Fixes the authorization of certain endpoints when called by non-admins, so that data cannot be seen and avatars cannot be changed

This commit is contained in:
Shannon
2019-03-15 12:20:24 +11:00
parent c72a5c07fe
commit e24b22f6bd
4 changed files with 47 additions and 2 deletions


@@ -82,6 +82,7 @@ namespace Umbraco.Web.Editors
[AppendUserModifiedHeader("id")]
[FileUploadCleanupFilter(false)]
[AdminUsersAuthorize]
public async Task<HttpResponseMessage> PostSetAvatar(int id)
{
return await PostSetAvatarInternal(Request, Services.UserService, ApplicationContext.ApplicationCache.StaticCache, id);
@@ -145,6 +146,7 @@ namespace Umbraco.Web.Editors
}
[AppendUserModifiedHeader("id")]
[AdminUsersAuthorize]
public HttpResponseMessage PostClearAvatar(int id)
{
var found = Services.UserService.GetUserById(id);
@@ -183,6 +185,7 @@ namespace Umbraco.Web.Editors
/// <param name="id"></param>
/// <returns></returns>
[OutgoingEditorModelEvent]
[AdminUsersAuthorize]
public UserDisplay GetById(int id)
{
var user = Services.UserService.GetUserById(id);
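Review bot: The XML doc on `GetById` still has empty `<param name="id"></param>` and `<returns></returns>` tags, so the new authorization requirement is invisible to a reader of the method; fill them in, e.g. `<param name="id">Id of the user to return; when that user is an admin the caller must also be an admin (enforced by <see cref="AdminUsersAuthorizeAttribute"/>).</param>` and `<returns>The <see cref="UserDisplay"/> for the given id.</returns>`. All three guarded actions take their target user as a parameter named `id`, which appears to be the argument name the new attribute resolves, so a future action that names its user-id parameter differently would not get the admin check from this attribute alone — a brief comment at the usage or a test pinning the behaviour would help. Whether other actions on this controller that return per-user data need the same attribute cannot be judged from these hunks and is worth a pass over the rest of the file. The bodies of `PostSetAvatar`, `PostClearAvatar` and `GetById` continue outside the hunks.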


@@ -832,6 +832,7 @@
<Compile Include="WebApi\Binders\BlueprintItemBinder.cs" />
<Compile Include="WebApi\Binders\MemberBinder.cs" />
<Compile Include="WebApi\EnableDetailedErrorsAttribute.cs" />
<Compile Include="WebApi\Filters\AdminUsersAuthorizeAttribute.cs" />
<Compile Include="WebApi\Filters\AngularAntiForgeryHelper.cs" />
<Compile Include="WebApi\Filters\AppendCurrentEventMessagesAttribute.cs" />
<Compile Include="WebApi\Filters\AppendUserModifiedHeaderAttribute.cs" />


@@ -0,0 +1,42 @@
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Controllers;
using Umbraco.Core;
using Umbraco.Web.Editors;
namespace Umbraco.Web.WebApi.Filters
{
/// <summary>
/// if the user being edited is an admin then we must ensure that the current user is also an admin
/// </summary>
public sealed class AdminUsersAuthorizeAttribute : AuthorizeAttribute
{
protected override bool IsAuthorized(HttpActionContext actionContext)
{
if (actionContext.ActionArguments.TryGetValue("id", out var userId) == false)
{
var queryString = actionContext.Request.GetQueryNameValuePairs();
var ids = queryString.Where(x => x.Key == "id").ToArray();
if (ids.Length == 0)
return base.IsAuthorized(actionContext);
userId = ids[0].Value;
}
if (userId == null) return base.IsAuthorized(actionContext);
var intUserId = userId.TryConvertTo<int>();
if (intUserId.Success == false)
return base.IsAuthorized(actionContext);
var user = ApplicationContext.Current.Services.UserService.GetUserById(intUserId.Result);
if (user == null)
return base.IsAuthorized(actionContext);
//Perform authorization here to see if the current user can actually save this user with the info being requested
var authHelper = new UserEditorAuthorizationHelper(ApplicationContext.Current.Services.ContentService, ApplicationContext.Current.Services.MediaService, ApplicationContext.Current.Services.UserService, ApplicationContext.Current.Services.EntityService);
var canSaveUser = authHelper.IsAuthorized(UmbracoContext.Current.Security.CurrentUser, user, null, null, null);
return canSaveUser;
}
}
}
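Review bot: Every early exit in `IsAuthorized` (no `id` action argument or query value, a null or non-integer id, or no matching user) falls back to `base.IsAuthorized`, which for a bare `AuthorizeAttribute` with no Users/Roles set only requires an authenticated caller; that fail-open default is defensible when there is no target user to protect, but it should be stated so a later reader does not mistake it for a gap, e.g. `// No resolvable target user: nothing admin-specific to protect, so apply only the base authentication check.` above the `if (userId == null)` line. The `<summary>` describes the user as "being edited", yet the attribute is also applied to the read-only `GetById` action, so it should read `/// When the target user (resolved from the "id" action argument or query string) is an admin, ensures the current user is also an admin; applies to both read and write actions.` and the `//Perform authorization here ... save this user` comment should say "view or save". The query-string fallback matches only the exact key `id` (ordinal, case-sensitive) and takes the first value, so an action that receives its user id under a different name or as a list would not be covered by this attribute — worth confirming against the other user endpoints. Stylistically, the `== false` checks on `TryGetValue` and `Success` would normally be written with `!`, and the four `ApplicationContext.Current.Services` lookups could be hoisted into a single local `var services = ApplicationContext.Current.Services;` before the `GetUserById` call.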


@@ -1,5 +1,4 @@
using System.Linq;
using System.Web.Http;
using System.Web.Http.Controllers;
namespace Umbraco.Web.WebApi.Filters
@@ -41,4 +40,4 @@ namespace Umbraco.Web.WebApi.Filters
return authorized;
}
}
}
}