jonas/Hoard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1d00fb3a4b8b62fc6388d9e9c1962dc6ec7e1ab6
Hoard/API/Controllers/Auth/AppUserController.cs
T
Jonas 1d00fb3a4b Admin user edit: UI, API and server guard 
Add full admin user editing flow: introduce EditUserDialog component and integrate it into AdminUserDetail (with minor copy and button variant tweaks), plus layout tweaks to animate the account chevron. Implement updateAdminUser(...) in GUI services to PATCH /auth/user/{id} with comprehensive error handling and export FORBIDDEN_NOT_ADMIN_MESSAGE. Server-side AppUserController now prevents deactivating users in the Admin role and returns a 403, ensuring admin accounts cannot be disabled. These changes enable editing usernames and activation status from the admin UI while protecting admin accounts.
2026-05-01 15:40:54 +02:00

99 lines
3.7 KiB
C#
Raw Blame History

using API.Contracts.Auth;
using API.Models;
using API.Security;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
namespace API.Controllers.Auth
{
[ApiController]
[Authorize(Policy = PolicyNames.AdminOnly)]
[Route("auth/user")]
public class AppUserController(UserManager<AppUser> userManager) : ControllerBase
{
[HttpGet]
public async Task<ActionResult<IReadOnlyList<CurrentUserResponse>>> GetAppUsers()
{
var users = await userManager.Users
.OrderBy(x => x.UserName)
.ToListAsync();
var tasks = users.Select(user => user.ToCurrentUserResponseAsync(userManager));
return Ok(await Task.WhenAll(tasks));
}
[HttpGet("{id:guid}")]
public async Task<ActionResult<CurrentUserResponse>> GetAppUserById([FromRoute] Guid id)
{
var user = await userManager.Users.FirstOrDefaultAsync(x => x.Id == id);
if (user is null)
{
return NotFound(new { message = "Benutzer wurde nicht gefunden." });
}
return Ok(await user.ToCurrentUserResponseAsync(userManager));
}
[HttpPatch("{id:guid}")]
public async Task<IActionResult> UpdateAppUser([FromRoute] Guid id, [FromBody] ChangeUserRequest changeDto)
{
var user = await userManager.Users.FirstOrDefaultAsync(x => x.Id == id);
if (user is null)
{
return NotFound(new { message = "Benutzer wurde nicht gefunden." });
}
if (changeDto.IsActive != null)
{
if (!changeDto.IsActive.Value && await userManager.IsInRoleAsync(user, RoleNames.Admin))
{
return StatusCode(StatusCodes.Status403Forbidden,
new { message = "Adminkonten können nicht deaktiviert werden." });
}
user.IsActive = changeDto.IsActive.Value;
if (!changeDto.IsActive.Value)
{
var stampResult = await userManager.UpdateSecurityStampAsync(user);
if (!stampResult.Succeeded)
{
return StatusCode(500, new { message = "Benutzer wurde deaktiviert, aber Sessions konnten nicht invalidiert werden. " +
"Er könnte also immer noch Angemeldet sein!" });
}
}
}
if (changeDto.UserName != null)
{
var newUserName = changeDto.UserName.Trim();
if (string.IsNullOrEmpty(newUserName))
{
return BadRequest(new { message = "Benutzername darf nicht leer sein." });
}
if (!string.Equals(newUserName, user.UserName, StringComparison.OrdinalIgnoreCase))
{
var setNameResult = await userManager.SetUserNameAsync(user, newUserName);
if (!setNameResult.Succeeded)
{
if (setNameResult.Errors.Any(e => e.Code == nameof(IdentityErrorDescriber.DuplicateUserName)))
{
return Conflict(new { message = "Benutzername ist bereits vergeben." });
}
return BadRequest(new { message = "Benutzername konnte nicht geändert werden.", errors = setNameResult.Errors.Select(e => e.Description) });
}
}
}
return Ok(await user.ToCurrentUserResponseAsync(userManager));
}
}
}
Reference in New Issue View Git Blame Copy Permalink