From dbdf3cf03d1786a28ef5047ab3dbb64e1a28c27d Mon Sep 17 00:00:00 2001 From: Elitsa Marinovska <21998037+elit0451@users.noreply.github.com> Date: Thu, 14 Dec 2023 15:03:35 +0100 Subject: [PATCH] V14: Tighten permissions for folder controllers (#15457) * Fixing folder controller policies * Remove unused policy --- .../Controllers/DataType/Folder/DataTypeFolderControllerBase.cs | 2 +- .../DocumentType/Folder/DocumentTypeFolderControllerBase.cs | 2 +- .../MediaType/Folder/MediaTypeFolderControllerBase.cs | 2 +- .../BackOfficeAuthPolicyBuilderExtensions.cs | 1 - 4 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs index 1466c2667e..80194b97d1 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/Folder/DataTypeFolderControllerBase.cs @@ -12,7 +12,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.DataType.Folder; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.DataType}/folder")] [ApiExplorerSettings(GroupName = "Data Type")] -[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentTypes)] public abstract class DataTypeFolderControllerBase : FolderManagementControllerBase { protected DataTypeFolderControllerBase( diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Folder/DocumentTypeFolderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Folder/DocumentTypeFolderControllerBase.cs index 01488d86d7..cbe7ceb4e2 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Folder/DocumentTypeFolderControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/Folder/DocumentTypeFolderControllerBase.cs @@ -12,7 +12,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.DocumentType.Folder; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.DocumentType}/folder")] [ApiExplorerSettings(GroupName = "Document Type")] -[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentsOrDocumentTypes)] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessDocumentTypes)] public abstract class DocumentTypeFolderControllerBase : FolderManagementControllerBase { protected DocumentTypeFolderControllerBase( diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Folder/MediaTypeFolderControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Folder/MediaTypeFolderControllerBase.cs index 142db0127b..f1e3be8be7 100644 --- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Folder/MediaTypeFolderControllerBase.cs +++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/Folder/MediaTypeFolderControllerBase.cs @@ -12,7 +12,7 @@ namespace Umbraco.Cms.Api.Management.Controllers.MediaType.Folder; [ApiController] [VersionedApiBackOfficeRoute($"{Constants.UdiEntityType.MediaType}/folder")] [ApiExplorerSettings(GroupName = "Media Type")] -[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMediaOrMediaTypes)] +[Authorize(Policy = "New" + AuthorizationPolicies.TreeAccessMediaTypes)] public abstract class MediaTypeFolderControllerBase : FolderManagementControllerBase { protected MediaTypeFolderControllerBase( diff --git a/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs b/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs index d816a02881..8907c37933 100644 --- a/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs +++ b/src/Umbraco.Cms.Api.Management/DependencyInjection/BackOfficeAuthPolicyBuilderExtensions.cs @@ -86,7 +86,6 @@ internal static class BackOfficeAuthPolicyBuilderExtensions AddPolicy(AuthorizationPolicies.TreeAccessDocumentTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings); AddPolicy(AuthorizationPolicies.TreeAccessLanguages, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings); AddPolicy(AuthorizationPolicies.TreeAccessMediaTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings); - AddPolicy(AuthorizationPolicies.TreeAccessMediaOrMediaTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Media, Constants.Applications.Settings); AddPolicy(AuthorizationPolicies.TreeAccessMemberGroups, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Members); AddPolicy(AuthorizationPolicies.TreeAccessMemberTypes, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings); AddPolicy(AuthorizationPolicies.TreeAccessPartialViews, Constants.Security.AllowedApplicationsClaimType, Constants.Applications.Settings);