tsai
/
squidex
mirror of https://github.com/Squidex/squidex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Headless CMS and Content Managment Hub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5134 Commits
10 Branches
150 Tags
122 MiB
 
 
 
 
 
Tree: 4a948a00ac
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4a948a00ac'
${ noResults }
squidex/backend/src/Squidex.Web/ApiPermissionAttribute.cs

77 lines
2.4 KiB
Raw Blame History

// ==========================================================================
// Squidex Headless CMS
// ==========================================================================
// Copyright (c) Squidex UG (haftungsbeschraenkt)
// All rights reserved. Licensed under the MIT license.
// ==========================================================================
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Squidex.Infrastructure.Security;
using Squidex.Shared;
namespace Squidex.Web
{
public class ApiPermissionAttribute : AuthorizeAttribute, IAsyncActionFilter
{
private readonly string[] permissionIds;
public IEnumerable<string> PermissionIds
{
get => permissionIds;
}
public ApiPermissionAttribute(params string[] ids)
{
AuthenticationSchemes = Constants.ApiSecurityScheme;
permissionIds = ids;
}
public Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
if (permissionIds.Length > 0)
{
var permissions = context.HttpContext.Context().UserPermissions;
var hasPermission = false;
if (permissions != null)
{
foreach (var id in permissionIds)
{
var app = context.HttpContext.Features.Get<IAppFeature>()?.App.Name;
if (string.IsNullOrWhiteSpace(app))
{
app = Permission.Any;
}
var schema = context.HttpContext.Features.Get<ISchemaFeature>()?.Schema.SchemaDef.Name;
if (string.IsNullOrWhiteSpace(schema))
{
schema = Permission.Any;
}
if (permissions.Allows(id, app, schema))
{
hasPermission = true;
break;
}
}
}
if (!hasPermission)
{
context.Result = new StatusCodeResult(403);
return Task.CompletedTask;
}
}
return next();
}
}
}