From 8d291efedd90d0aa43048caff0de8b31cd7dd96c Mon Sep 17 00:00:00 2001
From: Sebastiaan Janssen <sebastiaan@umbraco.com>
Date: Sun, 4 Sep 2016 11:44:16 +0200
Subject: [PATCH] In the spirit of DRY: centralized IsAdmin() check in an
 extension method Made sure that non-admins can't trigger the enable/disable
 URL tracker endpoint Renamed "admin" in GetEnableState to "isUserAdmin" for
 clarity

---
 src/Umbraco.Core/Models/UserExtensions.cs       | 17 ++++++++++++++---
 .../developer/redirecturls.controller.js        |  4 ++--
 .../views/dashboard/developer/redirecturls.html |  2 +-
 .../Editors/RedirectUrlManagementController.cs  | 16 ++++++++++++++--
 .../Editors/UpdateCheckController.cs            |  6 ++----
 src/umbraco.businesslogic/User.cs               |  3 ++-
 6 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/src/Umbraco.Core/Models/UserExtensions.cs b/src/Umbraco.Core/Models/UserExtensions.cs
index 5b9f63cf48..ece63b4889 100644
--- a/src/Umbraco.Core/Models/UserExtensions.cs
+++ b/src/Umbraco.Core/Models/UserExtensions.cs
@@ -1,8 +1,5 @@
 using System;
 using System.Globalization;
-using System.Linq;
-using System.Threading;
-using Umbraco.Core.Models.Identity;
 using Umbraco.Core.Models.Membership;
 using Umbraco.Core.Services;
 
@@ -83,5 +80,19 @@ namespace Umbraco.Core.Models
             if (media == null) throw new ArgumentNullException("media");
             return HasPathAccess(media.Path, user.StartMediaId, Constants.System.RecycleBinMedia);
         }
+
+
+        /// <summary>
+        /// Determines whether this user is an admin.
+        /// </summary>
+        /// <param name="user"></param>
+        /// <returns>
+        /// 	<c>true</c> if this user is admin; otherwise, <c>false</c>.
+        /// </returns>
+        public static bool IsAdmin(this IUser user)
+        {
+            if (user == null) throw new ArgumentNullException("user");
+            return user.UserType.Alias == "admin";
+        }
     }
 }
\ No newline at end of file
diff --git a/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.controller.js b/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.controller.js
index 98e7ea6b1e..2d34974d7c 100644
--- a/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.controller.js
+++ b/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.controller.js
@@ -15,7 +15,7 @@
             searchTerm: "",
             loading: false,
             urlTrackerDisabled: false,
-            admin: false
+            userIsAdmin: false
         };
 
         vm.pagination = {
@@ -43,7 +43,7 @@
             vm.dashboard.loading = true;
             return redirectUrlsResource.getEnableState().then(function (response) {
                 vm.dashboard.urlTrackerDisabled = response.enabled !== true;
-                vm.dashboard.admin = response.admin;
+                vm.dashboard.userIsAdmin = response.userIsAdmin;
                 vm.dashboard.loading = false;
             });
         }
diff --git a/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.html b/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.html
index c885a77997..c083f9a429 100644
--- a/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.html
+++ b/src/Umbraco.Web.UI.Client/src/views/dashboard/developer/redirecturls.html
@@ -6,7 +6,7 @@
 
         <umb-editor-sub-header-content-right>
 
-            <umb-editor-sub-header-section ng-if="vm.dashboard.admin === true">
+            <umb-editor-sub-header-section ng-if="vm.dashboard.userIsAdmin === true">
 
                 <button
                     ng-if="vm.dashboard.urlTrackerDisabled === false"
diff --git a/src/Umbraco.Web/Editors/RedirectUrlManagementController.cs b/src/Umbraco.Web/Editors/RedirectUrlManagementController.cs
index 2270e250c8..8ccfd6dde7 100644
--- a/src/Umbraco.Web/Editors/RedirectUrlManagementController.cs
+++ b/src/Umbraco.Web/Editors/RedirectUrlManagementController.cs
@@ -4,7 +4,10 @@ using System.Xml;
 using System.Collections.Generic;
 using System.Linq;
 using AutoMapper;
+using umbraco.businesslogic.Exceptions;
 using Umbraco.Core.Configuration;
+using Umbraco.Core.Logging;
+using Umbraco.Core.Models;
 using Umbraco.Web.Models.ContentEditing;
 using Umbraco.Web.Mvc;
 using Umbraco.Web.WebApi;
@@ -24,8 +27,8 @@ namespace Umbraco.Web.Editors
         public IHttpActionResult GetEnableState()
         {
             var enabled = UmbracoConfig.For.UmbracoSettings().WebRouting.DisableRedirectUrlTracking == false;
-            var admin = Umbraco.UmbracoContext.Security.CurrentUser.UserType.Alias == "admin"; // assuming this is what qualifies admins
-            return Ok(new { enabled, admin });
+            var userIsAdmin = Umbraco.UmbracoContext.Security.CurrentUser.IsAdmin();
+            return Ok(new { enabled, userIsAdmin });
         }
 
         //add paging
@@ -66,6 +69,15 @@ namespace Umbraco.Web.Editors
         [HttpPost]
         public IHttpActionResult ToggleUrlTracker(bool disable)
         {
+            var userIsAdmin = Umbraco.UmbracoContext.Security.CurrentUser.IsAdmin();
+            if (userIsAdmin == false)
+            {
+                var errorMessage = string.Format("User of type {0} is not allowed to toggle the URL tracker", 
+                    Umbraco.UmbracoContext.Security.CurrentUser.UserType.Alias);
+                LogHelper.Debug<RedirectUrlManagementController>(errorMessage);
+                throw new UserAuthorizationException(errorMessage);
+            }
+
             var httpContext = TryGetHttpContext();
             if (httpContext.Success == false) throw new InvalidOperationException("Cannot acquire HttpContext");
             var configFilePath = httpContext.Result.Server.MapPath("~/config/umbracoSettings.config");
diff --git a/src/Umbraco.Web/Editors/UpdateCheckController.cs b/src/Umbraco.Web/Editors/UpdateCheckController.cs
index 8f159d308d..e42ef0ffb9 100644
--- a/src/Umbraco.Web/Editors/UpdateCheckController.cs
+++ b/src/Umbraco.Web/Editors/UpdateCheckController.cs
@@ -1,12 +1,10 @@
 using System;
-using System.Collections.Generic;
 using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
-using System.Text;
-using System.Threading.Tasks;
 using System.Web.Http.Filters;
 using Umbraco.Core.Configuration;
+using Umbraco.Core.Models;
 using Umbraco.Web.Models;
 using Umbraco.Web.Mvc;
 
@@ -20,7 +18,7 @@ namespace Umbraco.Web.Editors
         {
             var updChkCookie = Request.Headers.GetCookies("UMB_UPDCHK").FirstOrDefault();
             var updateCheckCookie = updChkCookie != null ? updChkCookie["UMB_UPDCHK"].Value : "";            
-            if (GlobalSettings.VersionCheckPeriod > 0 && string.IsNullOrEmpty(updateCheckCookie) && Security.CurrentUser.UserType.Alias == "admin")
+            if (GlobalSettings.VersionCheckPeriod > 0 && string.IsNullOrEmpty(updateCheckCookie) && Security.CurrentUser.IsAdmin())
             {
                 try
                 {
diff --git a/src/umbraco.businesslogic/User.cs b/src/umbraco.businesslogic/User.cs
index b7beb7db5d..59b6c19a41 100644
--- a/src/umbraco.businesslogic/User.cs
+++ b/src/umbraco.businesslogic/User.cs
@@ -184,9 +184,10 @@ namespace umbraco.BusinessLogic
         /// <returns>
         /// 	<c>true</c> if this user is admin; otherwise, <c>false</c>.
         /// </returns>
+        [Obsolete("Use Umbraco.Core.Models.IsAdmin extension method instead", false)]
         public bool IsAdmin()
         {
-            return UserType.Alias == "admin";
+            return UserEntity.IsAdmin();
         }
 
         [Obsolete("Do not use this method to validate credentials, use the user's membership provider to do authentication. This method will not work if the password format is 'Encrypted'")]