From d9f9de3dec2847acf5b6c214c9e5f087df1e887c Mon Sep 17 00:00:00 2001
From: Sebastian
Date: Mon, 8 Mar 2021 10:56:37 +0100
Subject: [PATCH] Change permission for bulk endpoints.
---
 .../AssetsBulkUpdateCommandMiddleware.cs | 8 ++++----
 .../ContentsBulkUpdateCommandMiddleware.cs | 16 ++++++++--------
 .../Api/Controllers/Assets/AssetsController.cs | 2 +-
 .../Controllers/Contents/ContentsController.cs | 2 +-
 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/backend/src/Squidex.Domain.Apps.Entities/Assets/DomainObject/AssetsBulkUpdateCommandMiddleware.cs b/backend/src/Squidex.Domain.Apps.Entities/Assets/DomainObject/AssetsBulkUpdateCommandMiddleware.cs
index c851ab5e7..d39247fa7 100644
--- a/backend/src/Squidex.Domain.Apps.Entities/Assets/DomainObject/AssetsBulkUpdateCommandMiddleware.cs
+++ b/backend/src/Squidex.Domain.Apps.Entities/Assets/DomainObject/AssetsBulkUpdateCommandMiddleware.cs
@@ -169,7 +169,7 @@ namespace Squidex.Domain.Apps.Entities.Assets.DomainObject
 {
 var command = new AnnotateAsset();
- Enrich(task, command, Permissions.AppAssetsUpdate);
+ EnrichAndCheckPermission(task, command, Permissions.AppAssetsUpdate);
 return command;
 }
@@ -177,7 +177,7 @@ namespace Squidex.Domain.Apps.Entities.Assets.DomainObject
 {
 var command = new MoveAsset();
- Enrich(task, command, Permissions.AppAssetsUpdate);
+ EnrichAndCheckPermission(task, command, Permissions.AppAssetsUpdate);
 return command;
 }
@@ -185,7 +185,7 @@ namespace Squidex.Domain.Apps.Entities.Assets.DomainObject
 {
 var command = new DeleteAsset();
- Enrich(task, command, Permissions.AppAssetsDelete);
+ EnrichAndCheckPermission(task, command, Permissions.AppAssetsDelete);
 return command;
 }
@@ -194,7 +194,7 @@ namespace Squidex.Domain.Apps.Entities.Assets.DomainObject
 }
 }
- private void Enrich(BulkTask task, T command, string permissionId) where T : AssetCommand
+ private void EnrichAndCheckPermission(BulkTask task, T command, string permissionId) where T : AssetCommand
 {
 SimpleMapper.Map(task.Command, command);
 SimpleMapper.Map(task.Job, command);
diff --git a/backend/src/Squidex.Domain.Apps.Entities/Contents/DomainObject/ContentsBulkUpdateCommandMiddleware.cs b/backend/src/Squidex.Domain.Apps.Entities/Contents/DomainObject/ContentsBulkUpdateCommandMiddleware.cs
index f4f3802d5..3562081a0 100644
--- a/backend/src/Squidex.Domain.Apps.Entities/Contents/DomainObject/ContentsBulkUpdateCommandMiddleware.cs
+++ b/backend/src/Squidex.Domain.Apps.Entities/Contents/DomainObject/ContentsBulkUpdateCommandMiddleware.cs
@@ -198,7 +198,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 {
 var command = new CreateContent();
- await EnrichAsync(task, command, Permissions.AppContentsCreate);
+ await EnrichAndCheckPermissionAsync(task, command, Permissions.AppContentsCreate);
 return command;
 }
@@ -206,7 +206,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 {
 var command = new UpdateContent();
- await EnrichAsync(task, command, Permissions.AppContentsUpdateOwn);
+ await EnrichAndCheckPermissionAsync(task, command, Permissions.AppContentsUpdateOwn);
 return command;
 }
@@ -214,7 +214,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 {
 var command = new UpsertContent();
- await EnrichAsync(task, command, Permissions.AppContentsUpsert);
+ await EnrichAndCheckPermissionAsync(task, command, Permissions.AppContentsUpsert);
 return command;
 }
@@ -222,7 +222,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 {
 var command = new PatchContent();
- await EnrichAsync(task, command, Permissions.AppContentsUpdateOwn);
+ await EnrichAndCheckPermissionAsync(task, command, Permissions.AppContentsUpdateOwn);
 return command;
 }
@@ -230,7 +230,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 {
 var command = new ValidateContent();
- await EnrichAsync(task, command, Permissions.AppContentsReadOwn);
+ await EnrichAndCheckPermissionAsync(task, command, Permissions.AppContentsReadOwn);
 return command;
 }
@@ -238,7 +238,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 {
 var command = new ChangeContentStatus { Status = job.Status ?? Status.Draft };
- await EnrichAsync(task, command, Permissions.AppContentsChangeStatusOwn);
+ await EnrichAndCheckPermissionAsync(task, command, Permissions.AppContentsChangeStatusOwn);
 return command;
 }
@@ -246,7 +246,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 {
 var command = new DeleteContent();
- await EnrichAsync(task, command, Permissions.AppContentsDeleteOwn);
+ await EnrichAndCheckPermissionAsync(task, command, Permissions.AppContentsDeleteOwn);
 return command;
 }
@@ -255,7 +255,7 @@ namespace Squidex.Domain.Apps.Entities.Contents.DomainObject
 }
 }
- private async Task EnrichAsync(BulkTask task, T command, string permissionId) where T : ContentCommand
+ private async Task EnrichAndCheckPermissionAsync(BulkTask task, T command, string permissionId) where T : ContentCommand
 {
 SimpleMapper.Map(task.Command, command);
 SimpleMapper.Map(task.Job, command);
diff --git a/backend/src/Squidex/Areas/Api/Controllers/Assets/AssetsController.cs b/backend/src/Squidex/Areas/Api/Controllers/Assets/AssetsController.cs
index 36e47f1a3..018aa5e7d 100644
--- a/backend/src/Squidex/Areas/Api/Controllers/Assets/AssetsController.cs
+++ b/backend/src/Squidex/Areas/Api/Controllers/Assets/AssetsController.cs
@@ -220,7 +220,7 @@ namespace Squidex.Areas.Api.Controllers.Assets
 [HttpPost]
 [Route("apps/{app}/assets/bulk")]
 [ProducesResponseType(typeof(BulkResultDto[]), StatusCodes.Status200OK)]
- [ApiPermissionOrAnonymous(Permissions.AppAssets)]
+ [ApiPermissionOrAnonymous(Permissions.AppAssetsRead)]
 [ApiCosts(5)]
 public async Task BulkUpdateAssets(string app, [FromBody] BulkUpdateAssetsDto request)
 {
diff --git a/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsController.cs b/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsController.cs
index d7f817cf4..cb475c0d3 100644
--- a/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsController.cs
+++ b/backend/src/Squidex/Areas/Api/Controllers/Contents/ContentsController.cs
@@ -416,7 +416,7 @@ namespace Squidex.Areas.Api.Controllers.Contents
 [HttpPost]
 [Route("content/{app}/{name}/bulk")]
 [ProducesResponseType(typeof(BulkResultDto[]), StatusCodes.Status200OK)]
- [ApiPermissionOrAnonymous(Permissions.AppContents)]
+ [ApiPermissionOrAnonymous(Permissions.AppContentsReadOwn)]
 [ApiCosts(5)]
 public async Task BulkUpdateContents(string app, string name, [FromBody] BulkUpdateContentsDto request)
 {
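Review bot: With `[ApiPermissionOrAnonymous(Permissions.AppAssetsRead)]` the entry gate for a POST route that carries annotate, move and delete jobs is a read permission, so the only thing keeping a read-only caller from changing data is the per-job check in the bulk middleware; the same holds for `Permissions.AppContentsReadOwn` on `BulkUpdateContents` in the ContentsController hunk. The checking part of `EnrichAndCheckPermission` / `EnrichAndCheckPermissionAsync` and the default branch of the job-type switch lie outside the visible hunks, so it cannot be confirmed from here that an unrecognised job type fails closed. I would state the contract next to the attribute, e.g. `// Entry gate only: every job is authorized individually in AssetsBulkUpdateCommandMiddleware.` (and the matching comment naming ContentsBulkUpdateCommandMiddleware), and add a test in which a caller holding only the read permission submits a delete job and receives a per-job error rather than a deletion. Both controller method bodies continue outside their hunks.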