VCST-2969: Add missing permission checks (#2907)

artem-dudarev · web-flow · commit 5a8b2bccf28e · 2025-04-07T09:55:32.000+02:00
diff --git a/src/VirtoCommerce.Platform.Core/PlatformConstants.cs b/src/VirtoCommerce.Platform.Core/PlatformConstants.cs
@@ -74,23 +74,35 @@ public static class Permissions
                 public const string SecurityAccess = "platform:security:access";
                 public const string SecurityUpdate = "platform:security:update";
                 public const string SecurityDelete = "platform:security:delete";
-                public const string SecurityVerifyEmail = "platform:security:verifyEmail";
                 public const string SecurityLoginOnBehalf = "platform:security:loginOnBehalf";
+                public const string SecurityVerifyEmail = "platform:security:verifyEmail";
                 public const string SecurityConfirmEmail = "platform:security:confirmEmail";
                 public const string SecurityGenerateToken = "platform:security:generateToken";
                 public const string SecurityVerifyToken = "platform:security:verifyToken";
+                public const string SecurityOAuthApplicationsCreate = "platform:security:oauth_applications:create";
+                public const string SecurityOAuthApplicationsRead = "platform:security:oauth_applications:read";
+                public const string SecurityOAuthApplicationsUpdate = "platform:security:oauth_applications:update";
+                public const string SecurityOAuthApplicationsDelete = "platform:security:oauth_applications:delete";
 
                 public const string BackgroundJobsManage = "background_jobs:manage";
 
                 public const string PlatformExportImportAccess = "platform:exportImport:access";
                 public const string PlatformImport = "platform:import";
                 public const string PlatformExport = "platform:export";
 
-                public static string[] AllPermissions { get; } = new[] { ResetCache, AssetAccess, AssetDelete, AssetUpdate, AssetCreate, AssetRead, ModuleQuery, ModuleAccess, ModuleManage,
-                                              SettingQuery, SettingAccess, SettingUpdate, DynamicPropertiesQuery, DynamicPropertiesCreate, DynamicPropertiesAccess, DynamicPropertiesUpdate, DynamicPropertiesDelete,
-                                              SecurityQuery, SecurityCreate, SecurityAccess,  SecurityUpdate,  SecurityDelete, BackgroundJobsManage, PlatformExportImportAccess, PlatformImport, PlatformExport, SecurityLoginOnBehalf ,
-                                              SecurityVerifyEmail, SecurityConfirmEmail, SecurityGenerateToken, SecurityVerifyToken,
-                };
+                public static string[] AllPermissions { get; } =
+                [
+                    ResetCache,
+                    AssetAccess, AssetDelete, AssetUpdate, AssetCreate, AssetRead,
+                    ModuleQuery, ModuleAccess, ModuleManage,
+                    SettingQuery, SettingAccess, SettingUpdate,
+                    DynamicPropertiesQuery, DynamicPropertiesCreate, DynamicPropertiesAccess, DynamicPropertiesUpdate, DynamicPropertiesDelete,
+                    SecurityQuery, SecurityCreate, SecurityAccess, SecurityUpdate, SecurityDelete,
+                    SecurityLoginOnBehalf, SecurityVerifyEmail, SecurityConfirmEmail, SecurityGenerateToken, SecurityVerifyToken,
+                    SecurityOAuthApplicationsCreate, SecurityOAuthApplicationsRead, SecurityOAuthApplicationsUpdate, SecurityOAuthApplicationsDelete,
+                    BackgroundJobsManage,
+                    PlatformExportImportAccess, PlatformImport, PlatformExport,
+                ];
             }
 
             public static class Changes
diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/OAuthAppsController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/OAuthAppsController.cs
@@ -9,6 +9,7 @@
 using OpenIddict.EntityFrameworkCore.Models;
 using VirtoCommerce.Platform.Core.Common;
 using VirtoCommerce.Platform.Web.Model.Security;
+using Permissions = VirtoCommerce.Platform.Core.PlatformConstants.Security.Permissions;
 
 namespace VirtoCommerce.Platform.Web.Controllers.Api
 {
@@ -38,6 +39,7 @@ public OAuthAppsController(OpenIddictApplicationManager<OpenIddictEntityFramewor
 
         [HttpGet]
         [Route("new")]
+        [Authorize(Permissions.SecurityOAuthApplicationsCreate)]
         public ActionResult<OpenIddictApplicationDescriptor> New()
         {
             var app = new OpenIddictApplicationDescriptor
@@ -54,6 +56,7 @@ public ActionResult<OpenIddictApplicationDescriptor> New()
 
         [HttpPost]
         [Route("")]
+        [Authorize(Permissions.SecurityOAuthApplicationsUpdate)]
         public async Task<ActionResult<OpenIddictApplicationDescriptor>> SaveAsync(OpenIddictApplicationDescriptor descriptor)
         {
             descriptor.Permissions.Clear();
@@ -81,6 +84,7 @@ public async Task<ActionResult<OpenIddictApplicationDescriptor>> SaveAsync(OpenI
 
         [HttpDelete]
         [Route("")]
+        [Authorize(Permissions.SecurityOAuthApplicationsDelete)]
         public async Task<ActionResult> DeleteAsync([FromQuery] string[] clientIds)
         {
             var apps = await _manager.ListAsync(x => x.Where(y => clientIds.Contains(y.ClientId))).ToListAsync();
@@ -95,6 +99,7 @@ public async Task<ActionResult> DeleteAsync([FromQuery] string[] clientIds)
 
         [HttpPost]
         [Route("search")]
+        [Authorize(Permissions.SecurityOAuthApplicationsRead)]
         public async Task<ActionResult<OAuthAppSearchResult>> SearchAsync(OAuthAppSearchCriteria criteria)
         {
             if (criteria.Sort.IsNullOrEmpty())
diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/PlatformExportImportController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/PlatformExportImportController.cs
@@ -140,13 +140,15 @@ public ActionResult<SampleDataState> GetSampleDataState()
 
         [HttpGet]
         [Route("export/manifest/new")]
+        [Authorize(Permissions.PlatformExport)]
         public ActionResult<PlatformExportManifest> GetNewExportManifest()
         {
             return Ok(_platformExportManager.GetNewExportManifest(_userNameResolver.GetCurrentUserName()));
         }
 
         [HttpGet]
         [Route("export/manifest/load")]
+        [Authorize(Permissions.PlatformImport)]
         public ActionResult<PlatformExportManifest> LoadExportManifest([FromQuery] string fileUrl)
         {
             if (string.IsNullOrEmpty(fileUrl))

Original file line number	Diff line number	Diff line change
`@@ -140,13 +140,15 @@ public ActionResult<SampleDataState> GetSampleDataState()`
`140`	`140`
`141`	`141`	`[HttpGet]`
`142`	`142`	`[Route("export/manifest/new")]`
	`143`	`+ [Authorize(Permissions.PlatformExport)]`
`143`	`144`	`public ActionResult<PlatformExportManifest> GetNewExportManifest()`
`144`	`145`	`{`
`145`	`146`	`return Ok(_platformExportManager.GetNewExportManifest(_userNameResolver.GetCurrentUserName()));`
`146`	`147`	`}`
`147`	`148`
`148`	`149`	`[HttpGet]`
`149`	`150`	`[Route("export/manifest/load")]`
	`151`	`+ [Authorize(Permissions.PlatformImport)]`
`150`	`152`	`public ActionResult<PlatformExportManifest> LoadExportManifest([FromQuery] string fileUrl)`
`151`	`153`	`{`
`152`	`154`	`if (string.IsNullOrEmpty(fileUrl))`