From 37237a3194a25f7199be4826997c16385359dbe5 Mon Sep 17 00:00:00 2001
From: Mike Alhayek
Date: Mon, 9 Oct 2023 12:19:35 -0700
Subject: [PATCH 1/2] Fix roles filter Fix #13276
---
 .../Controllers/AdminController.cs | 37 ++++++++++++++-----
 1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs b/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs
index d3255e76c06..fb798dcbeed 100644
--- a/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs
@@ -144,17 +144,17 @@ public async Task Index([ModelBinder(BinderType = typeof(UserFilte
 new SelectListItem() { Text = S["All Users"], Value = nameof(UsersFilter.All), Selected = (options.Filter == UsersFilter.All) },
 new SelectListItem() { Text = S["Enabled Users"], Value = nameof(UsersFilter.Enabled), Selected = (options.Filter == UsersFilter.Enabled) },
 new SelectListItem() { Text = S["Disabled Users"], Value = nameof(UsersFilter.Disabled), Selected = (options.Filter == UsersFilter.Disabled) }
- //new SelectListItem() { Text = S["Approved"], Value = nameof(UsersFilter.Approved) },
- //new SelectListItem() { Text = S["Email pending"], Value = nameof(UsersFilter.EmailPending) },
- //new SelectListItem() { Text = S["Pending"], Value = nameof(UsersFilter.Pending) }
+ // new SelectListItem() { Text = S["Approved"], Value = nameof(UsersFilter.Approved) },
+ // new SelectListItem() { Text = S["Email pending"], Value = nameof(UsersFilter.EmailPending) },
+ // new SelectListItem() { Text = S["Pending"], Value = nameof(UsersFilter.Pending) }
 };
 options.UserSorts = new List()
 {
 new SelectListItem() { Text = S["Name"], Value = nameof(UsersOrder.Name), Selected = (options.Order == UsersOrder.Name) },
 new SelectListItem() { Text = S["Email"], Value = nameof(UsersOrder.Email), Selected = (options.Order == UsersOrder.Email) },
- //new SelectListItem() { Text = S["Created date"], Value = nameof(UsersOrder.CreatedUtc) },
- //new SelectListItem() { Text = S["Last Login date"], Value = nameof(UsersOrder.LastLoginUtc) }
+ // new SelectListItem() { Text = S["Created date"], Value = nameof(UsersOrder.CreatedUtc) },
+ // new SelectListItem() { Text = S["Last Login date"], Value = nameof(UsersOrder.LastLoginUtc) }
 };
 options.UsersBulkAction = new List()
@@ -165,17 +165,36 @@ public async Task Index([ModelBinder(BinderType = typeof(UserFilte
 new SelectListItem() { Text = S["Delete"], Value = nameof(UsersBulkAction.Delete) }
 };
- var allRoles = (await _roleService.GetRoleNamesAsync())
- .Except(RoleHelper.SystemRoleNames, StringComparer.OrdinalIgnoreCase);
+ var roles = new List();
+
+ foreach (var roleName in await _roleService.GetRoleNamesAsync())
+ {
+ var permission = CommonPermissions.CreateListUsersInRolePermission(roleName);
+
+ if (!await _authorizationService.AuthorizeAsync(User, permission))
+ {
+ continue;
+ }
+
+ roles.Add(roleName);
+ }
 options.UserRoleFilters = new List()
 {
- new SelectListItem() { Text = S["All roles"], Value = string.Empty, Selected = (options.SelectedRole == string.Empty) },
+ new SelectListItem() { Text = S["Any role"], Value = string.Empty, Selected = options.SelectedRole == string.Empty },
 new SelectListItem() { Text = S["Authenticated (no roles)"], Value = "Authenticated", Selected = string.Equals(options.SelectedRole, "Authenticated", StringComparison.OrdinalIgnoreCase) }
 };
 // TODO Candidate for dynamic localization.
- options.UserRoleFilters.AddRange(allRoles.Select(x => new SelectListItem { Text = x, Value = x, Selected = string.Equals(options.SelectedRole, x, StringComparison.OrdinalIgnoreCase) }));
+ options.UserRoleFilters.AddRange(
+ roles.Select(role =>
+ new SelectListItem
+ {
+ Text = role,
+ Value = role.Contains(' ') ? "\"" + role + "\"" : role,
+ Selected = string.Equals(options.SelectedRole?.Trim('"'), role, StringComparison.OrdinalIgnoreCase)
+ })
+ );
 // Populate options pager summary values.
 var startIndex = (pagerShape.Page - 1) * (pagerShape.PageSize) + 1;
From 73b5ef3de8b81f6bec2f14adafa62f3254d5f374 Mon Sep 17 00:00:00 2001
From: Mike Alhayek
Date: Mon, 9 Oct 2023 12:38:43 -0700
Subject: [PATCH 2/2] cleanup
---
 .../Controllers/AdminController.cs | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
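Review bot: The new role loop in the `@@ -165,17 +165,36 @@` hunk no longer applies the `.Except(RoleHelper.SystemRoleNames, StringComparer.OrdinalIgnoreCase)` filter that the removed lines had, so if `GetRoleNamesAsync()` returns the system roles, a user authorized for them would see them as options, and an `Authenticated` entry would sit next to the hard-coded "Authenticated (no roles)" item with the same `Value`. If dropping the exclusion was not intended, skip them in the loop with `if (RoleHelper.SystemRoleNames.Contains(roleName, StringComparer.OrdinalIgnoreCase)) { continue; }` before the permission check. Separately, the per-role `AuthorizeAsync` call only decides which options are rendered; `options.SelectedRole` presumably still arrives with the request, so the same `CreateListUsersInRolePermission` check has to hold where the role term is applied to the user query, which is outside this hunk. The body of `Index` starts and ends outside the hunk.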
diff --git a/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs b/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs
index fb798dcbeed..b745159995d 100644
--- a/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs
+++ b/src/OrchardCore.Modules/OrchardCore.Users/Controllers/AdminController.cs
@@ -90,9 +90,7 @@ public AdminController(
 public async Task Index([ModelBinder(BinderType = typeof(UserFilterEngineModelBinder), Name = "q")] QueryFilterResult queryFilterResult, PagerParameters pagerParameters)
 {
 // Check a dummy user account to see if the current user has permission to view users.
- var authUser = new User();
-
- if (!await _authorizationService.AuthorizeAsync(User, CommonPermissions.ListUsers, authUser))
+ if (!await _authorizationService.AuthorizeAsync(User, CommonPermissions.ListUsers, new User()))
 {
 return Forbid();
 }
@@ -165,7 +163,7 @@ public async Task Index([ModelBinder(BinderType = typeof(UserFilte
 new SelectListItem() { Text = S["Delete"], Value = nameof(UsersBulkAction.Delete) }
 };
- var roles = new List();
+ var roleNames = new List();
 foreach (var roleName in await _roleService.GetRoleNamesAsync())
 {
@@ -176,7 +174,7 @@ public async Task Index([ModelBinder(BinderType = typeof(UserFilte
 continue;
 }
- roles.Add(roleName);
+ roleNames.Add(roleName);
 }
 options.UserRoleFilters = new List()
@@ -187,12 +185,12 @@ public async Task Index([ModelBinder(BinderType = typeof(UserFilte
 // TODO Candidate for dynamic localization.
 options.UserRoleFilters.AddRange(
- roles.Select(role =>
+ roleNames.Select(roleName =>
 new SelectListItem
 {
- Text = role,
- Value = role.Contains(' ') ? "\"" + role + "\"" : role,
- Selected = string.Equals(options.SelectedRole?.Trim('"'), role, StringComparison.OrdinalIgnoreCase)
+ Text = roleName,
+ Value = roleName.Contains(' ') ? $"\"{roleName}\"" : roleName,
+ Selected = string.Equals(options.SelectedRole?.Trim('"'), roleName, StringComparison.OrdinalIgnoreCase)
 })
 );
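Review bot: The `Value` expression quotes a role name only when it contains a space and never escapes a `"` inside the name, so a role name holding a double quote (or whitespace other than a space) is written into the filter value unchanged; how the filter parser treats that input is not visible in this hunk. The `Selected` line undoes the quoting with `Trim('"')`, which strips every leading and trailing quote, so a name that itself begins or ends with `"` would never compare equal and the option would not be marked selected. Putting the quoting and its inverse in one private helper used by both lines would keep the two directions in step, and role names that cannot be represented could be skipped or escaped there. The same expression is introduced in the `@@ -165,17 +165,36 @@` hunk of patch 1/2; this hunk only restyles it.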