Added permission checks to all controllers. Added role permission loading. Added frontend permission checks. Implemented user logout in admin panel.

2026-01-16 13:07:19 +01:00
parent bee381702b
commit a28b8aca7a
24 changed files with 401 additions and 62 deletions
--- a/Moonlight.Frontend/UI/Admin/Views/Users/Users.razor
+++ b/Moonlight.Frontend/UI/Admin/Views/Users/Users.razor
@@ -1,5 +1,8 @@
@using LucideBlazor
+@using Microsoft.AspNetCore.Authorization
+@using Microsoft.AspNetCore.Components.Authorization
@using Moonlight.Frontend.UI.Admin.Modals
+@using Moonlight.Shared
@using ShadcnBlazor.Buttons
@using ShadcnBlazor.DataGrids
@using ShadcnBlazor.Dropdowns
@@ -16,6 +19,7 @@
@inject AlertDialogService AlertDialogService
@inject DialogService DialogService
@inject ToastService ToastService
+@inject IAuthorizationService AuthorizationService

 <div class="flex flex-row justify-between mt-5">
    <div class="flex flex-col">
@@ -25,7 +29,7 @@
        </div>
    </div>
    <div class="flex flex-row gap-x-1.5">
-        <Button @onclick="CreateAsync">
+        <Button @onclick="CreateAsync" disabled="@(!CreateAccess.Succeeded)">
            <PlusIcon/>
            Create
        </Button>
@@ -46,19 +50,28 @@
                        <DropdownMenu>
                            <DropdownMenuTrigger>
                                <Slot Context="dropdownSlot">
-                                    <Button Size="ButtonSize.IconSm" Variant="ButtonVariant.Ghost" @attributes="dropdownSlot">
+                                    <Button Size="ButtonSize.IconSm" Variant="ButtonVariant.Ghost"
+                                            @attributes="dropdownSlot">
                                        <EllipsisIcon/>
                                    </Button>
                                </Slot>
                            </DropdownMenuTrigger>
                            <DropdownMenuContent SideOffset="2">
-                                <DropdownMenuItem OnClick="() => EditAsync(context)">
+                                <DropdownMenuItem OnClick="() => LogoutAsync(context)" Disabled="@(!LogoutAccess.Succeeded)">
+                                    Logout
+                                    <DropdownMenuShortcut>
+                                        <LogOutIcon/>
+                                    </DropdownMenuShortcut>
+                                </DropdownMenuItem>
+                                <DropdownMenuItem OnClick="() => EditAsync(context)"  Disabled="@(!EditAccess.Succeeded)">
                                    Edit
                                    <DropdownMenuShortcut>
                                        <PenIcon/>
                                    </DropdownMenuShortcut>
                                </DropdownMenuItem>
-                                <DropdownMenuItem OnClick="() => DeleteAsync(context)" Variant="DropdownMenuItemVariant.Destructive">
+                                <DropdownMenuItem OnClick="() => DeleteAsync(context)"
+                                                  Variant="DropdownMenuItemVariant.Destructive"
+                                                  Disabled="@(!DeleteAccess.Succeeded)">
                                    Delete
                                    <DropdownMenuShortcut>
                                        <TrashIcon/>
@@ -75,7 +88,24 @@

@code
 {
+    [CascadingParameter] public Task<AuthenticationState> AuthState { get; set; }
+    
    private DataGrid<UserDto> Grid;
+    
+    private AuthorizationResult LogoutAccess;
+    private AuthorizationResult EditAccess;
+    private AuthorizationResult DeleteAccess;
+    private AuthorizationResult CreateAccess;
+
+    protected override async Task OnInitializedAsync()
+    {
+        var authState = await AuthState;
+        
+        LogoutAccess = await AuthorizationService.AuthorizeAsync(authState.User, Permissions.Users.Logout);
+        EditAccess = await AuthorizationService.AuthorizeAsync(authState.User, Permissions.Users.Edit);
+        DeleteAccess = await AuthorizationService.AuthorizeAsync(authState.User, Permissions.Users.Delete);
+        CreateAccess = await AuthorizationService.AuthorizeAsync(authState.User, Permissions.Users.Create);
+    }

    private async Task<DataGridResponse<UserDto>> LoadAsync(DataGridRequest<UserDto> request)
    {
@@ -141,11 +171,30 @@
            "Do you really want to delete this user? This action cannot be undone",
            async () =>
            {
-                await HttpClient.DeleteAsync($"api/admin/users/{user.Id}");
+                var response = await HttpClient.DeleteAsync($"api/admin/users/{user.Id}");
+                response.EnsureSuccessStatusCode();
+
                await ToastService.SuccessAsync("User deletion", $"Successfully deleted user {user.Username}");

                await Grid.RefreshAsync();
            }
        );
    }
+
+    private async Task LogoutAsync(UserDto user)
+    {
+        await AlertDialogService.ConfirmDangerAsync(
+            $"Logout all session of user {user.Username}",
+            "Do you really want to logout all session of this user? This action cannot be undone",
+            async () =>
+            {
+                var response = await HttpClient.PostAsync($"api/admin/users/{user.Id}/logout", null);
+                response.EnsureSuccessStatusCode();
+
+                await ToastService.SuccessAsync("User logout", $"Successfully logged out all session of user {user.Username}");
+
+                await Grid.RefreshAsync();
+            }
+        );
+    }
 }