From 348f1f2baee858c7a4fae7ac769eefa72b231272 Mon Sep 17 00:00:00 2001
From: Bjarke Berg
Date: Tue, 1 Oct 2024 07:58:41 +0200
Subject: [PATCH] Change webhook permissions to require webhook tree access for all endpoints
---
 .../Controllers/Webhook/CreateWebhookController.cs | 3 ---
 .../Controllers/Webhook/DeleteWebhookController.cs | 3 ---
 .../Controllers/Webhook/UpdateWebhookController.cs | 3 ---
 .../Controllers/Webhook/WebhookControllerBase.cs | 3 +++
 4 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/CreateWebhookController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/CreateWebhookController.cs
index c513c83d70..705292c82a 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/CreateWebhookController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/CreateWebhookController.cs
@@ -1,5 +1,4 @@
 using Asp.Versioning;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
@@ -8,12 +7,10 @@ using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
-using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Webhook;
 [ApiVersion("1.0")]
-[Authorize(Policy = AuthorizationPolicies.TreeAccessWebhooks)]
 public class CreateWebhookController : WebhookControllerBase
 {
 private readonly IWebhookService _webhookService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/DeleteWebhookController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/DeleteWebhookController.cs
index ecb8d7d9f7..a45302464a 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/DeleteWebhookController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/DeleteWebhookController.cs
@@ -1,5 +1,4 @@
 using Asp.Versioning;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
@@ -7,12 +6,10 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
-using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Webhook;
 [ApiVersion("1.0")]
-[Authorize(Policy = AuthorizationPolicies.TreeAccessWebhooks)]
 public class DeleteWebhookController : WebhookControllerBase
 {
 private readonly IWebhookService _webhookService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/UpdateWebhookController.cs b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/UpdateWebhookController.cs
index c5469d575f..8f22721b5e 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/UpdateWebhookController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/UpdateWebhookController.cs
@@ -1,5 +1,4 @@
 using Asp.Versioning;
-using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
@@ -8,12 +7,10 @@ using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
-using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Webhook;
 [ApiVersion("1.0")]
-[Authorize(Policy = AuthorizationPolicies.TreeAccessWebhooks)]
 public class UpdateWebhookController : WebhookControllerBase
 {
 private readonly IWebhookService _webhookService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/WebhookControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/WebhookControllerBase.cs
index 98c3868c65..d32de4bf7a 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/Webhook/WebhookControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/Webhook/WebhookControllerBase.cs
@@ -1,13 +1,16 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Common.Builders;
 using Umbraco.Cms.Api.Management.Routing;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 namespace Umbraco.Cms.Api.Management.Controllers.Webhook;
 [VersionedApiBackOfficeRoute("webhook")]
 [ApiExplorerSettings(GroupName = "Webhook")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessWebhooks)]
 public abstract class WebhookControllerBase : ManagementApiControllerBase
 {
 protected IActionResult WebhookOperationStatusResult(WebhookOperationStatus status) =>
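Review bot: The `[Authorize(Policy = AuthorizationPolicies.TreeAccessWebhooks)]` added on `WebhookControllerBase` is now the single place the webhook tree-access requirement is declared, yet nothing at the declaration says that every derived controller depends on it. I would add a comment above the attribute, `// Inherited by every webhook controller; a derived [AllowAnonymous] would bypass this policy.`, so a later edit to the base class or a new endpoint does not silently drop the check. ASP.NET Core applies stacked `[Authorize]` attributes cumulatively, so any derived controller outside this patch that still carries its own policy now requires both; those are worth checking, as the patch only shows the create, update and delete controllers. An integration test that calls each webhook endpoint as a user without webhook tree access and expects 403 would pin the behaviour the commit title promises. The class body continues past the end of the hunk.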