Fix missing return in authorization

2025-10-06 17:09:43 +03:00
parent 0a4bd23d30
commit 1e16cf892d
2 changed files with 65 additions and 26 deletions
--- a/Bruno/Seed/Create
+++ b/Bruno/Seed/Create
@@ -1,7 +1,7 @@
 meta {
  name: Login as admin
  type: http
-  seq: 5
+  seq: 3
 }

 post {
--- a/T120B165-ImgBoard/Controllers/PostController.cs
+++ b/T120B165-ImgBoard/Controllers/PostController.cs
@@ -183,7 +183,7 @@ public class PostController(
        
        // If not the resource owner
        var userId = HttpContext.User.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value;
-        if (userId != post.Author.Id) Forbid();
+        if (userId != post.Author.Id) return Forbid();

        if (fileRecord.FinishedDate != null)
            return Problem(statusCode: StatusCodes.Status400BadRequest,
@@ -354,10 +354,7 @@ public class PostController(
        var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);

        // If neither the admin nor the resource owner
-        if (!isAdmin && userId != post.Author.Id)
-        {
-            Forbid();
-        }
+        if (!isAdmin && userId != post.Author.Id) return Forbid();

        // Clean up the file record first
        var fullPath = Path.Combine(env.ContentRootPath, post.File.FilePath);
@@ -383,6 +380,8 @@ public class PostController(
    [HttpPatch("{id:int}")]
    [ProducesResponseType(StatusCodes.Status200OK)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
    [ProducesResponseType(StatusCodes.Status404NotFound)]
    public async Task<ActionResult<PostDto>> Update(int id, EditPostDto dto)
    {
@@ -393,11 +392,7 @@ public class PostController(
        var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);

        // If neither the admin nor the resource owner
-        if (!isAdmin && userId != post.Author.Id)
-        {
-            Forbid();
-        }
-        
+        if (!isAdmin && userId != post.Author.Id) return Forbid();
        
        if (!string.IsNullOrEmpty(dto.Title))
            post.Title = dto.Title;
@@ -424,12 +419,22 @@ public class PostController(
        return Ok(PostDto.FromPost(updated, fileUrl));
    }

-    
+    /// <summary>
+    /// Create a comment under the specified post.
+    /// </summary>
+    /// <param name="postId">Post ID</param>
+    /// <param name="dto">Comment data</param>
+    /// <response code="201">New comment data</response>
+    /// <response code="400">If request is malformed</response>
+    /// <response code="401">If authentication is missing</response>
+    /// <response code="403">If authorization is missing</response>
+    /// <response code="404">If post is not found</response>
    [HttpPost("{postId:int}/comments")]
-    [Authorize]
+    [Authorize(Roles = UserRoles.Regular)]
    [ProducesResponseType(StatusCodes.Status201Created)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
-    [ProducesResponseType(StatusCodes.Status409Conflict)]
    public async Task<ActionResult<PostDto>> CreateComment(int postId, CreateCommentDto dto)
    {
        var userId = HttpContext.User.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value;
@@ -439,11 +444,18 @@ public class PostController(
        var post = await postService.GetById(postId);
        if (post == null) return NotFound();

-
        var created = await commentService.Create(dto.Text, user, post);
        return CreatedAtAction(nameof(GetComment), new {postId = postId, commentId = created.Id}, CommentDto.FromComment(created));
    }
    
+    /// <summary>
+    /// Get specific post comment.
+    /// </summary>
+    /// <param name="postId">Post ID</param>
+    /// <param name="commentId">Comment ID</param>
+    /// <response code="200">Comment data</response>
+    /// <response code="400">If request is malformed</response>
+    /// <response code="404">If post or comment is not found</response>
    [HttpGet("{postId:int}/comments/{commentId:int}")]
    [ProducesResponseType(StatusCodes.Status200OK)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
@@ -459,6 +471,14 @@ public class PostController(
        return Ok(CommentDto.FromComment(comment));
    }
    
+    /// <summary>
+    /// Get paginated list of specific post comments.
+    /// </summary>
+    /// <param name="postId">Post ID</param>
+    /// <param name="pageNumber">Page number</param>
+    /// <response code="200">Paginated list of comments</response>
+    /// <response code="400">If request is malformed</response>
+    /// <response code="404">If post is not found</response>
    [HttpGet("{postId:int}/comments")]
    [ProducesResponseType(StatusCodes.Status200OK)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
@@ -476,11 +496,22 @@ public class PostController(
        return Ok(new PagedList<CommentDto>(newItems, list.CurrentPage, list.PageSize, list.TotalCount));
    }
    
-    
-    [Authorize]
+    /// <summary>
+    /// Delete a specific comment under a specific post.
+    /// </summary>
+    /// <param name="postId">Post ID</param>
+    /// <param name="commentId">Comment ID</param>
+    /// <response code="204">If comment was deleted successfully</response>
+    /// <response code="400">If request is malformed</response>
+    /// <response code="401">If authentication is missing</response>
+    /// <response code="403">If authorization is missing</response>
+    /// <response code="404">If post or comment is not found</response>
+    [Authorize(Roles = UserRoles.Regular)]
    [HttpDelete("{postId:int}/comments/{commentId:int}")]
    [ProducesResponseType(StatusCodes.Status204NoContent)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
    [ProducesResponseType(StatusCodes.Status404NotFound)]
    public async Task<ActionResult> DeleteComment(int postId, int commentId)
    {
@@ -494,19 +525,30 @@ public class PostController(
        var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);

        // If neither the admin nor the resource owner
-        if (!isAdmin && userId != comment.Author.Id)
-        {
-            Forbid();
-        }
+        if (!isAdmin && userId != comment.Author.Id) return Forbid();
+        
        var deleted = await commentService.Delete(comment);
        if (!deleted) return NotFound();
        return NoContent();
    }

-    [Authorize]
+    /// <summary>
+    /// Update a specific comment under a specific post.
+    /// </summary>
+    /// <param name="postId">Post ID</param>
+    /// <param name="commentId">Comment ID</param>
+    /// <param name="dto">Comment data</param>
+    /// <response code="200">New comment data</response>
+    /// <response code="400">If request is malformed</response>
+    /// <response code="401">If authentication is missing</response>
+    /// <response code="403">If authorization is missing</response>
+    /// <response code="404">If post or comment is not found</response>
+    [Authorize(Roles = UserRoles.Regular)]
    [HttpPatch("{postId:int}/comments/{commentId:int}")]
    [ProducesResponseType(StatusCodes.Status200OK)]
    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
    [ProducesResponseType(StatusCodes.Status404NotFound)]
    public async Task<ActionResult<CommentDto>> Update(int postId, int commentId, EditCommentDto dto)
    {
@@ -520,10 +562,7 @@ public class PostController(
        var isAdmin = HttpContext.User.IsInRole(UserRoles.Admin);

        // If neither the admin nor the resource owner
-        if (!isAdmin && userId != comment.Author.Id)
-        {
-            Forbid();
-        }
+        if (!isAdmin && userId != comment.Author.Id) return Forbid();

        comment.Text = dto.Text;