People: changed validation

2022-11-29 11:59:33 +03:00 · 2022-11-29 11:59:33 +03:00 · c32e90f9ef
commit c32e90f9ef
parent 475deff8b9
1 changed files with 43 additions and 13 deletions
--- a/products/ASC.People/Server/Api/UserController.cs
+++ b/products/ASC.People/Server/Api/UserController.cs
@ -204,15 +204,26 @@ public class UserController : PeopleControllerBase
    [Authorize(AuthenticationSchemes = "confirm", Roles = "LinkInvite,Everyone")]
    public async Task<EmployeeFullDto> AddMember(MemberRequestDto inDto)
    {
-        _apiContext.AuthByClaim();
-
-        _permissionContext.DemandPermissions(Constants.Action_AddRemoveUser);
-
-        var options = inDto.FromInviteLink ? await _roomLinkService.GetOptionsAsync(inDto.Key, inDto.Email, inDto.Type) : null;
-
+        _apiContext.AuthByClaim();
+
+        var options = inDto.FromInviteLink ? await _roomLinkService.GetOptionsAsync(inDto.Key, inDto.Email, inDto.Type) : null;
        if (options != null && !options.IsCorrect)
        {
            throw new SecurityException(FilesCommonResource.ErrorMessage_InvintationLink);
+        }
+
+        if (inDto.FromInviteLink && options.IsCorrect)
+        {
+            var currentUserType = _userManager.GetUserType(_authContext.CurrentAccount.ID);
+
+            if (currentUserType == EmployeeType.User || (inDto.Type == EmployeeType.DocSpaceAdmin && currentUserType != EmployeeType.DocSpaceAdmin))
+            {
+                throw new SecurityException(Resource.ErrorAccessDenied);
+            }
+        }
+        else
+        {
+            _permissionContext.DemandPermissions(Constants.Action_AddRemoveUser);
        }

        inDto.Type = options != null ? options.EmployeeType : inDto.Type;
@ -264,9 +275,9 @@ public class UserController : PeopleControllerBase
        user.BirthDate = inDto.Birthday != null && inDto.Birthday != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Birthday) : null;
        user.WorkFromDate = inDto.Worksfrom != null && inDto.Worksfrom != DateTime.MinValue ? _tenantUtil.DateTimeFromUtc(inDto.Worksfrom) : DateTime.UtcNow.Date;

-        UpdateContacts(inDto.Contacts, user);
+        UpdateContacts(inDto.Contacts, user, !inDto.FromInviteLink);
        _cache.Insert("REWRITE_URL" + _tenantManager.GetCurrentTenant().Id, HttpContext.Request.GetUrlRewriter().ToString(), TimeSpan.FromMinutes(5));
-        user = await _userManagerWrapper.AddUser(user, inDto.PasswordHash, inDto.FromInviteLink, true, inDto.Type == EmployeeType.User, inDto.FromInviteLink, true, true, byEmail, inDto.Type == EmployeeType.DocSpaceAdmin);
+        user = await _userManagerWrapper.AddUser(user, inDto.PasswordHash, inDto.FromInviteLink, true, inDto.Type == EmployeeType.User, inDto.FromInviteLink && options.IsCorrect, true, true, byEmail, inDto.Type == EmployeeType.DocSpaceAdmin);

        await UpdateDepartments(inDto.Department, user);

@ -299,9 +310,21 @@ public class UserController : PeopleControllerBase

    [HttpPost("invite")]
    public async IAsyncEnumerable<EmployeeDto> InviteUsersAsync(InviteUsersRequestDto inDto)
-    {
-        foreach (var invite in inDto.Invitations)
+    {
+        var currentUserType = _userManager.GetUserType(_authContext.CurrentAccount.ID);
+
+        if (currentUserType == EmployeeType.User)
        {
+            throw new SecurityException(Resource.ErrorAccessDenied);
+        }
+
+        foreach (var invite in inDto.Invitations)
+        {
+            if (invite.Type == EmployeeType.DocSpaceAdmin && currentUserType != EmployeeType.DocSpaceAdmin)
+            {
+                continue;
+            }
+
            var user = await _userManagerWrapper.AddInvitedUserAsync(invite.Email, invite.Type);
            var link = _roomLinkService.GetInvitationLink(user.Email, invite.Type, _authContext.CurrentAccount.ID);

@ -1052,7 +1075,14 @@ public class UserController : PeopleControllerBase
        var users = inDto.UserIds
            .Where(userId => !_userManager.IsSystemUser(userId))
            .Select(userId => _userManager.GetUsers(userId))
-            .ToList();
+            .ToList();
+
+        var currentUserType = _userManager.GetUserType(_authContext.CurrentAccount.ID);
+
+        if (currentUserType == EmployeeType.User)
+        {
+            throw new SecurityException(Resource.ErrorAccessDenied);
+        }

        foreach (var user in users)
        {
@ -1066,12 +1096,12 @@ public class UserController : PeopleControllerBase
            {
                case EmployeeType.RoomAdmin:
                    await _countRoomAdminChecker.CheckAppend();
-                    _userManager.RemoveUserFromGroup(user.Id, Constants.GroupUser.ID);
+                    _userManager.RemoveUserFromGroup(user.Id, Constants.GroupUser.ID, false);
                    _webItemSecurityCache.ClearCache(Tenant.Id);
                    break;
                case EmployeeType.User:
                    await _countUserChecker.CheckAppend();
-                    await _userManager.AddUserIntoGroup(user.Id, Constants.GroupUser.ID);
+                    await _userManager.AddUserIntoGroup(user.Id, Constants.GroupUser.ID, checkPermissions: false);
                    _webItemSecurityCache.ClearCache(Tenant.Id);
                    break;
            }