yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adds notes, only run back office authz policies on the back office scheme

Browse Source
This commit is contained in:
Shannon
2020-11-20 14:59:08 +11:00
parent e7b4c5a811
commit 84c2f75a27
4 changed files with 257 additions and 150 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/Umbraco.Web.BackOffice/Controllers/PreviewController.cs
View File

@@ -64,6 +64,9 @@ namespace Umbraco.Web.BackOffice.Controllers
_viewEngines = viewEngines;
}
// TODO: This should really be refactored. Redirection/Challenge is part of Authentication, not part of authorization directly
// We only use this redirectToUmbracoLogin flag in this one instance. I think this
// should be handled as part of the preview authentication process instead.
[UmbracoBackOfficeAuthorize(redirectToUmbracoLogin: true, requireApproval : false)]
[DisableBrowserCache]
public ActionResult Index()

187
src/Umbraco.Web.BackOffice/Extensions/BackOfficeServiceCollectionExtensions.cs
View File

@@ -118,10 +118,7 @@ namespace Umbraco.Extensions
private static void AddBackOfficeAuthorizationPolicies(this IServiceCollection services)
{
// NOTE: Even though we are registering these handlers globally they will only actually execute their logic for
// any auth defining a matching requirement. We don't want to get in the way of end-users own aspnet logic
// and although these will trigger for any of their requests that need authorization, the logic won't actually execute.
// Basically all registered IAuthorizationHandler will execute for all requests requiring authorization but their logic
// won't trigger unless the requirement/policy matches.
// any auth defining a matching requirement and scheme.
services.AddSingleton<IAuthorizationHandler, UmbracoTreeAuthorizeHandler>();
services.AddSingleton<IAuthorizationHandler, UmbracoSectionAuthorizeHandler>();
@@ -133,135 +130,245 @@ namespace Umbraco.Extensions
{
options.AddPolicy(AuthorizationPolicies.AdminUserEditsRequireAdmin, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new AdminUsersAuthorizeRequirement());
policy.Requirements.Add(new AdminUsersAuthorizeRequirement("userIds"));
});
options.AddPolicy(AuthorizationPolicies.UserBelongsToUserGroupInRequest, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new UserGroupAuthorizeRequirement());
policy.Requirements.Add(new UserGroupAuthorizeRequirement("userGroupIds"));
});
options.AddPolicy(AuthorizationPolicies.DenyLocalLoginIfConfigured, policy =>
policy.Requirements.Add(new DenyLocalLoginRequirement()));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new DenyLocalLoginRequirement());
});
options.AddPolicy(AuthorizationPolicies.SectionAccessContent, policy =>
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Content)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Content));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessContentOrMedia, policy =>
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Content, Constants.Applications.Media)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Content, Constants.Applications.Media));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessUsers, policy =>
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Users)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Users));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessForTinyMce, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(
Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Members)));
Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Members));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessMedia, policy =>
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Media)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Media));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessMembers, policy =>
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Members)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Members));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessPackages, policy =>
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Packages)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Packages));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessSettings, policy =>
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Settings)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(Constants.Applications.Settings));
});
//We will not allow the tree to render unless the user has access to any of the sections that the tree gets rendered
// this is not ideal but until we change permissions to be tree based (not section) there's not much else we can do here.
options.AddPolicy(AuthorizationPolicies.SectionAccessForContentTree, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(
Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Users,
Constants.Applications.Settings, Constants.Applications.Packages, Constants.Applications.Members)));
Constants.Applications.Settings, Constants.Applications.Packages, Constants.Applications.Members));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessForMediaTree, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(
Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Users,
Constants.Applications.Settings, Constants.Applications.Packages, Constants.Applications.Members)));
Constants.Applications.Settings, Constants.Applications.Packages, Constants.Applications.Members));
});
options.AddPolicy(AuthorizationPolicies.SectionAccessForMemberTree, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(
Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Members)));
Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Members));
});
// Permission is granted to this policy if the user has access to any of these sections: Content, media, settings, developer, members
options.AddPolicy(AuthorizationPolicies.SectionAccessForDataTypeReading, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new SectionAliasesRequirement(
Constants.Applications.Content, Constants.Applications.Media, Constants.Applications.Members,
Constants.Applications.Settings, Constants.Applications.Packages)));
Constants.Applications.Settings, Constants.Applications.Packages));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessDocuments, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Content)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Content));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessUsers, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Users)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Users));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessPartialViews, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.PartialViews)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.PartialViews));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessPartialViewMacros, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.PartialViewMacros)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.PartialViewMacros));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessPackages, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Packages)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Packages));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessLogs, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.LogViewer)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.LogViewer));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessDataTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DataTypes)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DataTypes));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessTemplates, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Templates)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Templates));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessMemberTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MemberTypes)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MemberTypes));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessRelationTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.RelationTypes)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.RelationTypes));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessDocumentTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DocumentTypes)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DocumentTypes));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessMemberGroups, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MemberGroups)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MemberGroups));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessMediaTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MediaTypes)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MediaTypes));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessMacros, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Macros)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Macros));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessLanguages, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Languages)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Languages));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessDocumentTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Dictionary)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Dictionary));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessDictionary, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Dictionary, Constants.Trees.Dictionary)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Dictionary, Constants.Trees.Dictionary));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessDictionaryOrTemplates, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Dictionary, Constants.Trees.Templates)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.Dictionary, Constants.Trees.Templates));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DocumentTypes, Constants.Trees.Content)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DocumentTypes, Constants.Trees.Content));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessMediaOrMediaTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MediaTypes, Constants.Trees.Media)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MediaTypes, Constants.Trees.Media));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessMembersOrMemberTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MemberTypes, Constants.Trees.Members)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.MemberTypes, Constants.Trees.Members));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessAnySchemaTypes, policy =>
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DataTypes, Constants.Trees.DocumentTypes, Constants.Trees.MediaTypes, Constants.Trees.MemberTypes)));
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(Constants.Trees.DataTypes, Constants.Trees.DocumentTypes, Constants.Trees.MediaTypes, Constants.Trees.MemberTypes));
});
options.AddPolicy(AuthorizationPolicies.TreeAccessAnyContentOrTypes, policy =>
{
policy.AuthenticationSchemes.Add(Constants.Security.BackOfficeAuthenticationType);
policy.Requirements.Add(new TreeAliasesRequirement(
Constants.Trees.DocumentTypes, Constants.Trees.Content,
Constants.Trees.MediaTypes, Constants.Trees.Media,
Constants.Trees.MemberTypes, Constants.Trees.Members)));
Constants.Trees.MemberTypes, Constants.Trees.Members));
});
});
}
}

107
src/Umbraco.Web.Common/Filters/UmbracoBackOfficeAuthorizeAttribute.cs
View File

@@ -1,4 +1,11 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Routing;
using System;
using Umbraco.Core;
using Umbraco.Core.Hosting;
using Umbraco.Core.Security;
using Umbraco.Extensions;
namespace Umbraco.Web.Common.Filters
{
@@ -33,5 +40,105 @@ namespace Umbraco.Web.Common.Filters
{
Arguments = new object[] { redirectUrl };
}
/// <summary>
/// Ensures authorization is successful for a back office user.
/// </summary>
private class UmbracoBackOfficeAuthorizeFilter : IAuthorizationFilter
{
private readonly bool _requireApproval;
/// <summary>
/// Can be used by unit tests to enable/disable this filter
/// </summary>
internal static bool Enable = true;
private readonly IHostingEnvironment _hostingEnvironment;
private readonly IUmbracoContextAccessor _umbracoContext;
private readonly IRuntimeState _runtimeState;
private readonly LinkGenerator _linkGenerator;
// TODO: This should really be refactored. Redirection/Challenge is part of Authentication, not part of authorization directly
// We only use this redirectToUmbracoLogin flag in this one instance. I think this
// should be handled as part of the preview authentication process instead.
private readonly bool _redirectToUmbracoLogin;
private string _redirectUrl;
private UmbracoBackOfficeAuthorizeFilter(
IHostingEnvironment hostingEnvironment,
IUmbracoContextAccessor umbracoContext,
IRuntimeState runtimeState, LinkGenerator linkGenerator,
bool redirectToUmbracoLogin, bool requireApproval, string redirectUrl)
{
_hostingEnvironment = hostingEnvironment ?? throw new ArgumentNullException(nameof(hostingEnvironment));
_umbracoContext = umbracoContext ?? throw new ArgumentNullException(nameof(umbracoContext));
_runtimeState = runtimeState ?? throw new ArgumentNullException(nameof(runtimeState));
_linkGenerator = linkGenerator ?? throw new ArgumentNullException(nameof(linkGenerator));
_redirectToUmbracoLogin = redirectToUmbracoLogin;
_redirectUrl = redirectUrl;
_requireApproval = requireApproval;
}
/// <summary>
/// Default constructor
/// </summary>
/// <param name="hostingEnvironment"></param>
/// <param name="umbracoContext"></param>
/// <param name="runtimeState"></param>
/// <param name="linkGenerator"></param>
/// <param name="redirectUrl"></param>
public UmbracoBackOfficeAuthorizeFilter(
IHostingEnvironment hostingEnvironment,
IUmbracoContextAccessor umbracoContext,
IRuntimeState runtimeState, LinkGenerator linkGenerator,
string redirectUrl) : this(hostingEnvironment, umbracoContext, runtimeState, linkGenerator, false, false, redirectUrl)
{
}
public UmbracoBackOfficeAuthorizeFilter(
IHostingEnvironment hostingEnvironment,
IUmbracoContextAccessor umbracoContext,
IRuntimeState runtimeState, LinkGenerator linkGenerator,
bool redirectToUmbracoLogin, bool requireApproval) : this(hostingEnvironment, umbracoContext, runtimeState, linkGenerator, redirectToUmbracoLogin, requireApproval, null)
{
}
public void OnAuthorization(AuthorizationFilterContext context)
{
if (!IsAuthorized())
{
if (_redirectToUmbracoLogin)
{
_redirectUrl = _linkGenerator.GetBackOfficeUrl(_hostingEnvironment);
}
if (!_redirectUrl.IsNullOrWhiteSpace())
{
context.Result = new RedirectResult(_redirectUrl);
}
else
{
context.Result = new ForbidResult();
}
}
}
private bool IsAuthorized()
{
if (Enable == false)
return true;
try
{
// if not configured (install or upgrade) then we can continue
// otherwise we need to ensure that a user is logged in
return _runtimeState.Level == RuntimeLevel.Install
|| _runtimeState.Level == RuntimeLevel.Upgrade
|| _umbracoContext.UmbracoContext?.Security.ValidateCurrentUser(false, _requireApproval) == ValidateRequestAttempt.Success;
}
catch (Exception)
{
return false;
}
}
}
}
}

110
src/Umbraco.Web.Common/Filters/UmbracoBackOfficeAuthorizeFilter.cs
View File

@@ -1,110 +0,0 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Routing;
using System;
using Umbraco.Core;
using Umbraco.Core.Security;
using Umbraco.Extensions;
using Umbraco.Web.Security;
using IHostingEnvironment = Umbraco.Core.Hosting.IHostingEnvironment;
namespace Umbraco.Web.Common.Filters
{
/// <summary>
/// Ensures authorization is successful for a back office user.
/// </summary>
public class UmbracoBackOfficeAuthorizeFilter : IAuthorizationFilter
{
private readonly bool _requireApproval;
/// <summary>
/// Can be used by unit tests to enable/disable this filter
/// </summary>
internal static bool Enable = true;
private readonly IHostingEnvironment _hostingEnvironment;
private readonly IUmbracoContextAccessor _umbracoContext;
private readonly IRuntimeState _runtimeState;
private readonly LinkGenerator _linkGenerator;
private readonly bool _redirectToUmbracoLogin;
private string _redirectUrl;
private UmbracoBackOfficeAuthorizeFilter(
IHostingEnvironment hostingEnvironment,
IUmbracoContextAccessor umbracoContext,
IRuntimeState runtimeState, LinkGenerator linkGenerator,
bool redirectToUmbracoLogin, bool requireApproval, string redirectUrl)
{
_hostingEnvironment = hostingEnvironment ?? throw new ArgumentNullException(nameof(hostingEnvironment));
_umbracoContext = umbracoContext ?? throw new ArgumentNullException(nameof(umbracoContext));
_runtimeState = runtimeState ?? throw new ArgumentNullException(nameof(runtimeState));
_linkGenerator = linkGenerator ?? throw new ArgumentNullException(nameof(linkGenerator));
_redirectToUmbracoLogin = redirectToUmbracoLogin;
_redirectUrl = redirectUrl;
_requireApproval = requireApproval;
}
/// <summary>
/// Default constructor
/// </summary>
/// <param name="hostingEnvironment"></param>
/// <param name="umbracoContext"></param>
/// <param name="runtimeState"></param>
/// <param name="linkGenerator"></param>
/// <param name="redirectUrl"></param>
public UmbracoBackOfficeAuthorizeFilter(
IHostingEnvironment hostingEnvironment,
IUmbracoContextAccessor umbracoContext,
IRuntimeState runtimeState, LinkGenerator linkGenerator,
string redirectUrl) : this(hostingEnvironment, umbracoContext, runtimeState, linkGenerator, false, false, redirectUrl)
{
}
public UmbracoBackOfficeAuthorizeFilter(
IHostingEnvironment hostingEnvironment,
IUmbracoContextAccessor umbracoContext,
IRuntimeState runtimeState, LinkGenerator linkGenerator,
bool redirectToUmbracoLogin, bool requireApproval) : this(hostingEnvironment, umbracoContext, runtimeState, linkGenerator, redirectToUmbracoLogin, requireApproval, null)
{
}
public void OnAuthorization(AuthorizationFilterContext context)
{
if (!IsAuthorized())
{
if (_redirectToUmbracoLogin)
{
_redirectUrl = _linkGenerator.GetBackOfficeUrl(_hostingEnvironment);
}
if (!_redirectUrl.IsNullOrWhiteSpace())
{
context.Result = new RedirectResult(_redirectUrl);
}
else
{
context.Result = new ForbidResult();
}
}
}
private bool IsAuthorized()
{
if (Enable == false)
return true;
try
{
// if not configured (install or upgrade) then we can continue
// otherwise we need to ensure that a user is logged in
return _runtimeState.Level == RuntimeLevel.Install
|| _runtimeState.Level == RuntimeLevel.Upgrade
|| _umbracoContext.UmbracoContext?.Security.ValidateCurrentUser(false, _requireApproval) == ValidateRequestAttempt.Success;
}
catch (Exception)
{
return false;
}
}
}
}