From 1e16cf892d330064db0e20617337a7d90e3a0713 Mon Sep 17 00:00:00 2001
From: JustAnyone
Date: Mon, 6 Oct 2025 17:09:43 +0300
Subject: [PATCH] Fix missing return in authorization

---
 Bruno/Seed/Create accounts/Login as admin.bru |  2 +-
 .../Controllers/PostController.cs             | 89 +++++++++++++------
 2 files changed, 65 insertions(+), 26 deletions(-)

diff --git a/Bruno/Seed/Create accounts/Login as admin.bru b/Bruno/Seed/Create accounts/Login as admin.bru
index ae926ca..041838d 100644
--- a/Bruno/Seed/Create accounts/Login as admin.bru
+++ b/Bruno/Seed/Create accounts/Login as admin.bru
@@ -1,7 +1,7 @@
 meta {
   name: Login as admin
   type: http
-  seq: 5
+  seq: 3
 }
 
 post {
diff --git a/T120B165-ImgBoard/Controllers/PostController.cs b/T120B165-ImgBoard/Controllers/PostController.cs
index 6e26089..5052ae1 100644
--- a/T120B165-ImgBoard/Controllers/PostController.cs
+++ b/T120B165-ImgBoard/Controllers/PostController.cs
@@ -183,7 +183,7 @@ public class PostController(
 
         // If not the resource owner
         var userId = HttpContext.User.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value;
-        if (userId != post.Author.Id) Forbid();
+        if (userId != post.Author.Id) return Forbid();
 
         if (fileRecord.FinishedDate != null)
             return Problem(statusCode: StatusCodes.Status400BadRequest,
@@ -354,10 +354,7 @@ public class PostController(
         var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
 
         // If neither the admin nor the resource owner
-        if (!isAdmin && userId != post.Author.Id)
-        {
-            Forbid();
-        }
+        if (!isAdmin && userId != post.Author.Id) return Forbid();
 
         // Clean up the file record first
         var fullPath = Path.Combine(env.ContentRootPath, post.File.FilePath);
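Review bot: `HttpContext.User.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value` in the `@@ -183` hunk throws InvalidOperationException when the authenticated principal carries no NameIdentifier claim, so such a caller gets a 500 instead of the 401/403 the action advertises; the same lookup appears on the new side of the CreateComment hunk (`@@ -424`). Prefer `var userId = HttpContext.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;` followed by `if (userId is null) return Forbid();` so a principal without that claim is rejected deterministically rather than by an unhandled exception. The enclosing action starts and ends outside this hunk.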
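Review bot: In the `@@ -354` hunk the guard now returns before `Path.Combine(env.ContentRootPath, post.File.FilePath)`, which is the right ordering, but Path.Combine returns its second argument unchanged when that argument is rooted, so the delete that follows depends on `post.File.FilePath` never being client-influenced; whether it is server-generated is not visible here. If it is, a one-line comment at that call, `// FilePath is a server-generated relative path, never taken from the request`, documents the assumption the cleanup relies on; if it is not, resolve the full path and check it stays under ContentRootPath before touching the file. The enclosing action starts and ends outside this hunk.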
@@ -383,6 +380,8 @@ public class PostController(
     [HttpPatch("{id:int}")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task> Update(int id, EditPostDto dto)
     {
@@ -393,11 +392,7 @@ public class PostController(
         var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
 
         // If neither the admin nor the resource owner
-        if (!isAdmin && userId != post.Author.Id)
-        {
-            Forbid();
-        }
-
+        if (!isAdmin && userId != post.Author.Id) return Forbid();
 
         if (!string.IsNullOrEmpty(dto.Title))
             post.Title = dto.Title;
@@ -424,12 +419,22 @@ public class PostController(
 
         return Ok(PostDto.FromPost(updated, fileUrl));
     }
-
+    ///
+    /// Create a comment under the specified post.
+    ///
+    /// Post ID
+    /// Comment data
+    /// New comment data
+    /// If request is malformed
+    /// If authentication is missing
+    /// If authorization is missing
+    /// If post is not found
     [HttpPost("{postId:int}/comments")]
-    [Authorize]
+    [Authorize(Roles = UserRoles.Regular)]
     [ProducesResponseType(StatusCodes.Status201Created)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
-    [ProducesResponseType(StatusCodes.Status409Conflict)]
     public async Task> CreateComment(int postId, CreateCommentDto dto)
     {
         var userId = HttpContext.User.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value;
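Review bot: `[Authorize(Roles = UserRoles.Regular)]` on CreateComment in the `@@ -424` hunk, and the same attribute added to DeleteComment (`@@ -476`) and the comment Update (`@@ -494`), rejects any principal without the Regular role before the action body runs, yet DeleteComment and Update still compute `HttpContext.User.IsInRole(UserRoles.Admin)` so that admins may bypass the ownership check. Unless admin accounts also hold the Regular role (not visible here), that admin branch is now unreachable and admins receive 403 from the attribute. If admins are meant to keep moderating comments, `[Authorize(Roles = UserRoles.Regular + "," + UserRoles.Admin)]` (Roles accepts a comma-separated list) keeps the attribute-level gate consistent with the in-body override; either way a short comment on the attribute naming which roles are expected would make the intent checkable. CreateComment's body continues past the end of this hunk.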
@@ -439,11 +444,18 @@ public class PostController(
 
         var post = await postService.GetById(postId);
         if (post == null) return NotFound();
-
         var created = await commentService.Create(dto.Text, user, post);
         return CreatedAtAction(nameof(GetComment), new {postId = postId, commentId = created.Id}, CommentDto.FromComment(created));
     }
 
+    ///
+    /// Get specific post comment.
+    ///
+    /// Post ID
+    /// Comment ID
+    /// Comment data
+    /// If request is malformed
+    /// If post or comment is not found
     [HttpGet("{postId:int}/comments/{commentId:int}")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
@@ -459,6 +471,14 @@ public class PostController(
         return Ok(CommentDto.FromComment(comment));
     }
 
+    ///
+    /// Get paginated list of specific post comments.
+    ///
+    /// Post ID
+    /// Page number
+    /// Paginated list of comments
+    /// If request is malformed
+    /// If post is not found
     [HttpGet("{postId:int}/comments")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
@@ -476,11 +496,22 @@ public class PostController(
 
         return Ok(new PagedList(newItems, list.CurrentPage, list.PageSize, list.TotalCount));
     }
-
-    [Authorize]
+    ///
+    /// Delete a specific comment under a specific post.
+    ///
+    /// Post ID
+    /// Comment ID
+    /// If comment was deleted successfully
+    /// If request is malformed
+    /// If authentication is missing
+    /// If authorization is missing
+    /// If post or comment is not found
+    [Authorize(Roles = UserRoles.Regular)]
     [HttpDelete("{postId:int}/comments/{commentId:int}")]
     [ProducesResponseType(StatusCodes.Status204NoContent)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task DeleteComment(int postId, int commentId)
     {
@@ -494,19 +525,30 @@ public class PostController(
         var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
 
         // If neither the admin nor the resource owner
-        if (!isAdmin && userId != comment.Author.Id)
-        {
-            Forbid();
-        }
+        if (!isAdmin && userId != comment.Author.Id) return Forbid();
+
         var deleted = await commentService.Delete(comment);
         if (!deleted) return NotFound();
         return NoContent();
     }
 
-    [Authorize]
+    ///
+    /// Update a specific comment under a specific post.
+    ///
+    /// Post ID
+    /// Comment ID
+    /// Comment data
+    /// New comment data
+    /// If request is malformed
+    /// If authentication is missing
+    /// If authorization is missing
+    /// If post or comment is not found
+    [Authorize(Roles = UserRoles.Regular)]
     [HttpPatch("{postId:int}/comments/{commentId:int}")]
     [ProducesResponseType(StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task> Update(int postId, int commentId, EditCommentDto dto)
     {
@@ -520,10 +562,7 @@ public class PostController(
         var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
 
         // If neither the admin nor the resource owner
-        if (!isAdmin && userId != comment.Author.Id)
-        {
-            Forbid();
-        }
+        if (!isAdmin && userId != comment.Author.Id) return Forbid();
 
         comment.Text = dto.Text;