src/Umbraco.Web.Common/Security/BackofficeSecurity.cs

using Microsoft.AspNetCore.Http;
using Umbraco.Core;
using Umbraco.Core.Models;
using Umbraco.Core.Models.Membership;
using Umbraco.Core.Security;
using Umbraco.Core.Services;
using Umbraco.Extensions;

namespace Umbraco.Web.Common.Security
{
    // TODO: This is only for the back office, does it need to be in common?

    public class BackOfficeSecurity : IBackOfficeSecurity
    {
        private readonly IUserService _userService;
        private readonly IHttpContextAccessor _httpContextAccessor;

        private object _currentUserLock = new object();
        private IUser _currentUser;

        public BackOfficeSecurity(
            IUserService userService,
            IHttpContextAccessor httpContextAccessor)
        {
            _userService = userService;
            _httpContextAccessor = httpContextAccessor;
        }


        /// <inheritdoc />
        public IUser CurrentUser
        {
            get
            {

                //only load it once per instance! (but make sure groups are loaded)
                if (_currentUser == null)
                {
                    lock (_currentUserLock)
                    {
                        //Check again
                        if (_currentUser == null)
                        {
                            var id = GetUserId();
                            _currentUser = id ? _userService.GetUserById(id.Result) : null;
                        }
                    }
                }

                return _currentUser;
            }
        }

        /// <inheritdoc />
        public Attempt<int> GetUserId()
        {
            var identity = _httpContextAccessor.HttpContext?.GetCurrentIdentity();
            return identity == null ? Attempt.Fail<int>() : Attempt.Succeed(identity.Id);
        }

        /// <inheritdoc />
        public bool IsAuthenticated()
        {
            var httpContext = _httpContextAccessor.HttpContext;
            return httpContext?.User != null && httpContext.User.Identity.IsAuthenticated && httpContext.GetCurrentIdentity() != null;
        }

        /// <inheritdoc />
        public bool UserHasSectionAccess(string section, IUser user)
        {
            return user.HasSectionAccess(section);
        }

    }
}
-												Netcore: Fixes issues with user invites (#9616)

* AB9629
Fixes issues with user invites
- Issue with the generated link in the invite email
- Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in
- Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login

* Fix issues with invite flow

* Fix minor typos

* Fixed issue with validation response and remove/change avatar

* Fix issue with disable users, after all enums are handled like strings

* Fix tests

* Fix other validation issue

* Fix yet another validation issue

Co-authored-by: Elitsa Marinovska <elm@umbraco.dk>
											
										
										
											2021-01-12 16:15:19 +01:00
+								using Microsoft.AspNetCore.Http;
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								using Umbraco.Core;
-												Amended injection of further settings to use IOptionsSnapshot.

											
										
										
											2020-08-21 14:52:47 +01:00
+								using Umbraco.Core.Models;
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								using Umbraco.Core.Models.Membership;
-												It builds!

											
										
										
											2020-10-23 14:18:53 +11:00
+								using Umbraco.Core.Security;
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								using Umbraco.Core.Services;
-												Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering

											
										
										
											2020-05-25 23:15:32 +10:00
+								using Umbraco.Extensions;
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
 								namespace Umbraco.Web.Common.Security
 								{
-												Revert "Revert "Moves some files, adds notes, starts poc for back office login providers""

Signed-off-by: Bjarke Berg <mail@bergmania.dk>

											
										
										
											2020-11-27 13:33:01 +01:00
+								    // TODO: This is only for the back office, does it need to be in common?
-												Netcore: Introduce BackofficeSecurityAccessor (#8871)

* Introduced IWebSecurityAccessor

Signed-off-by: Bjarke Berg <mail@bergmania.dk>

* Fixed tests

Signed-off-by: Bjarke Berg <mail@bergmania.dk>

* Renamed WebSecurity to BackofficeSecurity and all related names

* Fixes typos

Co-authored-by: Elitsa Marinovska <elm@umbraco.dk>
											
										
										
											2020-09-22 10:01:00 +02:00
-												It builds!

											
										
										
											2020-10-23 14:18:53 +11:00
+								    public class BackOfficeSecurity : IBackOfficeSecurity
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								    {
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								        private readonly IUserService _userService;
-												Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering

											
										
										
											2020-05-25 23:15:32 +10:00
+								        private readonly IHttpContextAccessor _httpContextAccessor;
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
-												Netcore: Fixes issues with user invites (#9616)

* AB9629
Fixes issues with user invites
- Issue with the generated link in the invite email
- Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in
- Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login

* Fix issues with invite flow

* Fix minor typos

* Fixed issue with validation response and remove/change avatar

* Fix issue with disable users, after all enums are handled like strings

* Fix tests

* Fix other validation issue

* Fix yet another validation issue

Co-authored-by: Elitsa Marinovska <elm@umbraco.dk>
											
										
										
											2021-01-12 16:15:19 +01:00
+								        private object _currentUserLock = new object();
 								        private IUser _currentUser;
-												It builds!

											
										
										
											2020-10-23 14:18:53 +11:00
+								        public BackOfficeSecurity(
-												Cleaning up websecurity and implementing it, migrates security stamp and session id validation for cookie auth

											
										
										
											2020-06-02 13:28:30 +10:00
+								            IUserService userService,
 								            IHttpContextAccessor httpContextAccessor)
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								        {
 								            _userService = userService;
-												Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering

											
										
										
											2020-05-25 23:15:32 +10:00
+								            _httpContextAccessor = httpContextAccessor;
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								        }
-												Netcore: Fixes issues with user invites (#9616)

* AB9629
Fixes issues with user invites
- Issue with the generated link in the invite email
- Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in
- Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login

* Fix issues with invite flow

* Fix minor typos

* Fixed issue with validation response and remove/change avatar

* Fix issue with disable users, after all enums are handled like strings

* Fix tests

* Fix other validation issue

* Fix yet another validation issue

Co-authored-by: Elitsa Marinovska <elm@umbraco.dk>
											
										
										
											2021-01-12 16:15:19 +01:00
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
-												Gets WebSecurity implemented

											
										
										
											2020-06-02 14:46:58 +10:00
+								        /// <inheritdoc />
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								        public IUser CurrentUser
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated TourController

											
										
										
											2020-05-18 15:19:52 +02:00
+								        {
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								            get
 								            {
-												Netcore: Fixes issues with user invites (#9616)

* AB9629
Fixes issues with user invites
- Issue with the generated link in the invite email
- Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in
- Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login

* Fix issues with invite flow

* Fix minor typos

* Fixed issue with validation response and remove/change avatar

* Fix issue with disable users, after all enums are handled like strings

* Fix tests

* Fix other validation issue

* Fix yet another validation issue

Co-authored-by: Elitsa Marinovska <elm@umbraco.dk>
											
										
										
											2021-01-12 16:15:19 +01:00
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								                //only load it once per instance! (but make sure groups are loaded)
 								                if (_currentUser == null)
 								                {
-												Netcore: Fixes issues with user invites (#9616)

* AB9629
Fixes issues with user invites
- Issue with the generated link in the invite email
- Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in
- Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login

* Fix issues with invite flow

* Fix minor typos

* Fixed issue with validation response and remove/change avatar

* Fix issue with disable users, after all enums are handled like strings

* Fix tests

* Fix other validation issue

* Fix yet another validation issue

Co-authored-by: Elitsa Marinovska <elm@umbraco.dk>
											
										
										
											2021-01-12 16:15:19 +01:00
+								                    lock (_currentUserLock)
 								                    {
 								                        //Check again
 								                        if (_currentUser == null)
 								                        {
 								                            var id = GetUserId();
 								                            _currentUser = id ? _userService.GetUserById(id.Result) : null;
 								                        }
 								                    }
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								                }
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated TourController

											
										
										
											2020-05-18 15:19:52 +02:00
-												https://dev.azure.com/umbraco/D-Team%20Tracker/_workitems/edit/6586 - Migrated DashboardController and BackOfficeAssetsController

											
										
										
											2020-05-19 09:52:58 +02:00
+								                return _currentUser;
 								            }
 								        }
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
-												Gets WebSecurity implemented

											
										
										
											2020-06-02 14:46:58 +10:00
+								        /// <inheritdoc />
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								        public Attempt<int> GetUserId()
 								        {
-												Changed the UmbracoIntegrationTest setup to be sync, to avoid issue with AsyncLocal

Signed-off-by: Bjarke Berg <mail@bergmania.dk>

											
										
										
											2020-10-05 10:02:11 +02:00
+								            var identity = _httpContextAccessor.HttpContext?.GetCurrentIdentity();
-												Gets WebSecurity implemented

											
										
										
											2020-06-02 14:46:58 +10:00
+								            return identity == null ? Attempt.Fail<int>() : Attempt.Succeed(identity.Id);
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								        }
-												Gets WebSecurity implemented

											
										
										
											2020-06-02 14:46:58 +10:00
+								        /// <inheritdoc />
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								        public bool IsAuthenticated()
 								        {
-												Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering

											
										
										
											2020-05-25 23:15:32 +10:00
+								            var httpContext = _httpContextAccessor.HttpContext;
 								            return httpContext?.User != null && httpContext.User.Identity.IsAuthenticated && httpContext.GetCurrentIdentity() != null;
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								        }
-												Gets WebSecurity implemented

											
										
										
											2020-06-02 14:46:58 +10:00
+								        /// <inheritdoc />
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								        public bool UserHasSectionAccess(string section, IUser user)
 								        {
-												Gets WebSecurity implemented

											
										
										
											2020-06-02 14:46:58 +10:00
+								            return user.HasSectionAccess(section);
-												Cleans up some routing, mvc base classes, gets controller specific model binding working, applies our own application model to our controllers

											
										
										
											2020-05-12 10:21:40 +10:00
+								        }
 								    }
 								}