bao/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
adae7ba26d8b06a1c665bb5d0072531984f0a733
nexus/backend/Controllers/AdminController.cs
T
devops 1df663f57c
CI - Build & Test / Backend (.NET) (push) Successful in 31s
Details
CI - Build & Test / Frontend (Vue/TS) (push) Successful in 19s
Details
CI - Build & Test / Security Check (push) Successful in 5s
Details
fix: AdminController roles hardened (owner+admin) + SettingsView visibility 
- [Authorize(Roles = "owner,admin")] statt nur owner – admin darf jetzt
  ebenfalls User verwalten
- CreateUser erlaubt nur Rollen admin|user|viewer; owner ist blockiert
- UpdateUserRole erlaubt nur admin|user|viewer; owner kann weder gesetzt
  noch überschrieben werden; admin darf andere admins nicht ändern
  und sich nicht selbst herabstufen
- SettingsView: canManageUsers = role owner || admin statt nur owner
- UI-Dropdown zeigt nur admin|user|viewer (owner als Kommentar notiert)
2026-06-20 14:27:24 +02:00

185 lines
7.3 KiB
C#
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Nexus.Api.Data;
using Nexus.Api.DTOs;
using Nexus.Api.Repositories;
using Nexus.Api.Services;
namespace Nexus.Api.Controllers;
/// <summary>
/// Admin/User-Management erreichbar für owner und admin-Rollen.
///
/// Sicherheitsregeln:
/// - Nur owner und admin dürfen User verwalten.
/// - Die Rolle "owner" kann weder vergeben noch überschrieben werden sie ist
/// eine Sonderrolle, die nur bei der initialen Seed-Erstellung gesetzt wird.
/// - Über die API sind nur die Rollen "admin", "user" und "viewer" wählbar.
/// </summary>
[ApiController]
[Route("api/v1/admin")]
[Authorize(Roles = "owner,admin")]
public class AdminController(
IUserRepository userRepository,
ILogger<AdminController> logger) : ControllerBase
{
private static readonly string[] SettableRoles = ["admin", "user", "viewer"];
/// <summary>
/// Alle registrierten User auflisten.
/// </summary>
[HttpGet("users")]
public async Task<IResult> GetUsers(CancellationToken ct)
{
var users = await userRepository.GetAllAsync(ct);
var result = users.Select(u => new AdminUserInfo
{
Id = u.Id,
Email = u.Email,
DisplayName = u.DisplayName,
Role = u.Role,
CreatedAt = u.CreatedAt,
LastLoginAt = u.LastLoginAt,
}).ToList();
return Results.Ok(result);
}
/// <summary>
/// Neuen User anlegen.
/// Die Rolle "owner" kann NICHT gesetzt werden.
/// </summary>
[HttpPost("users")]
public async Task<IResult> CreateUser([FromBody] AdminCreateUserRequest request, CancellationToken ct)
{
if (string.IsNullOrWhiteSpace(request.Email) || string.IsNullOrWhiteSpace(request.Password))
return Results.ValidationProblem(new Dictionary<string, string[]>
{
["request"] = ["Email and password are required."]
});
if (request.Password.Length < 10)
return Results.ValidationProblem(new Dictionary<string, string[]>
{
["password"] = ["Password must be at least 10 characters."]
});
// Role validieren owner ist nicht über API setzbar
var targetRole = string.IsNullOrWhiteSpace(request.Role) ? "user" : request.Role.Trim().ToLowerInvariant();
if (!SettableRoles.Contains(targetRole))
return Results.ValidationProblem(new Dictionary<string, string[]>
{
["role"] = [$"Invalid role. Valid roles: {string.Join(", ", SettableRoles)}."]
});
var normalizedEmail = AuthService.NormalizeEmail(request.Email);
var existing = await userRepository.GetByEmailAsync(normalizedEmail, ct);
if (existing is not null)
return Results.Conflict(new { error = "A user with this email already exists." });
var user = new NexusUser
{
Email = request.Email.Trim(),
NormalizedEmail = normalizedEmail,
DisplayName = string.IsNullOrWhiteSpace(request.DisplayName)
? request.Email.Split('@')[0]
: request.DisplayName.Trim(),
PasswordHash = PasswordSecurity.Hash(request.Password),
Role = targetRole,
};
await userRepository.AddAsync(user, ct);
logger.LogInformation("User {Role} created user {Email} with role {Role}", UserRole(), user.Email, user.Role);
return Results.Created($"/api/v1/admin/users/{user.Id}", new AdminUserInfo
{
Id = user.Id,
Email = user.Email,
DisplayName = user.DisplayName,
Role = user.Role,
CreatedAt = user.CreatedAt,
});
}
/// <summary>
/// User löschen. Eigene owner-User und der eigene Account sind geschützt.
/// </summary>
[HttpDelete("users/{id:guid}")]
public async Task<IResult> DeleteUser(Guid id, CancellationToken ct)
{
var user = await userRepository.GetByIdAsync(id, ct);
if (user is null)
return Results.NotFound(new { error = "User not found." });
if (string.Equals(user.Role, "owner", StringComparison.OrdinalIgnoreCase))
return Results.Problem("Owner accounts cannot be deleted via API.", statusCode: 403);
if (user.Id.ToString() == CurrentUserId())
return Results.Problem("You cannot delete your own account.", statusCode: 403);
await userRepository.DeleteAsync(user, ct);
logger.LogInformation("User {Role} deleted user {Email}", UserRole(), user.Email);
return Results.NoContent();
}
/// <summary>
/// Rolle eines Users ändern. "owner" kann weder gesetzt noch überschrieben werden.
/// </summary>
[HttpPatch("users/{id:guid}/role")]
public async Task<IResult> UpdateUserRole(Guid id, [FromBody] AdminUpdateRoleRequest request, CancellationToken ct)
{
if (string.IsNullOrWhiteSpace(request.Role))
return Results.ValidationProblem(new Dictionary<string, string[]>
{
["role"] = ["Role is required."]
});
var newRole = request.Role.Trim().ToLowerInvariant();
if (!SettableRoles.Contains(newRole))
return Results.ValidationProblem(new Dictionary<string, string[]>
{
["role"] = [$"Invalid role. Valid: {string.Join(", ", SettableRoles)}. Owner is reserved."]
});
var user = await userRepository.GetByIdAsync(id, ct);
if (user is null)
return Results.NotFound(new { error = "User not found." });
// Niemals owner überschreiben
if (string.Equals(user.Role, "owner", StringComparison.OrdinalIgnoreCase))
return Results.Problem("Owner role cannot be modified via API.", statusCode: 403);
// admin darf andere admins nicht ändern (nur owner)
var callerRole = UserRole();
if (callerRole == "admin" && string.Equals(user.Role, "admin", StringComparison.OrdinalIgnoreCase))
return Results.Problem("Admin users can only be managed by the owner.", statusCode: 403);
// admin darf sich nicht selbst herabstufen
if (callerRole == "admin" && user.Id.ToString() == CurrentUserId() && newRole != "admin")
return Results.Problem("You cannot demote yourself.", statusCode: 403);
user.Role = newRole;
user.UpdatedAt = DateTimeOffset.UtcNow;
await userRepository.UpdateAsync(user, ct);
logger.LogInformation("User {Role} changed role for {Email} from {OldRole} to {NewRole}",
callerRole, user.Email, user.Role, newRole);
return Results.Ok(new AdminUserInfo
{
Id = user.Id,
Email = user.Email,
DisplayName = user.DisplayName,
Role = user.Role,
CreatedAt = user.CreatedAt,
LastLoginAt = user.LastLoginAt,
});
}
/// <summary>Liefert die Rolle des aufrufenden Users.</summary>
private string UserRole()
=> User.FindFirst(System.Security.Claims.ClaimTypes.Role)?.Value?.ToLowerInvariant() ?? "unknown";
/// <summary>Liefert die Subject-ID des aufrufenden Users.</summary>
private string? CurrentUserId()
=> User.FindFirst(System.IdentityModel.Tokens.Jwt.JwtRegisteredClaimNames.Sub)?.Value;
}
Reference in New Issue View Git Blame Copy Permalink