using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Primitives;
using System;
using System.Threading.Tasks;
using Umbraco.Core;
using Umbraco.Core.Models;
using Umbraco.Core.Security;
using Umbraco.Core.Services;
namespace Umbraco.Web.BackOffice.Authorization
{
/// <summary>
/// Authorization handler for <see cref="MediaPermissionsQueryStringRequirement"/>: reads a node
/// identifier from the request query string and asks <see cref="MediaPermissions"/> whether the
/// current back-office user may access that node.
/// </summary>
/// <remarks>
/// The handler only calls <c>context.Fail()</c> when the permission check returns
/// <c>MediaPermissions.MediaAccess.Denied</c>. A missing query string value, a
/// <c>NotFound</c> result and every other result all mark the requirement as succeeded, so
/// callers should not treat success here as proof that the node exists or was identified.
/// </remarks>
public class MediaPermissionsQueryStringHandler : AuthorizationHandler<MediaPermissionsQueryStringRequirement>
{
    private readonly IBackOfficeSecurityAccessor _backofficeSecurityAccessor;
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly MediaPermissions _mediaPermissions;
    private readonly IEntityService _entityService;

    /// <summary>
    /// Creates the handler with the services it needs to read the request, resolve the node id
    /// and evaluate the current user's media permissions.
    /// </summary>
    /// <param name="backofficeSecurityAccessor">Gives access to the current back-office user.</param>
    /// <param name="httpContextAccessor">Gives access to the current request's query string and item cache.</param>
    /// <param name="entityService">Resolves a UDI or GUID key to an integer node id.</param>
    /// <param name="mediaPermissions">Performs the permission check for a user and node id.</param>
    public MediaPermissionsQueryStringHandler(
        IBackOfficeSecurityAccessor backofficeSecurityAccessor,
        IHttpContextAccessor httpContextAccessor,
        IEntityService entityService,
        MediaPermissions mediaPermissions)
    {
        _mediaPermissions = mediaPermissions;
        _entityService = entityService;
        _httpContextAccessor = httpContextAccessor;
        _backofficeSecurityAccessor = backofficeSecurityAccessor;
    }

    /// <summary>
    /// Evaluates the requirement against the node id named by
    /// <c>requirement.QueryStringName</c> in the current request's query string.
    /// </summary>
    /// <param name="context">The authorization context that is marked as succeeded or failed.</param>
    /// <param name="requirement">The requirement carrying the query string parameter name.</param>
    /// <returns>A completed task; the handler does no asynchronous work.</returns>
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MediaPermissionsQueryStringRequirement requirement)
    {
        // NOTE(review): HttpContext is dereferenced without a null check - assumes the handler
        // only runs inside an active request; confirm.
        var query = _httpContextAccessor.HttpContext.Request.Query;
        if (!query.TryGetValue(requirement.QueryStringName, out StringValues rawValue))
        {
            // must succeed this requirement since we cannot process it
            // NOTE(review): this is a fail-open path - a request that omits the parameter passes
            // this handler unchecked. Presumably the endpoint rejects or otherwise authorizes
            // such requests; verify against the controllers that use this requirement.
            context.Succeed(requirement);
            return Task.CompletedTask;
        }

        int nodeId = ResolveNodeId(rawValue.ToString());

        var accessResult = _mediaPermissions.CheckPermissions(
            _backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser,
            nodeId,
            out var mediaItem);

        if (accessResult == MediaPermissions.MediaAccess.Denied)
        {
            context.Fail();
        }
        else
        {
            // MediaAccess.NotFound and every other non-denied result succeed the requirement.
            // NOTE(review): an id that resolves to no media item therefore passes authorization;
            // the endpoint is presumably expected to handle the missing item itself - confirm.
            context.Succeed(requirement);
        }

        if (mediaItem != null)
        {
            // Cache the resolved item on the request so the controller can reuse it instead of
            // looking it up again. This happens whatever the permission result was.
            _httpContextAccessor.HttpContext.Items[typeof(IMedia).ToString()] = mediaItem;
        }

        return Task.CompletedTask;
    }

    /// <summary>
    /// Converts the raw query string value into an integer node id, trying an integer first,
    /// then a UDI, and finally treating the value as a GUID key.
    /// </summary>
    /// <param name="argument">The raw query string value.</param>
    /// <returns>The parsed integer, or the <c>Result</c> of the entity service lookup.</returns>
    private int ResolveNodeId(string argument)
    {
        if (int.TryParse(argument, out int numericId))
        {
            return numericId;
        }

        if (UdiParser.TryParse(argument, true, out var udi))
        {
            // NOTE(review): .Result is read without checking whether the lookup succeeded -
            // TODO confirm what value GetId yields for an unknown UDI.
            return _entityService.GetId(udi).Result;
        }

        // Last resort: treat the value as a GUID key - unlikely we ever get here.
        // NOTE(review): the return value of Guid.TryParse is ignored, so a value that is not a
        // GUID either is looked up with the default (all-zero) Guid; consider handling the
        // unparsable case explicitly.
        Guid.TryParse(argument, out Guid key);

        // NOTE(review): this is the media handler, yet the key is resolved as
        // UmbracoObjectTypes.Document - confirm this is intended rather than
        // UmbracoObjectTypes.Media. As above, .Result is read without a success check.
        return _entityService.GetId(key, UmbracoObjectTypes.Document).Result;
    }
}
}