Merge remote-tracking branch 'origin/v11/dev' into v12/dev
# Conflicts: # src/Umbraco.Web.BackOffice/Controllers/MediaController.cs
This commit is contained in:
Bjarke Berg
@@ -719,6 +719,7 @@
|
||||
<key alias="by">af</key>
|
||||
<key alias="cancel">Fortryd</key>
|
||||
<key alias="cellMargin">Celle margen</key>
|
||||
<key alias="change">Skift</key>
|
||||
<key alias="choose">Vælg</key>
|
||||
<key alias="clear">Ryd</key>
|
||||
<key alias="close">Luk</key>
|
||||
|
||||
@@ -759,6 +759,7 @@
|
||||
<key alias="by">by</key>
|
||||
<key alias="cancel">Cancel</key>
|
||||
<key alias="cellMargin">Cell margin</key>
|
||||
<key alias="change">Change</key>
|
||||
<key alias="choose">Choose</key>
|
||||
<key alias="clear">Clear</key>
|
||||
<key alias="close">Close</key>
|
||||
|
||||
@@ -583,10 +583,10 @@ public class MediaController : ContentControllerBase
|
||||
Directory.CreateDirectory(root);
|
||||
|
||||
//must have a file
|
||||
if (file.Count == 0)
|
||||
if (file is null || file.Count == 0)
|
||||
{
|
||||
_postAddFileSemaphore.Release();
|
||||
return NotFound();
|
||||
return NotFound("No file was uploaded");
|
||||
}
|
||||
|
||||
//get the string json from the request
|
||||
@@ -769,12 +769,26 @@ public class MediaController : ContentControllerBase
|
||||
break;
|
||||
}
|
||||
|
||||
// If media type is still File then let's check if it's an image.
|
||||
// If media type is still File then let's check if it's an imageor a custom image type.
|
||||
if (mediaTypeAlias == Constants.Conventions.MediaTypes.File &&
|
||||
_imageUrlGenerator.IsSupportedImageFormat(ext))
|
||||
{
|
||||
if (allowedContentTypes.Any(mt => mt.Alias == Constants.Conventions.MediaTypes.Image))
|
||||
{
|
||||
mediaTypeAlias = Constants.Conventions.MediaTypes.Image;
|
||||
}
|
||||
else
|
||||
{
|
||||
IMediaType? customType = allowedContentTypes.FirstOrDefault(mt =>
|
||||
mt.CompositionPropertyTypes.Any(pt =>
|
||||
pt.PropertyEditorAlias == Constants.PropertyEditors.Aliases.ImageCropper));
|
||||
|
||||
if (customType is not null)
|
||||
{
|
||||
mediaTypeAlias = customType.Alias;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
@@ -60,14 +60,14 @@ public class UmbracoMemberAuthorizeFilter : IAsyncAuthorizationFilter
|
||||
{
|
||||
context.HttpContext.SetReasonPhrase(
|
||||
"Resource restricted: the member is not of a permitted type or group.");
|
||||
context.HttpContext.Response.StatusCode = 403;
|
||||
context.Result = new ForbidResult();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
context.HttpContext.SetReasonPhrase(
|
||||
"Resource restricted: the member is not logged in.");
|
||||
context.Result = new UnauthorizedResult();
|
||||
context.HttpContext.Response.StatusCode = 401;
|
||||
context.Result = new ForbidResult();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1,10 +1,12 @@
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using Microsoft.AspNetCore.Mvc.Controllers;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Umbraco.Cms.Core.Routing;
|
||||
using Umbraco.Cms.Core.Services;
|
||||
using Umbraco.Cms.Web.Common.Controllers;
|
||||
using Umbraco.Extensions;
|
||||
|
||||
namespace Umbraco.Cms.Web.Common.Security;
|
||||
@@ -58,7 +60,16 @@ public sealed class ConfigureMemberCookieOptions : IConfigureNamedOptions<Cookie
|
||||
},
|
||||
OnRedirectToAccessDenied = ctx =>
|
||||
{
|
||||
ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
|
||||
// When the controller is an UmbracoAPIController, we want to return a StatusCode instead of a redirect.
|
||||
// All other cases should use the default Redirect of the CookieAuthenticationEvent.
|
||||
var controllerDescriptor = ctx.HttpContext.GetEndpoint()?.Metadata
|
||||
.OfType<ControllerActionDescriptor>()
|
||||
.FirstOrDefault();
|
||||
|
||||
if (!controllerDescriptor?.ControllerTypeInfo.IsSubclassOf(typeof(UmbracoApiController)) ?? false)
|
||||
{
|
||||
new CookieAuthenticationEvents().OnRedirectToAccessDenied(ctx);
|
||||
}
|
||||
|
||||
return Task.CompletedTask;
|
||||
},
|
||||
|
||||
@@ -344,10 +344,14 @@ function clipboardService($window, notificationsService, eventsService, localSto
|
||||
// Clean up each entry
|
||||
var copiedDatas = datas.map(data => prepareEntryForStorage(type, data, firstLevelClearupMethod));
|
||||
|
||||
// remove previous copies of this entry:
|
||||
// remove previous copies of this entry (Make sure to not remove copies from unsaved content):
|
||||
storage.entries = storage.entries.filter(
|
||||
(entry) => {
|
||||
return entry.unique !== uniqueKey;
|
||||
if (entry.unique === 0) {
|
||||
return displayLabel !== entry.label;
|
||||
} else {
|
||||
return entry.unique !== uniqueKey;
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
|
||||
@@ -0,0 +1,126 @@
|
||||
using System.Net;
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Moq;
|
||||
using NUnit.Framework;
|
||||
using Umbraco.Cms.Core.Cache;
|
||||
using Umbraco.Cms.Core.Logging;
|
||||
using Umbraco.Cms.Core.Routing;
|
||||
using Umbraco.Cms.Core.Security;
|
||||
using Umbraco.Cms.Core.Services;
|
||||
using Umbraco.Cms.Core.Web;
|
||||
using Umbraco.Cms.Infrastructure.Persistence;
|
||||
using Umbraco.Cms.Tests.Integration.TestServerTest;
|
||||
using Umbraco.Cms.Web.Common.Controllers;
|
||||
using Umbraco.Cms.Web.Common.Filters;
|
||||
using Umbraco.Cms.Web.Common.Security;
|
||||
using Umbraco.Cms.Web.Website.Controllers;
|
||||
|
||||
namespace Umbraco.Cms.Tests.Integration.Umbraco.Web.Website.Security
|
||||
{
|
||||
public class MemberAuthorizeTests : UmbracoTestServerTestBase
|
||||
{
|
||||
private Mock<IMemberManager> _memberManagerMock = new();
|
||||
|
||||
protected override void ConfigureTestServices(IServiceCollection services)
|
||||
{
|
||||
_memberManagerMock = new Mock<IMemberManager>();
|
||||
services.Remove(new ServiceDescriptor(typeof(IMemberManager), typeof(MemberManager), ServiceLifetime.Scoped));
|
||||
services.Remove(new ServiceDescriptor(typeof(MemberManager), ServiceLifetime.Scoped));
|
||||
services.AddScoped(_ => _memberManagerMock.Object);
|
||||
}
|
||||
|
||||
[Test]
|
||||
public async Task Secure_SurfaceController_Should_Return_Redirect_WhenNotLoggedIn()
|
||||
{
|
||||
_memberManagerMock.Setup(x => x.IsLoggedIn()).Returns(false);
|
||||
|
||||
var url = PrepareSurfaceControllerUrl<TestSurfaceController>(x => x.Secure());
|
||||
|
||||
var response = await Client.GetAsync(url);
|
||||
|
||||
var cookieAuthenticationOptions = Services.GetService<IOptions<CookieAuthenticationOptions>>();
|
||||
Assert.AreEqual(HttpStatusCode.Redirect, response.StatusCode);
|
||||
Assert.AreEqual(cookieAuthenticationOptions.Value.AccessDeniedPath.ToString(), response.Headers.Location?.AbsolutePath);
|
||||
}
|
||||
|
||||
[Test]
|
||||
public async Task Secure_SurfaceController_Should_Return_Redirect_WhenNotAuthorized()
|
||||
{
|
||||
_memberManagerMock.Setup(x => x.IsLoggedIn()).Returns(true);
|
||||
_memberManagerMock.Setup(x => x.IsMemberAuthorizedAsync(
|
||||
It.IsAny<IEnumerable<string>>(),
|
||||
It.IsAny<IEnumerable<string>>(),
|
||||
It.IsAny<IEnumerable<int>>()))
|
||||
.ReturnsAsync(false);
|
||||
|
||||
var url = PrepareSurfaceControllerUrl<TestSurfaceController>(x => x.Secure());
|
||||
|
||||
var response = await Client.GetAsync(url);
|
||||
|
||||
var cookieAuthenticationOptions = Services.GetService<IOptions<CookieAuthenticationOptions>>();
|
||||
Assert.AreEqual(HttpStatusCode.Redirect, response.StatusCode);
|
||||
Assert.AreEqual(cookieAuthenticationOptions.Value.AccessDeniedPath.ToString(), response.Headers.Location?.AbsolutePath);
|
||||
}
|
||||
|
||||
|
||||
[Test]
|
||||
public async Task Secure_ApiController_Should_Return_Unauthorized_WhenNotLoggedIn()
|
||||
{
|
||||
_memberManagerMock.Setup(x => x.IsLoggedIn()).Returns(false);
|
||||
var url = PrepareApiControllerUrl<TestApiController>(x => x.Secure());
|
||||
|
||||
var response = await Client.GetAsync(url);
|
||||
|
||||
Assert.AreEqual(HttpStatusCode.Unauthorized, response.StatusCode);
|
||||
}
|
||||
|
||||
[Test]
|
||||
public async Task Secure_ApiController_Should_Return_Forbidden_WhenNotAuthorized()
|
||||
{
|
||||
_memberManagerMock.Setup(x => x.IsLoggedIn()).Returns(true);
|
||||
_memberManagerMock.Setup(x => x.IsMemberAuthorizedAsync(
|
||||
It.IsAny<IEnumerable<string>>(),
|
||||
It.IsAny<IEnumerable<string>>(),
|
||||
It.IsAny<IEnumerable<int>>()))
|
||||
.ReturnsAsync(false);
|
||||
|
||||
var url = PrepareApiControllerUrl<TestApiController>(x => x.Secure());
|
||||
|
||||
var response = await Client.GetAsync(url);
|
||||
|
||||
Assert.AreEqual(HttpStatusCode.Forbidden, response.StatusCode);
|
||||
}
|
||||
}
|
||||
|
||||
public class TestSurfaceController : SurfaceController
|
||||
{
|
||||
public TestSurfaceController(
|
||||
IUmbracoContextAccessor umbracoContextAccessor,
|
||||
IUmbracoDatabaseFactory databaseFactory,
|
||||
ServiceContext services,
|
||||
AppCaches appCaches,
|
||||
IProfilingLogger profilingLogger,
|
||||
IPublishedUrlProvider publishedUrlProvider)
|
||||
: base(
|
||||
umbracoContextAccessor,
|
||||
databaseFactory,
|
||||
services,
|
||||
appCaches,
|
||||
profilingLogger,
|
||||
publishedUrlProvider)
|
||||
{
|
||||
}
|
||||
|
||||
[UmbracoMemberAuthorize]
|
||||
public IActionResult Secure() => NoContent();
|
||||
}
|
||||
|
||||
public class TestApiController : UmbracoApiController
|
||||
{
|
||||
[UmbracoMemberAuthorize]
|
||||
public IActionResult Secure() => NoContent();
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user