Merge remote-tracking branch 'origin/netcore/feature/AB4919-untable-umbraco-context' into netcore/feature/AB4919-untable-umbraco-context

This commit is contained in:
Bjarke Berg
2020-02-14 08:05:42 +01:00
9 changed files with 19 additions and 230 deletions


@@ -88,8 +88,6 @@ namespace Umbraco.Web
/// </summary>
bool InPreviewMode { get; }
string PreviewToken { get; }
/// <summary>
/// Gets the url of a content identified by its identifier.
/// </summary>


@@ -123,14 +123,6 @@ namespace Umbraco.Web.Routing
/// should use the specified description. The description will or will not be used, in due time.</remarks>
string ResponseStatusDescription { get; }
/// <summary>
/// Gets or sets the <c>System.Web.HttpCacheability</c>
/// </summary>
// Note: we used to set a default value here but that would then be the default
// for ALL requests, we shouldn't overwrite it though if people are using [OutputCache] for example
// see: https://our.umbraco.com/forum/using-umbraco-and-getting-started/79715-output-cache-in-umbraco-752
//HttpCacheability Cacheability { get; set; }
/// <summary>
/// Gets or sets a list of Extensions to append to the Response.Cache object.
/// </summary>


@@ -12,11 +12,6 @@ namespace Umbraco.Web.Routing
/// </summary>
UrlMode Mode { get; set; }
UrlMode GetMode(bool absolute);
IPublishedContent GetDocument(int id);
IPublishedContent GetDocument(Guid id);
IPublishedContent GetMedia(Guid id);
/// <summary>
/// Gets the url of a published content.
/// </summary>
@@ -107,4 +102,4 @@ namespace Umbraco.Web.Routing
/// </remarks>
string GetMediaUrl(IPublishedContent content, UrlMode mode = UrlMode.Default, string culture = null, string propertyAlias = Constants.Conventions.Media.File, Uri current = null);
}
}
}


@@ -1,3 +1,4 @@
using System;
using Umbraco.Core;
using Umbraco.Core.Models.Membership;
@@ -11,41 +12,18 @@ namespace Umbraco.Web.Security
/// <value>The current user.</value>
IUser CurrentUser { get; }
/// <summary>
/// Logs a user in.
/// </summary>
/// <param name="userId">The user Id</param>
/// <returns>returns the number of seconds until their session times out</returns>
[Obsolete("This needs to be removed, ASP.NET Identity should always be used for this operation, this is currently only used in the installer which needs to be updated")]
double PerformLogin(int userId);
/// <summary>
/// Clears the current login for the currently logged in user
/// </summary>
[Obsolete("This needs to be removed, ASP.NET Identity should always be used for this operation, this is currently only used in the installer which needs to be updated")]
void ClearCurrentLogin();
/// <summary>
/// Validates credentials for a back office user
/// </summary>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns></returns>
/// <remarks>
/// This uses ASP.NET Identity to perform the validation
/// </remarks>
bool ValidateBackOfficeCredentials(string username, string password);
/// <summary>
/// Gets the current user's id.
/// </summary>
/// <returns></returns>
Attempt<int> GetUserId();
/// <summary>
/// Returns the current user's unique session id - used to mitigate csrf attacks or any other reason to validate a request
/// </summary>
/// <returns></returns>
string GetSessionId();
/// <summary>
/// Validates the currently logged in user and ensures they are not timed out
/// </summary>
@@ -75,14 +53,6 @@ namespace Umbraco.Web.Security
/// <returns></returns>
bool UserHasSectionAccess(string section, IUser user);
/// <summary>
/// Checks if the specified user by username as access to the app
/// </summary>
/// <param name="section"></param>
/// <param name="username"></param>
/// <returns></returns>
bool UserHasSectionAccess(string section, string username);
/// <summary>
/// Ensures that a back office user is logged in
/// </summary>
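Review bot: `GetSessionId` is dropped from this interface (and from the implementation in the WebSecurity.cs section) although its own summary on the removed lines describes it as the value used to mitigate CSRF; if an anti-forgery check still consumes the session id it now needs another way to obtain it, which nothing in this commit shows. The member that stays, `GetUserId`, keeps an empty `<returns></returns>`; the implementation returns a failed attempt when no identity is present, so `/// <returns>A successful <see cref="Attempt{T}"/> carrying the user id, or a failed attempt when there is no current identity.</returns>` would document the contract callers rely on. The `[Obsolete]` attributes added on `PerformLogin` and `ClearCurrentLogin` only warn, so the installer call sites they mention keep compiling unchanged, which appears to be the intent.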


@@ -73,10 +73,9 @@ namespace Umbraco.Web.Routing
#region GetUrl
public UrlMode GetMode(bool absolute) => absolute ? UrlMode.Absolute : Mode;
public IPublishedContent GetDocument(int id) => _umbracoContext.Content.GetById(id);
public IPublishedContent GetDocument(Guid id) => _umbracoContext.Content.GetById(id);
public IPublishedContent GetMedia(Guid id) => _umbracoContext.Media.GetById(id);
private IPublishedContent GetDocument(int id) => _umbracoContext.Content.GetById(id);
private IPublishedContent GetDocument(Guid id) => _umbracoContext.Content.GetById(id);
private IPublishedContent GetMedia(Guid id) => _umbracoContext.Media.GetById(id);
/// <summary>
/// Gets the url of a published content.


@@ -10,9 +10,7 @@ using Microsoft.Owin;
using Umbraco.Core.Configuration;
using Umbraco.Core.IO;
using Umbraco.Core.Models;
using Umbraco.Core.Models.Identity;
using Umbraco.Web.Models.Identity;
using Current = Umbraco.Web.Composing.Current;
namespace Umbraco.Web.Security
{
@@ -41,7 +39,7 @@ namespace Umbraco.Web.Security
/// Gets the current user.
/// </summary>
/// <value>The current user.</value>
public virtual IUser CurrentUser
public IUser CurrentUser
{
get
{
@@ -78,12 +76,8 @@ namespace Umbraco.Web.Security
protected BackOfficeUserManager<BackOfficeIdentityUser> UserManager
=> _userManager ?? (_userManager = _httpContext.GetOwinContext().GetBackOfficeUserManager());
/// <summary>
/// Logs a user in.
/// </summary>
/// <param name="userId">The user Id</param>
/// <returns>returns the number of seconds until their session times out</returns>
public virtual double PerformLogin(int userId)
[Obsolete("This needs to be removed, ASP.NET Identity should always be used for this operation, this is currently only used in the installer which needs to be updated")]
public double PerformLogin(int userId)
{
var owinCtx = _httpContext.GetOwinContext();
//ensure it's done for owin too
@@ -98,10 +92,8 @@ namespace Umbraco.Web.Security
return TimeSpan.FromMinutes(_globalSettings.TimeOutInMinutes).TotalSeconds;
}
/// <summary>
/// Clears the current login for the currently logged in user
/// </summary>
public virtual void ClearCurrentLogin()
[Obsolete("This needs to be removed, ASP.NET Identity should always be used for this operation, this is currently only used in the installer which needs to be updated")]
public void ClearCurrentLogin()
{
_httpContext.UmbracoLogout();
_httpContext.GetOwinContext().Authentication.SignOut(
@@ -112,67 +104,26 @@ namespace Umbraco.Web.Security
/// <summary>
/// Renews the user's login ticket
/// </summary>
public virtual void RenewLoginTimeout()
public void RenewLoginTimeout()
{
_httpContext.RenewUmbracoAuthTicket();
}
/// <summary>
/// Validates credentials for a back office user
/// </summary>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns></returns>
/// <remarks>
/// This uses ASP.NET Identity to perform the validation
/// </remarks>
public virtual bool ValidateBackOfficeCredentials(string username, string password)
{
//find the user by username
var user = UserManager.FindByNameAsync(username).Result;
return user != null && UserManager.CheckPasswordAsync(user, password).Result;
}
/// <summary>
/// Validates the current user to see if they have access to the specified app
/// </summary>
/// <param name="app"></param>
/// <returns></returns>
internal bool ValidateUserApp(string app)
{
//if it is empty, don't validate
if (app.IsNullOrWhiteSpace())
{
return true;
}
return CurrentUser.AllowedSections.Any(uApp => uApp.InvariantEquals(app));
}
/// <summary>
/// Gets the current user's id.
/// </summary>
/// <returns></returns>
public virtual Attempt<int> GetUserId()
public Attempt<int> GetUserId()
{
var identity = _httpContext.GetCurrentIdentity(false);
return identity == null ? Attempt.Fail<int>() : Attempt.Succeed(Convert.ToInt32(identity.Id));
}
/// <summary>
/// Returns the current user's unique session id - used to mitigate csrf attacks or any other reason to validate a request
/// </summary>
/// <returns></returns>
public virtual string GetSessionId()
{
var identity = _httpContext.GetCurrentIdentity(false);
return identity?.SessionId;
}
/// <summary>
/// Validates the currently logged in user and ensures they are not timed out
/// </summary>
/// <returns></returns>
public virtual bool ValidateCurrentUser()
public bool ValidateCurrentUser()
{
return ValidateCurrentUser(false, true) == ValidateRequestAttempt.Success;
}
@@ -183,7 +134,7 @@ namespace Umbraco.Web.Security
/// <param name="throwExceptions">set to true if you want exceptions to be thrown if failed</param>
/// <param name="requiresApproval">If true requires that the user is approved to be validated</param>
/// <returns></returns>
public virtual ValidateRequestAttempt ValidateCurrentUser(bool throwExceptions, bool requiresApproval = true)
public ValidateRequestAttempt ValidateCurrentUser(bool throwExceptions, bool requiresApproval = true)
{
//This will first check if the current user is already authenticated - which should be the case in nearly all circumstances
// since the authentication happens in the Module, that authentication also checks the ticket expiry. We don't
@@ -235,27 +186,11 @@ namespace Umbraco.Web.Security
/// <param name="section"></param>
/// <param name="user"></param>
/// <returns></returns>
public virtual bool UserHasSectionAccess(string section, IUser user)
public bool UserHasSectionAccess(string section, IUser user)
{
return user.HasSectionAccess(section);
}
/// <summary>
/// Checks if the specified user by username as access to the app
/// </summary>
/// <param name="section"></param>
/// <param name="username"></param>
/// <returns></returns>
public bool UserHasSectionAccess(string section, string username)
{
var user = _userService.GetByUsername(username);
if (user == null)
{
return false;
}
return user.HasSectionAccess(section);
}
/// <summary>
/// Ensures that a back office user is logged in
/// </summary>
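Review bot: Dropping `virtual` from `CurrentUser`, `PerformLogin`, `ClearCurrentLogin`, `RenewLoginTimeout`, `GetUserId`, `ValidateCurrentUser` and `UserHasSectionAccess` removes every override point of this class, while the class declaration itself lies outside these hunks and presumably stays unsealed; if no subclass is meant to exist, marking the class `sealed` would make that explicit, otherwise one of the two changes is inconsistent. The first hunk removes two `using` directives while `UserManager` still names `BackOfficeUserManager<BackOfficeIdentityUser>`; presumably those types resolve from the current namespace, but that is worth confirming against the build. The enclosing class starts and ends outside the hunks.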


@@ -708,7 +708,6 @@
<DesignTime>True</DesignTime>
<DependentUpon>Reference.map</DependentUpon>
</Compile>
<Compile Include="UmbracoAuthorizedHttpHandler.cs" />
<Compile Include="UmbracoHttpHandler.cs" />
<Compile Include="UmbracoWebService.cs">
<SubType>Component</SubType>


@@ -1,100 +0,0 @@
using System;
using System.Security;
using Umbraco.Core;
using Umbraco.Core.Cache;
using Umbraco.Core.Logging;
using Umbraco.Web.Security;
using Umbraco.Core.Models.Membership;
using Umbraco.Core.Services;
namespace Umbraco.Web
{
public abstract class UmbracoAuthorizedHttpHandler : UmbracoHttpHandler
{
protected UmbracoAuthorizedHttpHandler()
{
}
protected UmbracoAuthorizedHttpHandler(IUmbracoContextAccessor umbracoContextAccessor, UmbracoHelper umbracoHelper, ServiceContext service, IProfilingLogger plogger) : base(umbracoContextAccessor, umbracoHelper, service, plogger)
{
}
/// <summary>
/// Checks if the umbraco context id is valid
/// </summary>
/// <param name="currentUmbracoUserContextId"></param>
/// <returns></returns>
protected bool ValidateUserContextId(string currentUmbracoUserContextId)
{
return Security.ValidateCurrentUser();
}
/// <summary>
/// Checks if the username/password credentials are valid
/// </summary>
/// <param name="username"></param>
/// <param name="password"></param>
/// <returns></returns>
protected bool ValidateCredentials(string username, string password)
{
return Security.ValidateBackOfficeCredentials(username, password);
}
/// <summary>
/// Validates the user for access to a certain application
/// </summary>
/// <param name="app">The application alias.</param>
/// <param name="throwExceptions">true if an exception should be thrown if authorization fails</param>
/// <returns></returns>
protected bool AuthorizeRequest(string app, bool throwExceptions = false)
{
//ensure we have a valid user first!
if (!AuthorizeRequest(throwExceptions)) return false;
//if it is empty, don't validate
if (app.IsNullOrWhiteSpace())
{
return true;
}
var hasAccess = UserHasAppAccess(app, Security.CurrentUser);
if (!hasAccess && throwExceptions)
throw new SecurityException("The user does not have access to the required application");
return hasAccess;
}
/// <summary>
/// Checks if the specified user as access to the app
/// </summary>
/// <param name="app"></param>
/// <param name="user"></param>
/// <returns></returns>
protected bool UserHasAppAccess(string app, IUser user)
{
return Security.UserHasSectionAccess(app, user);
}
/// <summary>
/// Checks if the specified user by username as access to the app
/// </summary>
/// <param name="app"></param>
/// <param name="username"></param>
/// <returns></returns>
protected bool UserHasAppAccess(string app, string username)
{
return Security.UserHasSectionAccess(app, username);
}
/// <summary>
/// Returns true if there is a valid logged in user and that ssl is enabled if required
/// </summary>
/// <param name="throwExceptions">true if an exception should be thrown if authorization fails</param>
/// <returns></returns>
protected bool AuthorizeRequest(bool throwExceptions = false)
{
var result = Security.AuthorizeRequest(throwExceptions);
return result == ValidateRequestAttempt.Success;
}
}
}


@@ -90,7 +90,8 @@ namespace Umbraco.Web
public static HttpContextBase EnsureHttpContext(HttpContextBase httpContext = null)
{
if (Thread.GetDomain().GetData(".appPath") is null || Thread.GetDomain().GetData(".appVPath") is null)
var domain = Thread.GetDomain();
if (domain.GetData(".appPath") is null || domain.GetData(".appVPath") is null)
{
return httpContext ?? new HttpContextWrapper(HttpContext.Current ??
new HttpContext(new SimpleWorkerRequest("", "", "null.aspx", "", NullWriterInstance)));
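Review bot: The hoisted `domain` local holds the current application domain, and `var domain = AppDomain.CurrentDomain;` is the conventional way to obtain it, avoiding the `Thread.GetDomain()` indirection while leaving the two `GetData` checks on the next line as they are. `EnsureHttpContext` continues past the end of the hunk.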