Migrates UmbracoBackOfficeAuthorizeAttribute to authz policies and adds notes/questions
@@ -110,8 +110,8 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// <summary>
|
||||
/// Returns the configuration for the backoffice user membership provider - used to configure the change password dialog
|
||||
/// </summary>
|
||||
/// <returns></returns>
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
/// <returns></returns>
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
public IDictionary<string, object> GetPasswordConfig(int userId)
|
||||
{
|
||||
return _passwordConfiguration.GetConfiguration(userId != _backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser.Id);
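Review bot: The swap to `[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]` is only equivalent to the bare `[UmbracoBackOfficeAuthorize]` it replaces if the policy enforces the attribute's defaults; the other hunks map `requireApproval: false` to `BackOfficeAccessWithoutApproval` and `requireApproval : true` to `BackOfficeAccess`, which suggests `BackOfficeAccess` requires approval, but the policy definition is not part of this commit. A one-line pointer would make the contract visible at the call site, e.g. `// BackOfficeAccess: authenticated back office user, approval required (see AuthorizationPolicies)`. The same bare-attribute mapping is made in the PostUnLinkLogin, GetCurrentUser, GetGridConfig, ServerVariables, LinkLogin, ExternalLinkLoginCallback, Frame and DashboardController hunks. GetPasswordConfig's body continues outside the hunk.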
|
||||
@@ -157,7 +157,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
return _umbracoMapper.Map<UserDisplay>(user);
|
||||
}
|
||||
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[ValidateAngularAntiForgeryToken]
|
||||
public async Task<IActionResult> PostUnLinkLogin(UnLinkLoginModel unlinkLoginModel)
|
||||
{
|
||||
@@ -242,7 +242,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// is valid before the login screen is displayed. The Auth cookie can be persisted for up to a day but the csrf cookies are only session
|
||||
/// cookies which means that the auth cookie could be valid but the csrf cookies are no longer there, in that case we need to re-set the csrf cookies.
|
||||
/// </remarks>
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[SetAngularAntiForgeryTokens]
|
||||
//[CheckIfUserTicketDataIsStale] // TODO: Migrate this, though it will need to be done differently at the cookie auth level
|
||||
public UserDetail GetCurrentUser()
|
||||
@@ -264,7 +264,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// <remarks>
|
||||
/// We cannot user GetCurrentUser since that requires they are approved, this is the same as GetCurrentUser but doesn't require them to be approved
|
||||
/// </remarks>
|
||||
[UmbracoBackOfficeAuthorize(redirectToUmbracoLogin: false, requireApproval: false)]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccessWithoutApproval)]
|
||||
[SetAngularAntiForgeryTokens]
|
||||
[Authorize(Policy = AuthorizationPolicies.DenyLocalLoginIfConfigured)]
|
||||
public ActionResult<UserDetail> GetCurrentInvitedUser()
|
||||
|
||||
@@ -34,6 +34,8 @@ using Microsoft.AspNetCore.Identity;
|
||||
using System.Security.Claims;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Umbraco.Web.Security;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Umbraco.Web.Common.Authorization;
|
||||
|
||||
namespace Umbraco.Web.BackOffice.Controllers
|
||||
{
|
||||
@@ -231,7 +233,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
return nestedDictionary;
|
||||
}
|
||||
|
||||
[UmbracoBackOfficeAuthorize(Order = 0)]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[HttpGet]
|
||||
public IEnumerable<IGridEditorConfig> GetGridConfig()
|
||||
{
|
||||
@@ -242,7 +244,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// Returns the JavaScript object representing the static server variables javascript object
|
||||
/// </summary>
|
||||
/// <returns></returns>
|
||||
[UmbracoBackOfficeAuthorize(Order = 0)]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[MinifyJavaScriptResult(Order = 1)]
|
||||
public async Task<JavaScriptResult> ServerVariables()
|
||||
{
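Review bot: The `Order = 0` on the removed attribute is dropped in the replacement on ServerVariables (and in the GetGridConfig hunk above); that looks deliberate, since `AuthorizeAttribute` has no `Order` property, but the intent it expressed — authorization before `[MinifyJavaScriptResult(Order = 1)]` — is now implicit. In ASP.NET Core the authorization filter stage runs before resource, action and result filters regardless of `Order`, so the ordering is preserved; a short comment such as `// authorization always runs first; Order on MinifyJavaScriptResult only orders it against other non-authorization filters` would stop a future reader from re-adding an ordering workaround. ServerVariables' body continues outside the hunk.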
|
||||
@@ -278,7 +280,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// </summary>
|
||||
/// <param name="provider"></param>
|
||||
/// <returns></returns>
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[HttpPost]
|
||||
public ActionResult LinkLogin(string provider)
|
||||
{
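Review bot: LinkLogin is a `[HttpPost]` action now guarded only by the `BackOfficeAccess` policy, while the sibling POST `PostUnLinkLogin` in the first file also carries `[ValidateAngularAntiForgeryToken]`; the commit keeps that asymmetry without saying whether it is intended. If it is intentional because this action only issues the external challenge and the callback validates its own state, a comment stating that would help, e.g. `// no anti-forgery filter: this only starts the external challenge; the callback validates the returned state`; otherwise the filter should be added here as well. The method body continues outside the hunk.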
|
||||
@@ -314,7 +316,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// <summary>
|
||||
/// Callback path when the user initiates a link login request from the back office to the external provider from the <see cref="LinkLogin(string)"/> action
|
||||
/// </summary>
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[HttpGet]
|
||||
public async Task<IActionResult> ExternalLinkLoginCallback()
|
||||
{
|
||||
|
||||
@@ -130,7 +130,8 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// </summary>
|
||||
/// <returns></returns>
|
||||
[HttpGet]
|
||||
[UmbracoBackOfficeAuthorize, OverrideAuthorization]
|
||||
// TODO: Does this override work? What is best practices for this?
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess), OverrideAuthorization]
|
||||
public bool AllowsCultureVariation()
|
||||
{
|
||||
var contentTypes = _contentTypeService.GetAll();
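Review bot: The new TODO ("Does this override work?") on AllowsCultureVariation can be answered in the commit rather than left open: if `OverrideAuthorization` is the System.Web.Http attribute carried over from the old Web API stack, it has no meaning in ASP.NET Core MVC, where `[Authorize]` attributes on the controller and the action are combined and every policy must pass. A less restrictive action-level check than the controller's policy therefore cannot be expressed by stacking attributes; only `[AllowAnonymous]` removes the requirement, and a different policy has to be applied by removing the controller-level one. Suggest replacing the TODO with `// NOTE: authorization requirements in ASP.NET Core are additive; OverrideAuthorization does not relax the controller-level policy — confirm and remove`. AllowsCultureVariation's body continues outside the hunk.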
|
||||
|
||||
@@ -27,6 +27,8 @@ using Umbraco.Web.Common.Exceptions;
|
||||
using Umbraco.Web.Common.Filters;
|
||||
using Umbraco.Web.Models;
|
||||
using Umbraco.Web.Models.ContentEditing;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Umbraco.Web.Common.Authorization;
|
||||
|
||||
namespace Umbraco.Web.BackOffice.Controllers
|
||||
{
|
||||
@@ -170,7 +172,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// <remarks>
|
||||
/// This only works when the user is logged in (partially)
|
||||
/// </remarks>
|
||||
[UmbracoBackOfficeAuthorize(redirectToUmbracoLogin: false, requireApproval : true)]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)] // TODO: Why is this necessary? This inherits from UmbracoAuthorizedApiController
|
||||
public async Task<UserDetail> PostSetInvitedUserPassword([FromBody]string newPassword)
|
||||
{
|
||||
var user = await _backOfficeUserManager.FindByIdAsync(_backofficeSecurityAccessor.BackOfficeSecurity.GetUserId().ResultOr(0).ToString());
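Review bot: The TODO beside the new `[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]` asks why the attribute is needed when the base controller supposedly carries it; in ASP.NET Core the attributes on controller and action are combined and each policy must pass, so if `UmbracoAuthorizedApiController` really applies the same policy the action-level copy is redundant but harmless. The removed attribute spelled out `requireApproval : true`, so the duplicate may have been kept on purpose to make the requirement visible next to the `<remarks>` about a partially logged in user; either confirm the base-class policy and delete the attribute, or replace the question with `// redundant with the controller-level policy; kept explicit because the remarks above describe a partially logged in user`. The same TODO appears on GetCurrentUserLinkedLogins in the next hunk. The method body continues outside the hunk.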
|
||||
@@ -236,7 +238,8 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
throw HttpResponseException.CreateValidationErrorResponse(ModelState);
|
||||
}
|
||||
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
// TODO: Why is this necessary? This inherits from UmbracoAuthorizedApiController
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[ValidateAngularAntiForgeryToken]
|
||||
public async Task<Dictionary<string, string>> GetCurrentUserLinkedLogins()
|
||||
{
|
||||
|
||||
@@ -20,6 +20,8 @@ using Umbraco.Web.BackOffice.Filters;
|
||||
using Umbraco.Web.Common.Attributes;
|
||||
using Umbraco.Web.Common.Controllers;
|
||||
using Umbraco.Web.Common.Filters;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Umbraco.Web.Common.Authorization;
|
||||
|
||||
namespace Umbraco.Web.BackOffice.Controllers
|
||||
{
|
||||
@@ -28,7 +30,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
[ValidationFilter]
|
||||
[AngularJsonOnlyConfiguration] // TODO: This could be applied with our Application Model conventions
|
||||
[IsBackOffice]
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
public class DashboardController : UmbracoApiController
|
||||
{
|
||||
private readonly IUmbracoContextAccessor _umbracoContextAccessor;
|
||||
|
||||
@@ -25,6 +25,8 @@ using Umbraco.Web.Services;
|
||||
using Umbraco.Web.Trees;
|
||||
using Umbraco.Web.WebAssets;
|
||||
using Constants = Umbraco.Core.Constants;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Umbraco.Web.Common.Authorization;
|
||||
|
||||
namespace Umbraco.Web.BackOffice.Controllers
|
||||
{
|
||||
@@ -66,8 +68,10 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
|
||||
// TODO: This should really be refactored. Redirection/Challenge is part of Authentication, not part of authorization directly
|
||||
// We only use this redirectToUmbracoLogin flag in this one instance. I think this
|
||||
// should be handled as part of the preview authentication process instead.
|
||||
[UmbracoBackOfficeAuthorize(redirectToUmbracoLogin: true, requireApproval : false)]
|
||||
// should be handled as part of the preview authentication process instead.
|
||||
// I'm actually not even sure this is required? Wouldn't we automatically redirect to the umbraco login screen anyway here?
|
||||
//[UmbracoBackOfficeAuthorize(redirectToUmbracoLogin: true, requireApproval : false)]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccessWithoutApproval)]
|
||||
[DisableBrowserCache]
|
||||
public ActionResult Index()
|
||||
{
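Review bot: The commented-out attribute carried `redirectToUmbracoLogin: true`, and the replacement `[Authorize(Policy = AuthorizationPolicies.BackOfficeAccessWithoutApproval)]` on Index does not say what an unauthenticated request now gets, so the question in the new comment ("wouldn't we automatically redirect?") stays open in code. With a plain `[Authorize]` the failure response is the challenge of the selected authentication scheme — a cookie scheme redirects to its login path, a token scheme returns 401 — and since no `AuthenticationSchemes` is given here, which scheme is challenged depends on the default scheme or on what the policy itself names. Please confirm the back office cookie scheme is the one challenged for preview and record it, e.g. `// unauthenticated requests are challenged by the back office cookie scheme, which redirects to the login page`. Index's body continues outside the hunk.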
|
||||
@@ -110,7 +114,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// The endpoint that is loaded within the preview iframe
|
||||
/// </summary>
|
||||
/// <returns></returns>
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
public ActionResult Frame(int id, string culture)
|
||||
{
|
||||
EnterPreview(id);
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Umbraco.Web.BackOffice.Filters;
|
||||
using Umbraco.Web.Common.Attributes;
|
||||
using Umbraco.Web.Common.Authorization;
|
||||
using Umbraco.Web.Common.Controllers;
|
||||
using Umbraco.Web.Common.Filters;
|
||||
|
||||
@@ -16,7 +18,7 @@ namespace Umbraco.Web.BackOffice.Controllers
|
||||
/// </remarks>
|
||||
[IsBackOffice]
|
||||
[UmbracoUserTimeoutFilter]
|
||||
[UmbracoBackOfficeAuthorize]
|
||||
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)]
|
||||
[DisableBrowserCache]
|
||||
[RequireHttps]
|
||||
[CheckIfUserTicketDataIsStale]
|
||||
|
||||