AB#6233 - Install in .NET Core

2020-04-20 12:20:47 +02:00
parent 9335f39495
commit 79e9235338
59 changed files with 1593 additions and 350 deletions
--- a/src/Umbraco.Web.Common/Attributes/AngularJsonOnlyConfigurationAttribute.cs
+++ b/src/Umbraco.Web.Common/Attributes/AngularJsonOnlyConfigurationAttribute.cs
@@ -0,0 +1,36 @@
+using System.Buffers;
+using System.Collections.Generic;
+using System.Text.Json;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.AspNetCore.Mvc.Formatters;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Newtonsoft.Json;
+using Umbraco.Web.Common.Formatters;
+
+namespace Umbraco.Web.Common.Attributes
+{
+    /// <summary>
+    /// Applying this attribute to any controller will ensure that it only contains one json formatter compatible with the angular json vulnerability prevention.
+    /// </summary>
+    public class AngularJsonOnlyConfigurationAttribute : ActionFilterAttribute
+    {
+
+        public override void OnResultExecuting(ResultExecutingContext context)
+        {
+
+            var mvcNewtonsoftJsonOptions = context.HttpContext.RequestServices.GetService<IOptions<MvcNewtonsoftJsonOptions>>();
+            var arrayPool = context.HttpContext.RequestServices.GetService<ArrayPool<char>>();
+            var mvcOptions = context.HttpContext.RequestServices.GetService<IOptions<MvcOptions>>();
+
+
+            if (context.Result is ObjectResult objectResult)
+            {
+                objectResult.Formatters.Add(new AngularJsonMediaTypeFormatter(mvcNewtonsoftJsonOptions.Value.SerializerSettings, arrayPool, mvcOptions.Value));
+            }
+
+            base.OnResultExecuting(context);
+        }
+    }
+}
--- a/src/Umbraco.Web.Common/Attributes/FeatureAuthorizeAttribute.cs
+++ b/src/Umbraco.Web.Common/Attributes/FeatureAuthorizeAttribute.cs
@@ -0,0 +1,51 @@
+
+using System;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Controllers;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.AspNetCore.Mvc.Rendering;
+using Microsoft.Extensions.DependencyInjection;
+using Umbraco.Web.Features;
+using Umbraco.Core;
+using Umbraco.Web.Install;
+
+namespace Umbraco.Web.WebApi.Filters
+{
+    /// <summary>
+    /// Ensures that the controller is an authorized feature.
+    /// </summary>
+    /// <remarks>Else returns unauthorized.</remarks>
+    public class FeatureAuthorizeAttribute : TypeFilterAttribute
+    {
+        public FeatureAuthorizeAttribute() : base(typeof(FeatureAuthorizeFilter))
+        {
+        }
+
+        private class FeatureAuthorizeFilter : IAuthorizationFilter
+        {
+            public void OnAuthorization(AuthorizationFilterContext context)
+            {
+                var serviceProvider = context.HttpContext.RequestServices;
+                var umbracoFeatures = serviceProvider.GetService<UmbracoFeatures>();
+
+                if (!IsAllowed(context, umbracoFeatures))
+                {
+                    context.Result = new ForbidResult();
+                }
+            }
+
+            private static bool IsAllowed(AuthorizationFilterContext context, UmbracoFeatures umbracoFeatures)
+            {
+                // if no features resolver has been set then return true, this will occur in unit
+                // tests and we don't want users to have to set a resolver
+                //just so their unit tests work.
+
+                if (umbracoFeatures == null) return true;
+                if (!(context.ActionDescriptor is ControllerActionDescriptor contextActionDescriptor)) return true;
+
+                var controllerType = contextActionDescriptor.ControllerTypeInfo.AsType();
+                return umbracoFeatures.IsControllerEnabled(controllerType);
+            }
+        }
+    }
+}
--- a/src/Umbraco.Web.Common/Attributes/IsBackOfficeAttribute.cs
+++ b/src/Umbraco.Web.Common/Attributes/IsBackOfficeAttribute.cs
@@ -0,0 +1,13 @@
+using System;
+
+namespace Umbraco.Web.Common.Attributes
+{
+    /// <summary>
+    /// When applied to an api controller it will be routed to the /Umbraco/BackOffice prefix route so we can determine if it
+    /// is a back office route or not.
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
+    public sealed class IsBackOfficeAttribute : Attribute
+    {
+    }
+}
--- a/src/Umbraco.Web.Common/Attributes/PluginControllerAttribute.cs
+++ b/src/Umbraco.Web.Common/Attributes/PluginControllerAttribute.cs
@@ -0,0 +1,30 @@
+using System;
+using System.Linq;
+
+namespace Umbraco.Web.Common.Attributes
+{
+    /// <summary>
+    /// Indicates that a controller is a plugin tree controller and should be routed to its own area.
+    /// </summary>
+    [AttributeUsage(AttributeTargets.Class, AllowMultiple = false)]
+    public class PluginControllerAttribute : Attribute
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="PluginControllerAttribute"/> class.
+        /// </summary>
+        /// <param name="areaName"></param>
+        public PluginControllerAttribute(string areaName)
+        {
+            // validate this, only letters and digits allowed.
+            if (areaName.Any(c => !char.IsLetterOrDigit(c)))
+                throw new FormatException($"Invalid area name \"{areaName}\": the area name can only contains letters and digits.");
+
+            AreaName = areaName;
+        }
+
+        /// <summary>
+        /// Gets the name of the area.
+        /// </summary>
+        public string AreaName { get; }
+    }
+}