diff --git a/src/Umbraco.Web/Editors/UsersController.cs b/src/Umbraco.Web/Editors/UsersController.cs index 8b618afde5..469a29da0f 100644 --- a/src/Umbraco.Web/Editors/UsersController.cs +++ b/src/Umbraco.Web/Editors/UsersController.cs @@ -65,6 +65,7 @@ namespace Umbraco.Web.Editors [AppendUserModifiedHeader("id")] [FileUploadCleanupFilter(false)] + [AdminUsersAuthorize] public async Task PostSetAvatar(int id) { return await PostSetAvatarInternal(Request, Services.UserService, AppCaches.RuntimeCache, id); @@ -128,6 +129,7 @@ namespace Umbraco.Web.Editors } [AppendUserModifiedHeader("id")] + [AdminUsersAuthorize] public HttpResponseMessage PostClearAvatar(int id) { var found = Services.UserService.GetUserById(id); @@ -166,6 +168,7 @@ namespace Umbraco.Web.Editors /// /// [OutgoingEditorModelEvent] + [AdminUsersAuthorize] public UserDisplay GetById(int id) { var user = Services.UserService.GetUserById(id); @@ -591,6 +594,7 @@ namespace Umbraco.Web.Editors /// Disables the users with the given user ids /// /// + [AdminUsersAuthorize("userIds")] public HttpResponseMessage PostDisableUsers([FromUri]int[] userIds) { var tryGetCurrentUserId = Security.GetUserId(); @@ -622,6 +626,7 @@ namespace Umbraco.Web.Editors /// Enables the users with the given user ids /// /// + [AdminUsersAuthorize("userIds")] public HttpResponseMessage PostEnableUsers([FromUri]int[] userIds) { var users = Services.UserService.GetUsersById(userIds).ToArray(); @@ -645,6 +650,7 @@ namespace Umbraco.Web.Editors /// Unlocks the users with the given user ids /// /// + [AdminUsersAuthorize("userIds")] public async Task PostUnlockUsers([FromUri]int[] userIds) { if (userIds.Length <= 0) @@ -677,6 +683,7 @@ namespace Umbraco.Web.Editors Services.TextService.Localize("speechBubbles/unlockUsersSuccess", new[] { userIds.Length.ToString() })); } + [AdminUsersAuthorize("userIds")] public HttpResponseMessage PostSetUserGroupsOnUsers([FromUri]string[] userGroupAliases, [FromUri]int[] userIds) { var users = Services.UserService.GetUsersById(userIds).ToArray(); @@ -702,7 +709,8 @@ namespace Umbraco.Web.Editors /// Limited to users that haven't logged in to avoid issues with related records constrained /// with a foreign key on the user Id /// - public async Task PostDeleteNonLoggedInUser(int id) + [AdminUsersAuthorize] + public HttpResponseMessage PostDeleteNonLoggedInUser(int id) { var user = Services.UserService.GetUserById(id); if (user == null) diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj index c6cbc7cbaa..aea5d9376a 100755 --- a/src/Umbraco.Web/Umbraco.Web.csproj +++ b/src/Umbraco.Web/Umbraco.Web.csproj @@ -216,6 +216,7 @@ + diff --git a/src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs b/src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs new file mode 100644 index 0000000000..e9cb1d8c6e --- /dev/null +++ b/src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs @@ -0,0 +1,56 @@ +using System.Linq; +using System.Net; +using System.Net.Http; +using System.Web.Http; +using System.Web.Http.Controllers; +using Umbraco.Core; +using Umbraco.Web.Editors; + +namespace Umbraco.Web.WebApi.Filters +{ + /// + /// if the users being edited is an admin then we must ensure that the current user is also an admin + /// + /// + /// This will authorize against one or multiple ids + /// + public sealed class AdminUsersAuthorizeAttribute : AuthorizeAttribute + { + private readonly string _parameterName; + + public AdminUsersAuthorizeAttribute(string parameterName) + { + _parameterName = parameterName; + } + + public AdminUsersAuthorizeAttribute() : this("id") + { + } + + protected override bool IsAuthorized(HttpActionContext actionContext) + { + int[] userIds; + if (actionContext.ActionArguments.TryGetValue(_parameterName, out var userId)) + { + var intUserId = userId.TryConvertTo(); + if (intUserId) + userIds = new[] {intUserId.Result}; + else return base.IsAuthorized(actionContext); + } + else + { + var queryString = actionContext.Request.GetQueryNameValuePairs(); + var ids = queryString.Where(x => x.Key == _parameterName).ToArray(); + if (ids.Length == 0) + return base.IsAuthorized(actionContext); + userIds = ids.Select(x => x.Value.TryConvertTo()).Where(x => x.Success).Select(x => x.Result).ToArray(); + } + + if (userIds.Length == 0) return base.IsAuthorized(actionContext); + + var users = ApplicationContext.Current.Services.UserService.GetUsersById(userIds); + var authHelper = new UserEditorAuthorizationHelper(ApplicationContext.Current.Services.ContentService, ApplicationContext.Current.Services.MediaService, ApplicationContext.Current.Services.UserService, ApplicationContext.Current.Services.EntityService); + return users.All(user => authHelper.IsAuthorized(UmbracoContext.Current.Security.CurrentUser, user, null, null, null) != false); + } + } +}