diff --git a/src/Umbraco.Web/Editors/DataTypeController.cs b/src/Umbraco.Web/Editors/DataTypeController.cs
index c4c8d6a485..fb48858318 100644
--- a/src/Umbraco.Web/Editors/DataTypeController.cs
+++ b/src/Umbraco.Web/Editors/DataTypeController.cs
@@ -30,7 +30,7 @@ namespace Umbraco.Web.Editors
 /// access to ALL of the methods on this controller will need access to the developer application.
 ///
 [PluginController("UmbracoApi")]
- [UmbracoApplicationAuthorize(Constants.Applications.Developer)]
+ [UmbracoTreeAuthorize(Constants.Trees.DataTypes)]
 public class DataTypeController : UmbracoAuthorizedJsonController
 {
 ///
diff --git a/src/Umbraco.Web/Editors/TemplateController.cs b/src/Umbraco.Web/Editors/TemplateController.cs
index 2906441203..3799be7e23 100644
--- a/src/Umbraco.Web/Editors/TemplateController.cs
+++ b/src/Umbraco.Web/Editors/TemplateController.cs
@@ -17,7 +17,7 @@ using Umbraco.Web.WebApi.Filters;
 namespace Umbraco.Web.Editors
 {
 [PluginController("UmbracoApi")]
- [UmbracoApplicationAuthorize(Core.Constants.Applications.Settings)]
+ [UmbracoTreeAuthorize(Core.Constants.Trees.Templates)]
 public class TemplateController : UmbracoAuthorizedJsonController
 {
 ///
diff --git a/src/Umbraco.Web/Trees/DataTypeTreeController.cs b/src/Umbraco.Web/Trees/DataTypeTreeController.cs
index c428bdcc94..8e9b4c294a 100644
--- a/src/Umbraco.Web/Trees/DataTypeTreeController.cs
+++ b/src/Umbraco.Web/Trees/DataTypeTreeController.cs
@@ -14,7 +14,7 @@ using Constants = Umbraco.Core.Constants;
 namespace Umbraco.Web.Trees
 {
- [UmbracoApplicationAuthorize(Constants.Applications.Developer)]
+ [UmbracoTreeAuthorize(Constants.Trees.DataTypes)]
 [Tree(Constants.Applications.Developer, Constants.Trees.DataTypes, "Data Types")]
 [PluginController("UmbracoTrees")]
 [CoreTree]
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 5c2dac7a17..871d4f934b 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -537,6 +537,7 @@
+ 
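Review bot: The doc comment left in place above the swapped attribute still says that access to ALL of the methods on this controller requires the developer application, which no longer describes the rule once authorization is keyed to the DataTypes tree, whose section is resolved at request time and which the new filter's own remarks say may be moved between sections. I would change it to `/// access to ALL of the methods on this controller will need access to the section that the Data Types tree is registered in.` The rendered diff appears to have dropped the XML tags of that comment, so the exact wording of the surrounding summary should be checked in the file. The same attribute swap is made in TemplateController and DataTypeTreeController in this commit, and the class bodies of all three continue past their hunks.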
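Review bot: In the DataTypeTreeController hunk the new `[UmbracoTreeAuthorize(Constants.Trees.DataTypes)]` decides the section from the tree's registration in ApplicationTreeService at request time, while the `[Tree(Constants.Applications.Developer, Constants.Trees.DataTypes, "Data Types")]` attribute two lines below still names the Developer section statically, so the two can disagree once a tree is moved, which is the scenario the new filter exists for. Because the filter drops aliases that do not resolve, a missing or renamed registration denies every request to this tree rather than falling back to the section in `[Tree]`; that is the safe direction but worth stating. A comment on the Tree attribute such as `// Section here is the registration default; authorization follows the tree's current registration in ApplicationTreeService.` would make the relationship explicit. The class declaration continues beyond the hunk.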
diff --git a/src/Umbraco.Web/WebApi/Filters/UmbracoTreeAuthorizeAttribute.cs b/src/Umbraco.Web/WebApi/Filters/UmbracoTreeAuthorizeAttribute.cs
new file mode 100644
index 0000000000..f894712a82
--- /dev/null
+++ b/src/Umbraco.Web/WebApi/Filters/UmbracoTreeAuthorizeAttribute.cs
@@ -0,0 +1,54 @@
+using System.Linq;
+using System.Web.Http;
+using System.Web.Http.Controllers;
+using Umbraco.Core;
+
+namespace Umbraco.Web.WebApi.Filters
+{
+ ///
+ /// Ensures that the current user has access to the application for which the specified tree(s) belongs
+ ///
+ ///
+ /// This would allow a tree to be moved between sections
+ ///
+ public sealed class UmbracoTreeAuthorizeAttribute : AuthorizeAttribute
+ {
+ ///
+ /// Can be used by unit tests to enable/disable this filter
+ ///
+ internal static bool Enable = true;
+
+ private readonly string[] _treeAliases;
+
+ ///
+ /// Constructor to set authorization to be based on a tree alias for which application security will be applied
+ ///
+ ///
+ /// If the user has access to the application that the treeAlias is specified in, they will be authorized.
+ /// Multiple trees may be specified.
+ ///
+ public UmbracoTreeAuthorizeAttribute(params string[] treeAliases)
+ {
+ _treeAliases = treeAliases;
+ }
+
+ protected override bool IsAuthorized(HttpActionContext actionContext)
+ {
+ if (Enable == false)
+ {
+ return true;
+ }
+
+ var apps = _treeAliases.Select(x => ApplicationContext.Current.Services.ApplicationTreeService
+ .GetByAlias(x))
+ .WhereNotNull()
+ .Select(x => x.ApplicationAlias)
+ .Distinct()
+ .ToArray();
+
+ return UmbracoContext.Current.Security.CurrentUser != null
+ && apps.Any(app => UmbracoContext.Current.Security.UserHasAppAccess(
+ app, UmbracoContext.Current.Security.CurrentUser));
+ }
+ }
+}
\ No newline at end of file
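Review bot: The constructor stores `treeAliases` unchecked, so an attribute declared with an explicit `null` argument (legal for a `params` array) only fails inside `IsAuthorized` with a NullReferenceException on the first request instead of at the declaration; a null guard in the constructor surfaces the mistake where it is written. In `IsAuthorized`, `UmbracoContext.Current.Security.CurrentUser` is read once for the null check and again inside the `Any` lambda, so the access check can see a different value from the one that was null-checked; reading the security context and user into locals once removes that and also skips the tree-service lookups when there is no user. Two behaviours deserve a comment because they are easy to misread: an alias that `GetByAlias` does not resolve is dropped by `WhereNotNull`, so an unregistered or misspelled alias denies access rather than granting it, and `Enable = false` makes the filter return `true` for every request, so it must stay true outside tests. The rewritten constructor and method are below; the rest of the file is unchanged.
```csharp
// … unchanged: usings, class header, Enable and _treeAliases fields …

public UmbracoTreeAuthorizeAttribute(params string[] treeAliases)
{
    // Fail at the attribute declaration rather than on the first authorized request.
    if (treeAliases == null)
    {
        throw new System.ArgumentNullException("treeAliases");
    }
    _treeAliases = treeAliases;
}

protected override bool IsAuthorized(HttpActionContext actionContext)
{
    // Test hook: when disabled the filter authorizes every request, so it must stay true outside tests.
    if (Enable == false)
    {
        return true;
    }

    // Read the security context and user once so the null check and the access check see the same user.
    var security = UmbracoContext.Current.Security;
    var currentUser = security.CurrentUser;
    if (currentUser == null)
    {
        return false;
    }

    // Aliases that do not resolve to a registered tree are dropped, so an unknown alias denies rather than grants.
    var treeService = ApplicationContext.Current.Services.ApplicationTreeService;
    var apps = _treeAliases
        .Select(alias => treeService.GetByAlias(alias))
        .WhereNotNull()
        .Select(tree => tree.ApplicationAlias)
        .Distinct()
        .ToArray();

    return apps.Any(app => security.UserHasAppAccess(app, currentUser));
}
```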