fixes media authz resource policies
@@ -24,7 +24,6 @@ namespace Umbraco.Web.BackOffice.Authorization
|
||||
|
||||
protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context, ContentPermissionsResourceRequirement requirement, ContentPermissionsResource resource)
|
||||
{
|
||||
|
||||
var permissionResult = resource.NodeId.HasValue
|
||||
? _contentPermissions.CheckPermissions(
|
||||
resource.NodeId.Value,
|
||||
|
||||
@@ -0,0 +1,20 @@
|
||||
using Umbraco.Core.Models;
|
||||
|
||||
namespace Umbraco.Web.BackOffice.Authorization
|
||||
{
|
||||
public class MediaPermissionsResource
|
||||
{
|
||||
public MediaPermissionsResource(IMedia media)
|
||||
{
|
||||
Media = media;
|
||||
}
|
||||
|
||||
public MediaPermissionsResource(int nodeId)
|
||||
{
|
||||
NodeId = nodeId;
|
||||
}
|
||||
|
||||
public int? NodeId { get; }
|
||||
public IMedia Media { get; }
|
||||
}
|
||||
}
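Review bot: The `MediaPermissionsResource(IMedia media)` constructor accepts null, which leaves an instance with neither `NodeId` nor `Media` set. The handler changed in this commit picks its branch on `resource.NodeId.HasValue`, so such an instance would reach `CheckPermissions(resource.Media, ...)` with a null media item, and what that overload returns for null is not visible on this page. Rejecting null at construction keeps the invariant in one place: `Media = media ?? throw new System.ArgumentNullException(nameof(media));`. A `<summary>` on the class stating that exactly one of the two properties is populated would also help callers building the resource.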
|
||||
@@ -8,7 +8,7 @@ namespace Umbraco.Web.BackOffice.Authorization
|
||||
/// <summary>
|
||||
/// Used to authorize if the user has the correct permission access to the content for the <see cref="IContent"/> specified
|
||||
/// </summary>
|
||||
public class MediaPermissionsResourceHandler : MustSatisfyRequirementAuthorizationHandler<MediaPermissionsResourceRequirement, IMedia>
|
||||
public class MediaPermissionsResourceHandler : MustSatisfyRequirementAuthorizationHandler<MediaPermissionsResourceRequirement, MediaPermissionsResource>
|
||||
{
|
||||
private readonly IBackOfficeSecurityAccessor _backofficeSecurityAccessor;
|
||||
private readonly MediaPermissions _mediaPermissions;
|
||||
@@ -21,23 +21,16 @@ namespace Umbraco.Web.BackOffice.Authorization
|
||||
_mediaPermissions = mediaPermissions;
|
||||
}
|
||||
|
||||
protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context, MediaPermissionsResourceRequirement requirement, IMedia resource)
|
||||
protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context, MediaPermissionsResourceRequirement requirement, MediaPermissionsResource resource)
|
||||
{
|
||||
var permissionResult = MediaPermissions.MediaAccess.NotFound;
|
||||
|
||||
if (resource != null)
|
||||
{
|
||||
permissionResult = _mediaPermissions.CheckPermissions(
|
||||
resource,
|
||||
_backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser);
|
||||
}
|
||||
else if (requirement.NodeId.HasValue)
|
||||
{
|
||||
permissionResult = _mediaPermissions.CheckPermissions(
|
||||
var permissionResult = resource.NodeId.HasValue
|
||||
? _mediaPermissions.CheckPermissions(
|
||||
_backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser,
|
||||
requirement.NodeId.Value,
|
||||
out _);
|
||||
}
|
||||
resource.NodeId.Value,
|
||||
out _)
|
||||
: _mediaPermissions.CheckPermissions(
|
||||
resource.Media,
|
||||
_backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser);
|
||||
|
||||
return Task.FromResult(permissionResult != MediaPermissions.MediaAccess.Denied);
|
||||
}
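Review bot: The rewritten `IsAuthorized` dereferences `resource.NodeId` without the `resource != null` guard the previous version had, and the final comparison `permissionResult != MediaPermissions.MediaAccess.Denied` lets a `NotFound` result count as authorized. Whether the base `MustSatisfyRequirementAuthorizationHandler` can pass a null resource is not visible on this page; if it can, a guard such as `if (resource == null) return Task.FromResult(false);` keeps the handler failing closed instead of throwing. If `NotFound` is meant to pass so the action can answer 404 itself, a comment above the return should say so, e.g. `// NotFound is allowed through; only Denied blocks the request`. The `<summary>` above the class still refers to content and `IContent` although this handler authorizes media.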
|
||||
|
||||
@@ -2,20 +2,12 @@
|
||||
|
||||
namespace Umbraco.Web.BackOffice.Authorization
|
||||
{
|
||||
|
||||
/// <summary>
|
||||
/// An authorization requirement for <see cref="MediaPermissionsResourceHandler"/>
|
||||
/// </summary>
|
||||
public class MediaPermissionsResourceRequirement : IAuthorizationRequirement
|
||||
{
|
||||
public MediaPermissionsResourceRequirement()
|
||||
{
|
||||
}
|
||||
|
||||
public MediaPermissionsResourceRequirement(int nodeId)
|
||||
{
|
||||
NodeId = nodeId;
|
||||
}
|
||||
|
||||
public int? NodeId { get; }
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -105,6 +105,12 @@ namespace Umbraco.Extensions
|
||||
|
||||
private static void CreatePolicies(AuthorizationOptions options, string backOfficeAuthenticationScheme)
|
||||
{
|
||||
options.AddPolicy(AuthorizationPolicies.MediaPermissionByResource, policy =>
|
||||
{
|
||||
policy.AuthenticationSchemes.Add(backOfficeAuthenticationScheme);
|
||||
policy.Requirements.Add(new MediaPermissionsResourceRequirement());
|
||||
});
|
||||
|
||||
options.AddPolicy(AuthorizationPolicies.MediaPermissionPathById, policy =>
|
||||
{
|
||||
policy.AuthenticationSchemes.Add(backOfficeAuthenticationScheme);
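Review bot: The new `MediaPermissionByResource` policy is evaluated imperatively in this commit, through `_authorizationService.AuthorizeAsync(user, resource, policyName)`, and that call evaluates only the policy's requirements; `policy.AuthenticationSchemes` is applied by the authorization middleware and does not take part on that path. The handler also reads the user from `_backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser` rather than from the principal passed in, so the check depends on the back-office user already being established when the filter runs. A comment above the registration would record this, e.g. `// Resource-based policy: invoked via IAuthorizationService from filters that run after back-office authentication`. `CreatePolicies` continues past the end of this hunk.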
|
||||
|
||||
@@ -9,6 +9,7 @@ using Umbraco.Core.Models;
|
||||
using Umbraco.Core.Security;
|
||||
using Umbraco.Core.Services;
|
||||
using Umbraco.Web.BackOffice.Authorization;
|
||||
using Umbraco.Web.Common.Authorization;
|
||||
using Umbraco.Web.Models.ContentEditing;
|
||||
|
||||
namespace Umbraco.Web.BackOffice.Filters
|
||||
@@ -107,11 +108,15 @@ namespace Umbraco.Web.BackOffice.Filters
|
||||
return false;
|
||||
}
|
||||
|
||||
var requirement = contentToCheck == null
|
||||
? new MediaPermissionsResourceRequirement(contentIdToCheck)
|
||||
: new MediaPermissionsResourceRequirement();
|
||||
var resource = contentToCheck == null
|
||||
? new MediaPermissionsResource(contentIdToCheck)
|
||||
: new MediaPermissionsResource(contentToCheck);
|
||||
|
||||
var authorizationResult = await _authorizationService.AuthorizeAsync(
|
||||
actionContext.HttpContext.User,
|
||||
resource,
|
||||
AuthorizationPolicies.MediaPermissionByResource);
|
||||
|
||||
var authorizationResult = await _authorizationService.AuthorizeAsync(actionContext.HttpContext.User, contentToCheck, requirement);
|
||||
if (!authorizationResult.Succeeded)
|
||||
{
|
||||
actionContext.Result = new ForbidResult();
|
||||
|
||||
@@ -24,7 +24,9 @@
|
||||
public const string ContentPermissionBrowseById = nameof(ContentPermissionBrowseById);
|
||||
public const string ContentPermissionDeleteById = nameof(ContentPermissionDeleteById);
|
||||
|
||||
public const string MediaPermissionByResource = nameof(MediaPermissionByResource);
|
||||
public const string MediaPermissionPathById = nameof(MediaPermissionPathById);
|
||||
|
||||
|
||||
// Single section access
|
||||
|
||||
|
||||