Netcore: Fixes issues with user invites (#9616)

* AB9629
Fixes issues with user invites
- Issue with the generated link in the invite email
- Allow anonymous access to CurrentUserController.PostSetInvitedUserPassword, as it is used by users not logged in
- Allow anonymous access to AuthenticationController.GetPasswordConfig, as this is used to set a password for newly invited users, before they login

* Fix issues with invite flow

* Fix minor typos

* Fixed issue with validation response and remove/change avatar

* Fix issue with disable users, after all enums are handled like strings

* Fix tests

* Fix other validation issue

* Fix yet another validation issue

Co-authored-by: Elitsa Marinovska <elm@umbraco.dk>
Bjarke Berg
2021-01-12 16:15:19 +01:00
committed by GitHub
parent b15046ccf6
commit fe016dd103
12 changed files with 162 additions and 144 deletions


@@ -16,12 +16,14 @@ using Umbraco.Core.Hosting;
using Umbraco.Core.IO;
using Umbraco.Core.Mapping;
using Umbraco.Core.Media;
using Umbraco.Core.Models;
using Umbraco.Core.Security;
using Umbraco.Core.Services;
using Umbraco.Core.Strings;
using Umbraco.Extensions;
using Umbraco.Web.BackOffice.Filters;
using Umbraco.Web.BackOffice.Security;
using Umbraco.Web.Common.ActionsResults;
using Umbraco.Web.Common.Attributes;
using Umbraco.Web.Common.Authorization;
using Umbraco.Web.Common.Exceptions;
@@ -170,7 +172,7 @@ namespace Umbraco.Web.BackOffice.Controllers
/// <remarks>
/// This only works when the user is logged in (partially)
/// </remarks>
[Authorize(Policy = AuthorizationPolicies.BackOfficeAccess)] // TODO: Why is this necessary? This inherits from UmbracoAuthorizedApiController
[AllowAnonymous]
public async Task<UserDetail> PostSetInvitedUserPassword([FromBody]string newPassword)
{
var user = await _backOfficeUserManager.FindByIdAsync(_backofficeSecurityAccessor.BackOfficeSecurity.GetUserId().ResultOr(0).ToString());
@@ -201,10 +203,10 @@ namespace Umbraco.Web.BackOffice.Controllers
}
[AppendUserModifiedHeader]
public IActionResult PostSetAvatar(IList<IFormFile> files)
public IActionResult PostSetAvatar(IList<IFormFile> file)
{
//borrow the logic from the user controller
return UsersController.PostSetAvatarInternal(files, _userService, _appCaches.RuntimeCache, _mediaFileSystem, _shortStringHelper, _contentSettings, _hostingEnvironment, _imageUrlGenerator, _backofficeSecurityAccessor.BackOfficeSecurity.GetUserId().ResultOr(0));
return UsersController.PostSetAvatarInternal(file, _userService, _appCaches.RuntimeCache, _mediaFileSystem, _shortStringHelper, _contentSettings, _hostingEnvironment, _imageUrlGenerator, _backofficeSecurityAccessor.BackOfficeSecurity.GetUserId().ResultOr(0));
}
/// <summary>
@@ -214,7 +216,7 @@ namespace Umbraco.Web.BackOffice.Controllers
/// <returns>
/// If the password is being reset it will return the newly reset password, otherwise will return an empty value
/// </returns>
public async Task<ModelWithNotifications<string>> PostChangePassword(ChangingPasswordModel data)
public async Task<ActionResult<ModelWithNotifications<string>>> PostChangePassword(ChangingPasswordModel data)
{
// TODO: Why don't we inject this? Then we can just inject a logger
var passwordChanger = new PasswordChanger(_loggerFactory.CreateLogger<PasswordChanger>());
@@ -233,7 +235,7 @@ namespace Umbraco.Web.BackOffice.Controllers
ModelState.AddModelError(memberName, passwordChangeResult.Result.ChangeError.ErrorMessage);
}
throw HttpResponseException.CreateValidationErrorResponse(ModelState);
return new ValidationErrorResult(new SimpleValidationModel(ModelState.ToErrorDictionary()));
}
// TODO: Why is this necessary? This inherits from UmbracoAuthorizedApiController
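Review bot: Swapping the `BackOfficeAccess` policy for `[AllowAnonymous]` on `PostSetInvitedUserPassword` (second hunk) leaves `GetUserId().ResultOr(0)` as the only thing that ties the request to an invited user, and that call turns "no identity on the request" into a lookup for id 0 rather than a refusal. I would fail closed before the lookup, for example `var userId = _backofficeSecurityAccessor.BackOfficeSecurity.GetUserId();` followed by an `if (!userId.Success)` branch that rejects the request, and also confirm that the resolved user is still in the invited state before a password is set. The method body continues outside the hunk, so a null check on `user` or a state check may already be there; if so, a comment next to the attribute such as `// Anonymous by design: invited users only carry the partial sign-in from the invite link` would record why dropping the policy is safe. The `<remarks>` text above the attribute still says the action only works for a partially logged-in user, and it should be kept in step with whatever the code actually enforces.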