yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #4994 from umbraco/temp-user-controller-authz

Browse Source 
Fixes the authorization for certain endpoints on the UsersController
This commit is contained in:
Bjarke Berg
2019-03-15 12:27:50 +01:00
committed by GitHub
parent 92453c4652 d74ec8f8cb
commit 7d67a734f0
4 changed files with 68 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/Umbraco.Web/Editors/UsersController.cs
View File

@@ -82,6 +82,7 @@ namespace Umbraco.Web.Editors
[AppendUserModifiedHeader("id")]
[FileUploadCleanupFilter(false)]
[AdminUsersAuthorize]
public async Task<HttpResponseMessage> PostSetAvatar(int id)
{
return await PostSetAvatarInternal(Request, Services.UserService, ApplicationContext.ApplicationCache.StaticCache, id);
@@ -145,6 +146,7 @@ namespace Umbraco.Web.Editors
}
[AppendUserModifiedHeader("id")]
[AdminUsersAuthorize]
public HttpResponseMessage PostClearAvatar(int id)
{
var found = Services.UserService.GetUserById(id);
@@ -183,6 +185,7 @@ namespace Umbraco.Web.Editors
/// <param name="id"></param>
/// <returns></returns>
[OutgoingEditorModelEvent]
[AdminUsersAuthorize]
public UserDisplay GetById(int id)
{
var user = Services.UserService.GetUserById(id);
@@ -602,12 +605,13 @@ namespace Umbraco.Web.Editors
display.AddSuccessNotification(Services.TextService.Localize("speechBubbles/operationSavedHeader"), Services.TextService.Localize("speechBubbles/editUserSaved"));
return display;
}
}
/// <summary>
/// Disables the users with the given user ids
/// </summary>
/// <param name="userIds"></param>
[AdminUsersAuthorize("userIds")]
public HttpResponseMessage PostDisableUsers([FromUri]int[] userIds)
{
if (userIds.Contains(Security.GetUserId()))
@@ -638,6 +642,7 @@ namespace Umbraco.Web.Editors
/// Enables the users with the given user ids
/// </summary>
/// <param name="userIds"></param>
[AdminUsersAuthorize("userIds")]
public HttpResponseMessage PostEnableUsers([FromUri]int[] userIds)
{
var users = Services.UserService.GetUsersById(userIds).ToArray();
@@ -661,6 +666,7 @@ namespace Umbraco.Web.Editors
/// Unlocks the users with the given user ids
/// </summary>
/// <param name="userIds"></param>
[AdminUsersAuthorize("userIds")]
public async Task<HttpResponseMessage> PostUnlockUsers([FromUri]int[] userIds)
{
if (userIds.Length <= 0)
@@ -693,6 +699,7 @@ namespace Umbraco.Web.Editors
Services.TextService.Localize("speechBubbles/unlockUsersSuccess", new[] { userIds.Length.ToString() }));
}
[AdminUsersAuthorize("userIds")]
public HttpResponseMessage PostSetUserGroupsOnUsers([FromUri]string[] userGroupAliases, [FromUri]int[] userIds)
{
var users = Services.UserService.GetUsersById(userIds).ToArray();
@@ -718,7 +725,8 @@ namespace Umbraco.Web.Editors
/// Limited to users that haven't logged in to avoid issues with related records constrained
/// with a foreign key on the user Id
/// </remarks>
public async Task<HttpResponseMessage> PostDeleteNonLoggedInUser(int id)
[AdminUsersAuthorize]
public HttpResponseMessage PostDeleteNonLoggedInUser(int id)
{
var user = Services.UserService.GetUserById(id);
if (user == null)

1
src/Umbraco.Web/Umbraco.Web.csproj
View File

@@ -832,6 +832,7 @@
<Compile Include="WebApi\Binders\BlueprintItemBinder.cs" />
<Compile Include="WebApi\Binders\MemberBinder.cs" />
<Compile Include="WebApi\EnableDetailedErrorsAttribute.cs" />
<Compile Include="WebApi\Filters\AdminUsersAuthorizeAttribute.cs" />
<Compile Include="WebApi\Filters\AngularAntiForgeryHelper.cs" />
<Compile Include="WebApi\Filters\AppendCurrentEventMessagesAttribute.cs" />
<Compile Include="WebApi\Filters\AppendUserModifiedHeaderAttribute.cs" />

56
src/Umbraco.Web/WebApi/Filters/AdminUsersAuthorizeAttribute.cs Normal file
View File

@@ -0,0 +1,56 @@
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using Umbraco.Core;
using Umbraco.Web.Editors;
namespace Umbraco.Web.WebApi.Filters
{
/// <summary>
/// if the users being edited is an admin then we must ensure that the current user is also an admin
/// </summary>
/// <remarks>
/// This will authorize against one or multiple ids
/// </remarks>
public sealed class AdminUsersAuthorizeAttribute : AuthorizeAttribute
{
private readonly string _parameterName;
public AdminUsersAuthorizeAttribute(string parameterName)
{
_parameterName = parameterName;
}
public AdminUsersAuthorizeAttribute() : this("id")
{
}
protected override bool IsAuthorized(HttpActionContext actionContext)
{
int[] userIds;
if (actionContext.ActionArguments.TryGetValue(_parameterName, out var userId))
{
var intUserId = userId.TryConvertTo<int>();
if (intUserId)
userIds = new[] {intUserId.Result};
else return base.IsAuthorized(actionContext);
}
else
{
var queryString = actionContext.Request.GetQueryNameValuePairs();
var ids = queryString.Where(x => x.Key == _parameterName).ToArray();
if (ids.Length == 0)
return base.IsAuthorized(actionContext);
userIds = ids.Select(x => x.Value.TryConvertTo<int>()).Where(x => x.Success).Select(x => x.Result).ToArray();
}
if (userIds.Length == 0) return base.IsAuthorized(actionContext);
var users = ApplicationContext.Current.Services.UserService.GetUsersById(userIds);
var authHelper = new UserEditorAuthorizationHelper(ApplicationContext.Current.Services.ContentService, ApplicationContext.Current.Services.MediaService, ApplicationContext.Current.Services.UserService, ApplicationContext.Current.Services.EntityService);
return users.All(user => authHelper.IsAuthorized(UmbracoContext.Current.Security.CurrentUser, user, null, null, null) != false);
}
}
}

3
src/Umbraco.Web/WebApi/Filters/UmbracoApplicationAuthorizeAttribute.cs
View File

@@ -1,5 +1,4 @@
using System.Linq;
using System.Web.Http;
using System.Web.Http.Controllers;
namespace Umbraco.Web.WebApi.Filters
@@ -41,4 +40,4 @@ namespace Umbraco.Web.WebApi.Filters
return authorized;
}
}
}
}