VCST-2969: Add missing permission checks (#2907)

artem-dudarev · artem-dudarev · commit c1879865b784 · 2025-06-10T10:46:24.000+02:00
diff --git a/src/VirtoCommerce.Platform.Core/PlatformConstants.cs b/src/VirtoCommerce.Platform.Core/PlatformConstants.cs
@@ -25,10 +25,12 @@ public static class Claims
                 public const string UserNameClaimType = "username";
                 public const string LimitedPermissionsClaimType = "limited_permissions";
                 public const string MemberIdClaimType = "memberId";
+
                 /// <summary>
-                /// Represents Operator User Id after impersonation 
+                /// Represents Operator User ID after impersonation 
                 /// </summary>
                 public const string OperatorUserId = "vc_operator_user_id";
+
                 /// <summary>
                 /// Represents Operator User Name after impersonation
                 /// </summary>
@@ -46,48 +48,60 @@ public static class Permissions
             {
                 public const string ResetCache = "cache:reset";
 
-                public const string AssetAccess = "platform:asset:access",
-                                    AssetDelete = "platform:asset:delete",
-                                    AssetUpdate = "platform:asset:update",
-                                    AssetCreate = "platform:asset:create",
-                                    AssetRead = "platform:asset:read";
-
-                public const string ModuleQuery = "platform:module:read",
-                                    ModuleAccess = "platform:module:access",
-                                    ModuleManage = "platform:module:manage";
-
-                public const string SettingQuery = "platform:setting:read",
-                                    SettingAccess = "platform:setting:access",
-                                    SettingUpdate = "platform:setting:update";
-
-                public const string DynamicPropertiesQuery = "platform:dynamic_properties:read",
-                                    DynamicPropertiesCreate = "platform:dynamic_properties:create",
-                                    DynamicPropertiesAccess = "platform:dynamic_properties:access",
-                                    DynamicPropertiesUpdate = "platform:dynamic_properties:update",
-                                    DynamicPropertiesDelete = "platform:dynamic_properties:delete";
-
-                public const string SecurityQuery = "platform:security:read",
-                                    SecurityCreate = "platform:security:create",
-                                    SecurityAccess = "platform:security:access",
-                                    SecurityUpdate = "platform:security:update",
-                                    SecurityDelete = "platform:security:delete",
-                                    SecurityVerifyEmail = "platform:security:verifyEmail",
-                                    SecurityLoginOnBehalf = "platform:security:loginOnBehalf",
-                                    SecurityConfirmEmail = "platform:security:confirmEmail",
-                                    SecurityGenerateToken = "platform:security:generateToken",
-                                    SecurityVerifyToken = "platform:security:verifyToken";
+                public const string AssetAccess = "platform:asset:access";
+                public const string AssetDelete = "platform:asset:delete";
+                public const string AssetUpdate = "platform:asset:update";
+                public const string AssetCreate = "platform:asset:create";
+                public const string AssetRead = "platform:asset:read";
+
+                public const string ModuleQuery = "platform:module:read";
+                public const string ModuleAccess = "platform:module:access";
+                public const string ModuleManage = "platform:module:manage";
+
+                public const string SettingQuery = "platform:setting:read";
+                public const string SettingAccess = "platform:setting:access";
+                public const string SettingUpdate = "platform:setting:update";
+
+                public const string DynamicPropertiesQuery = "platform:dynamic_properties:read";
+                public const string DynamicPropertiesCreate = "platform:dynamic_properties:create";
+                public const string DynamicPropertiesAccess = "platform:dynamic_properties:access";
+                public const string DynamicPropertiesUpdate = "platform:dynamic_properties:update";
+                public const string DynamicPropertiesDelete = "platform:dynamic_properties:delete";
+
+                public const string SecurityQuery = "platform:security:read";
+                public const string SecurityCreate = "platform:security:create";
+                public const string SecurityAccess = "platform:security:access";
+                public const string SecurityUpdate = "platform:security:update";
+                public const string SecurityDelete = "platform:security:delete";
+                public const string SecurityLoginOnBehalf = "platform:security:loginOnBehalf";
+                public const string SecurityVerifyEmail = "platform:security:verifyEmail";
+                public const string SecurityConfirmEmail = "platform:security:confirmEmail";
+                public const string SecurityGenerateToken = "platform:security:generateToken";
+                public const string SecurityVerifyToken = "platform:security:verifyToken";
+                public const string SecurityOAuthApplicationsCreate = "platform:security:oauth_applications:create";
+                public const string SecurityOAuthApplicationsRead = "platform:security:oauth_applications:read";
+                public const string SecurityOAuthApplicationsUpdate = "platform:security:oauth_applications:update";
+                public const string SecurityOAuthApplicationsDelete = "platform:security:oauth_applications:delete";
 
                 public const string BackgroundJobsManage = "background_jobs:manage";
 
-                public const string PlatformExportImportAccess = "platform:exportImport:access",
-                                    PlatformImport = "platform:import",
-                                    PlatformExport = "platform:export";
-
-                public static string[] AllPermissions { get; } = new[] { ResetCache, AssetAccess, AssetDelete, AssetUpdate, AssetCreate, AssetRead, ModuleQuery, ModuleAccess, ModuleManage,
-                                              SettingQuery, SettingAccess, SettingUpdate, DynamicPropertiesQuery, DynamicPropertiesCreate, DynamicPropertiesAccess, DynamicPropertiesUpdate, DynamicPropertiesDelete,
-                                              SecurityQuery, SecurityCreate, SecurityAccess,  SecurityUpdate,  SecurityDelete, BackgroundJobsManage, PlatformExportImportAccess, PlatformImport, PlatformExport, SecurityLoginOnBehalf ,
-                                              SecurityVerifyEmail, SecurityConfirmEmail, SecurityGenerateToken, SecurityVerifyToken,
-                };
+                public const string PlatformExportImportAccess = "platform:exportImport:access";
+                public const string PlatformImport = "platform:import";
+                public const string PlatformExport = "platform:export";
+
+                public static string[] AllPermissions { get; } =
+                [
+                    ResetCache,
+                    AssetAccess, AssetDelete, AssetUpdate, AssetCreate, AssetRead,
+                    ModuleQuery, ModuleAccess, ModuleManage,
+                    SettingQuery, SettingAccess, SettingUpdate,
+                    DynamicPropertiesQuery, DynamicPropertiesCreate, DynamicPropertiesAccess, DynamicPropertiesUpdate, DynamicPropertiesDelete,
+                    SecurityQuery, SecurityCreate, SecurityAccess, SecurityUpdate, SecurityDelete,
+                    SecurityLoginOnBehalf, SecurityVerifyEmail, SecurityConfirmEmail, SecurityGenerateToken, SecurityVerifyToken,
+                    SecurityOAuthApplicationsCreate, SecurityOAuthApplicationsRead, SecurityOAuthApplicationsUpdate, SecurityOAuthApplicationsDelete,
+                    BackgroundJobsManage,
+                    PlatformExportImportAccess, PlatformImport, PlatformExport,
+                ];
             }
 
             public static class Changes
diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/OAuthAppsController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/OAuthAppsController.cs
@@ -9,6 +9,7 @@
 using OpenIddict.EntityFrameworkCore.Models;
 using VirtoCommerce.Platform.Core.Common;
 using VirtoCommerce.Platform.Web.Model.Security;
+using Permissions = VirtoCommerce.Platform.Core.PlatformConstants.Security.Permissions;
 
 namespace VirtoCommerce.Platform.Web.Controllers.Api
 {
@@ -34,6 +35,7 @@ public OAuthAppsController(OpenIddictApplicationManager<OpenIddictEntityFramewor
 
         [HttpGet]
         [Route("new")]
+        [Authorize(Permissions.SecurityOAuthApplicationsCreate)]
         public ActionResult<OpenIddictApplicationDescriptor> New()
         {
             var app = new OpenIddictApplicationDescriptor
@@ -50,6 +52,7 @@ public ActionResult<OpenIddictApplicationDescriptor> New()
 
         [HttpPost]
         [Route("")]
+        [Authorize(Permissions.SecurityOAuthApplicationsUpdate)]
         public async Task<ActionResult<OpenIddictApplicationDescriptor>> SaveAsync(OpenIddictApplicationDescriptor descriptor)
         {
             descriptor.Permissions.Clear();
@@ -77,6 +80,7 @@ public async Task<ActionResult<OpenIddictApplicationDescriptor>> SaveAsync(OpenI
 
         [HttpDelete]
         [Route("")]
+        [Authorize(Permissions.SecurityOAuthApplicationsDelete)]
         public async Task<ActionResult> DeleteAsync([FromQuery] string[] clientIds)
         {
             var apps = await _manager.ListAsync(x => x.Where(y => clientIds.Contains(y.ClientId))).ToListAsync();
@@ -91,6 +95,7 @@ public async Task<ActionResult> DeleteAsync([FromQuery] string[] clientIds)
 
         [HttpPost]
         [Route("search")]
+        [Authorize(Permissions.SecurityOAuthApplicationsRead)]
         public async Task<ActionResult<OAuthAppSearchResult>> SearchAsync(OAuthAppSearchCriteria criteria)
         {
             if (criteria.Sort.IsNullOrEmpty())
diff --git a/src/VirtoCommerce.Platform.Web/Controllers/Api/PlatformExportImportController.cs b/src/VirtoCommerce.Platform.Web/Controllers/Api/PlatformExportImportController.cs
@@ -119,13 +119,15 @@ public ActionResult<SampleDataState> GetSampleDataState()
 
         [HttpGet]
         [Route("export/manifest/new")]
+        [Authorize(Permissions.PlatformExport)]
         public ActionResult<PlatformExportManifest> GetNewExportManifest()
         {
             return Ok(_platformExportManager.GetNewExportManifest(_userNameResolver.GetCurrentUserName()));
         }
 
         [HttpGet]
         [Route("export/manifest/load")]
+        [Authorize(Permissions.PlatformImport)]
         public ActionResult<PlatformExportManifest> LoadExportManifest([FromQuery] string fileUrl)
         {
             if (string.IsNullOrEmpty(fileUrl))

Original file line number	Diff line number	Diff line change
`@@ -119,13 +119,15 @@ public ActionResult<SampleDataState> GetSampleDataState()`
`119`	`119`
`120`	`120`	`[HttpGet]`
`121`	`121`	`[Route("export/manifest/new")]`
	`122`	`+ [Authorize(Permissions.PlatformExport)]`
`122`	`123`	`public ActionResult<PlatformExportManifest> GetNewExportManifest()`
`123`	`124`	`{`
`124`	`125`	`return Ok(_platformExportManager.GetNewExportManifest(_userNameResolver.GetCurrentUserName()));`
`125`	`126`	`}`
`126`	`127`
`127`	`128`	`[HttpGet]`
`128`	`129`	`[Route("export/manifest/load")]`
	`130`	`+ [Authorize(Permissions.PlatformImport)]`
`129`	`131`	`public ActionResult<PlatformExportManifest> LoadExportManifest([FromQuery] string fileUrl)`
`130`	`132`	`{`
`131`	`133`	`if (string.IsNullOrEmpty(fileUrl))`