homeburger/agologum
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

create permission modification endpoints
All checks were successful
Build and Deploy Frontend / build-and-deploy (push) Successful in 6s
Details
Build and Deploy API / build-and-deploy (push) Successful in 9s
Details

Browse Source
This commit is contained in:
Blitblank
2026-04-22 21:49:15 -05:00
parent 1afa30040d
commit baca04fa03
2 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
api/src/Controllers/UsersController.cs
View File

@@ -66,6 +66,54 @@ public class UsersController : ControllerBase {
return NoContent();
}
[Authorize(Policy = Permission.SensitiveData_Modify)]
[HttpDelete("{id}/permission")]
public async Task<ActionResult> removePermission(string id, string permission) {
var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
if(userId == id) return BadRequest(); // dont allow permission removal of yourself
// get list of permissions of that user
var user = await service_.GetById(id);
if (user == null) return NotFound();
if(user.Permissions == null) return NotFound();
// verify that the requested permission exists on that user
if(!user.Permissions.Contains(permission)) return NotFound();
// remove the permission from the permission list
user.Permissions.Remove(permission);
// update the user
await service_.Update(id, user);
return NoContent();
}
[Authorize(Policy = Permission.SensitiveData_Modify)]
[HttpPost("{id}/{permission}")] // TODO: this was made with a single button per permission in mind, but may be better as sending an array
public async Task<ActionResult> addPermission(string id, string permission) {
// we'll allow the superuser to elevate their own permissions because they're the superuser
// get list of permissions of the user
var user = await service_.GetById(id);
if (user == null) return NotFound();
if(user.Permissions == null) return NotFound();
// remove add the permission to the user's permission list (if it doesnt already exist)
if(user.Permissions.Contains(permission)) return NoContent();
user.Permissions.Add(permission);
// update the user
await service_.Update(id, user);
return NoContent();
// fyi the user will need to sign out and sign back in so the new permissions are reflected in their jwt claims
// TODO: or on the client i could issue a refresh token request after a permission api call
}
// TODO: add controls on editing roles
}