From 04bcecad9ef284a8df3c8764c4d703762e6df154 Mon Sep 17 00:00:00 2001
From: Paul Schneider
Date: Tue, 18 Feb 2025 20:17:06 +0000
Subject: [PATCH] Blog posts Permission handling
---
src/Yavsc/Extensions/PermissionHandler.cs | 26 +++++++++--
.../ViewComponents/BlogIndexViewComponent.cs | 43 +++++++++++++------
src/Yavsc/Views/Blogspot/Index.cshtml | 2 +-
3 files changed, 54 insertions(+), 17 deletions(-)
diff --git a/src/Yavsc/Extensions/PermissionHandler.cs b/src/Yavsc/Extensions/PermissionHandler.cs
index bb42da50..f0d5615c 100644
--- a/src/Yavsc/Extensions/PermissionHandler.cs
+++ b/src/Yavsc/Extensions/PermissionHandler.cs
@@ -1,11 +1,20 @@
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
+using Microsoft.EntityFrameworkCore;
+using Yavsc.Helpers;
+using Yavsc.Models;
+using Yavsc.Models.Blog;
using Yavsc.ViewModels.Auth;
namespace Yavsc.Extensions;
public class PermissionHandler : IAuthorizationHandler
{
+ ApplicationDbContext applicationDbContext;
+ public PermissionHandler(ApplicationDbContext applicationDbContext)
+ {
+ this.applicationDbContext = applicationDbContext;
+ }
public Task HandleAsync(AuthorizationHandlerContext context)
{
var pendingRequirements = context.PendingRequirements.ToList();
@@ -34,13 +43,22 @@ public class PermissionHandler : IAuthorizationHandler
private static bool IsOwner(ClaimsPrincipal user, object? resource)
{
- // Code omitted for brevity
- return true;
+ if (resource is BlogPost blogPost)
+ {
+ return blogPost.AuthorId == user.GetUserId();
+ }
+ return false;
}
- private static bool IsSponsor(ClaimsPrincipal user, object? resource)
+ private bool IsSponsor(ClaimsPrincipal user, object? resource)
{
- // Code omitted for brevity
+ if (resource is BlogPost blogPost)
+ {
+ return applicationDbContext.CircleMembers
+ .Include(c => c.Circle)
+ .Where(m=>m.MemberId==user.GetUserId() && m.Circle.OwnerId == blogPost.OwnerId)
+ .Any();
+ }
return true;
}
}
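Review bot: The new constructor takes ApplicationDbContext, which makes PermissionHandler's DI lifetime matter: a DbContext is normally scoped, while IAuthorizationHandler implementations are very often registered with AddSingleton, and a singleton holding a scoped DbContext is a captive dependency that would share one non-thread-safe context across all requests. The registration is not part of this patch, so I cannot confirm which applies; if it is a singleton today, register it as `services.AddScoped<IAuthorizationHandler, PermissionHandler>();` alongside this change. The field should also be declared `private readonly ApplicationDbContext applicationDbContext;` so the dependency cannot be reassigned after construction.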
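Review bot: IsSponsor keeps `return true;` as its fallback, so any resource that is not a BlogPost (including a null resource) is treated as sponsored and the requirement is granted; IsOwner was given a fail-closed `return false;` in this same hunk and IsSponsor should match it. IsOwner also compares `blogPost.AuthorId` while IsSponsor walks circles owned by `blogPost.OwnerId`; if those are meant to be the same user the sponsor check is querying the wrong owner's circles, and if they are distinct a short comment on why would help the next reader. The `.Include(c => c.Circle)` is not needed for a filter that ends in `.Any()`, and hoisting `user.GetUserId()` into a local makes the captured query parameter explicit. The requirement loop that dispatches to these helpers is outside the hunk.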
diff --git a/src/Yavsc/ViewComponents/BlogIndexViewComponent.cs b/src/Yavsc/ViewComponents/BlogIndexViewComponent.cs
index e38ad975..ff66e4eb 100644
--- a/src/Yavsc/ViewComponents/BlogIndexViewComponent.cs
+++ b/src/Yavsc/ViewComponents/BlogIndexViewComponent.cs
@@ -3,6 +3,9 @@ using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Yavsc.Models;
using Yavsc.Models.Blog;
+using Yavsc.Helpers;
+using System.Security.Claims;
+using IdentityServer8.Extensions;
namespace Yavsc.ViewComponents
{
@@ -18,23 +21,39 @@ namespace Yavsc.ViewComponents
{
// Renders blog index ofr the specified user by name,
// grouped by title
- public async Task InvokeAsync(string viewerId, int skip=0, int maxLen=25)
+ public async Task InvokeAsync(int skip=0, int maxLen=25)
{
- long[] usercircles = await _context.Circle.Include(c=>c.Members). Where(c=>c.Members.Any(m=>m.MemberId == viewerId)) .Select(c=>c.Id).ToArrayAsync();
-
- var allposts = _context.BlogSpot
+ IEnumerable posts;
+
+ if (User.IsAuthenticated())
+ {
+ string viewerId = UserClaimsPrincipal.GetUserId();
+ long[] usercircles = await _context.Circle.Include(c=>c.Members). Where(c=>c.Members.Any(m=>m.MemberId == viewerId)) .Select(c=>c.Id).ToArrayAsync();
+
+ IQueryable allposts = _context.BlogSpot
+ .Include(b => b.Author)
+ .Include(p=>p.ACL)
+ .Include(p=>p.Tags)
+ .Include(p=>p.Comments)
+ .Where(p => p.AuthorId == viewerId || p.Visible);
+
+ posts = (usercircles != null) ?
+ allposts.Where(p=> p.ACL.Count==0 || p.ACL.Any(a => usercircles.Contains(a.CircleId)))
+ : allposts.Where(p => p.ACL.Count == 0);
+
+ }
+ else
+ {
+ posts = _context.BlogSpot
.Include(b => b.Author)
.Include(p=>p.ACL)
.Include(p=>p.Tags)
.Include(p=>p.Comments)
- .Where(p => p.AuthorId == viewerId || p.Visible).ToArray();
-
- IEnumerable posts = (usercircles != null) ?
- allposts.Where(p=> p.ACL.Count==0 || p.ACL.Any(a => usercircles.Contains(a.CircleId)))
- : allposts.Where(p => p.ACL.Count == 0);
-
+ .Where(p => p.Visible && p.ACL.Count == 0 ).ToArray();
+ }
+ var data = posts.OrderByDescending( p=> p.DateCreated);
var grouped = data.GroupBy(p=> p.Title).Skip(skip).Take(maxLen);
diff --git a/src/Yavsc/Views/Blogspot/Index.cshtml b/src/Yavsc/Views/Blogspot/Index.cshtml
index e5b8134c..cebdea12 100644
--- a/src/Yavsc/Views/Blogspot/Index.cshtml
+++ b/src/Yavsc/Views/Blogspot/Index.cshtml
@@ -45,5 +45,5 @@ }
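Review bot: The authenticated branch no longer materializes the query the way the old code and the new anonymous branch do with `.ToArray()`, so `posts` stays an IQueryable and the `OrderByDescending(...).GroupBy(p => p.Title).Skip(skip).Take(maxLen)` that follows is now handed to EF Core as a server-side query; grouping whole entities with Includes and then paging the groups is a shape EF Core may not translate, depending on the version, and would then fail at enumeration instead of at compile time. The `usercircles != null` check is also dead, because `ToArrayAsync()` returns an empty array rather than null, so the `ACL.Count == 0` fallback is unreachable (with an empty array `Contains` is simply false); both points are covered by `posts = await allposts.Where(p => p.ACL.Count == 0 || p.ACL.Any(a => usercircles.Contains(a.CircleId))).ToArrayAsync();`. `UserClaimsPrincipal.GetUserId()` presumably returns null when the principal carries no id claim; an explicit `string.IsNullOrEmpty(viewerId)` guard before it is used in the query would make the fail-closed path obvious. The rest of InvokeAsync, including what is done with `grouped`, lies outside the hunk.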
- @await Component.InvokeAsync("BlogIndex",new{ viewerId = User.GetUserId() ?? "_anonymous_" })
+ @await Component.InvokeAsync("BlogIndex")