* Making ProblemDetails details more generic
* Adding authorizer that can be replaces for external authz in handlers. Adding handler and requirement for UserBelongsToUserGroupInRequest policy
* Adding method to get the GUID from claims
* Adding service methods to check user group authz
* Porting MustSatisfyRequirementAuthorizationHandler
* Adding controllers authz
* Fix return status code + produced response type
* Moving to folder
* Adding DenyLocalLogin policy scaffold
* Implement a temp DenyLocalLoginHandler
* Introducing a new Fobidden result
* Fix comment
* Introducing a helper class for authorizers
* Changed nullability for GetCurrentUser
* Changes from Attempt to Status + FIXME comments
* Create a UserGroupAuthorizationStatus to be used in the future
* Introduces a new authz status for checking media acess
* Introducing a new permission service for media
* Adding fixme
* Adding more policy configurations
* Adding Media policy requirement and handler
* Adding media authorizer
* Fix order of params
* Adding duplicate code comment
* Adding authz to media controllers
* Migrating more logic from MediaPermissions.cs
* Adding more MediaAuthorizationStatus-es
* Handling of new authorization status
* Fix comment
* Adding NotFound case
* Adding NewDenyLocalLoginIfConfigured policy && commenting [AllowAnonymous] where the policy is applied since it is already handled
* Changed Forbid() to Forbidden() to get the correct status code
* Remove policy that is applied on the base controller already
* Implement and apply NewUmbracoFeatureEnabled policy
* Renaming classes to add Permission in the name
* Register permission services
* Add FIXME
* Introduce new IUserGroupPermissionService and refactor accordingly
* Add single overload with default implementation
* Adding user permission policy and related
* Applying admin policy
* Register all new policies
* Better wording
* Add default implementation for a single overload
* Adding remarks to IContentPermissionService.cs
* Supporting null as key in ContentPermissionService
* Fix namespace
* Reverting back to not supporting null as content key, but having dedicated implementation
* Adding content authorizer with null values to represent root item
* Removing null key support and adding dedicated implementation
* Removing remarks
* Adding content resource with null support
* Removing null support
* Adding requirement and status
* Adding content authorizer + handlers
* Applying policies to content controllers
* Update comment
* Handling of Authorization Statuses
* More authz in controllers
* Fix comments
* New branch handler
* Obsolete old implementation
* Adding dedicated policies to root and bin
* Adding a branch specific namespace
* Bin specific requirement and namespace
* Root specific requirement and namespace
* Changing to new root policy
* Refactoring
* Save policies
* Fix null check/reference
* Add TODO comment
* Create media root- and bin-specific policies, handlers, etc.
* Apply correct policy in create and update media controllers
* Apply root policy to move and sort controllers
* Fix wording
* Adding UserGroupAuthorizationStatusResult
* Remove all AuthorizationStatusResult as we cannot get the specific AuthorizationStatus
* Fixing Umbraco feature policy
* Fix allow anonymous endpoints - the value returned from DenyLocalLoginHandler wasn't enough, we need to succeed DenyAnonymousAuthorizationRequirement as it is required for some of the endpoints that had the attribute
* Apply DenyLocalLoginIfConfigured policy to corresponding re-implementation of PostSetInvitedUserPassword
* Fix comment
* Renaming performingUser to user and fixing comments
* Rename helper method
* Fix references
* Re-add merge conflict deletion
* Adding Backoffice requirement and relevant
* Registering
* Added a simple policy test
* Fixed small test things and clean up
* Temp solution
* Added one more test and fix another static issue
* Fix another merge conflict
* Remove BackOfficePermissionRequirement and handler as they might not be necessary
* Comment out again [AllowAnonymous]
* Remove AuthorizationPolicies.BackOfficeAccessWithoutApproval policy as it might not be necessary
* Fix temp implementation
* Fix reference to correct handler
* Apply authz policy to new publish/unpublish controllers
* Fix comments
* Removing duplicate ProducesResponseTypes
* Added swagger documentation about the 401 and 403
* Added Resources to Media, User and UserGroup
* Handle root, recycle bin and branch in the same handler
* Handle both parent and target when moving
* Check Ids for all sort requests
* Xml docs
* Clean up
* Clean up
* Fix build
* Cleanup
* Remove TODO
* Added missing overload
* Use yield
* Adding some keys to check
---------
Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Co-authored-by: Andreas Zerbst <andr317c@live.dk>
* Setting actionContext.Result when authz wasn't successful
* Taking into account permissions when it is a new node
* Cleanup
* Passing nodeId as path when new item
* Refactor OpenIddict for shared usage between APIs + implement member authentication and handling within the Delivery API
* Make SwaggerRouteTemplatePipelineFilter UI config overridable
* Enable token revocation + rename logout endpoint to signout
* Add default implementation of SwaggerGenOptions configuration for enabling Delivery API member auth in Swagger
* Correct notification handling when (un)protecting content
* Fixing integration test framework
* Cleanup test to not execute some composers twice
* Update paths to match docs
* Return Forbidden when a member is authorized but not allowed to access the requested resource
* Cleanup
* Rename RequestMemberService to RequestMemberAccessService
* Rename badly named variable
* Review comments
* Hide the auth controller from Swagger
* Remove semaphore
* Add security requirements for content API operations in Swagger
* Hide the back-office auth endpoints from Swagger
* Fix merge
* Update back-office API auth endpoint paths + add revoke and sign-out endpoints (as of now they do not exist, a separate task will fix that)
* Swap endpoint order to maintain backwards compat with the current login screen for new back-office (will be swapped back again to ensure correct .well-known endpoints, see FIXME comment)
* Make "items by IDs" endpoint support member auth
* Add 401 and 403 to "items by IDs" endpoint responses
---------
Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Co-authored-by: Elitsa <elm@umbraco.dk>
* chore: Fix XML warnings
* docs: Fix XML warnings
* docs: Fix XML in resource designer
* docs: Fix XML warnings
* Revert "docs: Fix XML in resource designer"
This reverts commit 8ea61c51ac161e1853ae080db7fe1b4d4cb4d2be.
* Added attribute filter to ensure a request is taking a minimum time to response
* Added functionality to management api to send forgot password emails and verify these + do the actual reset using the token
* Renamed UserKey to UserId and updated OpenApi.json
* Update src/Umbraco.Core/Services/IUserService.cs
Co-authored-by: Elitsa Marinovska <21998037+elit0451@users.noreply.github.com>
* Cleanup
* Renaming param
* Fixing send user username instead of email + wrong EmailTypes
* Fixed issue with forgot password functionality after reusing other functionality
* Rename prop
* Adding docs and renaming param
* Handle password validation return types
* More cleanup
---------
Co-authored-by: Elitsa <elm@umbraco.dk>
Co-authored-by: Elitsa Marinovska <21998037+elit0451@users.noreply.github.com>
* Implemented modular architecture for filestream security sanitization with an svg-html example
* 31440: Refactoring, applied to more entry points and removed test analyzer
* 31440 Added Unittests for FileStreamSecurityValidator
* PR fixes and better unittest mock names
---------
Co-authored-by: Sven Geusens <sge@umbraco.dk>
* Added functionality to verify user invite tokens and create the initial password
* Add response types
* Fail ValidateCredentialsAsync when user is not approved
* Enable user as part of initial password creating using validation token
* Adds documentation to badrequest and changed nocontent to ok, to align with other APIs
* Fixed tests and added a new one
---------
Co-authored-by: nikolajlauridsen <nikolajlauridsen@protonmail.ch>
* Add current user data endpoint
* Add Change password endpoint
* Add SetAvatar
* Add get node permissions
* Add endpoint for getting currently logged in users linked logins
* Add tour service
* Add get tours
* Add set tour endpoint
* Split permissions endpoint in two, one for media and one for document
* Add specific not found results
* Add tests for the enable/disable not found tweak
* Cache ids and key in UserIdKeyResolver
* Don't cache null keys
* BackOffice not Backoffice
* Move fetching the user out of the ChangePasswordUsersController
* Move resolving user out of SetAvatar
* Move resolving user out of Update
* Return more specific notfound in bykey
* Use ErrorResult for all endpoints with unknown errors
* Split integration tests
* Add mappers
* Use ?: consistently
* Add reuseable iso code validator
* Validate ISO code
* Update supressions
* Use method from base to get current user key
* Rename ISo to Iso
* Use keys in services instead of user groups + Added a couple of new validations
---------
Co-authored-by: Bjarke Berg <mail@bergmania.dk>
* Add UserResponseModel
* Add factory to created UserResponseModel
* Add GetByKey controller
* Add GetAllUsers endpoint
* User proper response model
* Make naming consistent
* Order by username in GetAll
* Add user filter endpoint
* Fix includer user states
* Remove gravatar from the backend
* Send user avatars in response
* Add create user model
* start working on create
* Validate the create model
* Add authorization to create
* Use UserRepository instead of UserService to ValidateSessíonId
* Create IBackofficeUserStore interface
This is essentially a core-friendly version of the BackOfficeUserStore, additionally it contains basic methods for managing users, I.E. Get users, save users, create users, etc.
* Remove more usages of user service
* Remove usages of IUserService in BackofficeUserStore
* Add documentation
* Fix tests and DI
* add IBackOfficeUserStoreAccessor to resolve it in singleton services
* Resolve circular dependency
* Remove obsolete constructor
* Add core friendly user manager
* Finish createasync in user service
* Add WIP create endpoint
* Save newly creates users user groups
* Use service scope for user service
* Remove now unnecessary accessors
* Add response types
* Add update user endpoint
* Add EmailUserInviteSender
* Add technology free way of creating confirmation token
* Add invite uri provider
* Add invite user to user service
* Add invite user controller
* Add delete endpoint
* Add operation status responses
* Add operation status responses
* Added temporary file uploads including a repository implementation using local temp folder.
* Add Disable users endpoint
* missing files
* Fixed copy paste error
* Fix create users return type
* Updated OpenApi.json
* Updated OpenApi.json
* Handle if created failed in identity
* Add enable user
* Make users plural in enable/disable
We're doing the operation on multiple entities
* Added file extension check
* Add unlock user endpoint
* Clean up. Removed old TemporaryFileService and UploadFileService and updated dictionary items to use this new items
* Clean up
* Add reset password
* Add UpdateUserGroupsOnUsers method
* Add UpdateUserGroups
* Get rid of stream directly on TemporaryFileModel, and use delegate to open stream instead.
* Fix post merge
* Use keys instead of IDs
* Add ClearAvatar endpoint
* Review changes
* Moved models to their own files
* Reverted launch settings
* Move enlist extension to its own namespace
* Create set avatar endpoint
* Add reponse types
* Remove infrastructure extension after merge
* Add Cmapatibility suppressions
* Add test suppression
* Add integration tests
* Fix issue found in tests
* Add invited user to UserInvitationResult
* Add more tests
* Add update tests
* Hide different tests under parent
* Return DuplicatUserName user operation status if username matches an email
* Add update tests
* Change sorted set to HashSet
It doesn't work if it's not IComparable
* Change ID to Key when checking super
* Add get tests
* Add more GetAllTests
* Move tests to the right namespace
* Add filter test
* Fix including disabled users bug found by test
* Add test to ensure invited user state
* Add test case for UserState.All
* Add more filter tests
* Add enable disable tests
* Add resolver for keys and ids
* Replace usages of IUserService with IUserIdKeyResolver
* Add CompatibilitySuppressions
* Add UserIdKeyResolverTests
* Fix UserIdKeyResolver
* Add missing user operation results
* Updates from review
* ID not key
* Post instead of patch
* Use set instead of params for enable/disable
* Don't call to array
* Use sets for usergroup keys and user keys instead
* LanguageIsoCode instead of Language
* Update CompatibilitySuppressions after changin enumerable to set
---------
Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Co-authored-by: kjac <kja@umbraco.dk>
* Move AuditService to core project
* Move two factor login service to core
* Move ServerRegistrationService to core
* Move BasicAuthService to Core project
* Move IdKeyMap to core project
* Added CacheInstructionService to the infrastructure namespace
* Move DataTypeService to core namespace
* Update CacheInstructionService.cs to use CoreScopeProvider
* Move core editors to core
* Move more Property editors and configuration
* Remove obsoleted constructors in internal classes
* Update PropertyEditors to use new ctors
* Fix propertyEditors to use new ctors
* Use the right property editor constructors
* add DI in the property method
* Update grid to use new ctor
* Fix non-assignment of variable
* Apply suggestions from code review
Co-authored-by: Mole <nikolajlauridsen@protonmail.ch>
* Fix suggestions from code review
Co-authored-by: Nikolaj Geisle <niko737@edu.ucl.dk>
Co-authored-by: Kevin Jump <kevin@thejumps.co.uk>
Co-authored-by: Mole <nikolajlauridsen@protonmail.ch>
* Further enhancements for legacy password support.
For users - try new style passwords first and fallback on failure seeing
as a valid modern password is the norm, rehash is only one time.
For both users and members also deals with the fact that for
useLegacyEncoding we could store any old thing in passwordConfig
e.g. it's possible to get Umbraco8 to store "HMACSHA384" alongside
the hash even though it's really HMACSHA1 with password used as key
(try it out by tweaking machine key settings and setting
useLegacyEncoding=true).
Has behavioral breaking changes in LegacyPasswordSecurity as the
code now expects consumers to to respect IsSupportedHashAlgorithm
rather than ignoring it.
* Less rushed removals
* Bugfix - Take ufprt from form data if the request has form content type, otherwise fallback to use the query
* External linking for members
* Changed migration to reuse old table
* removed unnecessary web.config files
* Cleanup
* Extracted class to own file
* Clean up
* Rollback changes to Umbraco.Web.UI.csproj
* Fixed migration for SqlCE
* Change notification handler to be on deleted
* Update src/Umbraco.Infrastructure/Security/MemberUserStore.cs
Co-authored-by: Mole <nikolajlauridsen@protonmail.ch>
* Fixed issue with errors not shown on member linking
* fixed issue with errors
* clean up
* Fix issue where external logins could not be used to upgrade Umbraco, because the externalLogin table was expected to look different. (Like after the migration)
* Fixed issue in Ignore legacy column now using result column.
Co-authored-by: Mole <nikolajlauridsen@protonmail.ch>
