Fixed #656 and more work on #218

2025-07-11 15:56:05 -07:00 · 2016-11-07 14:29:13 +00:00 · 2016-11-07 14:29:13 +00:00 · e46c43610f
commit e46c43610f
parent e39512905a
11 changed files with 159 additions and 100 deletions
--- a/PlexRequests.Helpers/Permissions/Permissions.cs
+++ b/PlexRequests.Helpers/Permissions/Permissions.cs
@ -46,6 +46,9 @@ namespace PlexRequests.Helpers.Permissions
        RequestMusic = 8,
        [Display(Name = "Report Issue")]
-        ReportIssue = 16
+        ReportIssue = 16,
        [Display(Name = "Read Only User")]
        ReadOnlyUser = 32,
    }
 }
--- a/PlexRequests.Helpers/PlexRequests.Helpers.csproj
+++ b/PlexRequests.Helpers/PlexRequests.Helpers.csproj
@ -39,6 +39,10 @@
      <HintPath>..\packages\Newtonsoft.Json.9.0.1\lib\net45\Newtonsoft.Json.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="Ninject, Version=3.2.0.0, Culture=neutral, PublicKeyToken=c7192dc5380945e7, processorArchitecture=MSIL">
      <HintPath>..\packages\Ninject.3.2.0.0\lib\net45-full\Ninject.dll</HintPath>
      <Private>True</Private>
    </Reference>
    <Reference Include="NLog, Version=4.0.0.0, Culture=neutral, PublicKeyToken=5120e14c03d0593c, processorArchitecture=MSIL">
      <HintPath>..\packages\NLog.4.3.6\lib\net45\NLog.dll</HintPath>
      <Private>True</Private>
--- a/PlexRequests.Helpers/packages.config
+++ b/PlexRequests.Helpers/packages.config
@ -2,6 +2,7 @@
 <packages>
  <package id="Nancy" version="1.4.3" targetFramework="net45" />
  <package id="Newtonsoft.Json" version="9.0.1" targetFramework="net45" />
  <package id="Ninject" version="3.2.0.0" targetFramework="net45" />
  <package id="NLog" version="4.3.6" targetFramework="net45" />
  <package id="Owin" version="1.0" targetFramework="net45" />
 </packages>
--- a/PlexRequests.Store/Repository/UserRepository.cs
+++ b/PlexRequests.Store/Repository/UserRepository.cs
@ -49,21 +49,21 @@ namespace PlexRequests.Store.Repository
        public UsersModel GetUser(string userGuid)
        {
-            var sql = @"SELECT * FROM UsersModel
+            var sql = @"SELECT * FROM Users
            WHERE Userguid = @UserGuid";
            return Db.QueryFirstOrDefault<UsersModel>(sql, new {UserGuid = userGuid});
        }
        public UsersModel GetUserByUsername(string username)
        {
-            var sql = @"SELECT * FROM UsersModel
+            var sql = @"SELECT * FROM Users
            WHERE UserName = @UserName";
            return Db.QueryFirstOrDefault<UsersModel>(sql, new {UserName = username});
        }
        public async Task<UsersModel> GetUserAsync(string userguid)
        {
-            var sql = @"SELECT * FROM UsersModel
+            var sql = @"SELECT * FROM Users
            WHERE UserGuid = @UserGuid";
            return await Db.QueryFirstOrDefaultAsync<UsersModel>(sql, new {UserGuid = userguid});
        }
--- a/PlexRequests.UI/Helpers/HtmlSecurityHelper.cs
+++ b/PlexRequests.UI/Helpers/HtmlSecurityHelper.cs
@ -27,23 +27,36 @@
 using Nancy.Security;
 using Nancy.ViewEngines.Razor;
 using Ninject;
 using PlexRequests.Helpers.Permissions;
 using PlexRequests.Store.Repository;
 namespace PlexRequests.UI.Helpers
 {
    public static class HtmlSecurityHelper
    {
-        public static bool HasAnyPermission(this HtmlHelpers helper, params string[] claims)
+        private static SecurityExtensions Security
        {
-            if (!helper.CurrentUser.IsAuthenticated())
+
            get
            {
-                return false;
+                var userRepo = ServiceLocator.Instance.Resolve<IUserRepository>();
                return _security ?? (_security = new SecurityExtensions(userRepo, null));
            }
            return helper.CurrentUser.HasAnyClaim(claims);
        }
-        public static bool DoesNotHaveAnyPermission(this HtmlHelpers helper, params string[] claims)
+        private static SecurityExtensions _security;
        public static bool HasAnyPermission(this HtmlHelpers helper, int permission)
        {
-            return SecurityExtensions.DoesNotHaveClaims(claims, helper.CurrentUser);
+            return helper.CurrentUser.IsAuthenticated() 
                && Security.HasPermissions(helper.CurrentUser, (Permissions) permission);
        }
        public static bool DoesNotHavePermission(this HtmlHelpers helper, int permission)
        {
            return Security.DoesNotHavePermissions(permission, helper.CurrentUser);
        }
    }
 }
--- a/PlexRequests.UI/Helpers/SecurityExtensions.cs
+++ b/PlexRequests.UI/Helpers/SecurityExtensions.cs
@ -31,14 +31,25 @@ using System.Linq;
 using Nancy;
 using Nancy.Extensions;
 using Nancy.Security;
 using Ninject;
 using PlexRequests.Helpers.Permissions;
 using PlexRequests.Store.Repository;
 using PlexRequests.UI.Models;
 namespace PlexRequests.UI.Helpers
 {
-    public static class SecurityExtensions
+    public class SecurityExtensions
    {
        public SecurityExtensions(IUserRepository userRepository, NancyModule context)
        {
            UserRepository = userRepository;
            Module = context;
        }
-        public static bool IsLoggedIn(this NancyContext context)
+        private IUserRepository UserRepository { get; }
        private NancyModule Module { get; }
        public bool IsLoggedIn(NancyContext context)
        {
            var userName = context.Request.Session[SessionKeys.UsernameKey];
            var realUser = false;
@ -52,7 +63,7 @@ namespace PlexRequests.UI.Helpers
            return realUser || plexUser;
        }
-        public static bool IsPlexUser(this NancyContext context)
+        public bool IsPlexUser(NancyContext context)
        {
            var userName = context.Request.Session[SessionKeys.UsernameKey];
            var plexUser = userName != null;
@ -62,7 +73,7 @@ namespace PlexRequests.UI.Helpers
            return plexUser && !isAuth;
        }
-        public static bool IsNormalUser(this NancyContext context)
+        public bool IsNormalUser(NancyContext context)
        {
            var userName = context.Request.Session[SessionKeys.UsernameKey];
            var plexUser = userName != null;
@ -72,63 +83,72 @@ namespace PlexRequests.UI.Helpers
            return isAuth && !plexUser;
        }
        /// <summary>
        /// This module requires authentication and NO certain claims to be present.
        /// </summary>
        /// <param name="module">Module to enable</param>
        /// <param name="requiredClaims">Claim(s) required</param>
        public static void DoesNotHaveClaim(this INancyModule module, params string[] bannedClaims)
        {
            module.AddBeforeHookOrExecute(SecurityHooks.RequiresAuthentication(), "Requires Authentication");
            module.AddBeforeHookOrExecute(DoesNotHaveClaims(bannedClaims), "Has Banned Claims");
        }
        public static bool DoesNotHaveClaimCheck(this INancyModule module, params string[] bannedClaims)
        {
            if (!module.Context?.CurrentUser?.IsAuthenticated() ?? false)
            {
                return false;
            }
            if (DoesNotHaveClaims(bannedClaims, module.Context))
            {
                return false;
            }
            return true;
        }
        public static bool DoesNotHaveClaimCheck(this NancyContext context, params string[] bannedClaims)
        {
            if (!context?.CurrentUser?.IsAuthenticated() ?? false)
            {
                return false;
            }
            if (DoesNotHaveClaims(bannedClaims, context))
            {
                return false;
            }
            return true;
        }
        /// <summary>
        /// Creates a hook to be used in a pipeline before a route handler to ensure
        /// that the request was made by an authenticated user does not have the claims.
        /// </summary>
-        /// <param name="claims">Claims the authenticated user needs to have</param>
+        /// <param name="perm">Claims the authenticated user needs to have</param>
        /// <returns>Hook that returns an Unauthorized response if the user is not
        /// authenticated or does have the claims, null otherwise</returns>
-        private static Func<NancyContext, Response> DoesNotHaveClaims(IEnumerable<string> claims)
+        private Func<NancyContext, Response> DoesNotHavePermissions(int perm)
        { 
-            return ForbiddenIfNot(ctx => !ctx.CurrentUser.HasAnyClaim(claims));
+            return ForbiddenIfNot(ctx =>
            {
                var dbUser = UserRepository.GetUserByUsername(ctx.CurrentUser.UserName);
                if (dbUser == null) return false;
                var permissions = (Permissions)dbUser.Permissions;
                var result = permissions.HasFlag((Permissions)perm);
                return !result;
            });
        }
-        public static bool DoesNotHaveClaims(IEnumerable<string> claims, NancyContext ctx)
+        public bool DoesNotHavePermissions(int perm, IUserIdentity currentUser)
        {
-            return !ctx.CurrentUser.HasAnyClaim(claims);
+            return DoesNotHavePermissions((Permissions) perm, currentUser);
        }
-        public static bool DoesNotHaveClaims(IEnumerable<string> claims, IUserIdentity identity)
+        public bool DoesNotHavePermissions(Permissions perm, IUserIdentity currentUser)
        {
-            return !identity?.HasAnyClaim(claims) ?? true;
+            var dbUser = UserRepository.GetUserByUsername(currentUser.UserName);
            if (dbUser == null) return false;
            var permissions = (Permissions)dbUser.Permissions;
            var result = permissions.HasFlag((Permissions)perm);
            return !result;
        }
        public bool HasPermissions(IUserIdentity user, Permissions perm)
        {
           if (user == null) return false;
            var dbUser = UserRepository.GetUserByUsername(user.UserName);
            if (dbUser == null) return false;
            var permissions = (Permissions)dbUser.Permissions;
            var result = permissions.HasFlag(perm);
            return result;
        }
        public void HasPermissionsResponse(Permissions perm)
        {
            Module.AddBeforeHookOrExecute(
            ForbiddenIfNot(ctx =>
            {
                if (ctx.CurrentUser == null) return false;
                var dbUser = UserRepository.GetUserByUsername(ctx.CurrentUser.UserName);
                if (dbUser == null) return false;
                var permissions = (Permissions)dbUser.Permissions;
                var result = permissions.HasFlag(perm);
                return result;
            }), "Requires Claims");
        }
@ -140,7 +160,7 @@ namespace PlexRequests.UI.Helpers
        /// </summary>
        /// <param name="test">Test that must return true for the request to continue</param>
        /// <returns>Hook that returns an Forbidden response if the test fails, null otherwise</returns>
-        private static Func<NancyContext, Response> ForbiddenIfNot(Func<NancyContext, bool> test)
+        public Func<NancyContext, Response> ForbiddenIfNot(Func<NancyContext, bool> test)
        {
            return HttpStatusCodeIfNot(HttpStatusCode.Forbidden, test);
        }
@ -152,7 +172,7 @@ namespace PlexRequests.UI.Helpers
        /// <param name="statusCode">HttpStatusCode to use for the response</param>
        /// <param name="test">Test that must return true for the request to continue</param>
        /// <returns>Hook that returns a response with a specific HttpStatusCode if the test fails, null otherwise</returns>
-        private static Func<NancyContext, Response> HttpStatusCodeIfNot(HttpStatusCode statusCode, Func<NancyContext, bool> test)
+        public Func<NancyContext, Response> HttpStatusCodeIfNot(HttpStatusCode statusCode, Func<NancyContext, bool> test)
        {
            return ctx =>
            {
--- a/PlexRequests.UI/Modules/AdminModule.cs
+++ b/PlexRequests.UI/Modules/AdminModule.cs
@ -56,6 +56,7 @@ using PlexRequests.Core.SettingModels;
 using PlexRequests.Helpers;
 using PlexRequests.Helpers.Analytics;
 using PlexRequests.Helpers.Exceptions;
 using PlexRequests.Helpers.Permissions;
 using PlexRequests.Services.Interfaces;
 using PlexRequests.Services.Jobs;
 using PlexRequests.Services.Notification;
@ -153,7 +154,7 @@ namespace PlexRequests.UI.Modules
            NotifySettings = notifyService;
            RecentlyAdded = recentlyAdded;
-            this.RequiresClaims(UserClaims.Admin);
+            Security.HasPermissionsResponse(Permissions.Administrator);
            Get["/"] = _ => Admin();
@ -849,7 +850,8 @@ namespace PlexRequests.UI.Modules
        private Response CreateApiKey()
        {
-            this.RequiresClaims(UserClaims.Admin);
+            Security.HasPermissionsResponse(Permissions.Administrator);
            Analytics.TrackEventAsync(Category.Admin, Action.Create, "Created API Key", Username, CookieHelper.GetAnalyticClientId(Cookies));
            var apiKey = Guid.NewGuid().ToString("N");
            var settings = PrService.GetSettings();
--- a/PlexRequests.UI/Modules/BaseModule.cs
+++ b/PlexRequests.UI/Modules/BaseModule.cs
@ -30,6 +30,7 @@ using System.Linq;
 using System.Threading;
 using Nancy;
 using Nancy.Security;
 using Ninject;
 using PlexRequests.Core;
 using PlexRequests.Core.SettingModels;
@ -121,10 +122,6 @@ namespace PlexRequests.UI.Modules
        protected IDictionary<string, string> Cookies => Request?.Cookies;
        // This is not ideal, but it's cleaner than having to pass it down through each module.
        [Inject]
        protected IUserRepository UserRepository { get; set; }
        protected bool IsAdmin
        {
            get
@ -134,7 +131,9 @@ namespace PlexRequests.UI.Modules
                    return false;
                }
-                var user = UserRepository.GetUserByUsername(Context?.CurrentUser?.UserName);
+                var userRepo = ServiceLocator.Instance.Resolve<IUserRepository>();
                var user = userRepo.GetUserByUsername(Context?.CurrentUser?.UserName);
                if (user == null) return false;
@ -144,6 +143,22 @@ namespace PlexRequests.UI.Modules
            }
        }
        protected IUserIdentity User => Context?.CurrentUser;
        protected SecurityExtensions Security
        {
            get
            {
                var userRepo = ServiceLocator.Instance.Resolve<IUserRepository>();
                return _security ?? (_security = new SecurityExtensions(userRepo, this));
            }
        }
        private SecurityExtensions _security;
        protected bool LoggedIn => Context?.CurrentUser != null;
        protected string Culture { get; set; }
--- a/PlexRequests.UI/Modules/SearchModule.cs
+++ b/PlexRequests.UI/Modules/SearchModule.cs
@ -55,6 +55,7 @@ using PlexRequests.Api.Models.Sonarr;
 using PlexRequests.Api.Models.Tv;
 using PlexRequests.Core.Models;
 using PlexRequests.Helpers.Analytics;
 using PlexRequests.Helpers.Permissions;
 using PlexRequests.Store.Models;
 using PlexRequests.Store.Repository;
@ -444,7 +445,7 @@ namespace PlexRequests.UI.Modules
        private async Task<Response> RequestMovie(int movieId)
        {
-            if (this.DoesNotHaveClaimCheck(UserClaims.ReadOnlyUser))
+            if (Security.DoesNotHavePermissions(Permissions.ReadOnlyUser, User))
            {
                return
                    Response.AsJson(new JsonResponseModel()
@ -553,7 +554,7 @@ namespace PlexRequests.UI.Modules
        /// <returns></returns>
        private async Task<Response> RequestTvShow(int showId, string seasons)
        {
-            if (this.DoesNotHaveClaimCheck(UserClaims.ReadOnlyUser))
+            if (Security.DoesNotHavePermissions(Permissions.ReadOnlyUser, User))
            {
                return
                    Response.AsJson(new JsonResponseModel()
--- a/PlexRequests.UI/Startup.cs
+++ b/PlexRequests.UI/Startup.cs
@ -33,7 +33,6 @@ using NLog;
 using Owin;
 using PlexRequests.Core.Migration;
 using PlexRequests.Services.Jobs;
 using PlexRequests.UI.Helpers;
 using PlexRequests.UI.Jobs;
 using PlexRequests.UI.NinjectModules;
@ -57,7 +56,7 @@ namespace PlexRequests.UI
                Debug.WriteLine("Modules found finished.");
-                var kernel = new StandardKernel(modules);
+                var kernel = new StandardKernel(new NinjectSettings { InjectNonPublic = true }, modules);
                Debug.WriteLine("Created Kernel and Injected Modules");
                Debug.WriteLine("Added Contravariant Binder");
--- a/PlexRequests.UI/Views/Admin/Settings.cshtml
+++ b/PlexRequests.UI/Views/Admin/Settings.cshtml
@ -57,7 +57,8 @@
            <div class="form-group">
                <label for="ApiKey" class="control-label">Api Key</label>
                <div class="input-group">
-                    <input type="text" disabled="disabled" class="form-control form-control-custom" id="apiKey" name="ApiKey" value="@Model.ApiKey">
+                    <input type="text" hidden="hidden" name="ApiKey" value="@Model.ApiKey"/>
                    <input type="text" disabled="disabled" class="form-control form-control-custom" id="ApiKey" name="ApiKey" value="@Model.ApiKey">
                    <div class="input-group-addon">
                        <div id="refreshKey" class="fa fa-refresh" title="Reset API Key"></div>
@ -373,7 +374,7 @@
                success: function(response) {
                    if (response) {
                        generateNotify("Success!", "success");
-                        $('#apiKey').val(response);
+                        $('#ApiKey').val(response);
                    }
                },
                error: function(e) {