Fix missing return in authorization
This commit is contained in:
@@ -183,7 +183,7 @@ public class PostController(
|
||||
|
||||
// If not the resource owner
|
||||
var userId = HttpContext.User.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value;
|
||||
if (userId != post.Author.Id) Forbid();
|
||||
if (userId != post.Author.Id) return Forbid();
|
||||
|
||||
if (fileRecord.FinishedDate != null)
|
||||
return Problem(statusCode: StatusCodes.Status400BadRequest,
|
||||
@@ -354,10 +354,7 @@ public class PostController(
|
||||
var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
|
||||
|
||||
// If neither the admin nor the resource owner
|
||||
if (!isAdmin && userId != post.Author.Id)
|
||||
{
|
||||
Forbid();
|
||||
}
|
||||
if (!isAdmin && userId != post.Author.Id) return Forbid();
|
||||
|
||||
// Clean up the file record first
|
||||
var fullPath = Path.Combine(env.ContentRootPath, post.File.FilePath);
|
||||
@@ -383,6 +380,8 @@ public class PostController(
|
||||
[HttpPatch("{id:int}")]
|
||||
[ProducesResponseType(StatusCodes.Status200OK)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
||||
[ProducesResponseType(StatusCodes.Status403Forbidden)]
|
||||
[ProducesResponseType(StatusCodes.Status404NotFound)]
|
||||
public async Task<ActionResult<PostDto>> Update(int id, EditPostDto dto)
|
||||
{
|
||||
@@ -393,11 +392,7 @@ public class PostController(
|
||||
var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
|
||||
|
||||
// If neither the admin nor the resource owner
|
||||
if (!isAdmin && userId != post.Author.Id)
|
||||
{
|
||||
Forbid();
|
||||
}
|
||||
|
||||
if (!isAdmin && userId != post.Author.Id) return Forbid();
|
||||
|
||||
if (!string.IsNullOrEmpty(dto.Title))
|
||||
post.Title = dto.Title;
|
||||
@@ -424,12 +419,22 @@ public class PostController(
|
||||
return Ok(PostDto.FromPost(updated, fileUrl));
|
||||
}
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Create a comment under the specified post.
|
||||
/// </summary>
|
||||
/// <param name="postId">Post ID</param>
|
||||
/// <param name="dto">Comment data</param>
|
||||
/// <response code="201">New comment data</response>
|
||||
/// <response code="400">If request is malformed</response>
|
||||
/// <response code="401">If authentication is missing</response>
|
||||
/// <response code="403">If authorization is missing</response>
|
||||
/// <response code="404">If post is not found</response>
|
||||
[HttpPost("{postId:int}/comments")]
|
||||
[Authorize]
|
||||
[Authorize(Roles = UserRoles.Regular)]
|
||||
[ProducesResponseType(StatusCodes.Status201Created)]
|
||||
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
||||
[ProducesResponseType(StatusCodes.Status403Forbidden)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
[ProducesResponseType(StatusCodes.Status409Conflict)]
|
||||
public async Task<ActionResult<PostDto>> CreateComment(int postId, CreateCommentDto dto)
|
||||
{
|
||||
var userId = HttpContext.User.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value;
|
||||
@@ -439,11 +444,18 @@ public class PostController(
|
||||
var post = await postService.GetById(postId);
|
||||
if (post == null) return NotFound();
|
||||
|
||||
|
||||
var created = await commentService.Create(dto.Text, user, post);
|
||||
return CreatedAtAction(nameof(GetComment), new {postId = postId, commentId = created.Id}, CommentDto.FromComment(created));
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get specific post comment.
|
||||
/// </summary>
|
||||
/// <param name="postId">Post ID</param>
|
||||
/// <param name="commentId">Comment ID</param>
|
||||
/// <response code="200">Comment data</response>
|
||||
/// <response code="400">If request is malformed</response>
|
||||
/// <response code="404">If post or comment is not found</response>
|
||||
[HttpGet("{postId:int}/comments/{commentId:int}")]
|
||||
[ProducesResponseType(StatusCodes.Status200OK)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
@@ -459,6 +471,14 @@ public class PostController(
|
||||
return Ok(CommentDto.FromComment(comment));
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Get paginated list of specific post comments.
|
||||
/// </summary>
|
||||
/// <param name="postId">Post ID</param>
|
||||
/// <param name="pageNumber">Page number</param>
|
||||
/// <response code="200">Paginated list of comments</response>
|
||||
/// <response code="400">If request is malformed</response>
|
||||
/// <response code="404">If post is not found</response>
|
||||
[HttpGet("{postId:int}/comments")]
|
||||
[ProducesResponseType(StatusCodes.Status200OK)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
@@ -476,11 +496,22 @@ public class PostController(
|
||||
return Ok(new PagedList<CommentDto>(newItems, list.CurrentPage, list.PageSize, list.TotalCount));
|
||||
}
|
||||
|
||||
|
||||
[Authorize]
|
||||
/// <summary>
|
||||
/// Delete a specific comment under a specific post.
|
||||
/// </summary>
|
||||
/// <param name="postId">Post ID</param>
|
||||
/// <param name="commentId">Comment ID</param>
|
||||
/// <response code="204">If comment was deleted successfully</response>
|
||||
/// <response code="400">If request is malformed</response>
|
||||
/// <response code="401">If authentication is missing</response>
|
||||
/// <response code="403">If authorization is missing</response>
|
||||
/// <response code="404">If post or comment is not found</response>
|
||||
[Authorize(Roles = UserRoles.Regular)]
|
||||
[HttpDelete("{postId:int}/comments/{commentId:int}")]
|
||||
[ProducesResponseType(StatusCodes.Status204NoContent)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
||||
[ProducesResponseType(StatusCodes.Status403Forbidden)]
|
||||
[ProducesResponseType(StatusCodes.Status404NotFound)]
|
||||
public async Task<ActionResult> DeleteComment(int postId, int commentId)
|
||||
{
|
||||
@@ -494,19 +525,30 @@ public class PostController(
|
||||
var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
|
||||
|
||||
// If neither the admin nor the resource owner
|
||||
if (!isAdmin && userId != comment.Author.Id)
|
||||
{
|
||||
Forbid();
|
||||
}
|
||||
if (!isAdmin && userId != comment.Author.Id) return Forbid();
|
||||
|
||||
var deleted = await commentService.Delete(comment);
|
||||
if (!deleted) return NotFound();
|
||||
return NoContent();
|
||||
}
|
||||
|
||||
[Authorize]
|
||||
/// <summary>
|
||||
/// Update a specific comment under a specific post.
|
||||
/// </summary>
|
||||
/// <param name="postId">Post ID</param>
|
||||
/// <param name="commentId">Comment ID</param>
|
||||
/// <param name="dto">Comment data</param>
|
||||
/// <response code="200">New comment data</response>
|
||||
/// <response code="400">If request is malformed</response>
|
||||
/// <response code="401">If authentication is missing</response>
|
||||
/// <response code="403">If authorization is missing</response>
|
||||
/// <response code="404">If post or comment is not found</response>
|
||||
[Authorize(Roles = UserRoles.Regular)]
|
||||
[HttpPatch("{postId:int}/comments/{commentId:int}")]
|
||||
[ProducesResponseType(StatusCodes.Status200OK)]
|
||||
[ProducesResponseType(StatusCodes.Status400BadRequest)]
|
||||
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
|
||||
[ProducesResponseType(StatusCodes.Status403Forbidden)]
|
||||
[ProducesResponseType(StatusCodes.Status404NotFound)]
|
||||
public async Task<ActionResult<CommentDto>> Update(int postId, int commentId, EditCommentDto dto)
|
||||
{
|
||||
@@ -520,10 +562,7 @@ public class PostController(
|
||||
var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);
|
||||
|
||||
// If neither the admin nor the resource owner
|
||||
if (!isAdmin && userId != comment.Author.Id)
|
||||
{
|
||||
Forbid();
|
||||
}
|
||||
if (!isAdmin && userId != comment.Author.Id) return Forbid();
|
||||
|
||||
comment.Text = dto.Text;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user