src/Umbraco.Web.BackOffice/Controllers/UserGroupEditorAuthorizationHelper.cs

using System.Collections.Generic;
using System.Linq;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Services;
using Umbraco.Extensions;
using Constants = Umbraco.Cms.Core.Constants;

namespace Umbraco.Cms.Web.BackOffice.Controllers
{
    internal class UserGroupEditorAuthorizationHelper
    {
        private readonly IUserService _userService;
        private readonly IContentService _contentService;
        private readonly IMediaService _mediaService;
        private readonly IEntityService _entityService;

        public UserGroupEditorAuthorizationHelper(IUserService userService, IContentService contentService, IMediaService mediaService, IEntityService entityService)
        {
            _userService = userService;
            _contentService = contentService;
            _mediaService = mediaService;
            _entityService = entityService;
        }

        /// <summary>
        /// Authorize that the current user belongs to these groups
        /// </summary>
        /// <param name="currentUser"></param>
        /// <param name="groupIds"></param>
        /// <returns></returns>
        public Attempt<string> AuthorizeGroupAccess(IUser currentUser, params int[] groupIds)
        {
            if (currentUser.IsAdmin())
                return Attempt<string>.Succeed();

            var groups = _userService.GetAllUserGroups(groupIds.ToArray());
            var groupAliases = groups.Select(x => x.Alias).ToArray();
            var userGroups = currentUser.Groups.Select(x => x.Alias).ToArray();
            var missingAccess = groupAliases.Except(userGroups).ToArray();
            return missingAccess.Length == 0
                ? Attempt<string>.Succeed()
                : Attempt.Fail("User is not a member of " + string.Join(", ", missingAccess));
        }

        /// <summary>
        /// Authorize that the current user belongs to these groups
        /// </summary>
        /// <param name="currentUser"></param>
        /// <param name="groupAliases"></param>
        /// <returns></returns>
        public Attempt<string> AuthorizeGroupAccess(IUser currentUser, params string[] groupAliases)
        {
            if (currentUser.IsAdmin())
                return Attempt<string>.Succeed();

            var existingGroups = _userService.GetUserGroupsByAlias(groupAliases);

            if(!existingGroups.Any())
            {
                // We're dealing with new groups,
                // so authorization should be given to any user with access to Users section
                if (currentUser.AllowedSections.Contains(Constants.Applications.Users))
                    return Attempt<string>.Succeed();
            }

            var userGroups = currentUser.Groups.Select(x => x.Alias).ToArray();
            var missingAccess = groupAliases.Except(userGroups).ToArray();
            return missingAccess.Length == 0
                ? Attempt<string>.Succeed()
                : Attempt.Fail("User is not a member of " + string.Join(", ", missingAccess));
        }

        /// <summary>
        /// Authorize that the user is not adding a section to the group that they don't have access to
        /// </summary>
        /// <param name="currentUser"></param>
        /// <param name="currentAllowedSections"></param>
        /// <param name="proposedAllowedSections"></param>
        /// <returns></returns>
        public Attempt<string> AuthorizeSectionChanges(IUser currentUser,
            IEnumerable<string> currentAllowedSections,
            IEnumerable<string> proposedAllowedSections)
        {
            if (currentUser.IsAdmin())
                return Attempt<string>.Succeed();

            var sectionsAdded = currentAllowedSections.Except(proposedAllowedSections).ToArray();
            var sectionAccessMissing = sectionsAdded.Except(currentUser.AllowedSections).ToArray();
            return sectionAccessMissing.Length > 0
                ? Attempt.Fail("Current user doesn't have access to add these sections " + string.Join(", ", sectionAccessMissing))
                : Attempt<string>.Succeed();
        }

        /// <summary>
        /// Authorize that the user is not changing to a start node that they don't have access to (including admins)
        /// </summary>
        /// <param name="currentUser"></param>
        /// <param name="currentContentStartId"></param>
        /// <param name="proposedContentStartId"></param>
        /// <param name="currentMediaStartId"></param>
        /// <param name="proposedMediaStartId"></param>
        /// <returns></returns>
        public Attempt<string> AuthorizeStartNodeChanges(IUser currentUser,
            int? currentContentStartId,
            int? proposedContentStartId,
            int? currentMediaStartId,
            int? proposedMediaStartId)
        {
            if (currentContentStartId != proposedContentStartId && proposedContentStartId.HasValue)
            {
                var content = _contentService.GetById(proposedContentStartId.Value);
                if (content != null)
                {
                    if (currentUser.HasPathAccess(content, _entityService) == false)
                        return Attempt.Fail("Current user doesn't have access to the content path " + content.Path);
                }
            }

            if (currentMediaStartId != proposedMediaStartId && proposedMediaStartId.HasValue)
            {
                var media = _mediaService.GetById(proposedMediaStartId.Value);
                if (media != null)
                {
                    if (currentUser.HasPathAccess(media, _entityService) == false)
                        return Attempt.Fail("Current user doesn't have access to the media path " + media.Path);
                }
            }

            return Attempt<string>.Succeed();
        }
    }
}
-												CrLfTab

											
										
										
											2017-09-23 10:08:18 +02:00
+								using System.Collections.Generic;
-												Port 7.7 - WIP

											
										
										
											2017-09-19 15:51:47 +02:00
+								using System.Linq;
-												Netcore: Align namespaces (#9801)

* Rename Umbraco.Core namespace to Umbraco.Cms.Core

* Move extension methods in core project to Umbraco.Extensions

* Move extension methods in core project to Umbraco.Extensions

* Rename Umbraco.Examine namespace to Umbraco.Cms.Examine

* Move examine extensions to Umbraco.Extensions namespace

* Reflect changed namespaces in Builder and fix unit tests

* Adjust namespace in Umbraco.ModelsBuilder.Embedded

* Adjust namespace in Umbraco.Persistence.SqlCe

* Adjust namespace in Umbraco.PublishedCache.NuCache

* Align namespaces in Umbraco.Web.BackOffice

* Align namespaces in Umbraco.Web.Common

* Ensure that SqlCeSupport is still enabled after changing the namespace

* Align namespaces in Umbraco.Web.Website

* Align namespaces in Umbraco.Web.UI.NetCore

* Align namespaces in Umbraco.Tests.Common

* Align namespaces in Umbraco.Tests.UnitTests

* Align namespaces in Umbraco.Tests.Integration

* Fix errors caused by changed namespaces

* Fix integration tests

* Undo the Umbraco.Examine.Lucene namespace change

This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows.

* Fix merge

* Fix Merge
											
										
										
											2021-02-18 11:06:02 +01:00
+								using Umbraco.Cms.Core;
 								using Umbraco.Cms.Core.Models;
 								using Umbraco.Cms.Core.Models.Membership;
 								using Umbraco.Cms.Core.Services;
 								using Umbraco.Extensions;
 								using Constants = Umbraco.Cms.Core.Constants;
-												Port 7.7 - WIP

											
										
										
											2017-09-19 15:51:47 +02:00
-												Netcore: Align namespaces (#9801)

* Rename Umbraco.Core namespace to Umbraco.Cms.Core

* Move extension methods in core project to Umbraco.Extensions

* Move extension methods in core project to Umbraco.Extensions

* Rename Umbraco.Examine namespace to Umbraco.Cms.Examine

* Move examine extensions to Umbraco.Extensions namespace

* Reflect changed namespaces in Builder and fix unit tests

* Adjust namespace in Umbraco.ModelsBuilder.Embedded

* Adjust namespace in Umbraco.Persistence.SqlCe

* Adjust namespace in Umbraco.PublishedCache.NuCache

* Align namespaces in Umbraco.Web.BackOffice

* Align namespaces in Umbraco.Web.Common

* Ensure that SqlCeSupport is still enabled after changing the namespace

* Align namespaces in Umbraco.Web.Website

* Align namespaces in Umbraco.Web.UI.NetCore

* Align namespaces in Umbraco.Tests.Common

* Align namespaces in Umbraco.Tests.UnitTests

* Align namespaces in Umbraco.Tests.Integration

* Fix errors caused by changed namespaces

* Fix integration tests

* Undo the Umbraco.Examine.Lucene namespace change

This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows.

* Fix merge

* Fix Merge
											
										
										
											2021-02-18 11:06:02 +01:00
+								namespace Umbraco.Cms.Web.BackOffice.Controllers
-												Port 7.7 - WIP

											
										
										
											2017-09-19 15:51:47 +02:00
+								{
 								    internal class UserGroupEditorAuthorizationHelper
 								    {
 								        private readonly IUserService _userService;
 								        private readonly IContentService _contentService;
 								        private readonly IMediaService _mediaService;
 								        private readonly IEntityService _entityService;
 								        public UserGroupEditorAuthorizationHelper(IUserService userService, IContentService contentService, IMediaService mediaService, IEntityService entityService)
 								        {
 								            _userService = userService;
 								            _contentService = contentService;
 								            _mediaService = mediaService;
 								            _entityService = entityService;
 								        }
 								        /// <summary>
 								        /// Authorize that the current user belongs to these groups
 								        /// </summary>
 								        /// <param name="currentUser"></param>
 								        /// <param name="groupIds"></param>
 								        /// <returns></returns>
 								        public Attempt<string> AuthorizeGroupAccess(IUser currentUser, params int[] groupIds)
 								        {
 								            if (currentUser.IsAdmin())
 								                return Attempt<string>.Succeed();
 								            var groups = _userService.GetAllUserGroups(groupIds.ToArray());
 								            var groupAliases = groups.Select(x => x.Alias).ToArray();
 								            var userGroups = currentUser.Groups.Select(x => x.Alias).ToArray();
 								            var missingAccess = groupAliases.Except(userGroups).ToArray();
 								            return missingAccess.Length == 0
 								                ? Attempt<string>.Succeed()
 								                : Attempt.Fail("User is not a member of " + string.Join(", ", missingAccess));
 								        }
 								        /// <summary>
 								        /// Authorize that the current user belongs to these groups
 								        /// </summary>
 								        /// <param name="currentUser"></param>
 								        /// <param name="groupAliases"></param>
 								        /// <returns></returns>
 								        public Attempt<string> AuthorizeGroupAccess(IUser currentUser, params string[] groupAliases)
 								        {
 								            if (currentUser.IsAdmin())
 								                return Attempt<string>.Succeed();
-												Issue 3018 - non-admin users cannot create groups

											
										
										
											2018-10-02 18:43:12 +02:00
+								            var existingGroups = _userService.GetUserGroupsByAlias(groupAliases);
 								            if(!existingGroups.Any())
 								            {
 								                // We're dealing with new groups,
 								                // so authorization should be given to any user with access to Users section
 								                if (currentUser.AllowedSections.Contains(Constants.Applications.Users))
 								                    return Attempt<string>.Succeed();
 								            }
-												Port 7.7 - WIP

											
										
										
											2017-09-19 15:51:47 +02:00
+								            var userGroups = currentUser.Groups.Select(x => x.Alias).ToArray();
 								            var missingAccess = groupAliases.Except(userGroups).ToArray();
 								            return missingAccess.Length == 0
 								                ? Attempt<string>.Succeed()
 								                : Attempt.Fail("User is not a member of " + string.Join(", ", missingAccess));
 								        }
 								        /// <summary>
 								        /// Authorize that the user is not adding a section to the group that they don't have access to
 								        /// </summary>
 								        /// <param name="currentUser"></param>
 								        /// <param name="currentAllowedSections"></param>
 								        /// <param name="proposedAllowedSections"></param>
 								        /// <returns></returns>
 								        public Attempt<string> AuthorizeSectionChanges(IUser currentUser,
 								            IEnumerable<string> currentAllowedSections,
 								            IEnumerable<string> proposedAllowedSections)
 								        {
 								            if (currentUser.IsAdmin())
 								                return Attempt<string>.Succeed();
 								            var sectionsAdded = currentAllowedSections.Except(proposedAllowedSections).ToArray();
 								            var sectionAccessMissing = sectionsAdded.Except(currentUser.AllowedSections).ToArray();
 								            return sectionAccessMissing.Length > 0
 								                ? Attempt.Fail("Current user doesn't have access to add these sections " + string.Join(", ", sectionAccessMissing))
 								                : Attempt<string>.Succeed();
 								        }
 								        /// <summary>
 								        /// Authorize that the user is not changing to a start node that they don't have access to (including admins)
 								        /// </summary>
 								        /// <param name="currentUser"></param>
 								        /// <param name="currentContentStartId"></param>
 								        /// <param name="proposedContentStartId"></param>
 								        /// <param name="currentMediaStartId"></param>
 								        /// <param name="proposedMediaStartId"></param>
 								        /// <returns></returns>
 								        public Attempt<string> AuthorizeStartNodeChanges(IUser currentUser,
 								            int? currentContentStartId,
 								            int? proposedContentStartId,
 								            int? currentMediaStartId,
 								            int? proposedMediaStartId)
 								        {
 								            if (currentContentStartId != proposedContentStartId && proposedContentStartId.HasValue)
 								            {
 								                var content = _contentService.GetById(proposedContentStartId.Value);
 								                if (content != null)
 								                {
 								                    if (currentUser.HasPathAccess(content, _entityService) == false)
 								                        return Attempt.Fail("Current user doesn't have access to the content path " + content.Path);
 								                }
 								            }
 								            if (currentMediaStartId != proposedMediaStartId && proposedMediaStartId.HasValue)
 								            {
 								                var media = _mediaService.GetById(proposedMediaStartId.Value);
 								                if (media != null)
 								                {
 								                    if (currentUser.HasPathAccess(media, _entityService) == false)
 								                        return Attempt.Fail("Current user doesn't have access to the media path " + media.Path);
 								                }
 								            }
 								            return Attempt<string>.Succeed();
 								        }
 								    }
-												CrLfTab

											
										
										
											2017-09-23 10:08:18 +02:00
+								}