Hardning security in authors and posts APIs

Author: rxtur

src/Core/Api/AssetsController.cs

@@ -68,13 +68,14 @@ public async Task<AssetsModel> Get(int page = 1, string filter = "", string sear
         }
 
         /// <summary>
-        /// Select an asset in the File Manager to include in the post
+        /// Select an asset in the File Manager (authentication required)
         /// </summary>
         /// <param name="type">Type of asset (post cover, logo, avatar or post image/attachment)</param>
         /// <param name="asset">Selected asset</param>
         /// <param name="post">Post ID</param>
         /// <returns>Asset Item</returns>
         [HttpGet("pick")]
+        [Authorize]
         public async Task<AssetItem> Pick(string type, string asset, string post)
         {
             if (type == "postCover")
@@ -111,7 +112,7 @@ public async Task<AssetItem> Pick(string type, string asset, string post)
         }
 
         /// <summary>
-        /// Upload file(s) to user data store, authentication required
+        /// Upload file(s) to user data store (authentication required)
         /// </summary>
         /// <param name="files">Selected files</param>
         /// <returns>Success or internal error</returns>
@@ -134,7 +135,7 @@ public async Task<IActionResult> Upload(ICollection<IFormFile> files)
         }
 
         /// <summary>
-        /// Remove file from user data store, authentication required
+        /// Remove file from user data store (authentication required)
         /// </summary>
         /// <param name="url">Relative URL of the file to remove</param>
         /// <returns></returns>

src/Core/Api/AuthorsController.cs

@@ -41,7 +41,7 @@ public async Task<ActionResult<IEnumerable<Author>>> Get(int page = 1)
             try
             {
                 var pager = new Pager(page);
-                var authors = await _data.Authors.GetList(u => u.Created > DateTime.MinValue, pager);
+                var authors = await _data.Authors.GetList(u => u.Created > DateTime.MinValue, pager, !User.Identity.IsAuthenticated);
                 return Ok(authors);
             }
             catch (Exception ex)
@@ -60,7 +60,7 @@ public async Task<ActionResult<Author>> Get(string author)
         {
             try
             {
-                var result = _data.Authors.Single(a => a.AppUserName == author);
+                var result = _data.Authors.GetItem(a => a.AppUserName == author, !User.Identity.IsAuthenticated);
                 if (result == null) return NotFound();
 
                 return Ok(await Task.FromResult(result));
@@ -72,7 +72,7 @@ public async Task<ActionResult<Author>> Get(string author)
         }
 
         /// <summary>
-        /// Register new author. Authorized admins only.
+        /// Register new author (admins only)
         /// </summary>
         /// <param name="model">Author model</param>
         /// <returns>Created Author object</returns>
@@ -114,7 +114,7 @@ public async Task<ActionResult<Author>> Post(RegisterModel model)
         }
 
         /// <summary>
-        /// Update author
+        /// Update author (admins only)
         /// </summary>
         /// <param name="model">Author model</param>
         /// <returns>Success or 500 error</returns>
@@ -138,7 +138,7 @@ public async Task<ActionResult> Update(Author model)
         }
 
         /// <summary>
-        /// Change author password. Authorized users only.
+        /// Change author password (authentication required)
         /// </summary>
         /// <param name="model">Author model</param>
         /// <returns>Success or 500 error</returns>
@@ -169,7 +169,7 @@ public async Task<ActionResult> ChangePwd(ChangePasswordModel model)
         }
 
         /// <summary>
-        /// Delete author, from membership, database and file system. Admin only.
+        /// Delete author, from membership, database and file system (admins only)
         /// </summary>
         /// <param name="id">Author ID</param>
         /// <returns>Success or 500 error</returns>

src/Core/Api/PostsController.cs

@@ -95,18 +95,18 @@ public async Task<PostItem> GetPost(int id)
         {
             if (id > 0)
             {
-                return await _data.BlogPosts.GetItem(p => p.Id == id);
+                return await _data.BlogPosts.GetItem(p => p.Id == id, !User.Identity.IsAuthenticated);
             }
             else
             {
-                var author = await _data.Authors.GetItem(a => a.AppUserName == User.Identity.Name);
+                var author = await _data.Authors.GetItem(a => a.AppUserName == User.Identity.Name, !User.Identity.IsAuthenticated);
                 var blog = await _data.CustomFields.GetBlogSettings();
                 return new PostItem { Author = author, Cover = blog.Cover };
             }               
         }
 
         /// <summary>
-        /// Set post as published or draft
+        /// Set post as published or draft (authentication required)
         /// </summary>
         /// <param name="id">Post ID</param>
         /// <param name="flag">Flag; P - publish, U - unpublish</param>
@@ -137,7 +137,7 @@ public async Task<ActionResult> Publish(int id, string flag)
         }
 
         /// <summary>
-        /// Set post as featured
+        /// Set post as featured (admins only)
         /// </summary>
         /// <param name="id">Post ID</param>
         /// <param name="flag">Flag; F - featured, U - remove from featured</param>
@@ -168,7 +168,7 @@ public async Task<ActionResult> Feature(int id, string flag)
         }
 
         /// <summary>
-        /// Save blog post
+        /// Save blog post (authentication required)
         /// </summary>
         /// <param name="post">Post item</param>
         /// <returns>Saved post item</returns>
@@ -189,7 +189,7 @@ public async Task<ActionResult<PostItem>> Post(PostItem post)
         }
 
         /// <summary>
-        /// Remove post item
+        /// Remove post item (authentication required)
         /// </summary>
         /// <param name="id">Post ID</param>
         /// <returns>Success or failure</returns>

src/Core/Constants.cs

@@ -17,6 +17,8 @@ public class Constants
         public static string BlogCover = "blog-cover";
         public static string Culture = "culture";
 
+        public static string DummyEmail = "dummy@blog.com";
+
         public static string ThemeEditReturnUrl = "~/admin/settings/theme";
     }
 }

src/Core/CoreAPI.xml

@@ -9,8 +9,8 @@ namespace Core.Data
 {
     public interface IAuthorRepository : IRepository<Author>
     {
-        Task<Author> GetItem(Expression<Func<Author, bool>> predicate);
-        Task<IEnumerable<Author>> GetList(Expression<Func<Author, bool>> predicate, Pager pager);
+        Task<Author> GetItem(Expression<Func<Author, bool>> predicate, bool sanitized = false);
+        Task<IEnumerable<Author>> GetList(Expression<Func<Author, bool>> predicate, Pager pager, bool sanitize = false);
         Task Save(Author author);
         Task Remove(int id);
     }
@@ -24,7 +24,7 @@ public AuthorRepository(AppDbContext db) : base(db)
             _db = db;
         }
 
-        public async Task<Author> GetItem(Expression<Func<Author, bool>> predicate)
+        public async Task<Author> GetItem(Expression<Func<Author, bool>> predicate, bool sanitized = false)
         {
             try
             {
@@ -33,6 +33,7 @@ public async Task<Author> GetItem(Expression<Func<Author, bool>> predicate)
                 if (author != null)
                 {
                     author.Avatar = author.Avatar ?? AppSettings.Avatar;
+                    author.Email = sanitized ? Constants.DummyEmail : author.Email;
                 }
 
                 return await Task.FromResult(author);
@@ -43,7 +44,7 @@ public async Task<Author> GetItem(Expression<Func<Author, bool>> predicate)
             }
         }
 
-        public async Task<IEnumerable<Author>> GetList(Expression<Func<Author, bool>> predicate, Pager pager)
+        public async Task<IEnumerable<Author>> GetList(Expression<Func<Author, bool>> predicate, Pager pager, bool sanitize = false)
         {
             var take = pager.ItemsPerPage == 0 ? 10 : pager.ItemsPerPage;
             var skip = pager.CurrentPage * take - take;
@@ -55,6 +56,14 @@ public async Task<IEnumerable<Author>> GetList(Expression<Func<Author, bool>> pr
 
             var list = users.Skip(skip).Take(take).ToList();
 
+            if (sanitize)
+            {
+                foreach (var item in list)
+                {
+                    item.Email = Constants.DummyEmail;
+                }
+            }
+
             return await Task.FromResult(list);
         }
 

src/Core/Data/Repositories/AuthorRepository.cs

@@ -14,7 +14,7 @@ public interface IPostRepository : IRepository<BlogPost>
         Task<IEnumerable<PostItem>> GetList(Expression<Func<BlogPost, bool>> predicate, Pager pager);
         Task<IEnumerable<PostItem>> GetList(Pager pager, int author = 0, string category = "", string include = "", bool sanitize = false);
         Task<IEnumerable<PostItem>> Search(Pager pager, string term, int author = 0, string include = "", bool sanitize = false);
-        Task<PostItem> GetItem(Expression<Func<BlogPost, bool>> predicate);
+        Task<PostItem> GetItem(Expression<Func<BlogPost, bool>> predicate, bool sanitize = false);
         Task<PostModel> GetModel(string slug);
         Task<PostItem> SaveItem(PostItem item);
         Task SaveCover(int postId, string asset);
@@ -127,12 +127,13 @@ public async Task<IEnumerable<PostItem>> Search(Pager pager, string term, int au
             return await Task.Run(() => posts.Skip(skip).Take(pager.ItemsPerPage).ToList());
         }
 
-        public async Task<PostItem> GetItem(Expression<Func<BlogPost, bool>> predicate)
+        public async Task<PostItem> GetItem(Expression<Func<BlogPost, bool>> predicate, bool sanitize = false)
         {
             var post = _db.BlogPosts.Single(predicate);
             var item = PostToItem(post);
 
             item.Author.Avatar = string.IsNullOrEmpty(item.Author.Avatar) ? "lib/img/avatar.jpg" : item.Author.Avatar;
+            item.Author.Email = sanitize ? Constants.DummyEmail : item.Author.Email;
 
             return await Task.FromResult(item);
         }
@@ -273,7 +274,7 @@ PostItem PostToItem(BlogPost p, bool sanitize = false)
             {
                 post.Author.Avatar = string.IsNullOrEmpty(post.Author.Avatar) ?
                     AppSettings.Avatar : post.Author.Avatar;
-                post.Author.Email = sanitize ? "" : post.Author.Email;
+                post.Author.Email = sanitize ? Constants.DummyEmail : post.Author.Email;
             }
             return post;
         }

src/Core/Data/Repositories/PostRepository.cs

@@ -271,7 +271,7 @@ public async Task<IEnumerable<AssetItem>> Find(Func<AssetItem, bool> predicate,
             {
                 foreach (var p in page)
                 {
-                    p.Path = "";
+                    p.Path = p.Path.Replace(Location, "");
                 }
             }