fix: AdminController roles hardened (owner+admin) + SettingsView visibility
- [Authorize(Roles = "owner,admin")] statt nur owner – admin darf jetzt ebenfalls User verwalten - CreateUser erlaubt nur Rollen admin|user|viewer; owner ist blockiert - UpdateUserRole erlaubt nur admin|user|viewer; owner kann weder gesetzt noch überschrieben werden; admin darf andere admins nicht ändern und sich nicht selbst herabstufen - SettingsView: canManageUsers = role owner || admin statt nur owner - UI-Dropdown zeigt nur admin|user|viewer (owner als Kommentar notiert)
This commit is contained in:
@@ -1,6 +1,5 @@
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
using Nexus.Api.Data;
|
||||
using Nexus.Api.DTOs;
|
||||
using Nexus.Api.Repositories;
|
||||
@@ -8,15 +7,26 @@ using Nexus.Api.Services;
|
||||
|
||||
namespace Nexus.Api.Controllers;
|
||||
|
||||
/// <summary>
|
||||
/// Admin/User-Management – erreichbar für owner und admin-Rollen.
|
||||
///
|
||||
/// Sicherheitsregeln:
|
||||
/// - Nur owner und admin dürfen User verwalten.
|
||||
/// - Die Rolle "owner" kann weder vergeben noch überschrieben werden – sie ist
|
||||
/// eine Sonderrolle, die nur bei der initialen Seed-Erstellung gesetzt wird.
|
||||
/// - Über die API sind nur die Rollen "admin", "user" und "viewer" wählbar.
|
||||
/// </summary>
|
||||
[ApiController]
|
||||
[Route("api/v1/admin")]
|
||||
[Authorize(Roles = "owner")]
|
||||
[Authorize(Roles = "owner,admin")]
|
||||
public class AdminController(
|
||||
IUserRepository userRepository,
|
||||
ILogger<AdminController> logger) : ControllerBase
|
||||
{
|
||||
private static readonly string[] SettableRoles = ["admin", "user", "viewer"];
|
||||
|
||||
/// <summary>
|
||||
/// List all registered users.
|
||||
/// Alle registrierten User auflisten.
|
||||
/// </summary>
|
||||
[HttpGet("users")]
|
||||
public async Task<IResult> GetUsers(CancellationToken ct)
|
||||
@@ -35,8 +45,8 @@ public class AdminController(
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Create a new user account (admin only).
|
||||
/// Email muss eindeutig sein, Passwort mindestens 10 Zeichen.
|
||||
/// Neuen User anlegen.
|
||||
/// Die Rolle "owner" kann NICHT gesetzt werden.
|
||||
/// </summary>
|
||||
[HttpPost("users")]
|
||||
public async Task<IResult> CreateUser([FromBody] AdminCreateUserRequest request, CancellationToken ct)
|
||||
@@ -53,6 +63,14 @@ public class AdminController(
|
||||
["password"] = ["Password must be at least 10 characters."]
|
||||
});
|
||||
|
||||
// Role validieren – owner ist nicht über API setzbar
|
||||
var targetRole = string.IsNullOrWhiteSpace(request.Role) ? "user" : request.Role.Trim().ToLowerInvariant();
|
||||
if (!SettableRoles.Contains(targetRole))
|
||||
return Results.ValidationProblem(new Dictionary<string, string[]>
|
||||
{
|
||||
["role"] = [$"Invalid role. Valid roles: {string.Join(", ", SettableRoles)}."]
|
||||
});
|
||||
|
||||
var normalizedEmail = AuthService.NormalizeEmail(request.Email);
|
||||
var existing = await userRepository.GetByEmailAsync(normalizedEmail, ct);
|
||||
if (existing is not null)
|
||||
@@ -66,11 +84,11 @@ public class AdminController(
|
||||
? request.Email.Split('@')[0]
|
||||
: request.DisplayName.Trim(),
|
||||
PasswordHash = PasswordSecurity.Hash(request.Password),
|
||||
Role = string.IsNullOrWhiteSpace(request.Role) ? "user" : request.Role.Trim().ToLowerInvariant(),
|
||||
Role = targetRole,
|
||||
};
|
||||
|
||||
await userRepository.AddAsync(user, ct);
|
||||
logger.LogInformation("Admin created user {Email} with role {Role}", user.Email, user.Role);
|
||||
logger.LogInformation("User {Role} created user {Email} with role {Role}", UserRole(), user.Email, user.Role);
|
||||
|
||||
return Results.Created($"/api/v1/admin/users/{user.Id}", new AdminUserInfo
|
||||
{
|
||||
@@ -83,7 +101,7 @@ public class AdminController(
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Delete a user account (admin only, cannot delete owner).
|
||||
/// User löschen. Eigene owner-User und der eigene Account sind geschützt.
|
||||
/// </summary>
|
||||
[HttpDelete("users/{id:guid}")]
|
||||
public async Task<IResult> DeleteUser(Guid id, CancellationToken ct)
|
||||
@@ -93,15 +111,18 @@ public class AdminController(
|
||||
return Results.NotFound(new { error = "User not found." });
|
||||
|
||||
if (string.Equals(user.Role, "owner", StringComparison.OrdinalIgnoreCase))
|
||||
return Results.Forbid();
|
||||
return Results.Problem("Owner accounts cannot be deleted via API.", statusCode: 403);
|
||||
|
||||
if (user.Id.ToString() == CurrentUserId())
|
||||
return Results.Problem("You cannot delete your own account.", statusCode: 403);
|
||||
|
||||
await userRepository.DeleteAsync(user, ct);
|
||||
logger.LogInformation("Admin deleted user {Email}", user.Email);
|
||||
logger.LogInformation("User {Role} deleted user {Email}", UserRole(), user.Email);
|
||||
return Results.NoContent();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Update a user's role (admin only, cannot change owner role).
|
||||
/// Rolle eines Users ändern. "owner" kann weder gesetzt noch überschrieben werden.
|
||||
/// </summary>
|
||||
[HttpPatch("users/{id:guid}/role")]
|
||||
public async Task<IResult> UpdateUserRole(Guid id, [FromBody] AdminUpdateRoleRequest request, CancellationToken ct)
|
||||
@@ -112,24 +133,35 @@ public class AdminController(
|
||||
["role"] = ["Role is required."]
|
||||
});
|
||||
|
||||
var validRoles = new[] { "owner", "admin", "user", "viewer" };
|
||||
if (!validRoles.Contains(request.Role.ToLowerInvariant()))
|
||||
var newRole = request.Role.Trim().ToLowerInvariant();
|
||||
if (!SettableRoles.Contains(newRole))
|
||||
return Results.ValidationProblem(new Dictionary<string, string[]>
|
||||
{
|
||||
["role"] = ["Invalid role. Valid roles: owner, admin, user, viewer."]
|
||||
["role"] = [$"Invalid role. Valid: {string.Join(", ", SettableRoles)}. Owner is reserved."]
|
||||
});
|
||||
|
||||
var user = await userRepository.GetByIdAsync(id, ct);
|
||||
if (user is null)
|
||||
return Results.NotFound(new { error = "User not found." });
|
||||
|
||||
// Niemals owner überschreiben
|
||||
if (string.Equals(user.Role, "owner", StringComparison.OrdinalIgnoreCase))
|
||||
return Results.Forbid();
|
||||
return Results.Problem("Owner role cannot be modified via API.", statusCode: 403);
|
||||
|
||||
user.Role = request.Role.Trim().ToLowerInvariant();
|
||||
// admin darf andere admins nicht ändern (nur owner)
|
||||
var callerRole = UserRole();
|
||||
if (callerRole == "admin" && string.Equals(user.Role, "admin", StringComparison.OrdinalIgnoreCase))
|
||||
return Results.Problem("Admin users can only be managed by the owner.", statusCode: 403);
|
||||
|
||||
// admin darf sich nicht selbst herabstufen
|
||||
if (callerRole == "admin" && user.Id.ToString() == CurrentUserId() && newRole != "admin")
|
||||
return Results.Problem("You cannot demote yourself.", statusCode: 403);
|
||||
|
||||
user.Role = newRole;
|
||||
user.UpdatedAt = DateTimeOffset.UtcNow;
|
||||
await userRepository.UpdateAsync(user, ct);
|
||||
logger.LogInformation("Admin updated role for {Email} to {Role}", user.Email, user.Role);
|
||||
logger.LogInformation("User {Role} changed role for {Email} from {OldRole} to {NewRole}",
|
||||
callerRole, user.Email, user.Role, newRole);
|
||||
|
||||
return Results.Ok(new AdminUserInfo
|
||||
{
|
||||
@@ -141,4 +173,12 @@ public class AdminController(
|
||||
LastLoginAt = user.LastLoginAt,
|
||||
});
|
||||
}
|
||||
|
||||
/// <summary>Liefert die Rolle des aufrufenden Users.</summary>
|
||||
private string UserRole()
|
||||
=> User.FindFirst(System.Security.Claims.ClaimTypes.Role)?.Value?.ToLowerInvariant() ?? "unknown";
|
||||
|
||||
/// <summary>Liefert die Subject-ID des aufrufenden Users.</summary>
|
||||
private string? CurrentUserId()
|
||||
=> User.FindFirst(System.IdentityModel.Tokens.Jwt.JwtRegisteredClaimNames.Sub)?.Value;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user