feat: Update authorization for public access on maps and change log controllers; enhance documentation for clarity

Author: frasermolyneux

src/XtremeIdiots.Portal.Web/ApiControllers/MapsController.cs

@@ -12,9 +12,13 @@
 namespace XtremeIdiots.Portal.Web.ApiControllers;
 
 /// <summary>
-/// API controller for maps data operations
+/// API controller for maps data operations. The public map list endpoint
+/// (<c>GetMapListAjax</c>) is anonymous and projects only public-safe map
+/// metadata. Admin-only endpoints (e.g. <c>GetMapVotesAjax</c>, which exposes
+/// player usernames and IDs) carry their own explicit [Authorize] — each
+/// action opts in to its own auth posture rather than inheriting from the
+/// class.
 /// </summary>
-[Authorize(Policy = AuthPolicies.MapRotations_Read)]
 [Route("Maps")]
 public class MapsController(
     IRepositoryApiClient repositoryApiClient,
@@ -31,6 +35,7 @@ public class MapsController(
     /// <param name="cancellationToken">Cancellation token for the async operation</param>
     /// <returns>JSON data formatted for DataTables consumption</returns>
     [HttpPost("GetMapListAjax/{id?}")]
+    [AllowAnonymous]
     [ValidateAntiForgeryToken]
     public async Task<IActionResult> GetMapListAjax(GameType? id, CancellationToken cancellationToken = default)
     {
@@ -97,11 +102,13 @@ public async Task<IActionResult> GetMapListAjax(GameType? id, CancellationToken
     }
 
     /// <summary>
-    /// Provides paginated map vote data for DataTables Ajax requests
+    /// Provides paginated map vote data for DataTables Ajax requests (admin-only;
+    /// the payload exposes player usernames and IDs).
     /// </summary>
     /// <param name="cancellationToken">Cancellation token for the async operation</param>
     /// <returns>JSON data formatted for DataTables consumption</returns>
     [HttpPost("GetMapVotesAjax")]
+    [Authorize(Policy = AuthPolicies.MapRotations_Read)]
     [ValidateAntiForgeryToken]
     public async Task<IActionResult> GetMapVotesAjax(CancellationToken cancellationToken = default)
     {

src/XtremeIdiots.Portal.Web/Controllers/ChangeLogController.cs

@@ -8,9 +8,12 @@
 namespace XtremeIdiots.Portal.Web.Controllers;
 
 /// <summary>
-/// Controller for accessing and managing application change logs
+/// Public change log page. Surfaces portal development activity (commits, PRs,
+/// build status) sourced directly from GitHub's public REST API via
+/// client-side fetches — no portal backend data is returned from this
+/// controller.
 /// </summary>
-[Authorize]
+[AllowAnonymous]
 public class ChangeLogController(
     TelemetryClient telemetryClient,
     ILogger<ChangeLogController> logger,

src/XtremeIdiots.Portal.Web/Controllers/HomeController.cs

@@ -2,14 +2,15 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using MX.Observability.ApplicationInsights.Auditing;
-using XtremeIdiots.Portal.Web.Auth.Constants;
 
 namespace XtremeIdiots.Portal.Web.Controllers;
 
 /// <summary>
-/// Handles the main dashboard and home page functionality
+/// Handles the public landing / home page. The content is a public marketing
+/// page (community links, public server list via view component, donation block)
+/// and must remain reachable without authentication.
 /// </summary>
-[Authorize]
+[AllowAnonymous]
 public class HomeController(
     TelemetryClient telemetryClient,
     ILogger<HomeController> logger,
@@ -19,10 +20,10 @@ public class HomeController(
     // No additional dependencies required for current actions
 
     /// <summary>
-    /// Displays the main dashboard for authenticated users
+    /// Displays the public landing page
     /// </summary>
     /// <param name="cancellationToken">Cancellation token for the async operation</param>
-    /// <returns>Dashboard view with user-specific content</returns>
+    /// <returns>Landing page view</returns>
     [HttpGet]
     public IActionResult Index(CancellationToken cancellationToken = default)
     {

src/XtremeIdiots.Portal.Web/Controllers/MapsController.cs

@@ -10,7 +10,11 @@
 namespace XtremeIdiots.Portal.Web.Controllers;
 
 /// <summary>
-/// Provides map browsing, search, and image retrieval functionality
+/// Provides map browsing, search, and image retrieval. The public map browsing
+/// endpoints (<c>Index</c>, <c>GameIndex</c>, <c>MapImage</c>) are anonymous —
+/// they expose only public map metadata and imagery. Admin-only actions
+/// (e.g. <c>VoteLog</c>) carry their own explicit [Authorize] — each action
+/// opts in to its own auth posture rather than inheriting from the class.
 /// </summary>
 /// <remarks>
 /// Initializes a new instance of the MapsController
@@ -19,7 +23,6 @@ namespace XtremeIdiots.Portal.Web.Controllers;
 /// <param name="telemetryClient">Client for tracking telemetry data</param>
 /// <param name="logger">Logger instance for this controller</param>
 /// <param name="configuration">Application configuration</param>
-[Authorize(Policy = AuthPolicies.MapRotations_Read)]
 public class MapsController(
     IRepositoryApiClient repositoryApiClient,
     TelemetryClient telemetryClient,
@@ -34,6 +37,7 @@ public class MapsController(
     /// <param name="cancellationToken">Cancellation token for the async operation</param>
     /// <returns>Maps index view</returns>
     [HttpGet]
+    [AllowAnonymous]
     public async Task<IActionResult> Index(CancellationToken cancellationToken = default)
     {
         return await ExecuteWithErrorHandlingAsync(() => Task.FromResult<IActionResult>(View()), nameof(Index)).ConfigureAwait(false);
@@ -46,6 +50,7 @@ public async Task<IActionResult> Index(CancellationToken cancellationToken = def
     /// <param name="cancellationToken">Cancellation token for the async operation</param>
     /// <returns>Maps index view with game type filter applied</returns>
     [HttpGet]
+    [AllowAnonymous]
     public async Task<IActionResult> GameIndex(GameType? id, CancellationToken cancellationToken = default)
     {
         return await ExecuteWithErrorHandlingAsync(() =>
@@ -63,6 +68,7 @@ public async Task<IActionResult> GameIndex(GameType? id, CancellationToken cance
     /// <param name="cancellationToken">Cancellation token for the async operation</param>
     /// <returns>Redirect to map image URI or default no-image placeholder</returns>
     [HttpGet]
+    [AllowAnonymous]
     public async Task<IActionResult> MapImage(GameType gameType, string mapName, CancellationToken cancellationToken = default)
     {
         return await ExecuteWithErrorHandlingAsync(async () =>
@@ -88,11 +94,12 @@ public async Task<IActionResult> MapImage(GameType gameType, string mapName, Can
     }
 
     /// <summary>
-    /// Displays the map vote log/audit page
+    /// Displays the map vote log/audit page (admin-only)
     /// </summary>
     /// <param name="cancellationToken">Cancellation token for the async operation</param>
     /// <returns>Vote log view</returns>
     [HttpGet]
+    [Authorize(Policy = AuthPolicies.MapRotations_Read)]
     public async Task<IActionResult> VoteLog(CancellationToken cancellationToken = default)
     {
         return await ExecuteWithErrorHandlingAsync(() => Task.FromResult<IActionResult>(View()), nameof(VoteLog)).ConfigureAwait(false);