Shifted sanitizing outputs into Controller.cs

Now Hiding Parents
This commit is contained in:
Kim 2023-03-30 09:27:18 +02:00
parent 46db92fee5
commit e1305126ee
5 changed files with 88 additions and 47 deletions

View File

@ -27,7 +27,7 @@ public class Controller : ControllerBase
return Unauthorized();
}
var session = new Session(user);
var session = new Session(user.HidePassword().HideParentIfUserHasNoAccessToParent(user));
//TODO The Frontend should check for the MustResetPassword Flag
@ -60,8 +60,7 @@ public class Controller : ControllerBase
if (user is null || !session.HasAccessTo(user))
return Unauthorized();
user.Password = "";
return user;
return user.HidePassword().HideParentIfUserHasNoAccessToParent(session);
}
@ -77,7 +76,7 @@ public class Controller : ControllerBase
if (installation is null || !user.HasAccessTo(installation))
return Unauthorized();
return installation;
return installation.HideParentIfUserHasNoAccessToParent(user);
}
[HttpGet(nameof(GetUsersWithDirectAccessToInstallation))]
@ -95,6 +94,7 @@ public class Controller : ControllerBase
return installation
.UsersWithDirectAccess()
.Where(u => u.IsDescendantOf(user))
.Select(u => u.HidePassword())
.ToList();
}
@ -133,6 +133,7 @@ public class Controller : ControllerBase
return folder
.UsersWithDirectAccess()
.Where(u => u.IsDescendantOf(user))
.Select(u => u.HidePassword())
.ToList();
}
@ -168,7 +169,7 @@ public class Controller : ControllerBase
if (folder is null || !user.HasAccessTo(folder))
return Unauthorized();
return folder;
return folder.HideParentIfUserHasNoAccessToParent(user);
}
[HttpGet(nameof(GetAllDirectChildUsers))]
@ -178,7 +179,7 @@ public class Controller : ControllerBase
if (user == null)
return Unauthorized();
return user.ChildUsers().ToList();
return user.ChildUsers().Select(u => u.HidePassword()).ToList();
}
[HttpGet(nameof(GetAllChildUsers))]
@ -188,7 +189,7 @@ public class Controller : ControllerBase
if (user == null)
return Unauthorized();
return user.DescendantUsers().ToList();
return user.DescendantUsers().Select(u => u.HidePassword()).ToList();
}
@ -200,9 +201,7 @@ public class Controller : ControllerBase
if (user is null)
return Unauthorized();
user.AccessibleInstallations().ForEach(i => i.FillOrderNumbers());
return user.AccessibleInstallations().ToList();
return user.AccessibleInstallations().Select(i => i.FillOrderNumbers().HideParentIfUserHasNoAccessToParent(user)).ToList();
}
@ -215,7 +214,7 @@ public class Controller : ControllerBase
if (user is null)
return Unauthorized();
return new(user.AccessibleFolders());
return new(user.AccessibleFolders().HideParentIfUserHasNoAccessToParent(user));
}
@ -228,9 +227,11 @@ public class Controller : ControllerBase
return Unauthorized();
var foldersAndInstallations = user
.AccessibleFoldersAndInstallations()
.OfType<Object>(); // Important! JSON serializer must see Objects otherwise
// it will just serialize the members of TreeNode %&@#!!!
.AccessibleFoldersAndInstallations()
.Do(o => o.FillOrderNumbers())
.Select(o => o.HideParentIfUserHasNoAccessToParent(user))
.OfType<Object>(); // Important! JSON serializer must see Objects otherwise
// it will just serialize the members of TreeNode %&@#!!!
return new (foldersAndInstallations);
}
@ -240,17 +241,19 @@ public class Controller : ControllerBase
public ActionResult<User> CreateUser(User newUser, Token authToken)
{
return Db.GetSession(authToken).Create(newUser)
? newUser
? newUser.HidePassword()
: Unauthorized() ;
}
[HttpPost(nameof(CreateInstallation))]
public async Task<ActionResult<Installation>> CreateInstallation(Installation installation, Token authToken)
{
if (!await Db.GetSession(authToken).Create(installation))
var session = Db.GetSession(authToken);
if (! await session.Create(installation))
return Unauthorized();
return installation;
return installation.HideParentIfUserHasNoAccessToParent(session!.User);
}
[HttpPost(nameof(CreateFolder))]
@ -261,7 +264,7 @@ public class Controller : ControllerBase
if (!session.Create(folder))
return Unauthorized();
return folder;
return folder.HideParentIfUserHasNoAccessToParent(session!.User);
}
[HttpPost(nameof(GrantUserAccessToFolder))]
@ -332,7 +335,7 @@ public class Controller : ControllerBase
if (!session.Update(updatedUser))
return Unauthorized();
return updatedUser;
return updatedUser.HidePassword();
}
@ -356,7 +359,7 @@ public class Controller : ControllerBase
if (!session.Update(installation))
return Unauthorized();
return installation;
return installation.HideParentIfUserHasNoAccessToParent(session.User);
}
@ -368,7 +371,7 @@ public class Controller : ControllerBase
if (!session.Update(folder))
return Unauthorized();
return folder;
return folder.HideParentIfUserHasNoAccessToParent(session.User);
}
[HttpPut(nameof(MoveInstallation))]

View File

@ -175,6 +175,7 @@ public static class SessionMethods
&& sessionUser.HasAccessTo(editedUser)
&& editedUser
.WithParentOf(originalUser) // prevent moving
.WithNameOf(originalUser)
.WithPasswordOf(originalUser)
.Apply(Db.Update);
}

View File

@ -1,3 +1,5 @@
using InnovEnergy.App.Backend.Database;
namespace InnovEnergy.App.Backend.DataTypes.Methods;
public static class TreeNodeMethods
@ -9,16 +11,38 @@ public static class TreeNodeMethods
return treeNode;
}
public static T WithNameOf<T>(this T treeNode, T other) where T: TreeNode
{
treeNode.Name = other.Name;
return treeNode;
}
public static T WithParent<T>(this T treeNode, T other) where T: TreeNode
{
treeNode.ParentId = other.Id;
return treeNode;
}
public static T HideParent<T>(this T treeNode) where T: TreeNode
public static T HideParentIfUserHasNoAccessToParent<T>(this T node, User? accessingUser)
{
treeNode.ParentId = 0;
if (accessingUser is not null && node is TreeNode treeNode && !accessingUser.HasAccessToParentOf(treeNode))
{
treeNode.ParentId = 0;
}
return node;
}
public static TreeNode FillOrderNumbers(this TreeNode treeNode)
{
if (treeNode is Installation installation)
{
installation.FillOrderNumbers();
}
return treeNode;
}
}

View File

@ -35,7 +35,7 @@ public static class UserMethods
{
var folders = user.AccessibleFolders() as IEnumerable<TreeNode>;
user.AccessibleInstallations().ForEach(i => i.FillOrderNumbers());
// user.AccessibleInstallations().ForEach(i => i.FillOrderNumbers());
var installations = user.AccessibleInstallations();
return folders.Concat(installations);
@ -49,7 +49,7 @@ public static class UserMethods
.Select(r => r.InstallationId)
.Select(i => Db.GetInstallationById(i))
.NotNull()
.Do(i => i.HideParent()); // hide inaccessible parents from calling user
.Do(i => i.HideParentIfUserHasNoAccessToParent(user)); // hide inaccessible parents from calling user
}
public static IEnumerable<Folder> DirectlyAccessibleFolders(this User user)
@ -60,7 +60,7 @@ public static class UserMethods
.Select(r => r.FolderId)
.Select(i => Db.GetFolderById(i))
.NotNull()
.Do(f => f.HideParent()); // hide inaccessible parents from calling user;
.Do(f => f.HideParentIfUserHasNoAccessToParent(user)); // hide inaccessible parents from calling user;
}
public static IEnumerable<User> ChildUsers(this User parent)
@ -93,7 +93,7 @@ public static class UserMethods
public static Boolean VerifyPassword(this User user, String password)
{
return Db.GetUserWithPasswordByName(user.Name)?.Password == user.SaltAndHashPassword(password);
return Db.GetUserByName(user.Name)?.Password == user.SaltAndHashPassword(password);
}
@ -167,7 +167,31 @@ public static class UserMethods
.Contains(user);
}
public static String Salt(this User user)
public static Boolean HasAccessTo(this User user, TreeNode? other)
{
return other?.Type switch
{
"installation" => user.HasAccessTo((Installation)other),
"user" => user.HasAccessTo((User)other),
"folder" => user.HasAccessTo((Folder)other),
_ => false
};
}
public static Boolean HasAccessToParentOf(this User user, TreeNode? other)
{
return other?.Type switch
{
"installation" => user.HasAccessTo(Db.GetInstallationById(other.ParentId)),
"user" => user.HasAccessTo(Db.GetUserById(other.ParentId)),
"folder" => user.HasAccessTo(Db.GetFolderById(other.ParentId)),
_ => false
};
}
private static String Salt(this User user)
{
// + id => salt unique per user
// + InnovEnergy => globally unique
@ -192,11 +216,10 @@ public static class UserMethods
return deletedUser;
}
public static User? HidePassword(this User? user)
public static User HidePassword(this User user)
{
if(user is not null)
user.Password = "";
user.Password = "";
return user;
}
}

View File

@ -1,7 +1,6 @@
using InnovEnergy.App.Backend.DataTypes;
using InnovEnergy.App.Backend.DataTypes.Methods;
using InnovEnergy.App.Backend.Relations;
using InnovEnergy.Lib.Utils;
namespace InnovEnergy.App.Backend.Database;
@ -18,25 +17,16 @@ public static partial class Db
public static Installation? GetInstallationById(Int64? id)
{
return Installations
.FirstOrDefault(i => i.Id == id)
.FillOrderNumbers();
.FirstOrDefault(i => i.Id == id);
}
public static User? GetUserById(Int64? id)
{
return Users
.FirstOrDefault(u => u.Id == id)
.HidePassword();
.FirstOrDefault(u => u.Id == id);
}
public static User? GetUserByName(String userName)
{
return Users
.FirstOrDefault(u => u.Name == userName)
.HidePassword();
}
public static User? GetUserWithPasswordByName(String userName)
{
return Users
.FirstOrDefault(u => u.Name == userName);