From 9f357173c3d88dcd1e437dec0b2dcd2200b9a057 Mon Sep 17 00:00:00 2001
From: Kenn Jacobsen <kja@umbraco.dk>
Date: Mon, 3 Feb 2025 12:50:23 +0100
Subject: [PATCH 1/4] Enforce user start nodes for media uploads through the
 RTE (#18204)

---
 .../RichTextEditorPastedImages.cs             | 51 ++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)

diff --git a/src/Umbraco.Infrastructure/PropertyEditors/RichTextEditorPastedImages.cs b/src/Umbraco.Infrastructure/PropertyEditors/RichTextEditorPastedImages.cs
index 8dbe6ad5b3..64e349c245 100644
--- a/src/Umbraco.Infrastructure/PropertyEditors/RichTextEditorPastedImages.cs
+++ b/src/Umbraco.Infrastructure/PropertyEditors/RichTextEditorPastedImages.cs
@@ -8,12 +8,14 @@ using HtmlAgilityPack;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Umbraco.Cms.Core.Cache;
 using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.Exceptions;
 using Umbraco.Cms.Core.Hosting;
 using Umbraco.Cms.Core.IO;
 using Umbraco.Cms.Core.Media;
 using Umbraco.Cms.Core.Models;
+using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Models.PublishedContent;
 using Umbraco.Cms.Core.Routing;
 using Umbraco.Cms.Core.Services;
@@ -38,6 +40,9 @@ public sealed class RichTextEditorPastedImages
     private readonly IUmbracoContextAccessor _umbracoContextAccessor;
     private readonly string _tempFolderAbsolutePath;
     private readonly IImageUrlGenerator _imageUrlGenerator;
+    private readonly IEntityService _entityService;
+    private readonly IUserService _userService;
+    private readonly AppCaches _appCaches;
     private readonly ContentSettings _contentSettings;
     private readonly Dictionary<string, GuidUdi> _uploadedImages = new();
 
@@ -67,6 +72,7 @@ public sealed class RichTextEditorPastedImages
     {
     }
 
+    [Obsolete("Use the non-obsolete constructor. Scheduled for removal in v14")]
     public RichTextEditorPastedImages(
         IUmbracoContextAccessor umbracoContextAccessor,
         ILogger<RichTextEditorPastedImages> logger,
@@ -79,6 +85,39 @@ public sealed class RichTextEditorPastedImages
         IPublishedUrlProvider publishedUrlProvider,
         IImageUrlGenerator imageUrlGenerator,
         IOptions<ContentSettings> contentSettings)
+        : this(
+            umbracoContextAccessor,
+            logger,
+            hostingEnvironment,
+            mediaService,
+            contentTypeBaseServiceProvider,
+            mediaFileManager,
+            mediaUrlGenerators,
+            shortStringHelper,
+            publishedUrlProvider,
+            imageUrlGenerator,
+            StaticServiceProvider.Instance.GetRequiredService<IEntityService>(),
+            StaticServiceProvider.Instance.GetRequiredService<IUserService>(),
+            StaticServiceProvider.Instance.GetRequiredService<AppCaches>(),
+            contentSettings)
+    {
+    }
+
+    public RichTextEditorPastedImages(
+        IUmbracoContextAccessor umbracoContextAccessor,
+        ILogger<RichTextEditorPastedImages> logger,
+        IHostingEnvironment hostingEnvironment,
+        IMediaService mediaService,
+        IContentTypeBaseServiceProvider contentTypeBaseServiceProvider,
+        MediaFileManager mediaFileManager,
+        MediaUrlGeneratorCollection mediaUrlGenerators,
+        IShortStringHelper shortStringHelper,
+        IPublishedUrlProvider publishedUrlProvider,
+        IImageUrlGenerator imageUrlGenerator,
+        IEntityService entityService,
+        IUserService userService,
+        AppCaches appCaches,
+        IOptions<ContentSettings> contentSettings)
     {
         _umbracoContextAccessor =
             umbracoContextAccessor ?? throw new ArgumentNullException(nameof(umbracoContextAccessor));
@@ -92,6 +131,9 @@ public sealed class RichTextEditorPastedImages
         _shortStringHelper = shortStringHelper;
         _publishedUrlProvider = publishedUrlProvider;
         _imageUrlGenerator = imageUrlGenerator;
+        _entityService = entityService;
+        _userService = userService;
+        _appCaches = appCaches;
         _contentSettings = contentSettings.Value;
 
         _tempFolderAbsolutePath = _hostingEnvironment.MapPathContentRoot(Constants.SystemDirectories.TempImageUploads);
@@ -270,7 +312,7 @@ public sealed class RichTextEditorPastedImages
                 : Constants.Conventions.MediaTypes.Image;
 
             IMedia mediaFile = mediaParentFolder == Guid.Empty
-                ? _mediaService.CreateMedia(mediaItemName, Constants.System.Root, mediaType, userId)
+                ? _mediaService.CreateMedia(mediaItemName, GetDefaultMediaRoot(userId), mediaType, userId)
                 : _mediaService.CreateMedia(mediaItemName, mediaParentFolder, mediaType, userId);
 
             var fileInfo = new FileInfo(absoluteTempImagePath);
@@ -354,4 +396,11 @@ public sealed class RichTextEditorPastedImages
     }
 
     private bool IsValidPath(string imagePath) => imagePath.StartsWith(_tempFolderAbsolutePath);
+
+    private int GetDefaultMediaRoot(int userId)
+    {
+        IUser user = _userService.GetUserById(userId) ?? throw new ArgumentException("User could not be found");
+        var userStartNodes = user.CalculateMediaStartNodeIds(_entityService, _appCaches);
+        return userStartNodes?.FirstOrDefault() ?? Constants.System.Root;
+    }
 }

From e7411244fde73cbc5d85a536a48caaff8f2b49fd Mon Sep 17 00:00:00 2001
From: Andy Butland <abutland73@gmail.com>
Date: Mon, 3 Feb 2025 13:24:58 +0100
Subject: [PATCH 2/4] Show notifications menu only to users with permission for
 the feature. (#18184)

---
 src/Umbraco.Web.BackOffice/Trees/ContentTreeController.cs | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/src/Umbraco.Web.BackOffice/Trees/ContentTreeController.cs b/src/Umbraco.Web.BackOffice/Trees/ContentTreeController.cs
index 4cdd8cef7c..0ef895e207 100644
--- a/src/Umbraco.Web.BackOffice/Trees/ContentTreeController.cs
+++ b/src/Umbraco.Web.BackOffice/Trees/ContentTreeController.cs
@@ -317,13 +317,7 @@ public class ContentTreeController : ContentTreeControllerBase, ISearchableTreeW
 
         if (_emailSender.CanSendRequiredEmail())
         {
-            menu.Items.Add(new MenuItem("notify", LocalizedTextService)
-            {
-                Icon = "icon-megaphone",
-                SeparatorBefore = true,
-                OpensDialog = true,
-                UseLegacyIcon = false
-            });
+            AddActionNode<ActionNotify>(item, menu, hasSeparator: true, opensDialog: true, useLegacyIcon: false);
         }
 
         if ((item is DocumentEntitySlim documentEntity && documentEntity.IsContainer) == false)

From b4a9dc0770a389b7e92a362e86e1e7b3f8490114 Mon Sep 17 00:00:00 2001
From: Mole <nikolajlauridsen@protonmail.ch>
Date: Mon, 3 Feb 2025 19:48:08 +0100
Subject: [PATCH 3/4] V13: Fix members while using basic auth. (#18206)

* Flow additional identities to new principal

* Add extension to more easily get member identity

* Ensure the member is used instead of the backoffice user in `MemberManager`

* Update snippet

* Fix the comment that I broke

* Update src/Umbraco.Web.Common/Extensions/MemberClaimsPrincipalExtensions.cs

Co-authored-by: Andy Butland <abutland73@gmail.com>

---------

Co-authored-by: Andy Butland <abutland73@gmail.com>
---
 .../Snippets/LoginStatus.cshtml               |  4 +--
 .../Extensions/HttpContextExtensions.cs       | 11 ++++++--
 .../MemberClaimsPrincipalExtensions.cs        | 18 ++++++++++++
 .../Security/MemberManager.cs                 | 28 ++++++++++++-------
 4 files changed, 47 insertions(+), 14 deletions(-)
 create mode 100644 src/Umbraco.Web.Common/Extensions/MemberClaimsPrincipalExtensions.cs

diff --git a/src/Umbraco.Core/EmbeddedResources/Snippets/LoginStatus.cshtml b/src/Umbraco.Core/EmbeddedResources/Snippets/LoginStatus.cshtml
index 8f5477bca4..aa70da23c8 100644
--- a/src/Umbraco.Core/EmbeddedResources/Snippets/LoginStatus.cshtml
+++ b/src/Umbraco.Core/EmbeddedResources/Snippets/LoginStatus.cshtml
@@ -5,7 +5,7 @@
 @using Umbraco.Extensions
 
 @{
-    var isLoggedIn = Context.User?.Identity?.IsAuthenticated ?? false;
+    var isLoggedIn = Context.User.GetMemberIdentity()?.IsAuthenticated ?? false;
     var logoutModel = new PostRedirectModel();
     // You can modify this to redirect to a different URL instead of the current one
     logoutModel.RedirectUrl = null;
@@ -15,7 +15,7 @@
 {
     <div class="login-status">
 
-        <p>Welcome back <strong>@Context?.User?.Identity?.Name</strong>!</p>
+        <p>Welcome back <strong>@Context.User?.GetMemberIdentity()?.Name</strong>!</p>
 
         @using (Html.BeginUmbracoForm<UmbLoginStatusController>("HandleLogout", new { RedirectUrl = logoutModel.RedirectUrl }))
         {
diff --git a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
index 0a84f318f6..fd46ef6903 100644
--- a/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
+++ b/src/Umbraco.Web.Common/Extensions/HttpContextExtensions.cs
@@ -62,9 +62,16 @@ public static class HttpContextExtensions
         // Update the HttpContext's user with the authenticated user's principal to ensure
         // that subsequent requests within the same context will recognize the user
         // as authenticated.
-        if (result.Succeeded)
+        if (result is { Succeeded: true, Principal.Identity: not null })
         {
-            httpContext.User = result.Principal;
+            // We need to get existing identities that are not the backoffice kind and flow them to the new identity
+            // Otherwise we can't log in as both a member and a backoffice user
+            // For instance if you've enabled basic auth.
+            ClaimsPrincipal? authenticatedPrincipal = result.Principal;
+            IEnumerable<ClaimsIdentity> existingIdentities = httpContext.User.Identities.Where(x => x.IsAuthenticated && x.AuthenticationType != authenticatedPrincipal.Identity.AuthenticationType);
+            authenticatedPrincipal.AddIdentities(existingIdentities);
+
+            httpContext.User = authenticatedPrincipal;
         }
 
         return result;
diff --git a/src/Umbraco.Web.Common/Extensions/MemberClaimsPrincipalExtensions.cs b/src/Umbraco.Web.Common/Extensions/MemberClaimsPrincipalExtensions.cs
new file mode 100644
index 0000000000..03205f7baa
--- /dev/null
+++ b/src/Umbraco.Web.Common/Extensions/MemberClaimsPrincipalExtensions.cs
@@ -0,0 +1,18 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Identity;
+
+namespace Umbraco.Extensions;
+
+public static class MemberClaimsPrincipalExtensions
+{
+    /// <summary>
+    /// Tries to get specifically the member identity from the ClaimsPrincipal
+    /// </summary>
+    /// <remarks>
+    /// The identity returned is the one with default authentication type.
+    /// </remarks>
+    /// <param name="principal">The principal to find the identity in.</param>
+    /// <returns>The default authenticated authentication type identity.</returns>
+    public static ClaimsIdentity? GetMemberIdentity(this ClaimsPrincipal principal)
+        => principal.Identities.FirstOrDefault(x => x.AuthenticationType == IdentityConstants.ApplicationScheme);
+}
diff --git a/src/Umbraco.Web.Common/Security/MemberManager.cs b/src/Umbraco.Web.Common/Security/MemberManager.cs
index 46d07deb88..40146275de 100644
--- a/src/Umbraco.Web.Common/Security/MemberManager.cs
+++ b/src/Umbraco.Web.Common/Security/MemberManager.cs
@@ -1,4 +1,5 @@
 using System.Globalization;
+using System.Security.Claims;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Logging;
@@ -124,8 +125,11 @@ public class MemberManager : UmbracoUserManager<MemberIdentityUser, MemberPasswo
     /// <inheritdoc />
     public virtual bool IsLoggedIn()
     {
-        HttpContext? httpContext = _httpContextAccessor.HttpContext;
-        return httpContext?.User.Identity?.IsAuthenticated ?? false;
+        // We have to try and specifically find the member identity, it's entirely possible for there to be both backoffice and member.
+        ClaimsIdentity? memberIdentity = _httpContextAccessor.HttpContext?.User.GetMemberIdentity();
+
+        return memberIdentity is not null &&
+               memberIdentity.IsAuthenticated;
     }
 
     /// <inheritdoc />
@@ -181,23 +185,27 @@ public class MemberManager : UmbracoUserManager<MemberIdentityUser, MemberPasswo
     /// <inheritdoc />
     public virtual async Task<MemberIdentityUser?> GetCurrentMemberAsync()
     {
-        if (_currentMember == null)
+        if (_currentMember is not null)
         {
-            if (!IsLoggedIn())
-            {
-                return null;
-            }
-
-            _currentMember = await GetUserAsync(_httpContextAccessor.HttpContext?.User!);
+            return _currentMember;
         }
 
+        if (IsLoggedIn() is false)
+        {
+            return null;
+        }
+
+        // Create a principal the represents the member security context.
+        var memberPrincipal = new ClaimsPrincipal(_httpContextAccessor.HttpContext?.User.GetMemberIdentity()!);
+        _currentMember = await GetUserAsync(memberPrincipal);
+
         return _currentMember;
     }
 
     public virtual IPublishedContent? AsPublishedMember(MemberIdentityUser user) => _store.GetPublishedMember(user);
 
     /// <summary>
-    ///     This will check if the member has access to this path
+    /// This will check if the member has access to this path.
     /// </summary>
     /// <param name="path"></param>
     /// <returns></returns>

From 6620aca9fe11cb6d46255efd94e6b1e555fdb68d Mon Sep 17 00:00:00 2001
From: Callum Whyte <hey@callumwhyte.com>
Date: Tue, 4 Feb 2025 22:29:21 +1100
Subject: [PATCH 4/4] Cache null dictionary values by key (#15576)

* Add CacheNullValues option to RepositoryCachePolicy

* Cache null values in DictionaryByKeyRepository

* Fixed issue with nullable reference.

* Updated logic for caching of null values.

* Update src/Umbraco.Infrastructure/Cache/DefaultRepositoryCachePolicy.cs

Co-authored-by: Sven Geusens <geusens@gmail.com>

* Made the NullValueRepresentation overwritable in a generic manner

* Improve generic NullValueCachePolicyResolver

* Revert Commits and clarify logic with comment

This reverts commit 8befb437921cb6e3b87725cefb92a6afbf3d28fb "Improve generic NullValueCachePolicyResolver"
Also reverts 8adf0a2 - Made the NullValueRepresentation overwritable in a generic manner
And 8adf0a2 - Made the NullValueRepresentation overwritable in a generic manner

* Update src/Umbraco.Infrastructure/Cache/DefaultRepositoryCachePolicy.cs

---------

Co-authored-by: Andy Butland <abutland73@gmail.com>
Co-authored-by: Sven Geusens <geusens@gmail.com>
Co-authored-by: Sven Geusens <sge@umbraco.dk>
---
 .../Cache/RepositoryCachePolicyOptions.cs     |  7 ++++
 .../Cache/DefaultRepositoryCachePolicy.cs     | 32 +++++++++++++++++--
 .../Implement/DictionaryRepository.cs         | 17 +++++-----
 3 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/src/Umbraco.Core/Cache/RepositoryCachePolicyOptions.cs b/src/Umbraco.Core/Cache/RepositoryCachePolicyOptions.cs
index ba7b251aa0..fa334e5c4a 100644
--- a/src/Umbraco.Core/Cache/RepositoryCachePolicyOptions.cs
+++ b/src/Umbraco.Core/Cache/RepositoryCachePolicyOptions.cs
@@ -11,6 +11,7 @@ public class RepositoryCachePolicyOptions
     public RepositoryCachePolicyOptions(Func<int> performCount)
     {
         PerformCount = performCount;
+        CacheNullValues = false;
         GetAllCacheValidateCount = true;
         GetAllCacheAllowZeroCount = false;
     }
@@ -21,6 +22,7 @@ public class RepositoryCachePolicyOptions
     public RepositoryCachePolicyOptions()
     {
         PerformCount = null;
+        CacheNullValues = false;
         GetAllCacheValidateCount = false;
         GetAllCacheAllowZeroCount = false;
     }
@@ -30,6 +32,11 @@ public class RepositoryCachePolicyOptions
     /// </summary>
     public Func<int>? PerformCount { get; set; }
 
+    /// <summary>
+    ///     True if the Get method will cache null results so that the db is not hit for repeated lookups
+    /// </summary>
+    public bool CacheNullValues { get; set; }
+
     /// <summary>
     ///     True/false as to validate the total item count when all items are returned from cache, the default is true but this
     ///     means that a db lookup will occur - though that lookup will probably be significantly less expensive than the
diff --git a/src/Umbraco.Infrastructure/Cache/DefaultRepositoryCachePolicy.cs b/src/Umbraco.Infrastructure/Cache/DefaultRepositoryCachePolicy.cs
index 7f7f8d6784..9494ed2eea 100644
--- a/src/Umbraco.Infrastructure/Cache/DefaultRepositoryCachePolicy.cs
+++ b/src/Umbraco.Infrastructure/Cache/DefaultRepositoryCachePolicy.cs
@@ -24,6 +24,8 @@ public class DefaultRepositoryCachePolicy<TEntity, TId> : RepositoryCachePolicyB
     private static readonly TEntity[] _emptyEntities = new TEntity[0]; // const
     private readonly RepositoryCachePolicyOptions _options;
 
+    private const string NullRepresentationInCache = "*NULL*";
+
     public DefaultRepositoryCachePolicy(IAppPolicyCache cache, IScopeAccessor scopeAccessor, RepositoryCachePolicyOptions options)
         : base(cache, scopeAccessor) =>
         _options = options ?? throw new ArgumentNullException(nameof(options));
@@ -116,6 +118,7 @@ public class DefaultRepositoryCachePolicy<TEntity, TId> : RepositoryCachePolicyB
         {
             // whatever happens, clear the cache
             var cacheKey = GetEntityCacheKey(entity.Id);
+
             Cache.Clear(cacheKey);
 
             // if there's a GetAllCacheAllowZeroCount cache, ensure it is cleared
@@ -127,20 +130,36 @@ public class DefaultRepositoryCachePolicy<TEntity, TId> : RepositoryCachePolicyB
     public override TEntity? Get(TId? id, Func<TId?, TEntity?> performGet, Func<TId[]?, IEnumerable<TEntity>?> performGetAll)
     {
         var cacheKey = GetEntityCacheKey(id);
+
         TEntity? fromCache = Cache.GetCacheItem<TEntity>(cacheKey);
 
-        // if found in cache then return else fetch and cache
-        if (fromCache != null)
+        // If found in cache then return immediately.
+        if (fromCache is not null)
         {
             return fromCache;
         }
 
+        // Because TEntity can never be a string, we will never be in a position where the proxy value collides withs a real value.
+        // Therefore this point can only be reached if there is a proxy null value => becomes null when cast to TEntity above OR the item simply does not exist.
+        // If we've cached a "null" value, return null.
+        if (_options.CacheNullValues && Cache.GetCacheItem<string>(cacheKey) == NullRepresentationInCache)
+        {
+            return null;
+        }
+
+        // Otherwise go to the database to retrieve.
         TEntity? entity = performGet(id);
 
         if (entity != null && entity.HasIdentity)
         {
+            // If we've found an identified entity, cache it for subsequent retrieval.
             InsertEntity(cacheKey, entity);
         }
+        else if (entity is null && _options.CacheNullValues)
+        {
+            // If we've not found an entity, and we're caching null values, cache a "null" value.
+            InsertNull(cacheKey);
+        }
 
         return entity;
     }
@@ -248,6 +267,15 @@ public class DefaultRepositoryCachePolicy<TEntity, TId> : RepositoryCachePolicyB
     protected virtual void InsertEntity(string cacheKey, TEntity entity)
         => Cache.Insert(cacheKey, () => entity, TimeSpan.FromMinutes(5), true);
 
+    protected virtual void InsertNull(string cacheKey)
+    {
+        // We can't actually cache a null value, as in doing so wouldn't be able to distinguish between
+        // a value that does exist but isn't yet cached, or a value that has been explicitly cached with a null value.
+        // Both would return null when we retrieve from the cache and we couldn't distinguish between the two.
+        // So we cache a special value that represents null, and then we can check for that value when we retrieve from the cache.
+        Cache.Insert(cacheKey, () => NullRepresentationInCache, TimeSpan.FromMinutes(5), true);
+    }
+
     protected virtual void InsertEntities(TId[]? ids, TEntity[]? entities)
     {
         if (ids?.Length == 0 && entities?.Length == 0 && _options.GetAllCacheAllowZeroCount)
diff --git a/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/DictionaryRepository.cs b/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/DictionaryRepository.cs
index 909c9cfec2..bf4799e938 100644
--- a/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/DictionaryRepository.cs
+++ b/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/DictionaryRepository.cs
@@ -102,11 +102,10 @@ internal class DictionaryRepository : EntityRepositoryBase<int, IDictionaryItem>
         var options = new RepositoryCachePolicyOptions
         {
             // allow zero to be cached
-            GetAllCacheAllowZeroCount = true,
+            GetAllCacheAllowZeroCount = true
         };
 
-        return new SingleItemsOnlyRepositoryCachePolicy<IDictionaryItem, int>(GlobalIsolatedCache, ScopeAccessor,
-            options);
+        return new SingleItemsOnlyRepositoryCachePolicy<IDictionaryItem, int>(GlobalIsolatedCache, ScopeAccessor, options);
     }
 
     protected IDictionaryItem ConvertFromDto(DictionaryDto dto)
@@ -190,11 +189,10 @@ internal class DictionaryRepository : EntityRepositoryBase<int, IDictionaryItem>
             var options = new RepositoryCachePolicyOptions
             {
                 // allow zero to be cached
-                GetAllCacheAllowZeroCount = true,
+                GetAllCacheAllowZeroCount = true
             };
 
-            return new SingleItemsOnlyRepositoryCachePolicy<IDictionaryItem, Guid>(GlobalIsolatedCache, ScopeAccessor,
-                options);
+            return new SingleItemsOnlyRepositoryCachePolicy<IDictionaryItem, Guid>(GlobalIsolatedCache, ScopeAccessor, options);
         }
     }
 
@@ -228,12 +226,13 @@ internal class DictionaryRepository : EntityRepositoryBase<int, IDictionaryItem>
         {
             var options = new RepositoryCachePolicyOptions
             {
+                // allow null to be cached
+                CacheNullValues = true,
                 // allow zero to be cached
-                GetAllCacheAllowZeroCount = true,
+                GetAllCacheAllowZeroCount = true
             };
 
-            return new SingleItemsOnlyRepositoryCachePolicy<IDictionaryItem, string>(GlobalIsolatedCache, ScopeAccessor,
-                options);
+            return new SingleItemsOnlyRepositoryCachePolicy<IDictionaryItem, string>(GlobalIsolatedCache, ScopeAccessor, options);
         }
     }