLocations");
 try {
@@ -265,6 +272,7 @@
 ${jsonData.Permissions.includes("CanManageLocations") ? "✓" : "✗"}
 ${jsonData.Permissions.includes("CanManageAssets") ? "✓" : "✗"}
 ${jsonData.Permissions.includes("CanManageGroups") ? "✓" : "✗"}
+ ${jsonData.Permissions.includes("CanManageSettings") ? "✓" : "✗"}
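Review bot: The create handler now sends `"CanManageSettings"` in `jsonData.Permissions` like any other permission, so the gate added on the admin settings actions is only as strong as the group create/update endpoints that accept this array. Those endpoints are not part of this diff; if they require only `CanManageGroups`, a group manager can presumably give their own group `CanManageSettings`, which makes the two permissions equivalent in practice. It is worth confirming that the server parses each entry against `GroupPermission` and decides explicitly who may grant the new one, and recording that next to the push calls with a comment such as `// UI convenience only: the server validates and authorizes every requested permission`. The surrounding submit handler starts and ends outside the hunk.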
+
+ + +
@@ -451,6 +463,7 @@ document.addEventListener('DOMContentLoaded', () => {
 row.children[3].textContent = jsonData.Description.Permissions.includes("CanManageLocations") ? "✓" : "✗" || '';
 row.children[4].textContent = jsonData.Description.Permissions.includes("CanManageAssets") ? "✓" : "✗" || '';
 row.children[5].textContent = jsonData.Description.Permissions.includes("CanManageGroups") ? "✓" : "✗" || '';
+ row.children[6].textContent = jsonData.Description.Permissions.includes("CanManageSettings") ? "✓" : "✗" || '';
 if (jsonData.Description.Permissions.includes("CanInventorize")) {
 row.children[1].className = "text-center text-success";
 } else {
@@ -480,6 +493,12 @@ document.addEventListener('DOMContentLoaded', () => {
 } else {
 row.children[5].className = "text-center text-danger";
 }
+
+ if (jsonData.Description.Permissions.includes("CanManageSettings")) {
+ row.children[6].className = "text-center text-success";
+ } else {
+ row.children[6].className = "text-center text-danger";
+ }
 }
 } else {
 showToast(result.reason || '@T["Error updating group"]', 'danger');
diff --git a/src/Views/Shared/_Layout.cshtml b/src/Views/Shared/_Layout.cshtml
index 84a6135..dfbcf8a 100644
--- a/src/Views/Shared/_Layout.cshtml
+++ b/src/Views/Shared/_Layout.cshtml
@@ -97,7 +97,10 @@
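Review bot: The `|| ''` at the end of the new `row.children[6].textContent` line in Groups.cshtml is dead code: `||` binds tighter than the conditional operator, so the else branch is `"✗" || ''`, which is always `"✗"`. The line can read `row.children[6].textContent = jsonData.Description.Permissions.includes("CanManageSettings") ? "✓" : "✗";` (the three context lines above it carry the same leftover). Judging by the table header changed earlier in this file, index 6 was previously the Action cell, so any other script that reaches the action cell by position would need the same shift; none is visible in these hunks. The if/else block added in the `@@ -480` hunk repeats the per-column class toggle with the same hard-coded index, and the enclosing handler extends beyond both hunks.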