2020-12-04 02:21:21 +11:00
using System ;
2018-03-27 16:18:51 +02:00
using System.Collections.Generic ;
2018-08-14 20:21:33 +10:00
using System.Globalization ;
2018-03-27 10:04:07 +02:00
using System.Linq ;
2020-08-20 22:18:50 +01:00
using System.Threading.Tasks ;
2020-12-04 02:21:21 +11:00
using Microsoft.AspNetCore.Authorization ;
2020-06-22 10:08:08 +02:00
using Microsoft.AspNetCore.Http ;
using Microsoft.AspNetCore.Mvc ;
2020-09-21 09:52:58 +02:00
using Microsoft.Extensions.Logging ;
2020-12-04 02:21:21 +11:00
using Microsoft.Extensions.Options ;
2018-03-27 10:04:07 +02:00
using Newtonsoft.Json ;
using Umbraco.Core ;
2019-12-18 13:05:34 +01:00
using Umbraco.Core.Cache ;
2020-08-20 22:18:50 +01:00
using Umbraco.Core.Configuration.Models ;
2020-04-03 11:03:06 +11:00
using Umbraco.Core.Hosting ;
2020-08-20 22:18:50 +01:00
using Umbraco.Core.IO ;
2020-06-22 10:08:08 +02:00
using Umbraco.Core.Mapping ;
2020-03-24 09:37:46 +01:00
using Umbraco.Core.Media ;
2020-09-22 10:01:00 +02:00
using Umbraco.Core.Security ;
2020-08-20 22:18:50 +01:00
using Umbraco.Core.Services ;
2020-06-22 10:08:08 +02:00
using Umbraco.Core.Strings ;
2020-05-18 13:00:32 +01:00
using Umbraco.Extensions ;
2020-06-22 10:08:08 +02:00
using Umbraco.Web.BackOffice.Filters ;
using Umbraco.Web.BackOffice.Security ;
using Umbraco.Web.Common.Attributes ;
2020-12-04 02:21:21 +11:00
using Umbraco.Web.Common.Authorization ;
2020-06-22 10:08:08 +02:00
using Umbraco.Web.Common.Exceptions ;
2020-08-20 22:18:50 +01:00
using Umbraco.Web.Models ;
using Umbraco.Web.Models.ContentEditing ;
2013-11-12 18:07:10 +11:00
2020-06-22 10:08:08 +02:00
namespace Umbraco.Web.BackOffice.Controllers
2013-11-12 18:07:10 +11:00
{
/// <summary>
/// Controller to back the User.Resource service, used for fetching user data when already authenticated. user.service is currently used for handling authentication
/// </summary>
2020-08-04 12:27:21 +10:00
[PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
2013-11-12 18:07:10 +11:00
public class CurrentUserController : UmbracoAuthorizedJsonController
{
2019-12-18 13:05:34 +01:00
private readonly IMediaFileSystem _mediaFileSystem ;
2020-08-20 22:18:50 +01:00
private readonly ContentSettings _contentSettings ;
2020-04-03 11:03:06 +11:00
private readonly IHostingEnvironment _hostingEnvironment ;
2020-02-11 11:43:54 -08:00
private readonly IImageUrlGenerator _imageUrlGenerator ;
2020-10-21 16:51:00 +11:00
private readonly IBackOfficeSecurityAccessor _backofficeSecurityAccessor ;
2020-06-22 10:08:08 +02:00
private readonly IUserService _userService ;
private readonly UmbracoMapper _umbracoMapper ;
2020-09-22 14:44:41 +02:00
private readonly IBackOfficeUserManager _backOfficeUserManager ;
2020-09-21 09:52:58 +02:00
private readonly ILoggerFactory _loggerFactory ;
2020-06-22 10:08:08 +02:00
private readonly ILocalizedTextService _localizedTextService ;
private readonly AppCaches _appCaches ;
private readonly IShortStringHelper _shortStringHelper ;
2019-12-18 13:05:34 +01:00
public CurrentUserController (
2019-12-18 18:55:00 +01:00
IMediaFileSystem mediaFileSystem ,
2020-08-23 23:36:48 +02:00
IOptions < ContentSettings > contentSettings ,
2020-04-03 11:03:06 +11:00
IHostingEnvironment hostingEnvironment ,
2020-02-14 13:04:49 +01:00
IImageUrlGenerator imageUrlGenerator ,
2020-10-21 16:51:00 +11:00
IBackOfficeSecurityAccessor backofficeSecurityAccessor ,
2020-06-22 10:08:08 +02:00
IUserService userService ,
UmbracoMapper umbracoMapper ,
2020-09-22 14:44:41 +02:00
IBackOfficeUserManager backOfficeUserManager ,
2020-09-21 09:52:58 +02:00
ILoggerFactory loggerFactory ,
2020-06-22 10:08:08 +02:00
ILocalizedTextService localizedTextService ,
AppCaches appCaches ,
IShortStringHelper shortStringHelper )
2019-12-18 13:05:34 +01:00
{
_mediaFileSystem = mediaFileSystem ;
2020-08-20 22:18:50 +01:00
_contentSettings = contentSettings . Value ;
2020-06-22 10:08:08 +02:00
_hostingEnvironment = hostingEnvironment ;
2020-02-11 11:43:54 -08:00
_imageUrlGenerator = imageUrlGenerator ;
2020-09-22 10:01:00 +02:00
_backofficeSecurityAccessor = backofficeSecurityAccessor ;
2020-06-22 10:08:08 +02:00
_userService = userService ;
_umbracoMapper = umbracoMapper ;
_backOfficeUserManager = backOfficeUserManager ;
2020-09-21 09:52:58 +02:00
_loggerFactory = loggerFactory ;
2020-06-22 10:08:08 +02:00
_localizedTextService = localizedTextService ;
_appCaches = appCaches ;
_shortStringHelper = shortStringHelper ;
2019-12-18 13:05:34 +01:00
}
2020-06-22 10:08:08 +02:00
2018-08-14 20:21:33 +10:00
/// <summary>
/// Returns permissions for all nodes passed in for the current user
/// </summary>
/// <param name="nodeIds"></param>
/// <returns></returns>
[HttpPost]
public Dictionary < int , string [ ] > GetPermissions ( int [ ] nodeIds )
{
2020-06-22 10:08:08 +02:00
var permissions = _userService
2020-10-21 16:51:00 +11:00
. GetPermissions ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser , nodeIds ) ;
2018-08-14 20:21:33 +10:00
var permissionsDictionary = new Dictionary < int , string [ ] > ( ) ;
foreach ( var nodeId in nodeIds )
{
var aggregatePerms = permissions . GetAllPermissions ( nodeId ) . ToArray ( ) ;
permissionsDictionary . Add ( nodeId , aggregatePerms ) ;
}
return permissionsDictionary ;
}
/// <summary>
/// Checks a nodes permission for the current user
/// </summary>
/// <param name="permissionToCheck"></param>
/// <param name="nodeId"></param>
/// <returns></returns>
[HttpGet]
public bool HasPermission ( string permissionToCheck , int nodeId )
{
2020-10-21 16:51:00 +11:00
var p = _userService . GetPermissions ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser , nodeId ) . GetAllPermissions ( ) ;
2018-08-14 20:21:33 +10:00
if ( p . Contains ( permissionToCheck . ToString ( CultureInfo . InvariantCulture ) ) )
{
return true ;
}
return false ;
}
2018-03-27 10:04:07 +02:00
/// <summary>
/// Saves a tour status for the current user
/// </summary>
/// <param name="status"></param>
/// <returns></returns>
public IEnumerable < UserTourStatus > PostSetUserTour ( UserTourStatus status )
{
2018-03-28 16:38:10 +02:00
if ( status = = null ) throw new ArgumentNullException ( nameof ( status ) ) ;
2018-03-27 10:04:07 +02:00
List < UserTourStatus > userTours ;
2020-10-21 16:51:00 +11:00
if ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . TourData . IsNullOrWhiteSpace ( ) )
2018-03-27 10:04:07 +02:00
{
2018-03-28 16:38:10 +02:00
userTours = new List < UserTourStatus > { status } ;
2020-10-21 16:51:00 +11:00
_backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . TourData = JsonConvert . SerializeObject ( userTours ) ;
_userService . Save ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser ) ;
2018-03-27 10:04:07 +02:00
return userTours ;
}
2020-10-21 16:51:00 +11:00
userTours = JsonConvert . DeserializeObject < IEnumerable < UserTourStatus > > ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . TourData ) . ToList ( ) ;
2018-03-27 10:04:07 +02:00
var found = userTours . FirstOrDefault ( x = > x . Alias = = status . Alias ) ;
if ( found ! = null )
{
//remove it and we'll replace it next
userTours . Remove ( found ) ;
}
userTours . Add ( status ) ;
2020-10-21 16:51:00 +11:00
_backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . TourData = JsonConvert . SerializeObject ( userTours ) ;
_userService . Save ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser ) ;
2018-03-27 10:04:07 +02:00
return userTours ;
}
/// <summary>
/// Returns the user's tours
/// </summary>
/// <returns></returns>
public IEnumerable < UserTourStatus > GetUserTours ( )
{
2020-10-21 16:51:00 +11:00
if ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . TourData . IsNullOrWhiteSpace ( ) )
2018-03-27 10:04:07 +02:00
return Enumerable . Empty < UserTourStatus > ( ) ;
2020-10-21 16:51:00 +11:00
var userTours = JsonConvert . DeserializeObject < IEnumerable < UserTourStatus > > ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . TourData ) ;
2018-03-27 10:04:07 +02:00
return userTours ;
}
2017-09-12 16:22:16 +02:00
2013-11-12 18:07:10 +11:00
/// <summary>
2017-09-12 16:22:16 +02:00
/// When a user is invited and they click on the invitation link, they will be partially logged in
/// where they can set their username/password
2013-11-12 18:07:10 +11:00
/// </summary>
2017-09-12 16:22:16 +02:00
/// <param name="newPassword"></param>
2013-11-12 18:07:10 +11:00
/// <returns></returns>
2017-09-12 16:22:16 +02:00
/// <remarks>
/// This only works when the user is logged in (partially)
/// </remarks>
2020-11-20 15:32:36 +11:00
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)] // TODO: Why is this necessary? This inherits from UmbracoAuthorizedApiController
2017-09-12 16:22:16 +02:00
public async Task < UserDetail > PostSetInvitedUserPassword ( [ FromBody ] string newPassword )
2013-11-12 18:07:10 +11:00
{
2020-10-21 16:51:00 +11:00
var user = await _backOfficeUserManager . FindByIdAsync ( _backofficeSecurityAccessor . BackOfficeSecurity . GetUserId ( ) . ResultOr ( 0 ) . ToString ( ) ) ;
2020-04-30 15:48:32 +01:00
if ( user = = null ) throw new InvalidOperationException ( "Could not find user" ) ;
2020-06-22 10:08:08 +02:00
var result = await _backOfficeUserManager . AddPasswordAsync ( user , newPassword ) ;
2017-09-12 16:22:16 +02:00
if ( result . Succeeded = = false )
{
//it wasn't successful, so add the change error to the model state, we've name the property alias _umb_password on the form
// so that is why it is being used here.
2020-05-04 18:49:02 +01:00
ModelState . AddModelError ( "value" , result . Errors . ToErrorMessage ( ) ) ;
2017-09-12 16:22:16 +02:00
2020-06-22 10:08:08 +02:00
throw HttpResponseException . CreateValidationErrorResponse ( ModelState ) ;
2017-09-12 16:22:16 +02:00
}
//They've successfully set their password, we can now update their user account to be approved
2020-10-21 16:51:00 +11:00
_backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . IsApproved = true ;
2019-05-09 10:31:44 +02:00
//They've successfully set their password, and will now get fully logged into the back office, so the lastlogindate is set so the backoffice shows they have logged in
2020-10-21 16:51:00 +11:00
_backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser . LastLoginDate = DateTime . UtcNow ;
_userService . Save ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser ) ;
2017-09-12 16:22:16 +02:00
//now we can return their full object since they are now really logged into the back office
2020-10-21 16:51:00 +11:00
var userDisplay = _umbracoMapper . Map < UserDetail > ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser ) ;
2020-06-22 10:08:08 +02:00
userDisplay . SecondsUntilTimeout = HttpContext . User . GetRemainingAuthSeconds ( ) ;
2017-09-12 16:22:16 +02:00
return userDisplay ;
}
[AppendUserModifiedHeader]
2020-10-23 14:18:53 +11:00
public IActionResult PostSetAvatar ( IList < IFormFile > files )
2017-09-12 16:22:16 +02:00
{
//borrow the logic from the user controller
2020-10-23 14:18:53 +11:00
return UsersController . PostSetAvatarInternal ( files , _userService , _appCaches . RuntimeCache , _mediaFileSystem , _shortStringHelper , _contentSettings , _hostingEnvironment , _imageUrlGenerator , _backofficeSecurityAccessor . BackOfficeSecurity . GetUserId ( ) . ResultOr ( 0 ) ) ;
2016-09-01 19:06:08 +02:00
}
2013-11-12 18:07:10 +11:00
/// <summary>
/// Changes the users password
/// </summary>
/// <param name="data"></param>
/// <returns>
/// If the password is being reset it will return the newly reset password, otherwise will return an empty value
/// </returns>
2017-09-12 16:22:16 +02:00
public async Task < ModelWithNotifications < string > > PostChangePassword ( ChangingPasswordModel data )
2013-11-12 18:07:10 +11:00
{
2020-10-23 14:18:53 +11:00
// TODO: Why don't we inject this? Then we can just inject a logger
2020-09-21 09:52:58 +02:00
var passwordChanger = new PasswordChanger ( _loggerFactory . CreateLogger < PasswordChanger > ( ) ) ;
2020-10-21 16:51:00 +11:00
var passwordChangeResult = await passwordChanger . ChangePasswordWithIdentityAsync ( _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser , _backofficeSecurityAccessor . BackOfficeSecurity . CurrentUser , data , _backOfficeUserManager ) ;
2013-11-12 18:07:10 +11:00
if ( passwordChangeResult . Success )
{
//even if we weren't resetting this, it is the correct value (null), otherwise if we were resetting then it will contain the new pword
var result = new ModelWithNotifications < string > ( passwordChangeResult . Result . ResetPassword ) ;
2020-06-22 10:08:08 +02:00
result . AddSuccessNotification ( _localizedTextService . Localize ( "user/password" ) , _localizedTextService . Localize ( "user/passwordChanged" ) ) ;
2013-11-12 18:07:10 +11:00
return result ;
}
2017-09-19 15:51:47 +02:00
foreach ( var memberName in passwordChangeResult . Result . ChangeError . MemberNames )
{
ModelState . AddModelError ( memberName , passwordChangeResult . Result . ChangeError . ErrorMessage ) ;
}
2020-06-22 10:08:08 +02:00
throw HttpResponseException . CreateValidationErrorResponse ( ModelState ) ;
2013-11-12 18:07:10 +11:00
}
2020-11-20 15:32:36 +11:00
// TODO: Why is this necessary? This inherits from UmbracoAuthorizedApiController
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
2020-08-20 11:54:35 +02:00
[ValidateAngularAntiForgeryToken]
public async Task < Dictionary < string , string > > GetCurrentUserLinkedLogins ( )
{
2020-10-21 16:51:00 +11:00
var identityUser = await _backOfficeUserManager . FindByIdAsync ( _backofficeSecurityAccessor . BackOfficeSecurity . GetUserId ( ) . ResultOr ( 0 ) . ToString ( ) ) ;
2020-10-23 14:18:53 +11:00
// deduplicate in case there are duplicates (there shouldn't be now since we have a unique constraint on the external logins
// but there didn't used to be)
var result = new Dictionary < string , string > ( ) ;
foreach ( var l in identityUser . Logins )
{
result [ l . LoginProvider ] = l . ProviderKey ;
}
return result ;
2020-08-20 11:54:35 +02:00
}
2013-11-12 18:07:10 +11:00
}
}
