From ebb6a580dc1da2c772a99838dc7b4660bf77eb9c Mon Sep 17 00:00:00 2001
From: Andy Butland
Date: Tue, 11 Mar 2025 05:11:36 +0100
Subject: [PATCH] Merge commit from fork
* Tighten management API endpoint access rules.
* Bumped version to 15.2.1.
---
 .../Controllers/DataType/CopyDataTypeController.cs | 3 +++
 .../Controllers/DataType/CreateDataTypeController.cs | 5 ++++-
 .../Controllers/DataType/DeleteDataTypeController.cs | 5 ++++-
 .../Controllers/DataType/MoveDataTypeController.cs | 3 +++
 .../Controllers/DataType/UpdateDataTypeController.cs | 5 ++++-
 .../Controllers/DocumentType/ExportDocumentTypeController.cs | 3 +++
 .../DocumentType/ImportExistingDocumentTypeController.cs | 4 +++-
 .../DocumentType/ImportNewDocumentTypeController.cs | 4 +++-
 .../Controllers/MediaType/ExportMediaTypeController.cs | 3 +++
 .../MediaType/ImportExistingMediaTypeController.cs | 4 +++-
 .../Controllers/MediaType/ImportNewMediaTypeController.cs | 5 +++--
 .../Controllers/MediaType/MediaTypeControllerBase.cs | 3 +--
 12 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/CopyDataTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/CopyDataTypeController.cs
index 2bafe73532..6bf47269d5 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/CopyDataTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/CopyDataTypeController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DataType;
@@ -7,10 +8,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class CopyDataTypeController : DataTypeControllerBase
 {
 private readonly IDataTypeService _dataTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/CreateDataTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/CreateDataTypeController.cs
index 9275e25001..1acea39696 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/CreateDataTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/CreateDataTypeController.cs
@@ -1,4 +1,5 @@
-using Asp.Versioning;
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
@@ -8,10 +9,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class CreateDataTypeController : DataTypeControllerBase
 {
 private readonly IDataTypeService _dataTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/DeleteDataTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/DeleteDataTypeController.cs
index aed80dc5fe..ba6cb63d8f 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/DeleteDataTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/DeleteDataTypeController.cs
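Review bot: Nothing beside the new `[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]` on `CopyDataTypeController` records why this controller needs its own policy on top of whatever `DataTypeControllerBase` declares (the base class is not visible in this patch), so a write endpoint added later next to it can omit the attribute without anyone noticing. I would add a one-line comment above the attribute, for example `// Write operation: requires Data Types tree access in addition to any policy inherited from the base controller.`, and consider a shared base class for mutating controllers so the restrictive policy is the default rather than opt-in. The same applies to the identical attribute added in the Create, Delete, Move and Update DataType hunks and to the `TreeAccessDocumentTypes` / `TreeAccessMediaTypes` attributes on the import and export controllers. The class body continues outside the hunk.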
@@ -1,4 +1,5 @@
-using Asp.Versioning;
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
@@ -6,10 +7,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class DeleteDataTypeController : DataTypeControllerBase
 {
 private readonly IDataTypeService _dataTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/MoveDataTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/MoveDataTypeController.cs
index bec84124b5..e8f5230463 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/MoveDataTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/MoveDataTypeController.cs
@@ -1,4 +1,5 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DataType;
@@ -7,10 +8,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class MoveDataTypeController : DataTypeControllerBase
 {
 private readonly IDataTypeService _dataTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DataType/UpdateDataTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DataType/UpdateDataTypeController.cs
index 71afc06b26..4b67b55653 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DataType/UpdateDataTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DataType/UpdateDataTypeController.cs
@@ -1,4 +1,5 @@
-using Asp.Versioning;
+using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
@@ -8,10 +9,12 @@ using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DataType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDataTypes)]
 public class UpdateDataTypeController : DataTypeControllerBase
 {
 private readonly IDataTypeService _dataTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ExportDocumentTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ExportDocumentTypeController.cs
index d0c66d0599..4d2eba27eb 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ExportDocumentTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ExportDocumentTypeController.cs
@@ -1,14 +1,17 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class ExportDocumentTypeController : DocumentTypeControllerBase
 {
 private readonly IContentTypeService _contentTypeService;
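Review bot: No test in this patch pins the new restriction on `ExportDocumentTypeController`; the diffstat lists only the twelve controller files, so a later refactor could drop `[Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]` without any build or test failure. An integration test that calls the export endpoint as a back-office user without Document Types tree access and expects 403 Forbidden would cover it, with matching cases for the ImportExisting and ImportNew DocumentType controllers and the three MediaType import/export controllers. The class body continues outside the hunk.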
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportExistingDocumentTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportExistingDocumentTypeController.cs
index 9b1d6506a1..46f28d3665 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportExistingDocumentTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportExistingDocumentTypeController.cs
@@ -1,17 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DocumentType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class ImportExistingDocumentTypeController : DocumentTypeControllerBase
 {
 private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportNewDocumentTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportNewDocumentTypeController.cs
index 5b4fbde199..9b0cb2af0d 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportNewDocumentTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/DocumentType/ImportNewDocumentTypeController.cs
@@ -1,17 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.DocumentType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.DocumentType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
 public class ImportNewDocumentTypeController : DocumentTypeControllerBase
 {
 private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ExportMediaTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ExportMediaTypeController.cs
index 12f8540a4e..40423c3b1d 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ExportMediaTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ExportMediaTypeController.cs
@@ -1,14 +1,17 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Factories;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
 public class ExportMediaTypeController : MediaTypeControllerBase
 {
 private readonly IMediaTypeService _mediaTypeService;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportExistingMediaTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportExistingMediaTypeController.cs
index 9c4ba5ed95..9aedac01e4 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportExistingMediaTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportExistingMediaTypeController.cs
@@ -1,17 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.ViewModels.MediaType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
 public class ImportExistingMediaTypeController : MediaTypeControllerBase
 {
 private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportNewMediaTypeController.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportNewMediaTypeController.cs
index 868822e494..e71e2b2abb 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportNewMediaTypeController.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/ImportNewMediaTypeController.cs
@@ -1,18 +1,19 @@
 using Asp.Versioning;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
-using Umbraco.Cms.Api.Management.Controllers.DocumentType;
 using Umbraco.Cms.Api.Management.ViewModels.MediaType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
-using Umbraco.Cms.Core.Models.Membership;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.ImportExport;
 using Umbraco.Cms.Core.Services.OperationStatus;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Api.Management.Controllers.MediaType;
 
 [ApiVersion("1.0")]
+[Authorize(Policy = AuthorizationPolicies.TreeAccessMediaTypes)]
 public class ImportNewMediaTypeController : MediaTypeControllerBase
 {
 private readonly IBackOfficeSecurityAccessor _backOfficeSecurityAccessor;
diff --git a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs
index 38d11c175d..387d260cde 100644
--- a/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/MediaType/MediaTypeControllerBase.cs
@@ -1,9 +1,8 @@
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Api.Management.Controllers.DocumentType;
 using Umbraco.Cms.Api.Management.Routing;
-using Umbraco.Cms.Api.Management.ViewModels.MediaType;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Services.OperationStatus;
 using Umbraco.Cms.Web.Common.Authorization;