From 68488eb5a72853f74863f88f42e580cadd7dc48b Mon Sep 17 00:00:00 2001 From: Elitsa Marinovska Date: Thu, 4 Jun 2020 13:55:07 +0200 Subject: [PATCH] Another round of injecting webSecurity directly --- .../OutgoingEditorModelEventAttribute.cs | 13 ++++++++----- .../Editors/Filters/ContentModelValidator.cs | 9 +++++---- .../Editors/Filters/MemberSaveModelValidator.cs | 7 ++++--- .../Mvc/UmbracoAuthorizeAttribute.cs | 17 ++++++++--------- .../WebApi/UmbracoAuthorizeAttribute.cs | 16 +++++++--------- 5 files changed, 32 insertions(+), 30 deletions(-) diff --git a/src/Umbraco.Web.BackOffice/Filters/OutgoingEditorModelEventAttribute.cs b/src/Umbraco.Web.BackOffice/Filters/OutgoingEditorModelEventAttribute.cs index 5c9e646ba0..d433ba9886 100644 --- a/src/Umbraco.Web.BackOffice/Filters/OutgoingEditorModelEventAttribute.cs +++ b/src/Umbraco.Web.BackOffice/Filters/OutgoingEditorModelEventAttribute.cs @@ -1,7 +1,9 @@ -using Microsoft.AspNetCore.Mvc; +using System; +using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc.Filters; using Umbraco.Core; using Umbraco.Web.Editors; +using Umbraco.Web.Security; namespace Umbraco.Web.WebApi.Filters { @@ -11,10 +13,12 @@ namespace Umbraco.Web.WebApi.Filters internal sealed class OutgoingEditorModelEventAttribute : ActionFilterAttribute { private readonly IUmbracoContextAccessor _umbracoContextAccessor; + private readonly IWebSecurity _webSecurity; - public OutgoingEditorModelEventAttribute(IUmbracoContextAccessor umbracoContextAccessor) + public OutgoingEditorModelEventAttribute(IUmbracoContextAccessor umbracoContextAccessor, IWebSecurity webSecurity) { - _umbracoContextAccessor = umbracoContextAccessor; + _umbracoContextAccessor = umbracoContextAccessor ?? throw new ArgumentNullException(nameof(umbracoContextAccessor)); + _webSecurity = webSecurity ?? throw new ArgumentNullException(nameof(webSecurity)); } public override void OnActionExecuted(ActionExecutedContext context) 
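Review bot: The constructor in the `@@ -11,10 +13,12 @@` hunk now stores an `IWebSecurity` in a readonly field, where the filter previously held only `IUmbracoContextAccessor` and looked the security object up on each call. If `IWebSecurity` is request-scoped (its registration is not visible in this patch), a filter instance that is cached or reused across requests would read `CurrentUser` from the request that created it. The same applies to the `WebSecurity` property introduced on `ContentModelValidator` and passed through `MemberSaveModelValidator`. I would add a comment above the field such as `// IWebSecurity is per-request state: this filter must be created per request, never registered as reusable or singleton`, and confirm that the DI lifetime matches.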
@@ -22,7 +26,7 @@ namespace Umbraco.Web.WebApi.Filters if (context.Result == null) return; var umbracoContext = _umbracoContextAccessor.GetRequiredUmbracoContext(); - var user = umbracoContext.Security.CurrentUser; + var user = _webSecurity.CurrentUser; if (user == null) return; if (context.Result is ObjectResult objectContent) @@ -41,6 +45,5 @@ namespace Umbraco.Web.WebApi.Filters base.OnActionExecuted(context); } - } } diff --git a/src/Umbraco.Web/Editors/Filters/ContentModelValidator.cs b/src/Umbraco.Web/Editors/Filters/ContentModelValidator.cs index bd27a872d0..7841e547aa 100644 --- a/src/Umbraco.Web/Editors/Filters/ContentModelValidator.cs +++ b/src/Umbraco.Web/Editors/Filters/ContentModelValidator.cs @@ -10,6 +10,7 @@ using Umbraco.Core.Models; using Umbraco.Core.PropertyEditors; using Umbraco.Core.Services; using Umbraco.Web.Models.ContentEditing; +using Umbraco.Web.Security; namespace Umbraco.Web.Editors.Filters { @@ -18,13 +19,13 @@ namespace Umbraco.Web.Editors.Filters /// internal abstract class ContentModelValidator { - protected IUmbracoContextAccessor UmbracoContextAccessor { get; } + protected IWebSecurity WebSecurity { get; } protected ILogger Logger { get; } - protected ContentModelValidator(ILogger logger, IUmbracoContextAccessor umbracoContextAccessor) + protected ContentModelValidator(ILogger logger, IWebSecurity webSecurity) { Logger = logger ?? throw new ArgumentNullException(nameof(logger)); - UmbracoContextAccessor = umbracoContextAccessor ?? throw new ArgumentNullException(nameof(umbracoContextAccessor)); + WebSecurity = webSecurity ?? throw new ArgumentNullException(nameof(webSecurity)); } } 
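Review bot: In the `@@ -22,7 +26,7 @@` hunk of OutgoingEditorModelEventAttribute.cs, `umbracoContext` is still fetched with `GetRequiredUmbracoContext()` on the line above, although the user now comes from `_webSecurity.CurrentUser`, so the method reads request state from two sources. The rest of `OnActionExecuted` lies outside the hunk, so it is not visible whether the local is used further down. If it is not, remove that line and the accessor field so that a missing context cannot throw here. If it is, a short comment such as `// umbracoContext is still needed below; the user is read from the injected IWebSecurity` would show the split is intentional.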
@@ -45,7 +46,7 @@ namespace Umbraco.Web.Editors.Filters { private readonly ILocalizedTextService _textService; - protected ContentModelValidator(ILogger logger, IUmbracoContextAccessor umbracoContextAccessor, ILocalizedTextService textService) : base(logger, umbracoContextAccessor) + protected ContentModelValidator(ILogger logger, IWebSecurity webSecurity, ILocalizedTextService textService) : base(logger, webSecurity) { _textService = textService ?? throw new ArgumentNullException(nameof(textService)); } diff --git a/src/Umbraco.Web/Editors/Filters/MemberSaveModelValidator.cs b/src/Umbraco.Web/Editors/Filters/MemberSaveModelValidator.cs index 1b2ddf2ace..77dc1a1c27 100644 --- a/src/Umbraco.Web/Editors/Filters/MemberSaveModelValidator.cs +++ b/src/Umbraco.Web/Editors/Filters/MemberSaveModelValidator.cs @@ -11,6 +11,7 @@ using Umbraco.Core.Models; using Umbraco.Core.Services; using Umbraco.Core.Strings; using Umbraco.Web.Models.ContentEditing; +using Umbraco.Web.Security; namespace Umbraco.Web.Editors.Filters { @@ -25,12 +26,12 @@ namespace Umbraco.Web.Editors.Filters public MemberSaveModelValidator( ILogger logger, - IUmbracoContextAccessor umbracoContextAccessor, + IWebSecurity webSecurity, ILocalizedTextService textService, IMemberTypeService memberTypeService, IMemberService memberService, IShortStringHelper shortStringHelper) - : base(logger, umbracoContextAccessor, textService) + : base(logger, webSecurity, textService) { _memberTypeService = memberTypeService ?? throw new ArgumentNullException(nameof(memberTypeService)); _memberService = memberService ?? throw new ArgumentNullException(nameof(memberService)); 
@@ -101,7 +102,7 @@ namespace Umbraco.Web.Editors.Filters //if the user doesn't have access to sensitive values, then we need to validate the incoming properties to check //if a sensitive value is being submitted. - if (UmbracoContextAccessor.UmbracoContext.Security.CurrentUser.HasAccessToSensitiveData() == false) + if (WebSecurity.CurrentUser.HasAccessToSensitiveData() == false) { var contentType = _memberTypeService.Get(model.PersistedContent.ContentTypeId); var sensitiveProperties = contentType diff --git a/src/Umbraco.Web/Mvc/UmbracoAuthorizeAttribute.cs b/src/Umbraco.Web/Mvc/UmbracoAuthorizeAttribute.cs index dc647a5fe3..b5c6185069 100644 --- a/src/Umbraco.Web/Mvc/UmbracoAuthorizeAttribute.cs +++ b/src/Umbraco.Web/Mvc/UmbracoAuthorizeAttribute.cs @@ -4,6 +4,7 @@ using System.Web.Mvc; using Umbraco.Core; using Umbraco.Web.Composing; using Umbraco.Core.Configuration; +using Umbraco.Web.Security; namespace Umbraco.Web.Mvc { 
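Review bot: `WebSecurity.CurrentUser.HasAccessToSensitiveData()` in the `@@ -101,7 +102,7 @@` hunk dereferences `CurrentUser` without a null check, while OutgoingEditorModelEventAttribute in this same patch treats a null `CurrentUser` as a possible case (`if (user == null) return;`). Unless `HasAccessToSensitiveData` is an extension method that tolerates null, a request with no back-office user would end this sensitive-data check in an exception rather than a validation result. I would make the deny path explicit: `var currentUser = WebSecurity.CurrentUser;` followed by `if (currentUser == null || currentUser.HasAccessToSensitiveData() == false)`, so that a missing user is handled as having no access to sensitive values. The enclosing method starts and ends outside the hunk.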
@@ -12,25 +13,23 @@ namespace Umbraco.Web.Mvc public sealed class UmbracoAuthorizeAttribute : AuthorizeAttribute { // see note in HttpInstallAuthorizeAttribute - private readonly IUmbracoContext _umbracoContext; + private readonly IWebSecurity _webSecurity; private readonly IRuntimeState _runtimeState; private readonly string _redirectUrl; private IRuntimeState RuntimeState => _runtimeState ?? Current.RuntimeState; - private IUmbracoContext UmbracoContext => _umbracoContext ?? Current.UmbracoContext; + private IWebSecurity WebSecurity => _webSecurity ?? Current.UmbracoContext.Security; /// /// THIS SHOULD BE ONLY USED FOR UNIT TESTS /// - /// + /// /// - public UmbracoAuthorizeAttribute(IUmbracoContext umbracoContext, IRuntimeState runtimeState) + public UmbracoAuthorizeAttribute(IWebSecurity webSecurity, IRuntimeState runtimeState) { - if (umbracoContext == null) throw new ArgumentNullException(nameof(umbracoContext)); - if (runtimeState == null) throw new ArgumentNullException(nameof(runtimeState)); - _umbracoContext = umbracoContext; - _runtimeState = runtimeState; + _webSecurity = webSecurity ?? throw new ArgumentNullException(nameof(webSecurity)); + _runtimeState = runtimeState ?? throw new ArgumentNullException(nameof(runtimeState)); } /// @@ -75,7 +74,7 @@ namespace Umbraco.Web.Mvc // otherwise we need to ensure that a user is logged in return RuntimeState.Level == RuntimeLevel.Install || RuntimeState.Level == RuntimeLevel.Upgrade - || UmbracoContext.Security.ValidateCurrentUser(); + || WebSecurity.ValidateCurrentUser(); } catch (Exception) { diff --git a/src/Umbraco.Web/WebApi/UmbracoAuthorizeAttribute.cs b/src/Umbraco.Web/WebApi/UmbracoAuthorizeAttribute.cs index 000c4860c6..69c697d0fc 100644 --- a/src/Umbraco.Web/WebApi/UmbracoAuthorizeAttribute.cs +++ b/src/Umbraco.Web/WebApi/UmbracoAuthorizeAttribute.cs 
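Review bot: The fallback in `private IWebSecurity WebSecurity => _webSecurity ?? Current.UmbracoContext.Security;` (hunk `@@ -12,25 +13,23 @@`) dereferences `Current.UmbracoContext` without a null check, and the only visible handler is the `catch (Exception)` in the `@@ -75,7 +74,7 @@` hunk, whose body is outside the patch. If that handler denies the request, the outcome is fail-closed, but a missing context is then indistinguishable from a failed login and leaves no trace. I would write `_webSecurity ?? Current.UmbracoContext?.Security` and, before the `return`, add `if (WebSecurity == null) return false;` with a log entry, so the deny is explicit. The same property and call appear in src/Umbraco.Web/WebApi/UmbracoAuthorizeAttribute.cs (`@@ -19,24 +19,22 @@` and `@@ -60,7 +58,7 @@`).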
@@ -19,24 +19,22 @@ namespace Umbraco.Web.WebApi internal static bool Enable = true; // TODO: inject! - private readonly IUmbracoContext _umbracoContext; + private readonly IWebSecurity _webSecurity; private readonly IRuntimeState _runtimeState; private IRuntimeState RuntimeState => _runtimeState ?? Current.RuntimeState; - private IUmbracoContext UmbracoContext => _umbracoContext ?? Current.UmbracoContext; + private IWebSecurity WebSecurity => _webSecurity ?? Current.UmbracoContext.Security; /// /// THIS SHOULD BE ONLY USED FOR UNIT TESTS /// - /// + /// /// - public UmbracoAuthorizeAttribute(IUmbracoContext umbracoContext, IRuntimeState runtimeState) + public UmbracoAuthorizeAttribute(IWebSecurity webSecurity, IRuntimeState runtimeState) { - if (umbracoContext == null) throw new ArgumentNullException(nameof(umbracoContext)); - if (runtimeState == null) throw new ArgumentNullException(nameof(runtimeState)); - _umbracoContext = umbracoContext; - _runtimeState = runtimeState; + _webSecurity = webSecurity ?? throw new ArgumentNullException(nameof(webSecurity)); + _runtimeState = runtimeState ?? throw new ArgumentNullException(nameof(runtimeState)); } public UmbracoAuthorizeAttribute() : this(true) @@ -60,7 +58,7 @@ namespace Umbraco.Web.WebApi // otherwise we need to ensure that a user is logged in return RuntimeState.Level == RuntimeLevel.Install || RuntimeState.Level == RuntimeLevel.Upgrade - || UmbracoContext.Security.ValidateCurrentUser(false, _requireApproval) == ValidateRequestAttempt.Success; + || WebSecurity.ValidateCurrentUser(false, _requireApproval) == ValidateRequestAttempt.Success; } catch (Exception) {