Merge branch 'dev-v7' into dev-v8
# Conflicts: # src/Umbraco.Web/WebApi/Filters/UmbracoApplicationAuthorizeAttribute.cs
This commit is contained in:
Sebastiaan Janssen
@@ -65,6 +65,7 @@ namespace Umbraco.Web.Editors
|
||||
|
||||
[AppendUserModifiedHeader("id")]
|
||||
[FileUploadCleanupFilter(false)]
|
||||
[AdminUsersAuthorize]
|
||||
public async Task<HttpResponseMessage> PostSetAvatar(int id)
|
||||
{
|
||||
return await PostSetAvatarInternal(Request, Services.UserService, AppCaches.RuntimeCache, id);
|
||||
@@ -128,6 +129,7 @@ namespace Umbraco.Web.Editors
|
||||
}
|
||||
|
||||
[AppendUserModifiedHeader("id")]
|
||||
[AdminUsersAuthorize]
|
||||
public HttpResponseMessage PostClearAvatar(int id)
|
||||
{
|
||||
var found = Services.UserService.GetUserById(id);
|
||||
@@ -166,6 +168,7 @@ namespace Umbraco.Web.Editors
|
||||
/// <param name="id"></param>
|
||||
/// <returns></returns>
|
||||
[OutgoingEditorModelEvent]
|
||||
[AdminUsersAuthorize]
|
||||
public UserDisplay GetById(int id)
|
||||
{
|
||||
var user = Services.UserService.GetUserById(id);
|
||||
@@ -591,6 +594,7 @@ namespace Umbraco.Web.Editors
|
||||
/// Disables the users with the given user ids
|
||||
/// </summary>
|
||||
/// <param name="userIds"></param>
|
||||
[AdminUsersAuthorize("userIds")]
|
||||
public HttpResponseMessage PostDisableUsers([FromUri]int[] userIds)
|
||||
{
|
||||
var tryGetCurrentUserId = Security.GetUserId();
|
||||
@@ -622,6 +626,7 @@ namespace Umbraco.Web.Editors
|
||||
/// Enables the users with the given user ids
|
||||
/// </summary>
|
||||
/// <param name="userIds"></param>
|
||||
[AdminUsersAuthorize("userIds")]
|
||||
public HttpResponseMessage PostEnableUsers([FromUri]int[] userIds)
|
||||
{
|
||||
var users = Services.UserService.GetUsersById(userIds).ToArray();
|
||||
@@ -645,6 +650,7 @@ namespace Umbraco.Web.Editors
|
||||
/// Unlocks the users with the given user ids
|
||||
/// </summary>
|
||||
/// <param name="userIds"></param>
|
||||
[AdminUsersAuthorize("userIds")]
|
||||
public async Task<HttpResponseMessage> PostUnlockUsers([FromUri]int[] userIds)
|
||||
{
|
||||
if (userIds.Length <= 0)
|
||||
@@ -677,6 +683,7 @@ namespace Umbraco.Web.Editors
|
||||
Services.TextService.Localize("speechBubbles/unlockUsersSuccess", new[] { userIds.Length.ToString() }));
|
||||
}
|
||||
|
||||
[AdminUsersAuthorize("userIds")]
|
||||
public HttpResponseMessage PostSetUserGroupsOnUsers([FromUri]string[] userGroupAliases, [FromUri]int[] userIds)
|
||||
{
|
||||
var users = Services.UserService.GetUsersById(userIds).ToArray();
|
||||
@@ -702,7 +709,8 @@ namespace Umbraco.Web.Editors
|
||||
/// Limited to users that haven't logged in to avoid issues with related records constrained
|
||||
/// with a foreign key on the user Id
|
||||
/// </remarks>
|
||||
public async Task<HttpResponseMessage> PostDeleteNonLoggedInUser(int id)
|
||||
[AdminUsersAuthorize]
|
||||
public HttpResponseMessage PostDeleteNonLoggedInUser(int id)
|
||||
{
|
||||
var user = Services.UserService.GetUserById(id);
|
||||
if (user == null)
|
||||
|
||||
@@ -216,6 +216,7 @@
|
||||
<Compile Include="Models\TemplateQuery\OperatorFactory.cs" />
|
||||
<Compile Include="UmbracoContextFactory.cs" />
|
||||
<Compile Include="UmbracoContextReference.cs" />
|
||||
<Compile Include="WebApi\Filters\AdminUsersAuthorizeAttribute.cs" />
|
||||
<Compile Include="WebApi\Filters\OnlyLocalRequestsAttribute.cs" />
|
||||
<Compile Include="PropertyEditors\MultiUrlPickerConfiguration.cs" />
|
||||
<Compile Include="PropertyEditors\MultiUrlPickerConfigurationEditor.cs" />
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
using System.Linq;
|
||||
using System.Net;
|
||||
using System.Net.Http;
|
||||
using System.Web.Http;
|
||||
using System.Web.Http.Controllers;
|
||||
using Umbraco.Core;
|
||||
using Umbraco.Web.Editors;
|
||||
|
||||
namespace Umbraco.Web.WebApi.Filters
|
||||
{
|
||||
/// <summary>
|
||||
/// if the users being edited is an admin then we must ensure that the current user is also an admin
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// This will authorize against one or multiple ids
|
||||
/// </remarks>
|
||||
public sealed class AdminUsersAuthorizeAttribute : AuthorizeAttribute
|
||||
{
|
||||
private readonly string _parameterName;
|
||||
|
||||
public AdminUsersAuthorizeAttribute(string parameterName)
|
||||
{
|
||||
_parameterName = parameterName;
|
||||
}
|
||||
|
||||
public AdminUsersAuthorizeAttribute() : this("id")
|
||||
{
|
||||
}
|
||||
|
||||
protected override bool IsAuthorized(HttpActionContext actionContext)
|
||||
{
|
||||
int[] userIds;
|
||||
if (actionContext.ActionArguments.TryGetValue(_parameterName, out var userId))
|
||||
{
|
||||
var intUserId = userId.TryConvertTo<int>();
|
||||
if (intUserId)
|
||||
userIds = new[] {intUserId.Result};
|
||||
else return base.IsAuthorized(actionContext);
|
||||
}
|
||||
else
|
||||
{
|
||||
var queryString = actionContext.Request.GetQueryNameValuePairs();
|
||||
var ids = queryString.Where(x => x.Key == _parameterName).ToArray();
|
||||
if (ids.Length == 0)
|
||||
return base.IsAuthorized(actionContext);
|
||||
userIds = ids.Select(x => x.Value.TryConvertTo<int>()).Where(x => x.Success).Select(x => x.Result).ToArray();
|
||||
}
|
||||
|
||||
if (userIds.Length == 0) return base.IsAuthorized(actionContext);
|
||||
|
||||
var users = ApplicationContext.Current.Services.UserService.GetUsersById(userIds);
|
||||
var authHelper = new UserEditorAuthorizationHelper(ApplicationContext.Current.Services.ContentService, ApplicationContext.Current.Services.MediaService, ApplicationContext.Current.Services.UserService, ApplicationContext.Current.Services.EntityService);
|
||||
return users.All(user => authHelper.IsAuthorized(UmbracoContext.Current.Security.CurrentUser, user, null, null, null) != false);
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user