From dc273683972c857b01b572142ba7e4a56bebe2fa Mon Sep 17 00:00:00 2001
From: Shannon
Date: Thu, 27 Nov 2014 17:57:33 +1100
Subject: [PATCH] Fixes: U4-5891
---
 src/Umbraco.Web/Trees/LegacyTreeController.cs | 2 +-
 src/Umbraco.Web/Umbraco.Web.csproj | 3 +-
 .../Filters/LegacyTreeAuthorizeAttribute.cs | 28 +++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 src/Umbraco.Web/WebApi/Filters/LegacyTreeAuthorizeAttribute.cs
diff --git a/src/Umbraco.Web/Trees/LegacyTreeController.cs b/src/Umbraco.Web/Trees/LegacyTreeController.cs
index a3475ce0bd..cf8d90e0c4 100644
--- a/src/Umbraco.Web/Trees/LegacyTreeController.cs
+++ b/src/Umbraco.Web/Trees/LegacyTreeController.cs
@@ -19,7 +19,7 @@ namespace Umbraco.Web.Trees
 /// This is used to output JSON from legacy trees
 ///
 [PluginController("UmbracoTrees")]
- //public class LegacyTreeController : UmbracoAuthorizedApiController
+ [LegacyTreeAuthorizeAttribute]
 public class LegacyTreeController : TreeControllerBase
 {
 private readonly XmlTreeNode _xmlTreeNode;
diff --git a/src/Umbraco.Web/Umbraco.Web.csproj b/src/Umbraco.Web/Umbraco.Web.csproj
index 22cf8b3965..85bc54c778 100644
--- a/src/Umbraco.Web/Umbraco.Web.csproj
+++ b/src/Umbraco.Web/Umbraco.Web.csproj
@@ -552,6 +552,7 @@ +
@@ -2158,4 +2159,4 @@ - + \ No newline at end of file
diff --git a/src/Umbraco.Web/WebApi/Filters/LegacyTreeAuthorizeAttribute.cs b/src/Umbraco.Web/WebApi/Filters/LegacyTreeAuthorizeAttribute.cs
new file mode 100644
index 0000000000..a337b36989
--- /dev/null
+++ b/src/Umbraco.Web/WebApi/Filters/LegacyTreeAuthorizeAttribute.cs
@@ -0,0 +1,28 @@
+using System.Web.Http;
+using System.Web.Http.Controllers;
+using Umbraco.Core;
+
+namespace Umbraco.Web.WebApi.Filters
+{
+ internal class LegacyTreeAuthorizeAttribute : AuthorizeAttribute
+ {
+ protected override bool IsAuthorized(HttpActionContext actionContext)
+ {
+ var httpContext = actionContext.Request.TryGetHttpContext();
+ if (httpContext)
+ {
+ var treeRequest = httpContext.Result.Request.QueryString["treeType"];
+ if (treeRequest.IsNullOrWhiteSpace()) return false;
+
+ var tree = ApplicationContext.Current.Services.ApplicationTreeService.GetByAlias(treeRequest);
+ if (tree == null) return false;
+
+ return UmbracoContext.Current.Security.CurrentUser != null
+ && UmbracoContext.Current.Security.UserHasAppAccess(tree.ApplicationAlias, UmbracoContext.Current.Security.CurrentUser);
+ }
+ return false;
+
+
+ }
+ }
+}
\ No newline at end of file
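Review bot: The access decision in `IsAuthorized` is derived only from the `treeType` query-string value, so it protects the controller only if every action resolves its tree from that same value; the actions are outside this diff, and a tree alias taken from route data or another parameter would be checked against a different application than the one actually served. A class-level comment should record that contract, e.g. `/// <summary>Allows the request only when the current user has access to the application owning the tree named by the treeType query-string parameter; denies otherwise.</summary>`. The override also never calls `base.IsAuthorized(actionContext)`, so the principal check and any `Users`/`Roles` set on the attribute are ignored; that looks intentional but is worth stating in the same comment. The final return reads `CurrentUser` twice and is easier to audit as `var security = UmbracoContext.Current.Security;`, `var user = security.CurrentUser;`, `return user != null && security.UserHasAppAccess(tree.ApplicationAlias, user);`.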