dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(centralui): role guard uses RoleClaimType, not IsInRole

Browse Source 
ClaimsIdentity is built without an explicit roleType, so IsInRole("Design")
checks ClaimTypes.Role while actual claims use "Role" — the guard always
returned not-authorized. Switch to HasClaim(RoleClaimType, "Design").
This commit is contained in:
Joseph Doherty
2026-05-28 12:36:46 -04:00
parent c2919c2c38
commit c1e16cf9ff
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/OpcUaBrowseService.cs
+2 -1
View File
@@ -2,6 +2,7 @@ using Microsoft.AspNetCore.Components.Authorization;
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Protocol; using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Protocol;
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management; using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
using ZB.MOM.WW.ScadaBridge.Communication; using ZB.MOM.WW.ScadaBridge.Communication;
using ZB.MOM.WW.ScadaBridge.Security;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services; namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
@@ -44,7 +45,7 @@ public sealed class OpcUaBrowseService : IOpcUaBrowseService
// CentralUI-side role guard — sites don't enforce envelope-level roles, // CentralUI-side role guard — sites don't enforce envelope-level roles,
// so the Design check must happen here before any cross-cluster traffic. // so the Design check must happen here before any cross-cluster traffic.
var state = await _auth.GetAuthenticationStateAsync(); var state = await _auth.GetAuthenticationStateAsync();
if (!state.User.IsInRole("Design")) if (!state.User.HasClaim(JwtTokenService.RoleClaimType, "Design"))
{ {
return new BrowseOpcUaNodeResult( return new BrowseOpcUaNodeResult(
Array.Empty<BrowseNode>(), Array.Empty<BrowseNode>(),