Implements more BackOfficeController and AuthenticationController, some web security and more, gets the back office UI almost rendering

This commit is contained in:
Shannon
2020-05-25 23:15:32 +10:00
parent 0730867d74
commit 9dcad544a9
16 changed files with 611 additions and 222 deletions


@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Security;
using System.Text;
using Microsoft.AspNetCore.Http;
using Umbraco.Composing;
@@ -8,6 +9,7 @@ using Umbraco.Core.Configuration;
using Umbraco.Core.Hosting;
using Umbraco.Core.Models.Membership;
using Umbraco.Core.Services;
using Umbraco.Extensions;
using Umbraco.Web.Security;
namespace Umbraco.Web.Common.Security
@@ -17,10 +19,16 @@ namespace Umbraco.Web.Common.Security
public class WebSecurity : IWebSecurity
{
private readonly IUserService _userService;
private readonly IGlobalSettings _globalSettings;
private readonly IHostingEnvironment _hostingEnvironment;
private readonly IHttpContextAccessor _httpContextAccessor;
public WebSecurity(IUserService userService)
public WebSecurity(IUserService userService, IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment, IHttpContextAccessor httpContextAccessor)
{
_userService = userService;
_globalSettings = globalSettings;
_hostingEnvironment = hostingEnvironment;
_httpContextAccessor = httpContextAccessor;
}
private IUser _currentUser;
@@ -46,7 +54,13 @@ namespace Umbraco.Web.Common.Security
public ValidateRequestAttempt AuthorizeRequest(bool throwExceptions = false)
{
return ValidateRequestAttempt.Success;
// check for secure connection
if (_globalSettings.UseHttps && !_httpContextAccessor.GetRequiredHttpContext().Request.IsHttps)
{
if (throwExceptions) throw new SecurityException("This installation requires a secure connection (via SSL). Please update the URL to include https://");
return ValidateRequestAttempt.FailedNoSsl;
}
return ValidateCurrentUser(throwExceptions);
}
public void ClearCurrentLogin()
@@ -61,7 +75,8 @@ namespace Umbraco.Web.Common.Security
public bool IsAuthenticated()
{
return true;
var httpContext = _httpContextAccessor.HttpContext;
return httpContext?.User != null && httpContext.User.Identity.IsAuthenticated && httpContext.GetCurrentIdentity() != null;
}
public double PerformLogin(int userId)
@@ -81,7 +96,31 @@ namespace Umbraco.Web.Common.Security
public ValidateRequestAttempt ValidateCurrentUser(bool throwExceptions, bool requiresApproval = true)
{
//This will first check if the current user is already authenticated - which should be the case in nearly all circumstances
// since the authentication happens in the Module, that authentication also checks the ticket expiry. We don't
// need to check it a second time because that requires another decryption phase and nothing can tamper with it during the request.
if (IsAuthenticated() == false)
{
//There is no user
if (throwExceptions) throw new InvalidOperationException("The user has no umbraco contextid - try logging in");
return ValidateRequestAttempt.FailedNoContextId;
}
var user = CurrentUser;
// Check for console access
if (user == null || (requiresApproval && user.IsApproved == false) || (user.IsLockedOut && RequestIsInUmbracoApplication(_httpContextAccessor, _globalSettings, _hostingEnvironment)))
{
if (throwExceptions) throw new ArgumentException("You have no privileges to the umbraco console. Please contact your administrator");
return ValidateRequestAttempt.FailedNoPrivileges;
}
return ValidateRequestAttempt.Success;
}
private static bool RequestIsInUmbracoApplication(IHttpContextAccessor httpContextAccessor, IGlobalSettings globalSettings, IHostingEnvironment hostingEnvironment)
{
return httpContextAccessor.GetRequiredHttpContext().Request.Path.ToString().IndexOf(hostingEnvironment.ToAbsolute(globalSettings.UmbracoPath), StringComparison.InvariantCultureIgnoreCase) > -1;
}
}
}
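Review bot: `RequestIsInUmbracoApplication` decides whether a locked-out user is rejected by a substring search (`IndexOf(...) > -1`) over the raw request path, so any URL containing the back-office path anywhere (e.g. `/content/umbraco/...`) is treated as a back-office request, while the only thing the check is meant to express is a path prefix; `PathString` already has a segment-aware comparison for this, `return httpContextAccessor.GetRequiredHttpContext().Request.Path.StartsWithSegments(hostingEnvironment.ToAbsolute(globalSettings.UmbracoPath), StringComparison.OrdinalIgnoreCase);`, which also swaps the culture-sensitive `InvariantCultureIgnoreCase` for the ordinal comparison paths should use. The over-match is fail-safe for lock-out (it rejects more, not less), but the lock-out gate is still skipped entirely for paths outside the back office, which appears to be the intended behaviour and is worth a one-line comment on the `IsLockedOut` condition in `ValidateCurrentUser`. In `AuthorizeRequest`, `Request.IsHttps` reports the scheme of the connection the app itself terminates, so behind a TLS-terminating proxy the `UseHttps` check will fail every request unless forwarded-headers middleware is configured upstream; a comment there, `// IsHttps reflects the hop to this process; configure ForwardedHeaders when TLS terminates at a proxy`, would save the next reader a debugging session. The comment in `ValidateCurrentUser` still refers to "the Module" doing authentication and ticket-expiry checks, which is the legacy HttpModule wording and is not established by anything in this file; it should name the ASP.NET Core authentication middleware or be hedged.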