Merge pull request #4876 from sbwalker/dev

prevent notifications from being accessed by other users

Oqtane.Client/Modules/Admin/UserProfile/Index.razor

@@ -230,13 +230,13 @@
 
                             @if (context.IsRead)
                             {
-                                <td>@context.FromDisplayName</td>
+                                <td>@(string.IsNullOrEmpty(context.FromDisplayName) ? SharedLocalizer["System"] : context.FromDisplayName)</td>
                                 <td>@context.Subject</td>
                                 <td>@string.Format("{0:dd-MMM-yyyy HH:mm:ss}", @context.CreatedOn)</td>
                             }
                             else
                             {
-                                <td><b>@context.FromDisplayName</b></td>
+                                <td><b>@(string.IsNullOrEmpty(context.FromDisplayName) ? SharedLocalizer["System"] : context.FromDisplayName)</b></td>
                                 <td><b>@context.Subject</b></td>
                                 <td><b>@string.Format("{0:dd-MMM-yyyy HH:mm:ss}", @context.CreatedOn)</b></td>
                             }

Oqtane.Client/Modules/Admin/UserProfile/View.razor

@@ -128,7 +128,7 @@
                 createdon = notification.CreatedOn.ToString();
                 body = notification.Body;
 
-                if (title == "From")
+                if (title == "From" && !notification.IsRead)
                 {
                     notification.IsRead = true;
                     notification = await NotificationService.UpdateNotificationAsync(notification);

Oqtane.Client/Resources/Modules/Admin/Site/Index.resx

@@ -435,4 +435,7 @@
   <data name="Functionality" xml:space="preserve">
     <value>Functionality</value>
   </data>
+  <data name="System" xml:space="preserve">
+    <value>System</value>
+  </data>
 </root>

Oqtane.Server/Controllers/NotificationController.cs

@@ -183,7 +183,7 @@ public Notification Put(int id, [FromBody] Notification notification)
         {
             if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)))
             {
-                if (!User.IsInRole(RoleNames.Admin))
+                if (!User.IsInRole(RoleNames.Admin) && notification.FromUserId != null)
                 {
                     // content must be HTML encoded for non-admins to prevent HTML injection
                     notification.Subject = WebUtility.HtmlEncode(notification.Subject);
@@ -223,7 +223,7 @@ public void Delete(int id)
 
         private bool IsAuthorized(int? userid)
         {
-            bool authorized = true;
+            bool authorized = false;
             if (userid != null)
             {
                 authorized = (_userPermissions.GetUser(User).UserId == userid);

Oqtane.Shared/Models/Notification.cs

@@ -144,25 +144,25 @@ private void ConstructNotification(int siteId, User from, string fromDisplayName
             {
                 FromUserId = from.UserId;
                 FromDisplayName = from.DisplayName;
-                FromEmail = from.Email;
+                FromEmail = from.Email ?? "";
             }
             else
             {
                 FromUserId = null;
                 FromDisplayName = fromDisplayName;
-                FromEmail = fromEmail;
+                FromEmail = fromEmail ?? "";
             }
             if (to != null)
             {
                 ToUserId = to.UserId;
                 ToDisplayName = to.DisplayName;
-                ToEmail = to.Email;
+                ToEmail = to.Email ?? "";
             }
             else
             {
                 ToUserId = null;
                 ToDisplayName = toDisplayName;
-                ToEmail = toEmail;
+                ToEmail = toEmail ?? "";
             }
             Subject = subject;
             Body = body;