U4 10147 - Bypass User Security option in pickers (#2441)

2019-03-23 04:51:36 -07:00
parent 4e1634754b
commit cc9a7ff942
35 changed files with 3025 additions and 2780 deletions
--- a/src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
+++ b/src/Umbraco.Web/Trees/ContentTreeControllerBase.cs
@@ -69,7 +69,7 @@ namespace Umbraco.Web.Trees
        {
            var node = base.CreateRootNode(queryStrings);

-            if (IsDialog(queryStrings) && UserStartNodes.Contains(Constants.System.Root) == false)
+            if (IsDialog(queryStrings) && UserStartNodes.Contains(Constants.System.Root) == false && IgnoreUserStartNodes(queryStrings) == false)
            {
                node.AdditionalData["noAccess"] = true;
            }
@@ -91,7 +91,7 @@ namespace Umbraco.Web.Trees
        {
            bool hasPathAccess;
            var entityIsAncestorOfStartNodes = Security.CurrentUser.IsInBranchOfStartNode(e, Services.EntityService, RecycleBinId, out hasPathAccess);
-            if (entityIsAncestorOfStartNodes == false)
+            if (IgnoreUserStartNodes(queryStrings) == false && entityIsAncestorOfStartNodes == false)
                return null;

            var treeNode = GetSingleTreeNode(e, parentId, queryStrings);
@@ -101,7 +101,7 @@ namespace Umbraco.Web.Trees
                //the node so we need to return null;
                return null;
            }
-            if (hasPathAccess == false)
+            if (IgnoreUserStartNodes(queryStrings) == false && hasPathAccess == false)
            {
                treeNode.AdditionalData["noAccess"] = true;
            }
@@ -141,7 +141,7 @@ namespace Umbraco.Web.Trees

                // ensure that the user has access to that node, otherwise return the empty tree nodes collection
                // TODO: in the future we could return a validation statement so we can have some UI to notify the user they don't have access
-                if (HasPathAccess(id, queryStrings) == false)
+                if (IgnoreUserStartNodes(queryStrings) == false && HasPathAccess(id, queryStrings) == false)
                {
                    LogHelper.Warn<ContentTreeControllerBase>("User " + Security.CurrentUser.Username + " does not have access to node with id " + id);
                    return nodes;
@@ -158,7 +158,7 @@ namespace Umbraco.Web.Trees

            // get child entities - if id is root, but user's start nodes do not contain the
            // root node, this returns the start nodes instead of root's children
-            var entities = GetChildEntities(id).ToList();
+            var entities = GetChildEntities(id, queryStrings).ToList();
            nodes.AddRange(entities.Select(x => GetSingleTreeNodeWithAccessCheck(x, id, queryStrings)).Where(x => x != null));

            // if the user does not have access to the root node, what we have is the start nodes,
@@ -190,7 +190,7 @@ namespace Umbraco.Web.Trees

        protected abstract UmbracoObjectTypes UmbracoObjectType { get; }

-        protected IEnumerable<IUmbracoEntity> GetChildEntities(string id)
+        protected IEnumerable<IUmbracoEntity> GetChildEntities(string id, FormDataCollection queryStrings)
        {
            // try to parse id as an integer else use GetEntityFromId
            // which will grok Guids, Udis, etc and let use obtain the id