yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Changes UserController to be CurrentUserController - and removes the other methods in there since that was an overlooked security issue. This controller is responsible solely for dealing with the currently logged in user. Changes over to be currentuser.resource as well.

Browse Source
This commit is contained in:
Shannon
2013-11-12 18:07:10 +11:00
parent a532b49485
commit 5f5f535f05
6 changed files with 146 additions and 231 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
src/Umbraco.Web.UI.Client/src/common/resources/currentuser.resource.js Normal file
View File

@@ -0,0 +1,53 @@
/**
* @ngdoc service
* @name umbraco.resources.currentUserResource
* @description Used for read/updates for the currently logged in user
*
*
**/
function currentUserResource($q, $http, umbRequestHelper) {
//the factory object returned
return {
/**
* @ngdoc method
* @name umbraco.resources.currentUserResource#changePassword
* @methodOf umbraco.resources.currentUserResource
*
* @description
* Changes the current users password
*
* @returns {Promise} resourcePromise object containing the user array.
*
*/
changePassword: function (changePasswordArgs) {
return umbRequestHelper.resourcePromise(
$http.post(
umbRequestHelper.getApiUrl(
"currentUserApiBaseUrl",
"PostChangePassword"),
changePasswordArgs),
'Failed to change password');
},
/**
* @ngdoc method
* @name umbraco.resources.currentUserResource#getMembershipProviderConfig
* @methodOf umbraco.resources.currentUserResource
*
* @description
* Gets the configuration of the user membership provider which is used to configure the change password form
*/
getMembershipProviderConfig: function () {
return umbRequestHelper.resourcePromise(
$http.get(
umbRequestHelper.getApiUrl(
"currentUserApiBaseUrl",
"GetMembershipProviderConfig")),
'Failed to retreive membership provider config');
},
};
}
angular.module('umbraco.resources').factory('currentUserResource', currentUserResource);

113
src/Umbraco.Web.UI.Client/src/common/resources/user.resource.js
View File

@@ -1,113 +0,0 @@
/**
* @ngdoc service
* @name umbraco.resources.userResource
* @description Retrives user data from the server, cannot be used for authentication, for this, use the user.service
*
*
**/
function userResource($q, $http, umbRequestHelper) {
//the factory object returned
return {
/**
* @ngdoc method
* @name umbraco.resources.userResource#getById
* @methodOf umbraco.resources.userResource
*
* @description
* Gets a user with a given id
*
* ##usage
* <pre>
* userResource.getById(1234)
* .then(function(ent) {
* var myUser = ent;
* alert('im here!');
* });
* </pre>
*
* @param {Int} id id of user to return
* @returns {Promise} resourcePromise object containing the user.
*
*/
getById: function (id) {
return umbRequestHelper.resourcePromise(
$http.get(
umbRequestHelper.getApiUrl(
"userApiBaseUrl",
"GetById",
[{ id: id }])),
'Failed to retreive user data for id ' + id);
},
/**
* @ngdoc method
* @name umbraco.resources.userResource#getAll
* @methodOf umbraco.resources.userResource
*
* @description
* Gets all users available on the system
*
* ##usage
* <pre>
* contentResource.getAll()
* .then(function(userArray) {
* var myUsers = userArray;
* alert('they are here!');
* });
* </pre>
*
* @returns {Promise} resourcePromise object containing the user array.
*
*/
getAll: function () {
return umbRequestHelper.resourcePromise(
$http.get(
umbRequestHelper.getApiUrl(
"userApiBaseUrl",
"GetAll")),
'Failed to retreive all users');
},
/**
* @ngdoc method
* @name umbraco.resources.userResource#changePassword
* @methodOf umbraco.resources.userResource
*
* @description
* Changes the current users password
*
* @returns {Promise} resourcePromise object containing the user array.
*
*/
changePassword: function (changePasswordArgs) {
return umbRequestHelper.resourcePromise(
$http.post(
umbRequestHelper.getApiUrl(
"userApiBaseUrl",
"PostChangePassword"),
changePasswordArgs),
'Failed to change password');
},
/**
* @ngdoc method
* @name umbraco.resources.userResource#getMembershipProviderConfig
* @methodOf umbraco.resources.userResource
*
* @description
* Gets the configuration of the user membership provider which is used to configure the change password form
*/
getMembershipProviderConfig: function () {
return umbRequestHelper.resourcePromise(
$http.get(
umbRequestHelper.getApiUrl(
"userApiBaseUrl",
"GetMembershipProviderConfig")),
'Failed to retreive membership provider config');
},
};
}
angular.module('umbraco.resources').factory('userResource', userResource);

6
src/Umbraco.Web.UI.Client/src/views/dashboard/dashboard.tabs.controller.js
View File

@@ -80,7 +80,7 @@ function MediaFolderBrowserDashboardController($rootScope, $scope, assetsService
angular.module("umbraco").controller("Umbraco.Dashboard.MediaFolderBrowserDashboardController", MediaFolderBrowserDashboardController);
function ChangePasswordDashboardController($scope, xmlhelper, $log, userResource, formHelper) {
function ChangePasswordDashboardController($scope, xmlhelper, $log, currentUserResource, formHelper) {
//create the initial model for change password property editor
$scope.changePasswordModel = {
@@ -91,7 +91,7 @@ function ChangePasswordDashboardController($scope, xmlhelper, $log, userResource
};
//go get the config for the membership provider and add it to the model
userResource.getMembershipProviderConfig().then(function(data) {
currentUserResource.getMembershipProviderConfig().then(function(data) {
$scope.changePasswordModel.config = data;
//ensure the hasPassword config option is set to true (the user of course has a password already assigned)
//this will ensure the oldPassword is shown so they can change it
@@ -105,7 +105,7 @@ function ChangePasswordDashboardController($scope, xmlhelper, $log, userResource
$scope.changePassword = function() {
if (formHelper.submitForm({ scope: $scope })) {
userResource.changePassword($scope.changePasswordModel.value).then(function(data) {
currentUserResource.changePassword($scope.changePasswordModel.value).then(function(data) {
//if the password has been reset, then update our model
if (data.value) {

4
src/Umbraco.Web/Editors/BackOfficeController.cs
View File

@@ -102,8 +102,8 @@ namespace Umbraco.Web.Editors
controller => controller.PostLogin(null, null))
},
{
"userApiBaseUrl", Url.GetUmbracoApiServiceBaseUrl<UserController>(
controller => controller.GetAll())
"currentUserApiBaseUrl", Url.GetUmbracoApiServiceBaseUrl<CurrentUserController>(
controller => controller.GetMembershipProviderConfig())
},
{
"legacyApiBaseUrl", Url.GetUmbracoApiServiceBaseUrl<LegacyController>(

199
src/Umbraco.Web/Editors/UserController.cs → src/Umbraco.Web/Editors/CurrentUserController.cs
View File

@@ -1,112 +1,87 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Security;
using AutoMapper;
using Umbraco.Core.Configuration;
using Umbraco.Web.Models;
using Umbraco.Web.Models.ContentEditing;
using Umbraco.Web.Models.Mapping;
using Umbraco.Web.Mvc;
using Umbraco.Web.UI;
using Umbraco.Web.WebApi;
using umbraco;
using legacyUser = umbraco.BusinessLogic.User;
using System.Net.Http;
using System.Collections.Specialized;
using Constants = Umbraco.Core.Constants;
namespace Umbraco.Web.Editors
{
/// <summary>
/// Controller to back the User.Resource service, used for fetching user data when already authenticated. user.service is currently used for handling authentication
/// </summary>
[PluginController("UmbracoApi")]
public class UserController : UmbracoAuthorizedJsonController
{
/// <summary>
/// Returns the configuration for the backoffice user membership provider - used to configure the change password dialog
/// </summary>
/// <returns></returns>
public IDictionary<string, object> GetMembershipProviderConfig()
{
var provider = Membership.Providers[UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider];
if (provider == null)
{
throw new InvalidOperationException("No back office membership provider found with the name " + UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider);
}
return provider.GetConfiguration();
}
/// <summary>
/// Returns a user by id
/// </summary>
/// <param name="id"></param>
/// <returns></returns>
public UserDetail GetById(int id)
{
var user = Services.UserService.GetUserById(id);
if (user == null)
{
throw new HttpResponseException(HttpStatusCode.NotFound);
}
return Mapper.Map<UserDetail>(user);
}
/// <summary>
/// Changes the users password
/// </summary>
/// <param name="data"></param>
/// <returns>
/// If the password is being reset it will return the newly reset password, otherwise will return an empty value
/// </returns>
public ModelWithNotifications<string> PostChangePassword(ChangingPasswordModel data)
{
var userProvider = Membership.Providers[UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider];
if (userProvider == null)
{
throw new InvalidOperationException("No membership provider found with the name " + UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider);
}
//TODO: WE need to support this! - requires UI updates, etc...
if (userProvider.RequiresQuestionAndAnswer)
{
throw new NotSupportedException("Currently the user editor does not support providers that have RequiresQuestionAndAnswer specified");
}
var passwordChangeResult = Security.ChangePassword(Security.CurrentUser.Username, data, userProvider);
if (passwordChangeResult.Success)
{
//even if we weren't resetting this, it is the correct value (null), otherwise if we were resetting then it will contain the new pword
var result = new ModelWithNotifications<string>(passwordChangeResult.Result.ResetPassword);
result.AddSuccessNotification(ui.Text("user", "password"), ui.Text("user", "passwordChanged"));
return result;
}
//it wasn't successful, so add the change error to the model state, we've name the property alias _umb_password on the form
// so that is why it is being used here.
ModelState.AddPropertyError(
passwordChangeResult.Result.ChangeError,
string.Format("{0}password", Constants.PropertyEditors.InternalGenericPropertiesPrefix));
throw new HttpResponseException(Request.CreateValidationErrorResponse(ModelState));
}
/// <summary>
/// Returns all active users
/// </summary>
/// <returns></returns>
public IEnumerable<UserBasic> GetAll()
{
return Services.UserService.GetAllUsers().Where(x => x.IsLockedOut == false).Select(Mapper.Map<UserBasic>);
}
}
}
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Security;
using AutoMapper;
using Umbraco.Core.Configuration;
using Umbraco.Web.Models;
using Umbraco.Web.Models.ContentEditing;
using Umbraco.Web.Models.Mapping;
using Umbraco.Web.Mvc;
using Umbraco.Web.UI;
using Umbraco.Web.WebApi;
using umbraco;
using legacyUser = umbraco.BusinessLogic.User;
using System.Net.Http;
using System.Collections.Specialized;
using Constants = Umbraco.Core.Constants;
namespace Umbraco.Web.Editors
{
/// <summary>
/// Controller to back the User.Resource service, used for fetching user data when already authenticated. user.service is currently used for handling authentication
/// </summary>
[PluginController("UmbracoApi")]
public class CurrentUserController : UmbracoAuthorizedJsonController
{
/// <summary>
/// Returns the configuration for the backoffice user membership provider - used to configure the change password dialog
/// </summary>
/// <returns></returns>
public IDictionary<string, object> GetMembershipProviderConfig()
{
var provider = Membership.Providers[UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider];
if (provider == null)
{
throw new InvalidOperationException("No back office membership provider found with the name " + UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider);
}
return provider.GetConfiguration();
}
/// <summary>
/// Changes the users password
/// </summary>
/// <param name="data"></param>
/// <returns>
/// If the password is being reset it will return the newly reset password, otherwise will return an empty value
/// </returns>
public ModelWithNotifications<string> PostChangePassword(ChangingPasswordModel data)
{
var userProvider = Membership.Providers[UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider];
if (userProvider == null)
{
throw new InvalidOperationException("No membership provider found with the name " + UmbracoConfig.For.UmbracoSettings().Providers.DefaultBackOfficeUserProvider);
}
//TODO: WE need to support this! - requires UI updates, etc...
if (userProvider.RequiresQuestionAndAnswer)
{
throw new NotSupportedException("Currently the user editor does not support providers that have RequiresQuestionAndAnswer specified");
}
var passwordChangeResult = Security.ChangePassword(Security.CurrentUser.Username, data, userProvider);
if (passwordChangeResult.Success)
{
//even if we weren't resetting this, it is the correct value (null), otherwise if we were resetting then it will contain the new pword
var result = new ModelWithNotifications<string>(passwordChangeResult.Result.ResetPassword);
result.AddSuccessNotification(ui.Text("user", "password"), ui.Text("user", "passwordChanged"));
return result;
}
//it wasn't successful, so add the change error to the model state, we've name the property alias _umb_password on the form
// so that is why it is being used here.
ModelState.AddPropertyError(
passwordChangeResult.Result.ChangeError,
string.Format("{0}password", Constants.PropertyEditors.InternalGenericPropertiesPrefix));
throw new HttpResponseException(Request.CreateValidationErrorResponse(ModelState));
}
}
}

2
src/Umbraco.Web/Umbraco.Web.csproj
View File

@@ -362,7 +362,7 @@
<Compile Include="Editors\EntityController.cs" />
<Compile Include="Editors\MediaPostValidateAttribute.cs" />
<Compile Include="Editors\MemberController.cs" />
<Compile Include="Editors\UserController.cs" />
<Compile Include="Editors\CurrentUserController.cs" />
<Compile Include="Install\Steps\MajorUpgradeReport.cs" />
<Compile Include="Models\ContentEditing\DashboardControl.cs" />
<Compile Include="Models\ContentEditing\DataTypeDisplay.cs" />