diff --git a/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/AuditLogControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/AuditLogControllerBase.cs
index ff11825755..f7e29b4682 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/AuditLogControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/AuditLogControllerBase.cs
@@ -1,5 +1,4 @@
-using Asp.Versioning;
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 
 namespace Umbraco.Cms.Api.Management.Controllers.AuditLog;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/ByKeyAuditLogController.cs b/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/ByKeyAuditLogController.cs
index 2b154ed094..7875ad0d84 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/ByKeyAuditLogController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/AuditLog/ByKeyAuditLogController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.ViewModels.Pagination;
@@ -7,10 +8,12 @@ using Umbraco.Cms.Api.Management.ViewModels.AuditLogs;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.AuditLog;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessContentOrMedia)]
 public class ByKeyAuditLogController : AuditLogControllerBase
 {
     private readonly IAuditService _auditService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Culture/CultureControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Culture/CultureControllerBase.cs
index a0fb19d0ac..3aec530319 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Culture/CultureControllerBase.cs
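Review bot: The policy name is built from the bare literal `"New" + AuthorizationPolicies.SectionAccessContentOrMedia` on ByKeyAuditLogController, and the same `"New" +` prefix is repeated verbatim in every other hunk of this commit (DataType, Dictionary, Document, DocumentBlueprint, DocumentType, HealthCheck, Language, LogViewer and Media controllers). A single typo in one of these copies produces a policy name that is not registered, and ASP.NET Core's authorization middleware then throws an InvalidOperationException at request time rather than failing at build time; the registration of the prefixed policies is not part of this diff, so it cannot be checked here. Hoist the prefix into one shared constant next to the policy names, e.g. `public const string NewPolicyPrefix = "New"; // constructed name, place alongside AuthorizationPolicies`, and reference `NewPolicyPrefix + AuthorizationPolicies.SectionAccessContentOrMedia` in each attribute. A short comment on that constant explaining why the management API uses prefixed copies of the legacy policies would also help the next maintainer.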
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Culture/CultureControllerBase.cs
@@ -1,5 +1,4 @@
-using Asp.Versioning;
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Culture;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/DataTypeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/DataTypeControllerBase.cs
index 984e70970e..64316f8cb7 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/DataTypeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/DataTypeControllerBase.cs
@@ -1,16 +1,18 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.DataType)]
 [ApiExplorerSettings(GroupName = "Data Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)]
 public abstract class DataTypeControllerBase : ManagementApiControllerBase
 {
     protected IActionResult DataTypeOperationStatusResult(DataTypeOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs
index c003f5479a..d391aab4ee 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs
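Review bot: DataTypeControllerBase is gated on `TreeAccessDocumentsOrDocumentTypes`, while the data type tree base in a later hunk of this commit uses the narrower `TreeAccessDataTypes`; the folder and item bases for data types use the same wide policy as this hunk. Because a class-level `[Authorize]` is inherited by every derived controller, any create/update/delete data type endpoint built on this base (not visible in this diff) is reachable by a user who only has access to the document tree, unless that concrete controller adds its own stricter attribute. If the wider policy is intentional for read endpoints, the write controllers should stack `[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDataTypes)]` on top (multiple `[Authorize]` attributes all have to pass), and a comment on this base such as `// Read access mirrors the legacy API: content and document type editors may list data types; mutating controllers must add TreeAccessDataTypes.` would record that decision. The class body continues outside the hunk.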
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
@@ -8,12 +8,14 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType.Folder;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.DataType}/folder")]
 [ApiExplorerSettings(GroupName = "Data Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)]
 public abstract class DataTypeFolderControllerBase : FolderManagementControllerBase
 {
     private readonly IDataTypeContainerService _dataTypeContainerService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Items/DatatypeItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Items/DatatypeItemControllerBase.cs
index 0f13f001e7..3d3fcc2759 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Items/DatatypeItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Items/DatatypeItemControllerBase.cs
@@ -1,12 +1,15 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType.Items;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.DataType}")]
 [ApiExplorerSettings(GroupName = "Data Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)]
 public class DatatypeItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Tree/DataTypeTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Tree/DataTypeTreeControllerBase.cs
index 9e791a9758..c816602351 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Tree/DataTypeTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Tree/DataTypeTreeControllerBase.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.Entities;
@@ -6,12 +7,14 @@ using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Api.Management.ViewModels.DataType.Item;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType.Tree;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.DataType}")]
 [ApiExplorerSettings(GroupName = "Data Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDataTypes)]
 public class DataTypeTreeControllerBase : FolderTreeControllerBase
 {
     private readonly IDataTypeService _dataTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/DictionaryControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/DictionaryControllerBase.cs
index 1e15bef9b1..5d88a56b6a 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/DictionaryControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/DictionaryControllerBase.cs
@@ -1,16 +1,17 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Dictionary;
 
 [ApiController]
 [VersionedApiBackOfficeRoute("dictionary")]
 [ApiExplorerSettings(GroupName = "Dictionary")]
-// TODO: Add authentication
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDictionary)]
 public abstract class DictionaryControllerBase : ManagementApiControllerBase
 {
     protected IActionResult DictionaryItemOperationStatusResult(DictionaryItemOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Item/DictionaryItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Item/DictionaryItemControllerBase.cs
index c676ab5f85..38371601c2 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Item/DictionaryItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Item/DictionaryItemControllerBase.cs
@@ -1,12 +1,14 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
-using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Dictionary.Item;
 
 [ApiController]
 [VersionedApiBackOfficeRoute("dictionary")]
 [ApiExplorerSettings(GroupName = "Dictionary")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDictionary)]
 public class DictionaryItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Tree/DictionaryTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Tree/DictionaryTreeControllerBase.cs
index 34da2f1035..e87a2a8985 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Tree/DictionaryTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Dictionary/Tree/DictionaryTreeControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
@@ -6,12 +6,14 @@ using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.ViewModels.Tree;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Dictionary.Tree;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/dictionary")]
 [ApiExplorerSettings(GroupName = "Dictionary")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDictionaryOrTemplates)]
 // NOTE: at the moment dictionary items (renamed to dictionary tree) aren't supported by EntityService, so we have little use of the
 // tree controller base. We'll keep it though, in the hope that we can mend EntityService.
 public class DictionaryTreeControllerBase : EntityTreeControllerBase
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenByKeyDocumentController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenByKeyDocumentController.cs
index 3039c3c3aa..0bd273f279 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenByKeyDocumentController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenByKeyDocumentController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.ViewModels.Pagination;
@@ -8,9 +9,11 @@ using Umbraco.Cms.Core.Mapping;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Document;
 
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)]
 public class AllowedChildrenByKeyDocumentController : DocumentControllerBase
 {
     private readonly IUmbracoMapper _umbracoMapper;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenOfRootDocumentController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenOfRootDocumentController.cs
index 4bfa6b6662..eca4323bcd 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenOfRootDocumentController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Document/AllowedChildrenOfRootDocumentController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.ViewModels.Pagination;
@@ -6,9 +7,11 @@ using Umbraco.Cms.Api.Management.ViewModels.DocumentType;
 using Umbraco.Cms.Core.Mapping;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Document;
 
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)]
 public class AllowedChildrenOfRootDocumentController : DocumentControllerBase
 {
     private readonly IContentTypeService _contentTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Document/DocumentControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Document/DocumentControllerBase.cs
index 937457858b..52958c2345 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Document/DocumentControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Document/DocumentControllerBase.cs
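Review bot: The `[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)]` added to AllowedChildrenByKeyDocumentController cannot widen access, because the class derives from DocumentControllerBase, which in a later hunk of this same commit receives `TreeAccessDocuments`; ASP.NET Core evaluates every `[Authorize]` on the type hierarchy and all of them must succeed. A user with document type access but no document tree access is therefore still rejected by the inherited policy, so the attribute here is either redundant or silently defeats its intent; the AllowedChildrenOfRootDocumentController hunk has the same pattern. If the "or document types" audience is meant to reach these two endpoints, they need a base that does not carry `TreeAccessDocuments`, otherwise the derived attribute should be dropped and a comment such as `// Inherits TreeAccessDocuments from DocumentControllerBase` left in its place. Both class bodies continue outside their hunks.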
@@ -1,13 +1,16 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Content;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Document;
 
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.Document)]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Document))]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocuments)]
 public abstract class DocumentControllerBase : ContentControllerBase
 {
     protected IActionResult DocumentNotFound() => NotFound("The requested Document could not be found");
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Document/Item/DocumentItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Document/Item/DocumentItemControllerBase.cs
index 314662a5f1..6b3bf2fdc4 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Document/Item/DocumentItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Document/Item/DocumentItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Document.Item;
 
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.Document)]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Document))]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocuments)]
 public class DocumentItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Document/RecycleBin/DocumentRecycleBinControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Document/RecycleBin/DocumentRecycleBinControllerBase.cs
index 9e099cd1d2..12dc774a8c 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Document/RecycleBin/DocumentRecycleBinControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Document/RecycleBin/DocumentRecycleBinControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
@@ -9,6 +9,7 @@ using Umbraco.Cms.Api.Management.Controllers.RecycleBin;
 using Umbraco.Cms.Api.Management.Filters;
 using Umbraco.Cms.Api.Management.ViewModels.RecycleBin;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Document.RecycleBin;
 
@@ -17,6 +18,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.Document.RecycleBin;
 [RequireDocumentTreeRootAccess]
 [ProducesResponseType(StatusCodes.Status401Unauthorized)]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Document))]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocuments)]
 public class DocumentRecycleBinControllerBase : RecycleBinControllerBase
 {
     public DocumentRecycleBinControllerBase(IEntityService entityService)
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Document/Tree/DocumentTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Document/Tree/DocumentTreeControllerBase.cs
index 7c30b37106..75acc6e731 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Document/Tree/DocumentTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Document/Tree/DocumentTreeControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Cache;
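Review bot: DocumentRecycleBinControllerBase now declares a policy-based `[Authorize]` directly under `[ProducesResponseType(StatusCodes.Status401Unauthorized)]`, but an authenticated back-office user who fails a policy is answered with a Forbid (403), not a Challenge (401), by the authorization middleware; the existing 401 metadata presumably describes the `[RequireDocumentTreeRootAccess]` filter, which is outside this diff. The OpenAPI description of every derived endpoint is therefore incomplete for the new denial path; add `[ProducesResponseType(StatusCodes.Status403Forbidden)]` next to the existing attribute, unless the management API's authentication scheme maps Forbid to 401, in which case a comment saying so would save the next reader the same question. The MediaRecycleBinControllerBase hunk later in this commit has the identical pair of attributes. The class body continues outside the hunk.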
@@ -11,12 +11,14 @@ using Umbraco.Cms.Api.Management.Services.Entities;
 using Umbraco.Cms.Api.Management.ViewModels.Tree;
 using Umbraco.Extensions;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Document.Tree;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.Document}")]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Document))]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessForContentTree)]
 public abstract class DocumentTreeControllerBase : UserStartNodeTreeControllerBase
 {
     private readonly IPublicAccessService _publicAccessService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Item/DocumentBlueprintItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Item/DocumentBlueprintItemControllerBase.cs
index 2f308c7741..3953071e40 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Item/DocumentBlueprintItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Item/DocumentBlueprintItemControllerBase.cs
@@ -1,12 +1,15 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentBlueprint.Item;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.DocumentBlueprint}")]
 [ApiExplorerSettings(GroupName = "Document Blueprint")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessContent)]
 public class DocumentBlueprintItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Tree/DocumentBlueprintTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Tree/DocumentBlueprintTreeControllerBase.cs
index 9cb5fde5ae..7ada226ea7 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Tree/DocumentBlueprintTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentBlueprint/Tree/DocumentBlueprintTreeControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
@@ -7,12 +7,14 @@ using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.ViewModels.Tree;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentBlueprint.Tree;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.DocumentBlueprint}")]
 [ApiExplorerSettings(GroupName = "Document Blueprint")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessContent)]
 public class DocumentBlueprintTreeControllerBase : EntityTreeControllerBase
 {
     private readonly IContentTypeService _contentTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/DocumentTypeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/DocumentTypeControllerBase.cs
index e216c63d15..a417132b45 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/DocumentTypeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/DocumentTypeControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType;
 
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.DocumentType)]
 [ApiExplorerSettings(GroupName = "Document Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentTypes)]
 public abstract class DocumentTypeControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Item/DocumentTypeItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Item/DocumentTypeItemControllerBase.cs
index 936c80c555..6291307c0e 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Item/DocumentTypeItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Item/DocumentTypeItemControllerBase.cs
@@ -1,12 +1,15 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType.Item;
 
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.DocumentType)]
 [ApiExplorerSettings(GroupName = "Document Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class DocumentTypeItemControllerBase : ManagementApiControllerBase
 {
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Tree/DocumentTypeTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Tree/DocumentTypeTreeControllerBase.cs
index 1e3a33034f..6d6607ff15 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Tree/DocumentTypeTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Tree/DocumentTypeTreeControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
@@ -7,12 +7,14 @@ using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.ViewModels.Tree;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType.Tree;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.DocumentType}")]
 [ApiExplorerSettings(GroupName = "Document Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class DocumentTypeTreeControllerBase : FolderTreeControllerBase
 {
     private readonly IContentTypeService _contentTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/Group/HealthCheckGroupControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/Group/HealthCheckGroupControllerBase.cs
index 77502d2a10..22bc4b8777 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/Group/HealthCheckGroupControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/Group/HealthCheckGroupControllerBase.cs
@@ -1,6 +1,7 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 using Constants = Umbraco.Cms.Core.Constants;
 
 namespace Umbraco.Cms.Api.Management.Controllers.HealthCheck.Group;
@@ -8,6 +9,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.HealthCheck.Group;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.HealthChecks.RoutePath.HealthCheck}-group")]
 [ApiExplorerSettings(GroupName = "Health Check")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessSettings)]
 public abstract class HealthCheckGroupControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/HealthCheckControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/HealthCheckControllerBase.cs
index 6ba666bc27..42e721db1d 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/HealthCheckControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/HealthCheck/HealthCheckControllerBase.cs
@@ -1,6 +1,7 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 using Constants = Umbraco.Cms.Core.Constants;
 
 namespace Umbraco.Cms.Api.Management.Controllers.HealthCheck;
@@ -8,6 +9,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.HealthCheck;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.HealthChecks.RoutePath.HealthCheck}")]
 [ApiExplorerSettings(GroupName = "Health Check")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessSettings)]
 public abstract class HealthCheckControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Help/HelpControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Help/HelpControllerBase.cs
index b728d8ad5e..779dbfc743 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Help/HelpControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Help/HelpControllerBase.cs
@@ -1,5 +1,4 @@
-using Asp.Versioning;
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Help;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Language/CreateLanguageController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Language/CreateLanguageController.cs
index b09dbbfe00..ed6715e777 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Language/CreateLanguageController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Language/CreateLanguageController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.Language;
@@ -8,10 +9,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Language;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessLanguages)]
 public class CreateLanguageController : LanguageControllerBase
 {
     private readonly ILanguageService _languageService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Language/DeleteLanguageController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Language/DeleteLanguageController.cs
index 4c5b99f870..f14256c567 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Language/DeleteLanguageController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Language/DeleteLanguageController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
@@ -6,10 +7,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Language;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessLanguages)]
 public class DeleteLanguageController : LanguageControllerBase
 {
     private readonly ILanguageService _languageService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Language/Item/LanguageEntityControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Language/Item/LanguageEntityControllerBase.cs
index 469626ecd5..6de6aa650c 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Language/Item/LanguageEntityControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Language/Item/LanguageEntityControllerBase.cs
@@ -1,12 +1,15 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Language.Item;
 
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Language}")]
 [ApiExplorerSettings(GroupName = "Language")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessLanguages)]
 public class LanguageEntityControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Language/LanguageControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Language/LanguageControllerBase.cs
index 81fdf030d2..ed48d6fe49 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Language/LanguageControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Language/LanguageControllerBase.cs
@@ -1,5 +1,4 @@
-using Asp.Versioning;
-using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Language/UpdateLanguageController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Language/UpdateLanguageController.cs
index 0ab4a60257..ab697ae16f 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Language/UpdateLanguageController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Language/UpdateLanguageController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.Language;
@@ -8,10 +9,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Language;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessLanguages)]
 public class UpdateLanguageController : LanguageControllerBase
 {
     private readonly ILanguageService _languageService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/LogViewerControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/LogViewerControllerBase.cs
index d8a6d2abb5..9fd53c4db2 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/LogViewerControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/LogViewerControllerBase.cs
@@ -1,15 +1,17 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.LogViewer;
 
 [ApiController]
 [VersionedApiBackOfficeRoute("log-viewer")]
 [ApiExplorerSettings(GroupName = "Log Viewer")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessSettings)]
 public abstract class LogViewerControllerBase : ManagementApiControllerBase
 {
     protected IActionResult LogViewerOperationStatusResult(LogViewerOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/SavedSearch/SavedSearchLogViewerControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/SavedSearch/SavedSearchLogViewerControllerBase.cs
index 0b4cfd3d1f..ba39a9a463 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/SavedSearch/SavedSearchLogViewerControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/LogViewer/SavedSearch/SavedSearchLogViewerControllerBase.cs
@@ -1,4 +1,3 @@
-using Asp.Versioning;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Media/Item/MediaItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Media/Item/MediaItemControllerBase.cs
index 4df02e948c..72a0b1bc3d 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Media/Item/MediaItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Media/Item/MediaItemControllerBase.cs
@@ -1,7 +1,9 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.Media.Item;
 
@@ -9,6 +11,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.Media.Item;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Media}")]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Media))]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessForMediaTree)]
 public class MediaItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Media/MediaControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Media/MediaControllerBase.cs
index 8cdf8cb0f9..4542e366a5 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Media/MediaControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Media/MediaControllerBase.cs
@@ -1,14 +1,16 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Content;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Media;
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.Media)]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Media))]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessMedia)]
 public class MediaControllerBase : ContentControllerBase
 {
 protected IActionResult MediaNotFound() => NotFound("The requested Media could not be found");
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Media/RecycleBin/MediaRecycleBinControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Media/RecycleBin/MediaRecycleBinControllerBase.cs
index 8d06a1d01d..253097b822 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Media/RecycleBin/MediaRecycleBinControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Media/RecycleBin/MediaRecycleBinControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
@@ -9,6 +9,7 @@ using Umbraco.Cms.Api.Management.Controllers.RecycleBin;
 using Umbraco.Cms.Api.Management.Filters;
 using Umbraco.Cms.Api.Management.ViewModels.RecycleBin;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Media.RecycleBin;
@@ -17,6 +18,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.Media.RecycleBin;
 [RequireMediaTreeRootAccess]
 [ProducesResponseType(StatusCodes.Status401Unauthorized)]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Media))]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessMedia)]
 public class MediaRecycleBinControllerBase : RecycleBinControllerBase
 {
 public MediaRecycleBinControllerBase(IEntityService entityService)
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Media/Tree/MediaTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Media/Tree/MediaTreeControllerBase.cs
index 26828a997d..4938aee7b8 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Media/Tree/MediaTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Media/Tree/MediaTreeControllerBase.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Cache;
 using Umbraco.Cms.Core.Models;
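Review bot: `MediaRecycleBinControllerBase` now carries a policy-based `[Authorize]`, but the class still declares only `[ProducesResponseType(StatusCodes.Status401Unauthorized)]`; an authenticated user who fails the `SectionAccessMedia` policy is answered with 403, not 401, so the declared responses and the generated OpenAPI for every derived recycle-bin endpoint are now incomplete. Add `[ProducesResponseType(StatusCodes.Status403Forbidden)]` next to the existing 401 attribute. The class also keeps `[RequireMediaTreeRootAccess]`, and the relative order in which that filter and the new policy run is not visible here; a one-line comment on the class stating which check is expected to short-circuit first would help the next reader, once that ordering is confirmed. The constructor body continues outside the hunk.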
@@ -9,12 +10,14 @@ using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.Services.Entities;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Api.Management.ViewModels.Media.Item;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Media.Tree;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.Media}")]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Media))]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessForMediaTree)]
 public class MediaTreeControllerBase : UserStartNodeTreeControllerBase
 {
 private readonly AppCaches _appCaches;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Item/MediaTypeItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Item/MediaTypeItemControllerBase.cs
index 5132e56262..9d8bfec1fe 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Item/MediaTypeItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Item/MediaTypeItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType.Item;
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.MediaType)]
 [ApiExplorerSettings(GroupName = "Media Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMediaTypes)]
 public class MediaTypeItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs
index 6909a747cb..17837f70f3 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType;
 [ApiController]
 [VersionedApiBackOfficeRoute(Constants.UdiEntityType.MediaType)]
 [ApiExplorerSettings(GroupName = "Media Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMediaTypes)]
 public abstract class MediaTypeControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Tree/MediaTypeTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Tree/MediaTypeTreeControllerBase.cs
index cf8f331715..e8b23cf971 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Tree/MediaTypeTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Tree/MediaTypeTreeControllerBase.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.Entities;
@@ -6,12 +7,14 @@ using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Api.Management.ViewModels.MediaType.Item;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType.Tree;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.MediaType}")]
 [ApiExplorerSettings(GroupName = "Media Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMediaTypes)]
 public class MediaTypeTreeControllerBase : FolderTreeControllerBase
 {
 private readonly IMediaTypeService _mediaTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Member/Item/MemberItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Member/Item/MemberItemControllerBase.cs
index 040213af67..0f63a0f314 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Member/Item/MemberItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Member/Item/MemberItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Member.Item;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Member}")]
 [ApiExplorerSettings(GroupName = "Member")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessForMemberTree)]
 public class MemberItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Item/MemberGroupItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Item/MemberGroupItemControllerBase.cs
index 4cddc2e3b4..7a01998885 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Item/MemberGroupItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Item/MemberGroupItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.MemberGroup.Item;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.MemberGroup}")]
 [ApiExplorerSettings(GroupName = "Member Group")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMemberGroups)]
 public class MemberGroupItemControllerBase : ManagementApiControllerBase
 {
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Tree/MemberGroupTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Tree/MemberGroupTreeControllerBase.cs
index 355529dfdf..73aa5e19ac 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Tree/MemberGroupTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MemberGroup/Tree/MemberGroupTreeControllerBase.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.Entities;
@@ -6,12 +7,14 @@ using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.ViewModels.Tree;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.MemberGroup.Tree;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.MemberGroup}")]
 [ApiExplorerSettings(GroupName = "Member Group")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMemberGroups)]
 public class MemberGroupTreeControllerBase : EntityTreeControllerBase
 {
 public MemberGroupTreeControllerBase(IEntityService entityService)
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Items/MemberTypeItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Items/MemberTypeItemControllerBase.cs
index 9d4019a598..9daf296b09 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Items/MemberTypeItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Items/MemberTypeItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.MemberType.Items;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.MemberType}")]
 [ApiExplorerSettings(GroupName = "Member Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMemberTypes)]
 public class MemberTypeItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Tree/MemberTypeTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Tree/MemberTypeTreeControllerBase.cs
index 2f14739844..e1c2c4a65b 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Tree/MemberTypeTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MemberType/Tree/MemberTypeTreeControllerBase.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.Entities;
@@ -6,12 +7,14 @@ using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.ViewModels.Tree;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.MemberType.Tree;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.MemberType}")]
 [ApiExplorerSettings(GroupName = "Member Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMemberTypes)]
 public class MemberTypeTreeControllerBase : EntityTreeControllerBase
 {
 public MemberTypeTreeControllerBase(IEntityService entityService)
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/ModelsBuilder/ModelsBuilderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/ModelsBuilder/ModelsBuilderControllerBase.cs
index a4ff21f515..114015361e 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/ModelsBuilder/ModelsBuilderControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/ModelsBuilder/ModelsBuilderControllerBase.cs
@@ -1,12 +1,14 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.ModelsBuilder;
 [ApiController]
 [VersionedApiBackOfficeRoute("models-builder")]
 [ApiExplorerSettings(GroupName = "Models Builder")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessSettings)]
 public class ModelsBuilderControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/ObjectTypes/ObjectTypesControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/ObjectTypes/ObjectTypesControllerBase.cs
index 653a924fbf..d932acd146 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/ObjectTypes/ObjectTypesControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/ObjectTypes/ObjectTypesControllerBase.cs
@@ -1,5 +1,4 @@
-using Asp.Versioning;
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 namespace Umbraco.Cms.Api.Management.Controllers.ObjectTypes;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Package/Created/CreatedPackageControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Package/Created/CreatedPackageControllerBase.cs
index 5153f07216..45e8967858 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Package/Created/CreatedPackageControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Package/Created/CreatedPackageControllerBase.cs
@@ -1,4 +1,3 @@
-using Asp.Versioning;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Package/PackageControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Package/PackageControllerBase.cs
index 93e16c6ee1..a1f5073c14 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Package/PackageControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Package/PackageControllerBase.cs
@@ -1,15 +1,17 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Package;
 [ApiController]
 [VersionedApiBackOfficeRoute("package")]
 [ApiExplorerSettings(GroupName = "Package")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessPackages)]
 public abstract class PackageControllerBase : ManagementApiControllerBase
 {
 protected IActionResult PackageOperationStatusResult(PackageOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Folder/PartialViewFolderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Folder/PartialViewFolderControllerBase.cs
index 8b032c7ede..25088bda40 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Folder/PartialViewFolderControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Folder/PartialViewFolderControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
@@ -8,12 +8,14 @@ using Umbraco.Cms.Core.Mapping;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.PartialView.Folder;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.PartialView}/folder")]
 [ApiExplorerSettings(GroupName = "Partial View")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessPartialViews)]
 public class PartialViewFolderControllerBase : PathFolderManagementControllerBase
 {
 private readonly IPartialViewFolderService _partialViewFolderService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Items/PartialViewItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Items/PartialViewItemControllerBase.cs
index 9750548305..4137c5499a 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Items/PartialViewItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Items/PartialViewItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.PartialView.Items;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.PartialView}")]
 [ApiExplorerSettings(GroupName = "Partial View")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessPartialViews)]
 public class PartialViewItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/PartialViewControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/PartialViewControllerBase.cs
index f4a7e82800..c8a017f59d 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/PartialViewControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/PartialViewControllerBase.cs
@@ -1,16 +1,18 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.PartialView;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.PartialView}")]
 [ApiExplorerSettings(GroupName = "Partial View")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessPartialViews)]
 public class PartialViewControllerBase : ManagementApiControllerBase
 {
 protected IActionResult PartialViewOperationStatusResult(PartialViewOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Tree/PartialViewTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Tree/PartialViewTreeControllerBase.cs
index 08501dbfa6..0627302535 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Tree/PartialViewTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/PartialView/Tree/PartialViewTreeControllerBase.cs
@@ -1,14 +1,17 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.IO;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.PartialView.Tree;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.PartialView}")]
 [ApiExplorerSettings(GroupName = "Partial View")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessPartialViews)]
 public class PartialViewTreeControllerBase : FileSystemTreeControllerBase
 {
 public PartialViewTreeControllerBase(FileSystems fileSystems)
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Profiling/ProfilingControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Profiling/ProfilingControllerBase.cs
index 99c5d2c790..f868c2a30e 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Profiling/ProfilingControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Profiling/ProfilingControllerBase.cs
@@ -1,15 +1,17 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Profiling;
 [ApiController]
 [VersionedApiBackOfficeRoute("profiling")]
 [ApiExplorerSettings(GroupName = "Profiling")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessSettings)]
 public class ProfilingControllerBase : ManagementApiControllerBase
 {
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/PropertyType/PropertyTypeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/PropertyType/PropertyTypeControllerBase.cs
index 3305b51f39..dbf73d5269 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/PropertyType/PropertyTypeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/PropertyType/PropertyTypeControllerBase.cs
@@ -1,14 +1,16 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.PropertyType;
 [ApiController]
 [VersionedApiBackOfficeRoute("property-type")]
 [ApiExplorerSettings(GroupName = "Property Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentTypes)]
 public abstract class PropertyTypeControllerBase : ManagementApiControllerBase
 {
 protected IActionResult PropertyTypeOperationStatusResult(PropertyTypeOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/PublishedCache/PublishedCacheControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/PublishedCache/PublishedCacheControllerBase.cs
index 5ec43cc9e3..717fee6f55 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/PublishedCache/PublishedCacheControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/PublishedCache/PublishedCacheControllerBase.cs
@@ -1,5 +1,4 @@
-using Asp.Versioning;
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 namespace Umbraco.Cms.Api.Management.Controllers.PublishedCache;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/RedirectUrlManagement/RedirectUrlManagementControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/RedirectUrlManagement/RedirectUrlManagementControllerBase.cs
index 90baba3cb3..f1636b1830 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/RedirectUrlManagement/RedirectUrlManagementControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/RedirectUrlManagement/RedirectUrlManagementControllerBase.cs
@@ -1,12 +1,14 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.RedirectUrlManagement;
 [ApiController]
 [VersionedApiBackOfficeRoute("redirect-management")]
 [ApiExplorerSettings(GroupName = "Redirect Management")]
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessContent)]
 public class RedirectUrlManagementControllerBase : ManagementApiControllerBase
 {
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Relation/RelationControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Relation/RelationControllerBase.cs
index db12dd9406..725854d64c 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Relation/RelationControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Relation/RelationControllerBase.cs
@@ -1,15 +1,16 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Relation;
 [ApiController]
 [VersionedApiBackOfficeRoute("relation")]
 [ApiExplorerSettings(GroupName = "Relation")]
-// TODO: Implement Authentication
+[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessContent)]
 public abstract class RelationControllerBase : ManagementApiControllerBase
 {
 protected IActionResult RelationOperationStatusResult(RelationOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Item/RelationTypeItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Item/RelationTypeItemControllerBase.cs
index 43afafd1d6..13be145489 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Item/RelationTypeItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Item/RelationTypeItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.RelationType.Item;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.RelationType}")]
 [ApiExplorerSettings(GroupName = "Relation Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessRelationTypes)]
 public class RelationTypeItemControllerBase : ManagementApiControllerBase
 {
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Query/RelationTypeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Query/RelationTypeControllerBase.cs
index aba0df4aa2..ea3821a057 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Query/RelationTypeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Query/RelationTypeControllerBase.cs
@@ -1,15 +1,17 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.RelationType.Query;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.RelationType}")]
 [ApiExplorerSettings(GroupName = "Relation Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessRelationTypes)]
 public class RelationTypeControllerBase : ManagementApiControllerBase
 {
 protected IActionResult RelationTypeOperationStatusResult(RelationTypeOperationStatus status) =>
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Tree/RelationTypeTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Tree/RelationTypeTreeControllerBase.cs
index 57c676f7e0..6f7a0a4ce0 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Tree/RelationTypeTreeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/RelationType/Tree/RelationTypeTreeControllerBase.cs
@@ -1,16 +1,19 @@
-using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Api.Management.Controllers.Tree;
 using Umbraco.Cms.Api.Management.ViewModels.Tree;
 using Umbraco.Cms.Api.Management.Routing;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.RelationType.Tree;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.RelationType}")]
 [ApiExplorerSettings(GroupName = "Relation Type")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessRelationTypes)]
 // NOTE: at the moment relation types aren't supported by EntityService, so we have little use of the
 // tree controller base. We'll keep it though, in the hope that we can mend EntityService.
 public class RelationTypeTreeControllerBase : EntityTreeControllerBase
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Script/Folder/ScriptFolderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Script/Folder/ScriptFolderControllerBase.cs
index 6a046c9a06..23cb60453f 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Script/Folder/ScriptFolderControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Script/Folder/ScriptFolderControllerBase.cs
@@ -1,4 +1,4 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
@@ -8,12 +8,14 @@ using Umbraco.Cms.Core.Mapping;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Script.Folder;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Script}/folder")]
 [ApiExplorerSettings(GroupName = "Script")]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessScripts)]
 public class ScriptFolderControllerBase : PathFolderManagementControllerBase
 {
 private readonly IScriptFolderService _scriptFolderService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Script/Item/ScriptItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Script/Item/ScriptItemControllerBase.cs
index 47aa5c4a91..45b517030c 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Script/Item/ScriptItemControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Script/Item/ScriptItemControllerBase.cs
@@ -1,13 +1,15 @@
-using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Script.Item;
 [ApiController]
 [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Script}")]
 [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Script))]
+[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessScripts)]
 public class ScriptItemControllerBase : ManagementApiControllerBase
 {
 }
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Script/ScriptControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Script/ScriptControllerBase.cs
index 8e0bfe941b..8701853603 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Script/ScriptControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Script/ScriptControllerBase.cs
@@ -1,16 +1,18 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Common.Builders; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core; using Umbraco.Cms.Core.Services.OperationStatus; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Script; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Script}")] [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Script))] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessScripts)] public class ScriptControllerBase : ManagementApiControllerBase { protected IActionResult ScriptOperationStatusResult(ScriptOperationStatus status) => diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Script/Tree/ScriptTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Script/Tree/ScriptTreeControllerBase.cs index 62a6cb1e06..ea86b67b3b 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Script/Tree/ScriptTreeControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Script/Tree/ScriptTreeControllerBase.cs @@ -1,14 +1,17 @@ -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Controllers.Tree; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core; using Umbraco.Cms.Core.IO; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Script.Tree; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.Script}")] [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Script))] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessScripts)] public class ScriptTreeControllerBase : FileSystemTreeControllerBase { public ScriptTreeControllerBase(FileSystems fileSystems) 
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs index f13e589e40..eaaded72ca 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Security/BackOfficeController.cs @@ -151,10 +151,6 @@ public class BackOfficeController : ManagementApiControllerBase ClaimsPrincipal backOfficePrincipal = await _backOfficeSignInManager.CreateUserPrincipalAsync(backOfficeUser); backOfficePrincipal.SetClaim(OpenIddictConstants.Claims.Subject, backOfficeUser.Key.ToString()); - // TODO: it is not optimal to append all claims to the token. - // the token size grows with each claim, although it is still smaller than the old cookie. - // see if we can find a better way so we do not risk leaking sensitive data in bearer tokens. - // maybe work with scopes instead? Claim[] backOfficeClaims = backOfficePrincipal.Claims.ToArray(); foreach (Claim backOfficeClaim in backOfficeClaims) { diff --git a/src/Umbraco.Cms.Api.Management/Controllers/StaticFile/Item/StaticFileItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/StaticFile/Item/StaticFileItemControllerBase.cs index cd1f712925..849d28174e 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/StaticFile/Item/StaticFileItemControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/StaticFile/Item/StaticFileItemControllerBase.cs @@ -1,5 +1,4 @@ -using Asp.Versioning; -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; namespace Umbraco.Cms.Api.Management.Controllers.StaticFile.Item; diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Folder/StylesheetFolderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Folder/StylesheetFolderControllerBase.cs index 2568ceea1f..28f5700711 100644 
--- a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Folder/StylesheetFolderControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Folder/StylesheetFolderControllerBase.cs @@ -1,4 +1,4 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Common.Builders; @@ -8,12 +8,14 @@ using Umbraco.Cms.Core.Mapping; using Umbraco.Cms.Core.Models; using Umbraco.Cms.Core.Services; using Umbraco.Cms.Core.Services.OperationStatus; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Stylesheet.Folder; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Stylesheet}/folder")] [ApiExplorerSettings(GroupName = "Stylesheet")] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessStylesheets)] public class StylesheetFolderControllerBase : PathFolderManagementControllerBase { private readonly IStylesheetFolderService _stylesheetFolderService; diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Item/StylesheetItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Item/StylesheetItemControllerBase.cs index 764f653bed..00806838a9 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Item/StylesheetItemControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Item/StylesheetItemControllerBase.cs 
@@ -1,13 +1,15 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Stylesheet.Item; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Stylesheet}")] [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Stylesheet))] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessStylesheets)] public class StylesheetItemControllerBase : ManagementApiControllerBase { diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/StylesheetControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/StylesheetControllerBase.cs index 0b600ec830..865519a20c 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/StylesheetControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/StylesheetControllerBase.cs @@ -1,16 +1,18 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Common.Builders; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core; using Umbraco.Cms.Core.Services.OperationStatus; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Stylesheet; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Stylesheet}")] [ApiExplorerSettings(GroupName = "Stylesheet")] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessStylesheets)] public class StylesheetControllerBase : ManagementApiControllerBase { protected IActionResult StylesheetOperationStatusResult(StylesheetOperationStatus status) => 
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Tree/StylesheetTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Tree/StylesheetTreeControllerBase.cs index e5c564b02b..9b58647c16 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Tree/StylesheetTreeControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Stylesheet/Tree/StylesheetTreeControllerBase.cs @@ -1,14 +1,17 @@ -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Controllers.Tree; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core; using Umbraco.Cms.Core.IO; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Stylesheet.Tree; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.Stylesheet}")] [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Stylesheet))] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessStylesheets)] public class StylesheetTreeControllerBase : FileSystemTreeControllerBase { public StylesheetTreeControllerBase(FileSystems fileSystems) diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Tag/TagControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Tag/TagControllerBase.cs index 86ae45ea70..209bc85558 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Tag/TagControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Tag/TagControllerBase.cs @@ -1,5 +1,4 @@ -using Asp.Versioning; -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; namespace Umbraco.Cms.Api.Management.Controllers.Tag; diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Telemetry/TelemetryControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Telemetry/TelemetryControllerBase.cs index 5791470433..4530e284c4 100644 
--- a/src/Umbraco.Cms.Api.Management/Controllers/Telemetry/TelemetryControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Telemetry/TelemetryControllerBase.cs @@ -1,12 +1,14 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Telemetry; [ApiController] [VersionedApiBackOfficeRoute("telemetry")] [ApiExplorerSettings(GroupName = "Telemetry")] +[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessSettings)] public abstract class TelemetryControllerBase : ManagementApiControllerBase { } diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Template/Item/TemplateItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Template/Item/TemplateItemControllerBase.cs index 50aa1382ac..415690fc75 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Template/Item/TemplateItemControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Template/Item/TemplateItemControllerBase.cs @@ -1,12 +1,15 @@ -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Template.Item; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.Template}")] [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Template))] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessTemplates)] public class TemplateItemControllerBase : ManagementApiControllerBase { diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Template/TemplateControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Template/TemplateControllerBase.cs index 0929f0c2e1..34651683aa 100644 
--- a/src/Umbraco.Cms.Api.Management/Controllers/Template/TemplateControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Template/TemplateControllerBase.cs @@ -1,16 +1,18 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Common.Builders; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core; using Umbraco.Cms.Core.Services.OperationStatus; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Template; [ApiController] [VersionedApiBackOfficeRoute(Constants.UdiEntityType.Template)] [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Template))] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessTemplates)] public class TemplateControllerBase : ManagementApiControllerBase { protected IActionResult TemplateOperationStatusResult(TemplateOperationStatus status) => diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Template/Tree/TemplateTreeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Template/Tree/TemplateTreeControllerBase.cs index be561e2295..f25fcaa439 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Template/Tree/TemplateTreeControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/Template/Tree/TemplateTreeControllerBase.cs @@ -1,4 +1,4 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Core; using Umbraco.Cms.Core.Models; 
@@ -7,12 +7,14 @@ using Umbraco.Cms.Core.Services; using Umbraco.Cms.Api.Management.Controllers.Tree; using Umbraco.Cms.Api.Management.ViewModels.Tree; using Umbraco.Cms.Api.Management.Routing; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Template.Tree; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.Web.RoutePath.Tree}/{Constants.UdiEntityType.Template}")] [ApiExplorerSettings(GroupName = nameof(Constants.UdiEntityType.Template))] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessTemplates)] public class TemplateTreeControllerBase : EntityTreeControllerBase { public TemplateTreeControllerBase(IEntityService entityService) diff --git a/src/Umbraco.Cms.Api.Management/Controllers/TrackedReference/TrackedReferencesControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/TrackedReference/TrackedReferencesControllerBase.cs index 3b6eefcf64..1d8212637b 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/TrackedReference/TrackedReferencesControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/TrackedReference/TrackedReferencesControllerBase.cs @@ -1,11 +1,14 @@ -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.TrackedReference; [ApiController] [VersionedApiBackOfficeRoute("tracked-reference")] [ApiExplorerSettings(GroupName = "Tracked Reference")] +[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessContentOrMedia)] public abstract class TrackedReferenceControllerBase : ManagementApiControllerBase { } diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Upgrade/UpgradeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Upgrade/UpgradeControllerBase.cs index 80bb617ff8..810fe82d3b 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/Upgrade/UpgradeControllerBase.cs 
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Upgrade/UpgradeControllerBase.cs @@ -1,16 +1,17 @@ -using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Core; using Umbraco.Cms.Api.Management.Filters; using Umbraco.Cms.Api.Management.Routing; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.Upgrade; -// TODO: This needs to be an authorized controller. - [ApiController] [RequireRuntimeLevel(RuntimeLevel.Upgrade)] [VersionedApiBackOfficeRoute("upgrade")] [ApiExplorerSettings(GroupName = "Upgrade")] +[Authorize(Policy = "New" + AuthorizationPolicies.RequireAdminAccess)] public abstract class UpgradeControllerBase : ManagementApiControllerBase { diff --git a/src/Umbraco.Cms.Api.Management/Controllers/User/Item/UserItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/User/Item/UserItemControllerBase.cs index aa12890268..6047d73eff 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/User/Item/UserItemControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/User/Item/UserItemControllerBase.cs @@ -1,12 +1,14 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.User.Item; [ApiController] [VersionedApiBackOfficeRoute("user")] [ApiExplorerSettings(GroupName = "User")] +[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessUsers)] public class UserItemControllerBase : ManagementApiControllerBase { } diff --git a/src/Umbraco.Cms.Api.Management/Controllers/User/UsersControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/User/UsersControllerBase.cs index 0ca74fa942..31882604b1 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/User/UsersControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/User/UsersControllerBase.cs 
@@ -1,15 +1,18 @@ -using Microsoft.AspNetCore.Http; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Common.Builders; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core.Models.Membership; using Umbraco.Cms.Core.Services.OperationStatus; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.User; [ApiController] [VersionedApiBackOfficeRoute("user")] [ApiExplorerSettings(GroupName = "User")] +[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessUsers)] public abstract class UserControllerBase : ManagementApiControllerBase { protected IActionResult UserOperationStatusResult(UserOperationStatus status, ErrorMessageResult? errorMessageResult = null) => diff --git a/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/Item/UserGroupItemControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/Item/UserGroupItemControllerBase.cs index 8e3ed25261..27a1782b27 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/Item/UserGroupItemControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/Item/UserGroupItemControllerBase.cs @@ -1,12 +1,14 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Management.Routing; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.UserGroup.Item; [ApiController] [VersionedApiBackOfficeRoute("user-group")] [ApiExplorerSettings(GroupName = "User Group")] +[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessUsers)] public class UserGroupItemControllerBase : ManagementApiControllerBase { } diff --git a/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/UserGroupsControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/UserGroupsControllerBase.cs index 97e9f37290..b3c7596c36 100644 
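Review bot: `SectionAccessUsers` on `UserControllerBase` only proves the token carries the Users section claim, and the policy builder this commit adds registers no `New` counterpart of `AdminUserEditsRequireAdmin` (still declared in `AuthorizationPolicies.cs` at the end of this diff), so unless every derived action enforces it itself, a non-admin user holding Users section access could reach the endpoints that modify administrator accounts. Either register a `New`-prefixed `AdminUserEditsRequireAdmin` backed by a requirement handler that inspects the target user, or leave a comment on the attribute, `// Section-level gate only; admin-target checks must happen per action`, so the gap is tracked rather than assumed closed. The derived controllers are outside this hunk, so whether they add such checks cannot be confirmed here.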
--- a/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/UserGroupsControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/UserGroup/UserGroupsControllerBase.cs @@ -1,17 +1,17 @@ -using Asp.Versioning; +using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; using Umbraco.Cms.Api.Common.Builders; using Umbraco.Cms.Api.Management.Routing; using Umbraco.Cms.Core.Services.OperationStatus; +using Umbraco.Cms.Web.Common.Authorization; namespace Umbraco.Cms.Api.Management.Controllers.UserGroup; -// TODO: This needs to be an authorized controller. - [ApiController] [VersionedApiBackOfficeRoute("user-group")] [ApiExplorerSettings(GroupName = "User Group")] +[Authorize(Policy = "New" + AuthorizationPolicies.SectionAccessUsers)] public class UserGroupControllerBase : ManagementApiControllerBase { protected IActionResult UserGroupOperationStatusResult(UserGroupOperationStatus status) => diff --git a/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthBuilderExtensions.cs b/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthBuilderExtensions.cs index 236e5e45c0..e8c2257be4 100644 --- a/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthBuilderExtensions.cs +++ b/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthBuilderExtensions.cs @@ -1,12 +1,9 @@ -using Microsoft.AspNetCore.Authorization; -using Microsoft.AspNetCore.Builder; +using Microsoft.AspNetCore.Builder; using Microsoft.Extensions.DependencyInjection; -using OpenIddict.Validation.AspNetCore; using Umbraco.Cms.Core; using Umbraco.Cms.Core.DependencyInjection; using Umbraco.Cms.Api.Management.Middleware; using Umbraco.Cms.Api.Management.Security; -using Umbraco.Cms.Web.Common.Authorization; using Umbraco.Cms.Infrastructure.HostedServices; using Umbraco.Cms.Infrastructure.Security; using Umbraco.Cms.Web.Common.ApplicationBuilder; 
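Review bot: The `TODO: This needs to be an authorized controller` is removed, but `SectionAccessUsers` is only a section gate: `UserBelongsToUserGroupInRequest` and `AdminUserEditsRequireAdmin` exist in `AuthorizationPolicies.cs` and neither receives a `New` registration in the policy builder this commit adds, so a non-admin with Users access would, unless the derived actions check it, be able to alter the `admin` group, which is the very alias the new `RequireAdminAccess` policy keys on. If per-action checks are the plan for now, a comment on the attribute, `// TODO: section gate only; group-membership and admin checks still to be ported`, keeps the original TODO's intent instead of silently dropping it.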
@@ -27,7 +24,7 @@ public static class BackOfficeAuthBuilderExtensions private static IUmbracoBuilder AddOpenIddict(this IUmbracoBuilder builder) { builder.Services.AddAuthentication(); - builder.Services.AddAuthorization(CreatePolicies); + builder.AddAuthorizationPolicies(); builder.Services.AddOpenIddict() // Register the OpenIddict server components. 
@@ -112,32 +109,6 @@ public static class BackOfficeAuthBuilderExtensions return builder; } - - - // TODO: move this to an appropriate location and implement the policy scheme that should be used for the new management APIs - private static void CreatePolicies(AuthorizationOptions options) - { - void AddPolicy(string policyName, string claimType, params string[] allowedClaimValues) - { - options.AddPolicy($"New{policyName}", policy => - { - policy.AuthenticationSchemes.Add(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme); - policy.RequireClaim(claimType, allowedClaimValues); - }); - } - - options.AddPolicy($"New{AuthorizationPolicies.BackOfficeAccess}", policy => - { - policy.AuthenticationSchemes.Add(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme); - policy.RequireAuthenticatedUser(); - }); - // NOTE: these are ONLY sample policies that allow us to test the new management APIs - AddPolicy(AuthorizationPolicies.SectionAccessContent, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Content); - AddPolicy(AuthorizationPolicies.SectionAccessForContentTree, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Content); - AddPolicy(AuthorizationPolicies.SectionAccessForMediaTree, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Media); - AddPolicy(AuthorizationPolicies.SectionAccessMedia, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Media); - AddPolicy(AuthorizationPolicies.SectionAccessContentOrMedia, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Content, Constants.Applications.Media); - } } internal class BackofficePipelineFilter : UmbracoPipelineFilter diff --git a/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs b/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs new file mode 100644 index 0000000000..b375ae00bb --- /dev/null 
+++ b/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs 
@@ -0,0 +1,69 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
+using OpenIddict.Validation.AspNetCore;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Core.DependencyInjection;
+using Umbraco.Cms.Web.Common.Authorization;
+
+namespace Umbraco.Cms.Api.Management.DependencyInjection;
+
+internal static class BackOfficeAuthPolicyBuilderExtensions
+{
+ internal static IUmbracoBuilder AddAuthorizationPolicies(this IUmbracoBuilder builder)
+ {
+ builder.Services.AddAuthorization(CreatePolicies);
+ return builder;
+ }
+
+ private static void CreatePolicies(AuthorizationOptions options)
+ {
+ void AddPolicy(string policyName, string claimType, params string[] allowedClaimValues)
+ {
+ options.AddPolicy($"New{policyName}", policy =>
+ {
+ policy.AuthenticationSchemes.Add(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
+ policy.RequireClaim(claimType, allowedClaimValues);
+ });
+ }
+
+ options.AddPolicy($"New{AuthorizationPolicies.BackOfficeAccess}", policy =>
+ {
+ policy.AuthenticationSchemes.Add(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);
+ policy.RequireAuthenticatedUser();
+ });
+
+ AddPolicy(AuthorizationPolicies.SectionAccessContent, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Content);
+ AddPolicy(AuthorizationPolicies.SectionAccessContentOrMedia, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Content, Constants.Applications.Media);
+ AddPolicy(AuthorizationPolicies.SectionAccessForContentTree, Constants.Security.AllowedApplicationsClaimType,
+ Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Users,
+ Constants.Applications.Settings, Constants.Applications.Packages, Constants.Applications.Members);
+ AddPolicy(AuthorizationPolicies.SectionAccessForMediaTree, Constants.Security.AllowedApplicationsClaimType,
+ Constants.Applications.Content, Constants.Applications.Media, 
Constants.Applications.Users,
+ Constants.Applications.Settings, Constants.Applications.Packages, Constants.Applications.Members);
+ AddPolicy(AuthorizationPolicies.SectionAccessForMemberTree, Constants.Security.AllowedApplicationsClaimType,
+ Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Members);
+ AddPolicy(AuthorizationPolicies.SectionAccessMedia, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Media);
+ AddPolicy(AuthorizationPolicies.SectionAccessPackages, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Packages);
+ AddPolicy(AuthorizationPolicies.SectionAccessSettings, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.SectionAccessUsers, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Users);
+
+ AddPolicy(AuthorizationPolicies.TreeAccessDataTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessDictionary, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Translation);
+ AddPolicy(AuthorizationPolicies.TreeAccessDictionaryOrTemplates, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Translation, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessDocuments, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Content);
+ AddPolicy(AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Content, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessDocumentTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessLanguages, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ 
AddPolicy(AuthorizationPolicies.TreeAccessMediaTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessMemberGroups, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Members);
+ AddPolicy(AuthorizationPolicies.TreeAccessMemberTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessPartialViews, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessRelationTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessScripts, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessStylesheets, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+ AddPolicy(AuthorizationPolicies.TreeAccessTemplates, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);
+
+ AddPolicy(AuthorizationPolicies.RequireAdminAccess, ClaimsIdentity.DefaultRoleClaimType, Constants.Security.AdminGroupAlias);
+ }
+}
diff --git a/src/Umbraco.Core/Constants-Security.cs b/src/Umbraco.Core/Constants-Security.cs
index bdc7eb40b2..156250c21c 100644
--- a/src/Umbraco.Core/Constants-Security.cs
+++ b/src/Umbraco.Core/Constants-Security.cs
@@ -32,7 +32,6 @@ public static partial class Constants
 ///
 public const string UnknownUserName = "SYSTEM";
- [Obsolete("Use AdminGroupKey instead. Scheduled for removal in V15.")]
 public const string AdminGroupAlias = "admin";
 [Obsolete("Use EditorGroupKey instead. Scheduled for removal in V15.")]
diff --git a/src/Umbraco.Web.Common/Authorization/AuthorizationPolicies.cs b/src/Umbraco.Web.Common/Authorization/AuthorizationPolicies.cs
index 50e399d4f0..efb63224af 100644
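Review bot: `SectionAccessForContentTree` and `SectionAccessForMediaTree` now admit six sections each, where the sample policies this file replaces granted only Content and Media respectively, and nothing in `CreatePolicies` records why; a comment on those two calls such as `// Deliberately broad: these back the content/media pickers used from other sections` (or whatever the real reason is) would stop a later change from tightening them or, worse, copying the list onto a policy that should stay narrow. The `New` prefix is also rebuilt by hand as `"New" + AuthorizationPolicies.X` at every `[Authorize]` site in this commit, and a typo there yields a name no policy was registered under, which ASP.NET Core rejects at request time rather than at build time, so exposing one `internal const string PolicyPrefix = "New";` next to `AddPolicy` and using it from the attributes would keep registration and controllers from drifting. `RequireAdminAccess` is the only policy keyed on `ClaimsIdentity.DefaultRoleClaimType`, matched against the `admin` group alias that this same commit un-obsoletes despite its attribute having pointed callers to `AdminGroupKey`; that is only as strong as the principal builder emitting a role claim per group alias, which is not visible here, so a test asserting that a token with the Users section claim but no `admin` role is refused by this policy would be worth adding.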
--- a/src/Umbraco.Web.Common/Authorization/AuthorizationPolicies.cs +++ b/src/Umbraco.Web.Common/Authorization/AuthorizationPolicies.cs @@ -12,6 +12,7 @@ public static class AuthorizationPolicies public const string UserBelongsToUserGroupInRequest = nameof(UserBelongsToUserGroupInRequest); public const string AdminUserEditsRequireAdmin = nameof(AdminUserEditsRequireAdmin); public const string DenyLocalLoginIfConfigured = nameof(DenyLocalLoginIfConfigured); + public const string RequireAdminAccess = nameof(RequireAdminAccess); // Content permission access public const string ContentPermissionByResource = nameof(ContentPermissionByResource); @@ -59,6 +60,8 @@ public static class AuthorizationPolicies public const string TreeAccessMemberGroups = nameof(TreeAccessMemberGroups); public const string TreeAccessDocumentTypes = nameof(TreeAccessDocumentTypes); public const string TreeAccessMemberTypes = nameof(TreeAccessMemberTypes); + public const string TreeAccessScripts = nameof(TreeAccessScripts); + public const string TreeAccessStylesheets = nameof(TreeAccessStylesheets); // Custom access based on multiple trees public const string TreeAccessDocumentsOrDocumentTypes = nameof(TreeAccessDocumentsOrDocumentTypes);