feat(ui): restrict blog post editing to post author or Admin (#300)#302
Conversation
Add UI-level ownership check in Edit.razor: - AuthenticationStateProvider injected; sub claim extracted in OnParametersSetAsync - After loading post, check if current user is Admin OR post.AuthorId matches sub - If neither, redirect to /blog immediately - Admins retain unrestricted edit access bUnit tests added for: - author can edit own post - non-owner Author redirected to /blog - Admin can edit any post Closes #300 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🏗️ PR Added to Squad Triage QueueThis PR has been labeled with Next steps:
|
There was a problem hiding this comment.
Pull request overview
Adds an ownership-based UI access control check to the blog post edit page so that only the post’s author (Auth0 sub) or an Admin can edit, with bUnit coverage for the key scenarios.
Changes:
- Added an ownership/Admin check in
Edit.razorduringOnParametersSetAsync, redirecting non-owners away after loading the post. - Introduced new bUnit tests validating redirect for non-owners and access for owners/Admins.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/Web/Features/BlogPosts/Edit/Edit.razor | Adds UI-level ownership/Admin gating when loading an edit model. |
| tests/Web.Tests.Bunit/Features/EditAclTests.cs | Adds bUnit tests for owner/non-owner/admin edit access behavior. |
| protected override async Task OnParametersSetAsync() | ||
| { | ||
| var result = await Sender.Send(new GetBlogPostByIdQuery(Id)); | ||
| if (result.Success) | ||
| _model = result.Value is not null | ||
| ? new PostFormModel { Title = result.Value.Title, Content = result.Value.Content } | ||
| : null; | ||
| { | ||
| if (result.Value is not null) | ||
| { | ||
| var authState = await AuthStateProvider.GetAuthenticationStateAsync(); | ||
| var user = authState.User; | ||
| var userSub = user.FindFirst("sub")?.Value ?? string.Empty; | ||
| var isAdmin = user.IsInRole("Admin"); | ||
| var isAuthor = result.Value.AuthorId == userSub; | ||
|
|
||
| if (!isAdmin && !isAuthor) | ||
| { | ||
| Navigation.NavigateTo("/blog"); | ||
| return; | ||
| } | ||
|
|
||
| _model = new PostFormModel { Title = result.Value.Title, Content = result.Value.Content }; |
| var userSub = user.FindFirst("sub")?.Value ?? string.Empty; | ||
| var isAdmin = user.IsInRole("Admin"); | ||
| var isAuthor = result.Value.AuthorId == userSub; | ||
|
|
| if (!isAdmin && !isAuthor) | ||
| { | ||
| Navigation.NavigateTo("/blog"); | ||
| return; | ||
| } |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## dev #302 +/- ##
==========================================
+ Coverage 83.08% 83.19% +0.10%
==========================================
Files 47 47
Lines 1230 1238 +8
Branches 148 150 +2
==========================================
+ Hits 1022 1030 +8
- Misses 147 148 +1
+ Partials 61 60 -1
🚀 New features to boost your workflow:
|
|
🚫 Lead gate verdict: REJECT / CHANGES REQUIRED I cannot file a formal Blocking findings
Signals reviewed
🔄 Reviewer lockout
Re-review requirements
|
…ation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Closes #300
Adds UI-level author ownership check to
Edit.razor:subclaim) or an Admin can edit/bloginOnParametersSetAsyncChanges
src/Web/Features/BlogPosts/Edit/Edit.razor— ACL check inOnParametersSetAsyncafter post load;AuthenticationStateProviderinjectedtests/Web.Tests.Bunit/Features/EditAclTests.cs— bUnit tests for author/non-author/admin scenariosTest Results
Working as Legolas (Frontend Developer) + Sam (Backend)