
fix: Add missing authorization to Identity endpoints #1170

Merged
iammukeshm merged 1 commit into develop from fix/add-missing-identity-authorization
Jan 25, 2026

Conversation

@iammukeshm (Member)

Summary

This PR adds missing authorization checks to 4 Identity module endpoints that were previously accessible without proper authentication/authorization.

Changes

Endpoints Updated:

  1. ChangePasswordEndpoint - Added .RequireAuthorization() (user must be logged in to change their password)
  2. GetUserProfileEndpoint - Added .RequireAuthorization() (user must be logged in to view their profile)
  3. AssignUserRolesEndpoint - Added .RequirePermission(IdentityPermissionConstants.Users.ManageRoles) (only users with ManageRoles permission can assign roles)
  4. GetUserPermissionsEndpoint - Added .RequirePermission(IdentityPermissionConstants.Users.View) (only users with View permission can see user permissions)

Permission Constants:

  • Added new Users.ManageRoles permission constant to IdentityPermissionConstants

Security Impact

These changes ensure that:

  • Anonymous users cannot access profile/password endpoints
  • Only authorized administrators can manage user roles
  • User permissions are only visible to those with proper access

Testing

  • Followed existing FSH endpoint authorization patterns
  • Consistent with other Identity module endpoints (e.g., GetUserRoles, DeleteUser)

- ChangePasswordEndpoint: Add RequireAuthorization() for logged-in users
- GetUserProfileEndpoint: Add RequireAuthorization() for logged-in users
- AssignUserRolesEndpoint: Add RequirePermission(Users.ManageRoles)
- GetUserPermissionsEndpoint: Add RequirePermission(Users.View)
- Add Users.ManageRoles permission constant

These endpoints were previously accessible without proper authorization checks.
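The pattern the PR applies, shown as an added illustration rather than code from the FSH project or this PR: a minimal-API endpoint with no authorization metadata is reachable by anonymous callers; chaining `.RequireAuthorization()` demands an authenticated principal, and a `RequirePermission(...)` convention additionally demands a named permission. The `RequirePermission` extension, the `PermissionRequirement`/handler pair, the `"permission"` claim type, the route paths and the permission string values below are all assumptions for this example; only the `IdentityPermissionConstants.Users.View` and `Users.ManageRoles` names come from the PR.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

// Permission names: Users.View / Users.ManageRoles are named in the PR;
// the string values are assumptions for this example.
public static class IdentityPermissionConstants
{
    public static class Users
    {
        public const string View = "Permissions.Users.View";
        public const string ManageRoles = "Permissions.Users.ManageRoles";
    }
}

// Requirement carrying the permission an endpoint demands (assumed design).
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public PermissionRequirement(string permission) => Permission = permission;
    public string Permission { get; }
}

// Succeeds only when the authenticated principal carries a matching "permission" claim.
// The claim type is an assumption; a real project may resolve permissions differently.
public sealed class PermissionAuthorizationHandler : AuthorizationHandler<PermissionRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        if (context.User.Identity?.IsAuthenticated == true
            && context.User.HasClaim("permission", requirement.Permission))
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// Hypothetical RequirePermission convention: authenticated user AND the named permission.
public static class PermissionEndpointExtensions
{
    public static TBuilder RequirePermission<TBuilder>(this TBuilder builder, string permission)
        where TBuilder : IEndpointConventionBuilder
        => builder.RequireAuthorization(policy => policy
            .RequireAuthenticatedUser()
            .AddRequirements(new PermissionRequirement(permission)));
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        // A concrete scheme (e.g. JWT bearer) must be added here; omitted as an assumption.
        builder.Services.AddAuthentication();
        builder.Services.AddAuthorization();
        builder.Services.AddSingleton<IAuthorizationHandler, PermissionAuthorizationHandler>();

        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();

        // BEFORE (the defect the PR fixes): no authorization metadata, so anonymous callers
        // reach the handler. Kept only as a comment for contrast.
        // app.MapGet("/api/users/profile", (ClaimsPrincipal user) => Results.Ok(user.Identity?.Name));

        // AFTER: a valid authenticated identity is required (401 otherwise).
        app.MapGet("/api/users/profile", (ClaimsPrincipal user) => Results.Ok(user.Identity?.Name))
           .RequireAuthorization();
        app.MapPost("/api/users/change-password", () => Results.NoContent())
           .RequireAuthorization();

        // AFTER: authenticated AND holds the permission (403 when authenticated but lacking it).
        app.MapPost("/api/users/{id}/roles", (string id) => Results.NoContent())
           .RequirePermission(IdentityPermissionConstants.Users.ManageRoles);
        app.MapGet("/api/users/{id}/permissions", (string id) => Results.Ok(Array.Empty<string>()))
           .RequirePermission(IdentityPermissionConstants.Users.View);

        app.Run();
    }
}
```

A quick regression check for this class of defect is to call each endpoint with no credentials and expect 401, then with a valid token that lacks the permission claim and expect 403 on the `RequirePermission` endpoints; an endpoint that returns 200 in either case is missing its authorization metadata.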
@iammukeshm iammukeshm merged commit 99a11e0 into develop Jan 25, 2026
8 checks passed
@iammukeshm iammukeshm deleted the fix/add-missing-identity-authorization branch January 25, 2026 15:08
