feat: #444 only use permission strings everywhere

templates/Coalesce.Vue.Template/content/Coalesce.Starter.Vue.Data/AppDbContext.cs

@@ -80,7 +80,7 @@ protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
 	}
 #endif
 
-	protected override void OnModelCreating(ModelBuilder builder)
+    protected override void OnModelCreating(ModelBuilder builder)
 	{
 		base.OnModelCreating(builder);
 
@@ -107,6 +107,11 @@ protected override void OnModelCreating(ModelBuilder builder)
 				.IsRequired()
 				.OnDelete(DeleteBehavior.Cascade);
 		});
+
+        builder.Entity<Role>(e =>
+        {
+            e.PrimitiveCollection(e => e.Permissions).ElementType().HasConversion<string>();
+        });
 #endif
 	}
 }

templates/Coalesce.Vue.Template/content/Coalesce.Starter.Vue.Data/Auth/Permission.cs

@@ -7,19 +7,13 @@
 /// </summary>
 public enum Permission
 {
-    // Note about usage of Permission values:
-    // The numeric values are stored in the database on `Role.Permissions`.
-    // The string value are stored in the user claims,
-    // issused by `ClaimsPrincipalFactory` and consumed by role-based security attributes with `nameof`.
-
-    // Therefore, use caution and avoid editing existing roles.
-    // Always assign new roles the next highest value, never reusing old numbers.
+    // Note: Enum values/numbers are not used. Only the names are used for persistence and API representation.
 
     [Display(Name = "Admin - General", Description = "Modify application configuration and other administrative functions excluding user/role management.")]
     Admin = 1,
 
     [Display(Name = "Admin - Users", Description = "Add and modify users accounts and their assigned roles. Edit roles and their permissions.")]
-    UserAdmin = 2,
+    UserAdmin,
 
-    ViewAuditLogs = 3
+    ViewAuditLogs
 }

templates/Coalesce.Vue.Template/content/Coalesce.Starter.Vue.Web/ProgramAuth.cs

@@ -91,7 +91,7 @@ await UpdateUserPhoto(user, db, ctx.Options.Backchannel, () => {
     }
 
 #if UserPictures
-    private static async Task UpdateUserPhoto(User user, AppDbContext db, HttpClient client, Func<HttpRequestMessage> buildRequest)
+    private static async Task UpdateUserPhoto(User user, AppDbContext db, HttpClient client, Func<HttpRequestMessage> requestFactory)
     {
         UserPhoto? photo = user.Photo = db.UserPhotos.Where(p => p.UserId == user.Id).FirstOrDefault();
         if (photo is not null && photo.ModifiedOn >= DateTimeOffset.Now.AddDays(-7))
@@ -100,7 +100,7 @@ private static async Task UpdateUserPhoto(User user, AppDbContext db, HttpClient
             return;
         }
 
-        var request = buildRequest();
+        var request = requestFactory();
 
         if (request.RequestUri is null) return;
 
@@ -148,6 +148,7 @@ private static Func<TicketReceivedContext, Task> OnTicketReceived(
 
         await signInManager.UserManager.UpdateAsync(user);
 
+        // ExternalLoginSignInAsync checks that the user isn't locked out.
         var result = await signInManager.ExternalLoginSignInAsync(
             remoteLoginInfo.LoginProvider, 
             remoteLoginInfo.ProviderKey, 
@@ -190,6 +191,8 @@ SignInManager<User> signInManager
         else if (remoteUserEmail is not null)
         {
             user = await signInManager.UserManager.FindByEmailAsync(remoteUserEmail);
+            // Don't match existing users by email if the email isn't confirmed.
+            if (user?.EmailConfirmed == false) user = null;
         }
 
         if (user is null)
@@ -201,7 +204,7 @@ SignInManager<User> signInManager
 
             user = new User { UserName = remoteUserEmail };
 
-            // If this user is the first user, give them all roles so the system has an admin.
+            // If this user is the first user, give them all roles so there is an initial admin.
             if (!db.Users.Any())
             {
                 user.UserRoles = db.Roles.Select(r => new UserRole { Role = r, User = user }).ToList();