Feature/Auth: last one was authentication, this one is authorization #4

Merged
homeburger merged 33 commits from feature/auth into main 2026-04-23 00:18:39 -05:00
2 changed files with 49 additions and 0 deletions


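--- a/[path not shown: file declaring UsersController]
+++ b/[path not shown: file declaring UsersController]
@@ -66,6 +66,54 @@ public class UsersController : ControllerBase {
 return NoContent();
 }
+[Authorize(Policy = Permission.SensitiveData_Modify)]
+[HttpDelete("{id}/permission")]
+public async Task<ActionResult> removePermission(string id, string permission) {
+var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+if(userId == id) return BadRequest(); // dont allow permission removal of yourself
+// get list of permissions of that user
+var user = await service_.GetById(id);
+if (user == null) return NotFound();
+if(user.Permissions == null) return NotFound();
+// verify that the requested permission exists on that user
+if(!user.Permissions.Contains(permission)) return NotFound();
+// remove the permission from the permission list
+user.Permissions.Remove(permission);
+// update the user
+await service_.Update(id, user);
+return NoContent();
+}
+[Authorize(Policy = Permission.SensitiveData_Modify)]
+[HttpPost("{id}/{permission}")] // TODO: this was made with a single button per permission in mind, but may be better as sending an array
+public async Task<ActionResult> addPermission(string id, string permission) {
+// we'll allow the superuser to elevate their own permissions because they're the superuser
+// get list of permissions of the user
+var user = await service_.GetById(id);
+if (user == null) return NotFound();
+if(user.Permissions == null) return NotFound();
+// remove add the permission to the user's permission list (if it doesnt already exist)
+if(user.Permissions.Contains(permission)) return NoContent();
+user.Permissions.Add(permission);
+// update the user
+await service_.Update(id, user);
+return NoContent();
+// fyi the user will need to sign out and sign back in so the new permissions are reflected in their jwt claims
+// TODO: or on the client i could issue a refresh token request after a permission api call
+}
 // TODO: add controls on editing roles
 }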
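Review bot: `addPermission` persists whatever string arrives in the `{permission}` route segment (the `user.Permissions.Add(permission)` line after the `Contains` check) without confirming that it names a permission the application defines, so typos and arbitrary values end up stored on the user; validate it against the constants declared on the `Permission` class (the same class the policy attribute reads) and return `BadRequest()` otherwise, and apply the same check in `removePermission`. There is also an asymmetry the comment at the top of `addPermission` only partly acknowledges: the self-check `if(userId == id) return BadRequest();` exists only on removal, while the policy gating both endpoints is `Permission.SensitiveData_Modify`, so any holder of that single permission — not only a superuser — can grant their own account every other permission; if that is not intended, mirror the self-check on `addPermission` or gate it on a stricter policy. The `GetById`/`Update` pair is a read-modify-write with no visible concurrency control, so two concurrent permission changes to the same user may overwrite each other (hedged, since `service_` is not shown). Minor style: both actions are camelCase (`removePermission`, `addPermission`) where the controller presumably uses PascalCase elsewhere, and the delete route binds `permission` from the query string while the post route binds it from a path segment. The enclosing `UsersController` class continues outside the hunk.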


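--- a/[path not shown: file declaring UserDto]
+++ b/[path not shown: file declaring UserDto]
@@ -7,6 +7,7 @@ export interface UserDto {
 email: string;
 id: string;
 userName: string;
+permissions: string;
 }
 export interface RegisterDto {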
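Review bot: `permissions: string;` declares the new field as a single string, but the server-side counterpart in this same commit manipulates `user.Permissions` as a collection (`Contains`, `Add`, `Remove`), so if the API serializes it as a JSON array the client type is wrong and callers that treat it as one string get no compile-time error. `permissions: string[];` would match that usage, unless the DTO is deliberately a joined string — confirm against the server's DTO mapping, which is not in this diff. Consider also whether the field should be optional (`permissions?: string[];`), since the controller treats a null `Permissions` as a reachable state (`if(user.Permissions == null) return NotFound();`).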