
Commit b54651d

committed
Security related admin updates
1 parent 4e31438 commit b54651d


6 files changed

+50
-41
lines changed


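--- a/Blogifier.Core/Controllers/SettingsController.cs
+++ b/Blogifier.Core/Controllers/SettingsController.cs
@@ -28,22 +28,6 @@ public SettingsController(IUnitOfWork db, ILogger<SettingsController> logger)
 _theme = $"~/{ApplicationSettings.BlogAdminFolder}/Settings/";
 }
 
-[VerifyProfile]
-[Route("application")]
-public IActionResult Application(int page = 1)
-{
-var pager = new Pager(page);
-var blogs = _db.Profiles.ProfileList(p => p.Id > 0, pager);
-
-var model = new AdminApplicationModel
-{
-Profile = GetProfile(),
-Blogs = blogs,
-Pager = pager
-};
-return View(_theme + "Application.cshtml", model);
-}
-
 [Route("profile")]
 public IActionResult Profile()
 {
@@ -110,21 +94,14 @@ public IActionResult Profile(SettingsProfile model)
 return View(_theme + "Profile.cshtml", model);
 }
 
-[VerifyProfile]
-[Route("import")]
-public IActionResult Import()
-{
-return View(_theme + "Import.cshtml", new AdminBaseModel { Profile = GetProfile() });
-}
-
 [VerifyProfile]
 [Route("about")]
 public IActionResult About()
 {
 return View(_theme + "About.cshtml", new AdminBaseModel { Profile = GetProfile() });
 }
 
-[VerifyProfile]
+[MustBeAdmin]
 [Route("general")]
 public IActionResult General()
 {
@@ -149,6 +126,7 @@ public IActionResult General()
 }
 
 [HttpPost]
+[MustBeAdmin]
 [Route("general")]
 public IActionResult General(SettingsGeneral model)
 {
@@ -184,7 +162,7 @@ public IActionResult General(SettingsGeneral model)
 return View(_theme + "General.cshtml", model);
 }
 
-[VerifyProfile]
+[MustBeAdmin]
 [Route("posts")]
 public IActionResult Posts()
 {
@@ -201,6 +179,7 @@ public IActionResult Posts()
 }
 
 [HttpPost]
+[MustBeAdmin]
 [Route("posts")]
 public IActionResult Posts(SettingsPosts model)
 {
@@ -223,7 +202,7 @@ public IActionResult Posts(SettingsPosts model)
 return View(_theme + "Posts.cshtml", model);
 }
 
-[VerifyProfile]
+[MustBeAdmin]
 [Route("advanced")]
 public IActionResult Advanced()
 {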
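Review bot: `[MustBeAdmin]` replaces `[VerifyProfile]` on `General`, `Posts` and `Advanced` instead of being added next to it, so whatever `VerifyProfile` enforced (its body is outside this diff) no longer runs for those actions; if it did more than confirm a profile exists, that behaviour is lost, while `About` keeps `[VerifyProfile]` and gets no admin gate, which is presumably intended. The hunk at old line 226 covers only the GET `Advanced`; `General` and `Posts` each have a POST twin that received the attribute, so if a POST `Advanced` exists beyond the hunk it needs `[MustBeAdmin]` as well. Because each admin-only action must carry the attribute individually, a new action added later is unprotected by default; grouping the admin-only actions under a controller that carries `[MustBeAdmin]` once would remove that failure mode.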

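--- a/Blogifier.Core/Middleware/ActionFilters.cs
+++ b/Blogifier.Core/Middleware/ActionFilters.cs
@@ -38,4 +38,32 @@ public override void OnActionExecuting(ActionExecutingContext filterContext)
 }
 }
 }
+
+public class MustBeAdmin : ActionFilterAttribute
+{
+DbContextOptions<BlogifierDbContext> _options;
+
+public MustBeAdmin()
+{
+var builder = new DbContextOptionsBuilder<BlogifierDbContext>();
+
+ApplicationSettings.DatabaseOptions(builder);
+
+_options = builder.Options;
+}
+
+public override void OnActionExecuting(ActionExecutingContext filterContext)
+{
+using (var context = new BlogifierDbContext(_options))
+{
+var loggedUser = filterContext.HttpContext.User.Identity.Name;
+var profile = context.Profiles.SingleOrDefaultAsync(p => p.IdentityName == loggedUser).Result;
+
+if(profile == null || !profile.IsAdmin)
+{
+filterContext.Result = new RedirectResult("~/Error/403");
+}
+}
+}
+}
 }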
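Review bot: `OnActionExecuting` blocks on `SingleOrDefaultAsync(...).Result` at new line 60, which is sync-over-async inside a synchronous filter and risks deadlock and thread-pool starvation on every guarded request; the filter has no async path, so use the synchronous query `var profile = context.Profiles.SingleOrDefault(p => p.IdentityName == loggedUser);` or override `OnActionExecutionAsync` and await it. Denial is expressed as `new RedirectResult("~/Error/403")`, a 302, so a non-browser caller of the `HttpDelete` action this attribute now guards sees a redirect rather than a 403; `new StatusCodeResult(403)` (or `ForbidResult`) fails closed for such callers. `User.Identity.Name` is null for an anonymous request, which does yield `profile == null` and a denial, but a comment such as `// unauthenticated requests have no Identity.Name and fall into the deny branch` would make that intent explicit. `SingleOrDefault` throws if two profiles share an `IdentityName`, turning a denial into an unhandled 500; if uniqueness is not enforced by the schema, this is worth noting on the query.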

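--- a/Blogifier.Web/Controllers/SettingsController.cs
+++ b/Blogifier.Web/Controllers/SettingsController.cs
@@ -52,15 +52,11 @@ IUnitOfWork db
 [TempData]
 public string ErrorMessage { get; set; }
 
-[VerifyProfile]
+[MustBeAdmin]
 [Route("users")]
 public IActionResult Users(int page = 1)
 {
 var profile = GetProfile();
-if (!profile.IsAdmin)
-{
-return View($"~/{ApplicationSettings.BlogThemesFolder}/{BlogSettings.Theme}/Error.cshtml", 403);
-}
 var pager = new Pager(page);
 var blogs = _db.Profiles.ProfileList(p => p.Id > 0, pager);
 
@@ -72,6 +68,7 @@ public IActionResult Users(int page = 1)
 }
 
 [HttpPost]
+[MustBeAdmin]
 [ValidateAntiForgeryToken]
 [Route("users")]
 public async Task<IActionResult> Register(UsersViewModel model, string returnUrl = null)
@@ -133,6 +130,7 @@ public async Task<IActionResult> Register(UsersViewModel model, string returnUrl
 return View(_theme + "Settings/Users.cshtml", regModel);
 }
 
+[MustBeAdmin]
 [HttpDelete("{id}")]
 [Route("users/{id}")]
 public async Task<IActionResult> Delete(int id)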
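Review bot: `Delete` at new line 136 is a state-changing `HttpDelete` action now gated only by `[MustBeAdmin]`, whereas the neighbouring `Register` POST also carries `[ValidateAntiForgeryToken]`; unless the admin script already sends the anti-forgery token with the delete request (not visible here), adding `[ValidateAntiForgeryToken]` above `[HttpDelete("{id}")]` keeps the two admin mutations consistent. With the in-body `IsAdmin` check removed from `Users`, the `var profile = GetProfile();` at line 59 is retained only for whatever follows the hunk; if nothing after it reads `profile`, it is now a dead query. The removed lines 60-63 rendered a themed 403 view, while `MustBeAdmin` short-circuits with a 302 to `~/Error/403`, so the failure response for this page has changed shape.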

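--- a/Blogifier.Web/Startup.cs
+++ b/Blogifier.Web/Startup.cs
@@ -63,10 +63,6 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
 app.UseDeveloperExceptionPage();
 app.UseDatabaseErrorPage();
 }
-else
-{
-app.UseExceptionHandler("/Home/Error");
-}
 
 app.UseStaticFiles();
 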

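--- a/Blogifier.Web/Views/Blogifier/Admin/_Shared/_Taskbar.cshtml
+++ b/Blogifier.Web/Views/Blogifier/Admin/_Shared/_Taskbar.cshtml
@@ -33,12 +33,20 @@
 <i class="taskbar-item-icon fa fa-cube"></i>
 </a>
 </li>
+<li is-active-route asp-controller="Settings" class="taskbar-item">
+<a asp-controller="Settings" asp-action="General" class="taskbar-item-link" title="Settings">
+<i class="taskbar-item-icon fa fa-gear"></i>
+</a>
+</li>
+}
+else
+{
+<li is-active-route asp-controller="Settings" class="taskbar-item">
+<a asp-controller="Settings" asp-action="Profile" class="taskbar-item-link" title="Settings">
+<i class="taskbar-item-icon fa fa-gear"></i>
+</a>
+</li>
 }
-<li is-active-route asp-controller="Settings" class="taskbar-item">
-<a asp-controller="Settings" asp-action="General" class="taskbar-item-link" title="Settings">
-<i class="taskbar-item-icon fa fa-gear"></i>
-</a>
-</li>
 <li class="taskbar-item ml-auto ml-lg-0 mt-lg-auto">
 <a class="taskbar-item-link" href="~/" return false;" title="Visit Blog" target="_blank"><i class="taskbar-item-icon fa fa-globe"></i></a>
 </li>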
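Review bot: The two new branches at lines 36-48 are identical except for `asp-action`, so the markup could collapse to a single `<li>` with `asp-action="@(IS_ADMIN_CONDITION ? "General" : "Profile")"`, where `IS_ADMIN_CONDITION` stands for whatever the enclosing `if` tests; that `if` opens outside the hunk, so only the `else` half of it is visible here. Hiding the General link from non-admins is a navigation choice, not an access control, so the server-side `[MustBeAdmin]` filter this commit introduces must remain the enforcement point. Context line 51 carries a stray `return false;"` inside the `href` attribute of the Visit Blog link; it predates this change, but it leaves that anchor with broken attribute quoting.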

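--- a/Blogifier.Web/wwwroot/admin/js/app/postsController.js
+++ b/Blogifier.Web/wwwroot/admin/js/app/postsController.js
@@ -79,7 +79,7 @@ var postsController = function(dataService) {
 
 function reload() {
 setTimeout(function() {
-window.location.href = webRoot + 'admin';
+window.location.href = webRoot + 'admin/posts';
 }, 1000);
 }
 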