Merge pull request from GHSA-cfr5-7p54-4qg8

* Bump version * Apply authorization policies to controllers * Return bad request if we urltracking is disabled * Apply authorization policies to controllers * Return bad request if we urltracking is disabled --------- Co-authored-by: Bjarke Berg <mail@bergmania.dk> Co-authored-by: Zeegaan <nge@umbraco.dk>
2023-12-11 13:59:59 +01:00
parent be5a740c96
commit cdd4d2a000
5 changed files with 21 additions and 2 deletions
--- a/src/Umbraco.Web.BackOffice/Controllers/AnalyticsController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/AnalyticsController.cs
@@ -1,9 +1,12 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Authorization;

 namespace Umbraco.Cms.Web.BackOffice.Controllers;

+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class AnalyticsController : UmbracoAuthorizedJsonController
 {
    private readonly IMetricsConsentService _metricsConsentService;
--- a/src/Umbraco.Web.BackOffice/Controllers/LanguageController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/LanguageController.cs
@@ -18,6 +18,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers;
 ///     Backoffice controller supporting the dashboard for language administration.
 /// </summary>
 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class LanguageController : UmbracoAuthorizedJsonController
 {
    private readonly ILocalizationService _localizationService;
--- a/src/Umbraco.Web.BackOffice/Controllers/PublishedSnapshotCacheStatusController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/PublishedSnapshotCacheStatusController.cs
@@ -1,13 +1,16 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Cache;
 using Umbraco.Cms.Core.PublishedCache;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Extensions;

 namespace Umbraco.Cms.Web.BackOffice.Controllers;

 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class PublishedSnapshotCacheStatusController : UmbracoAuthorizedApiController
 {
    private readonly DistributedCache _distributedCache;
--- a/src/Umbraco.Web.BackOffice/Controllers/RedirectUrlManagementController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/RedirectUrlManagementController.cs
@@ -2,6 +2,7 @@
 // See LICENSE for more details.

 using System.Security;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -14,11 +15,13 @@ using Umbraco.Cms.Core.Models.ContentEditing;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Extensions;

 namespace Umbraco.Cms.Web.BackOffice.Controllers;

 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessContent)]
 public class RedirectUrlManagementController : UmbracoAuthorizedApiController
 {
    private readonly IBackOfficeSecurityAccessor _backofficeSecurityAccessor;
@@ -45,6 +48,8 @@ public class RedirectUrlManagementController : UmbracoAuthorizedApiController
        _configManipulator = configManipulator ?? throw new ArgumentNullException(nameof(configManipulator));
    }

+    private bool IsEnabled => _webRoutingSettings.CurrentValue.DisableRedirectUrlTracking == false;
+
    /// <summary>
    ///     Returns true/false of whether redirect tracking is enabled or not
    /// </summary>
@@ -52,9 +57,8 @@ public class RedirectUrlManagementController : UmbracoAuthorizedApiController
    [HttpGet]
    public IActionResult GetEnableState()
    {
-        var enabled = _webRoutingSettings.CurrentValue.DisableRedirectUrlTracking == false;
        var userIsAdmin = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.IsAdmin() ?? false;
-        return Ok(new { enabled, userIsAdmin });
+        return Ok(new { enabled = IsEnabled, userIsAdmin });
    }

    //add paging
@@ -104,6 +108,11 @@ public class RedirectUrlManagementController : UmbracoAuthorizedApiController
    [HttpPost]
    public IActionResult DeleteRedirectUrl(Guid id)
    {
+        if (IsEnabled is false)
+        {
+            return BadRequest("Redirect URL tracking is disabled, and therefore no URLs can be deleted.");
+        }
+
        _redirectUrlService.Delete(id);
        return Ok();
    }
--- a/src/Umbraco.Web.BackOffice/Controllers/StylesheetController.cs
+++ b/src/Umbraco.Web.BackOffice/Controllers/StylesheetController.cs
@@ -1,8 +1,10 @@
+using Microsoft.AspNetCore.Authorization;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.ContentEditing;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Extensions;
 using Stylesheet = Umbraco.Cms.Core.Models.ContentEditing.Stylesheet;

@@ -12,6 +14,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers;
 ///     The API controller used for retrieving available stylesheets
 /// </summary>
 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class StylesheetController : UmbracoAuthorizedJsonController
 {
    private readonly IFileService _fileService;