src/Umbraco.Web.Common/Security/BackofficeSecurity.cs

using Microsoft.AspNetCore.Http;
using Umbraco.Cms.Core;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Security;
using Umbraco.Cms.Core.Services;
using Umbraco.Extensions;

namespace Umbraco.Cms.Web.Common.Security
{
    public class BackOfficeSecurity : IBackOfficeSecurity
    {
        private readonly IUserService _userService;
        private readonly IHttpContextAccessor _httpContextAccessor;

        private readonly object _currentUserLock = new object();
        private IUser _currentUser;

        public BackOfficeSecurity(
            IUserService userService,
            IHttpContextAccessor httpContextAccessor)
        {
            _userService = userService;
            _httpContextAccessor = httpContextAccessor;
        }


        /// <inheritdoc />
        public IUser CurrentUser
        {
            get
            {

                //only load it once per instance! (but make sure groups are loaded)
                if (_currentUser == null)
                {
                    lock (_currentUserLock)
                    {
                        //Check again
                        if (_currentUser == null)
                        {
                            var id = GetUserId();
                            _currentUser = id ? _userService.GetUserById(id.Result) : null;
                        }
                    }
                }

                return _currentUser;
            }
        }

        /// <inheritdoc />
        public Attempt<int> GetUserId()
        {
            var identity = _httpContextAccessor.HttpContext?.GetCurrentIdentity();
            return identity == null ? Attempt.Fail<int>() : Attempt.Succeed(identity.GetId());
        }

        /// <inheritdoc />
        public bool IsAuthenticated()
        {
            var httpContext = _httpContextAccessor.HttpContext;
            return httpContext?.User != null && httpContext.User.Identity.IsAuthenticated && httpContext.GetCurrentIdentity() != null;
        }

        /// <inheritdoc />
        public bool UserHasSectionAccess(string section, IUser user)
        {
            return user.HasSectionAccess(section);
        }

    }
}
kill IBackOfficeSecurityFactory and fix the broken dependency chain 2021-03-04 15:07:54 +11:00			`using Microsoft.AspNetCore.Http;`
Netcore: Align namespaces (#9801) * Rename Umbraco.Core namespace to Umbraco.Cms.Core * Move extension methods in core project to Umbraco.Extensions * Move extension methods in core project to Umbraco.Extensions * Rename Umbraco.Examine namespace to Umbraco.Cms.Examine * Move examine extensions to Umbraco.Extensions namespace * Reflect changed namespaces in Builder and fix unit tests * Adjust namespace in Umbraco.ModelsBuilder.Embedded * Adjust namespace in Umbraco.Persistence.SqlCe * Adjust namespace in Umbraco.PublishedCache.NuCache * Align namespaces in Umbraco.Web.BackOffice * Align namespaces in Umbraco.Web.Common * Ensure that SqlCeSupport is still enabled after changing the namespace * Align namespaces in Umbraco.Web.Website * Align namespaces in Umbraco.Web.UI.NetCore * Align namespaces in Umbraco.Tests.Common * Align namespaces in Umbraco.Tests.UnitTests * Align namespaces in Umbraco.Tests.Integration * Fix errors caused by changed namespaces * Fix integration tests * Undo the Umbraco.Examine.Lucene namespace change This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows. * Fix merge * Fix Merge 2021-02-18 11:06:02 +01:00			`using Umbraco.Cms.Core;`
			`using Umbraco.Cms.Core.Models.Membership;`
			`using Umbraco.Cms.Core.Security;`
			`using Umbraco.Cms.Core.Services;`
Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering 2020-05-25 23:15:32 +10:00			`using Umbraco.Extensions;`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00
Netcore: Align namespaces (#9801) * Rename Umbraco.Core namespace to Umbraco.Cms.Core * Move extension methods in core project to Umbraco.Extensions * Move extension methods in core project to Umbraco.Extensions * Rename Umbraco.Examine namespace to Umbraco.Cms.Examine * Move examine extensions to Umbraco.Extensions namespace * Reflect changed namespaces in Builder and fix unit tests * Adjust namespace in Umbraco.ModelsBuilder.Embedded * Adjust namespace in Umbraco.Persistence.SqlCe * Adjust namespace in Umbraco.PublishedCache.NuCache * Align namespaces in Umbraco.Web.BackOffice * Align namespaces in Umbraco.Web.Common * Ensure that SqlCeSupport is still enabled after changing the namespace * Align namespaces in Umbraco.Web.Website * Align namespaces in Umbraco.Web.UI.NetCore * Align namespaces in Umbraco.Tests.Common * Align namespaces in Umbraco.Tests.UnitTests * Align namespaces in Umbraco.Tests.Integration * Fix errors caused by changed namespaces * Fix integration tests * Undo the Umbraco.Examine.Lucene namespace change This breaks integration tests on linux, since the namespace wont exists there because it's only used on windows. * Fix merge * Fix Merge 2021-02-18 11:06:02 +01:00			`namespace Umbraco.Cms.Web.Common.Security`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`{`
It builds! 2020-10-23 14:18:53 +11:00			`public class BackOfficeSecurity : IBackOfficeSecurity`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`{`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`private readonly IUserService _userService;`
Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering 2020-05-25 23:15:32 +10:00			`private readonly IHttpContextAccessor _httpContextAccessor;`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00
Implement password config storage for members (#10170) * Getting new netcore PublicAccessChecker in place * Adds full test coverage for PublicAccessChecker * remove PublicAccessComposer * adjust namespaces, ensure RoleManager works, separate public access controller, reduce content controller * Implements the required methods on IMemberManager, removes old migrated code * Updates routing to be able to re-route, Fixes middleware ordering ensuring endpoints are last, refactors pipeline options, adds public access middleware, ensures public access follows all hops * adds note * adds note * Cleans up ext methods, ensures that members identity is added on both front-end and back ends. updates how UmbracoApplicationBuilder works in that it explicitly starts endpoints at the time of calling. * Changes name to IUmbracoEndpointBuilder * adds note * Fixing tests, fixing error describers so there's 2x one for back office, one for members, fixes TryConvertTo, fixes login redirect * fixing build * Updates user manager to correctly validate password hashing and injects the IBackOfficeUserPasswordChecker * Merges PR * Fixes up build and notes * Implements security stamp and email confirmed for members, cleans up a bunch of repo/service level member groups stuff, shares user store code between members and users and fixes the user identity object so we arent' tracking both groups and roles. * Security stamp for members is now working * Fixes keepalive, fixes PublicAccessMiddleware to not throw, updates startup code to be more clear and removes magic that registers middleware. * adds note * removes unused filter, fixes build * fixes WebPath and tests * Looks up entities in one query * remove usings * Fix test, remove stylesheet * Set status code before we write to response to avoid error * Ensures that users and members are validated when logging in. Shares more code between users and members. * merge changes * oops * Reducing and removing published member cache * Fixes RepositoryCacheKeys to ensure the keys are normalized * oops didn't mean to commit this * Fix casing issues with caching, stop boxing value types for all cache operations, stop re-creating string keys in DefaultRepositoryCachePolicy * oops didn't mean to comit this * bah, far out this keeps getting recommitted. sorry * cannot inject IPublishedMemberCache and cannot have IPublishedMember * splits out files, fixes build * fix tests * removes membership provider classes * removes membership provider classes * updates the identity map definition * reverts commented out lines * reverts commented out lines * Implements members Password config in db, fixes members cookie auth to not interfere with the back office cookie auth, fixes Startup sequence, fixes startup pipeline * commits change to Startup * Rename migration from `MemberTableColumns2` to `AddPasswordConfigToMemberTable` * Fix test * Fix tests, but adding default passwordConfig to members Co-authored-by: Bjarke Berg <mail@bergmania.dk> 2021-04-22 23:59:13 +10:00			`private readonly object _currentUserLock = new object();`
Netcore: Fixes issues with user invites (#9616) * AB9629 Fixes issues with user invites - Issue with the generated link in the invite email - Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in - Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login * Fix issues with invite flow * Fix minor typos * Fixed issue with validation response and remove/change avatar * Fix issue with disable users, after all enums are handled like strings * Fix tests * Fix other validation issue * Fix yet another validation issue Co-authored-by: Elitsa Marinovska <elm@umbraco.dk> 2021-01-12 16:15:19 +01:00			`private IUser _currentUser;`

It builds! 2020-10-23 14:18:53 +11:00			`public BackOfficeSecurity(`
Cleaning up websecurity and implementing it, migrates security stamp and session id validation for cookie auth 2020-06-02 13:28:30 +10:00			`IUserService userService,`
			`IHttpContextAccessor httpContextAccessor)`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`{`
			`_userService = userService;`
Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering 2020-05-25 23:15:32 +10:00			`_httpContextAccessor = httpContextAccessor;`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`}`

Netcore: Fixes issues with user invites (#9616) * AB9629 Fixes issues with user invites - Issue with the generated link in the invite email - Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in - Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login * Fix issues with invite flow * Fix minor typos * Fixed issue with validation response and remove/change avatar * Fix issue with disable users, after all enums are handled like strings * Fix tests * Fix other validation issue * Fix yet another validation issue Co-authored-by: Elitsa Marinovska <elm@umbraco.dk> 2021-01-12 16:15:19 +01:00
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00
Gets WebSecurity implemented 2020-06-02 14:46:58 +10:00			`/// <inheritdoc />`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`public IUser CurrentUser`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated TourController 2020-05-18 15:19:52 +02:00			`{`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`get`
			`{`
Netcore: Fixes issues with user invites (#9616) * AB9629 Fixes issues with user invites - Issue with the generated link in the invite email - Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in - Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login * Fix issues with invite flow * Fix minor typos * Fixed issue with validation response and remove/change avatar * Fix issue with disable users, after all enums are handled like strings * Fix tests * Fix other validation issue * Fix yet another validation issue Co-authored-by: Elitsa Marinovska <elm@umbraco.dk> 2021-01-12 16:15:19 +01:00
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`//only load it once per instance! (but make sure groups are loaded)`
			`if (_currentUser == null)`
			`{`
Netcore: Fixes issues with user invites (#9616) * AB9629 Fixes issues with user invites - Issue with the generated link in the invite email - Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in - Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login * Fix issues with invite flow * Fix minor typos * Fixed issue with validation response and remove/change avatar * Fix issue with disable users, after all enums are handled like strings * Fix tests * Fix other validation issue * Fix yet another validation issue Co-authored-by: Elitsa Marinovska <elm@umbraco.dk> 2021-01-12 16:15:19 +01:00			`lock (_currentUserLock)`
			`{`
			`//Check again`
			`if (_currentUser == null)`
			`{`
			`var id = GetUserId();`
			`_currentUser = id ? _userService.GetUserById(id.Result) : null;`
			`}`
			`}`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`}`
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated TourController 2020-05-18 15:19:52 +02:00
https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController 2020-05-19 09:52:58 +02:00			`return _currentUser;`
			`}`
			`}`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00
Gets WebSecurity implemented 2020-06-02 14:46:58 +10:00			`/// <inheritdoc />`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`public Attempt<int> GetUserId()`
			`{`
Changed the UmbracoIntegrationTest setup to be sync, to avoid issue with AsyncLocal Signed-off-by: Bjarke Berg <mail@bergmania.dk> 2020-10-05 10:02:11 +02:00			`var identity = _httpContextAccessor.HttpContext?.GetCurrentIdentity();`
Switch simple properties to extension methods 2021-02-17 10:11:04 +01:00			`return identity == null ? Attempt.Fail<int>() : Attempt.Succeed(identity.GetId());`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`}`

Gets WebSecurity implemented 2020-06-02 14:46:58 +10:00			`/// <inheritdoc />`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`public bool IsAuthenticated()`
			`{`
Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering 2020-05-25 23:15:32 +10:00			`var httpContext = _httpContextAccessor.HttpContext;`
			`return httpContext?.User != null && httpContext.User.Identity.IsAuthenticated && httpContext.GetCurrentIdentity() != null;`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`}`

Gets WebSecurity implemented 2020-06-02 14:46:58 +10:00			`/// <inheritdoc />`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`public bool UserHasSectionAccess(string section, IUser user)`
			`{`
Gets WebSecurity implemented 2020-06-02 14:46:58 +10:00			`return user.HasSectionAccess(section);`
Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers 2020-05-12 10:21:40 +10:00			`}`

			`}`
			`}`