diff --git a/src/Umbraco.Web/Editors/MediaController.cs b/src/Umbraco.Web/Editors/MediaController.cs
index 3ca4195a26..ee6b175355 100644
--- a/src/Umbraco.Web/Editors/MediaController.cs
+++ b/src/Umbraco.Web/Editors/MediaController.cs
@@ -413,7 +413,69 @@ namespace Umbraco.Web.Editors
}
return Request.CreateResponse(HttpStatusCode.OK);
- }
+ }
+
+ ///
+ /// Given a parent id which could be a GUID, UDI or an INT, this will resolve the INT
+ ///
+ ///
+ ///
+ /// If true, this will check if the current user has access to the resolved integer parent id
+ /// and if that check fails an unauthorized exception will occur
+ ///
+ ///
+ private int GetParentIdAsInt(string parentId, bool validatePermissions)
+ {
+ int intParentId;
+ GuidUdi parentUdi;
+
+ // test for udi
+ if (GuidUdi.TryParse(parentId, out parentUdi))
+ {
+ parentId = parentUdi.Guid.ToString();
+ }
+
+ //if it's not an INT then we'll check for GUID
+ if (int.TryParse(parentId, out intParentId) == false)
+ {
+ // if a guid then try to look up the entity
+ Guid idGuid;
+ if (Guid.TryParse(parentId, out idGuid))
+ {
+ var entity = Services.EntityService.GetByKey(idGuid);
+ if (entity != null)
+ {
+ intParentId = entity.Id;
+ }
+ else
+ {
+ throw new EntityNotFoundException(parentId, "The passed id doesn't exist");
+ }
+ }
+ else
+ {
+ throw new HttpResponseException(
+ Request.CreateValidationErrorResponse("The request was not formatted correctly, the parentId is not an integer, Guid or UDI"));
+ }
+ }
+
+ //ensure the user has access to this folder by parent id!
+ if (CheckPermissions(
+ new Dictionary(),
+ Security.CurrentUser,
+ Services.MediaService,
+ intParentId) == false)
+ {
+ throw new HttpResponseException(Request.CreateResponse(
+ HttpStatusCode.Forbidden,
+ new SimpleNotificationModel(new Notification(
+ Services.TextService.Localize("speechBubbles/operationFailedHeader"),
+ Services.TextService.Localize("speechBubbles/invalidUserPermissionsText"),
+ SpeechBubbleIcon.Warning))));
+ }
+
+ return intParentId;
+ }
///
/// Change the sort order for media
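Review bot: `validatePermissions` is never read in `GetParentIdAsInt`: the `CheckPermissions(...)` block runs unconditionally, while the doc comment says the check happens only when the flag is true. As written this fails closed, which is the safe direction, but the signature invites a later caller to pass `false` and assume the check was skipped, or a later edit to wire the flag in without re-reviewing every caller. Either drop the parameter and document that the helper always authorizes the resolved id, or make the condition `if (validatePermissions && CheckPermissions(...) == false)` and say in the doc comment when passing `false` is acceptable. The hunk at `-649` removes the inline 403 check from another action, so that action presumably now depends on this helper; its call site is outside the visible hunks and should be confirmed.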
@@ -574,11 +636,13 @@ namespace Umbraco.Web.Editors
}
}
- [EnsureUserPermissionForMedia("folder.ParentId")]
- public MediaItemDisplay PostAddFolder(EntityBasic folder)
+ public MediaItemDisplay PostAddFolder(PostedFolder folder)
{
- var mediaService = ApplicationContext.Services.MediaService;
- var f = mediaService.CreateMedia(folder.Name, folder.ParentId, Constants.Conventions.MediaTypes.Folder);
+ var intParentId = GetParentIdAsInt(folder.ParentId, validatePermissions: true);
+
+ var mediaService = ApplicationContext.Services.MediaService;
+
+ var f = mediaService.CreateMedia(folder.Name, intParentId, Constants.Conventions.MediaTypes.Folder);
mediaService.Save(f, Security.CurrentUser.Id);
return Mapper.Map(f);
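Review bot: With `[EnsureUserPermissionForMedia("folder.ParentId")]` removed, the only authorization for `PostAddFolder` is the `GetParentIdAsInt` call on the first line of the body, and nothing marks that line as the access-control gate. I would add a comment above it such as `// authorization gate: throws 403 if the current user cannot access the parent; must stay before CreateMedia`. The helper also throws `EntityNotFoundException` for an unknown GUID before it checks permissions, so a caller without access can probably tell a missing key from a forbidden one, unless a filter outside this diff maps both the same way. The method body continues past the end of this hunk.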
@@ -649,21 +713,6 @@ namespace Umbraco.Web.Editors
}
}
-
- //ensure the user has access to this folder by parent id!
- if (CheckPermissions(
- new Dictionary(),
- Security.CurrentUser,
- Services.MediaService, parentId) == false)
- {
- return Request.CreateResponse(
- HttpStatusCode.Forbidden,
- new SimpleNotificationModel(new Notification(
- Services.TextService.Localize("speechBubbles/operationFailedHeader"),
- Services.TextService.Localize("speechBubbles/invalidUserPermissionsText"),
- SpeechBubbleIcon.Warning)));
- }
-
var tempFiles = new PostedFiles();
var mediaService = ApplicationContext.Services.MediaService;
@@ -793,8 +842,8 @@ namespace Umbraco.Web.Editors
if (origin.Value == "blueimp")
{
return Request.CreateResponse(HttpStatusCode.OK,
- tempFiles,
- //Don't output the angular xsrf stuff, blue imp doesn't like that
+ tempFiles,
+ //Don't output the angular xsrf stuff, blue imp doesn't like that
new JsonMediaTypeFormatter());
}
}
diff --git a/src/Umbraco.Web/Models/ContentEditing/PostedFolder.cs b/src/Umbraco.Web/Models/ContentEditing/PostedFolder.cs
new file mode 100644
index 0000000000..35cd908787
--- /dev/null
+++ b/src/Umbraco.Web/Models/ContentEditing/PostedFolder.cs
@@ -0,0 +1,17 @@
+using System.Runtime.Serialization;
+
+namespace Umbraco.Web.Models.ContentEditing
+{
+ ///
+ /// Used to create a folder with the MediaController
+ ///
+ [DataContract]
+ public class PostedFolder
+ {
+ [DataMember(Name = "parentId")]
+ public string ParentId { get; set; }
+
+ [DataMember(Name = "name")]
+ public string Name { get; set; }
+ }
+}
\ No newline at end of file
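Review bot: `ParentId` is declared as a free-form `string` but the model does not say which formats are accepted or that the value is unresolved, unauthorized client input. A doc comment on the property would help, for example `/// Parent id as posted by the client: an integer id, a GUID or a UDI. Must be resolved and permission-checked via MediaController.GetParentIdAsInt before use.` `Name` is likewise passed straight to `CreateMedia` in the controller hunk, so a short comment saying whether empty or null names are rejected downstream would also be useful.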
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 16059f4e12..6b38bf6901 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -361,6 +361,7 @@
+