V8: Don't allow logins for users with no content and/or media s… (#5917)

Lovely work again
2020-01-30 10:52:09 +00:00
parent da20bf0b56 c7cceedbd6
commit 15291a66e3
1 changed files with 13 additions and 0 deletions
--- a/src/Umbraco.Web/Security/BackOfficeSignInManager.cs
+++ b/src/Umbraco.Web/Security/BackOfficeSignInManager.cs
@@ -112,6 +112,19 @@ namespace Umbraco.Web.Security
                    return SignInStatus.LockedOut;
                }

+                // We need to verify that the user belongs to one or more groups that define content and media start nodes.
+                // To do so we have to create the user claims identity and validate the calculated start nodes.
+                var userIdentity = await CreateUserIdentityAsync(user);
+                if (userIdentity is UmbracoBackOfficeIdentity backOfficeIdentity)
+                {
+                    if (backOfficeIdentity.StartContentNodes.Length == 0 || backOfficeIdentity.StartMediaNodes.Length == 0)
+                    {
+                        _logger.WriteCore(TraceEventType.Information, 0,
+                            $"Login attempt failed for username {userName} from IP address {_request.RemoteIpAddress}, no content and/or media start nodes could be found for any of the user's groups", null, null);
+                        return SignInStatus.Failure;
+                    }
+                }
+
                await UserManager.ResetAccessFailedCountAsync(user.Id);
                return await SignInOrTwoFactor(user, isPersistent);
            }