yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
aabb5b7c48903ebdd4d7ef487997d487e97f04ee
Umbraco-CMS/src/Umbraco.Core/Security/MediaPermissions.cs
Elitsa Marinovska fda866fc9e V14: Add authorization policies to Management API controllers - p2 (#15211) 
* Making ProblemDetails details more generic

* Adding authorizer that can be replaces for external authz in handlers. Adding handler and requirement for UserBelongsToUserGroupInRequest policy

* Adding method to get the GUID from claims

* Adding service methods to check user group authz

* Porting MustSatisfyRequirementAuthorizationHandler

* Adding controllers authz

* Fix return status code + produced response type

* Moving to folder

* Adding DenyLocalLogin policy scaffold

* Implement a temp DenyLocalLoginHandler

* Introducing a new Fobidden result

* Fix comment

* Introducing a helper class for authorizers

* Changed nullability for GetCurrentUser

* Changes from Attempt to Status + FIXME comments

* Create a UserGroupAuthorizationStatus to be used in the future

* Introduces a new authz status for checking media acess

* Introducing a new permission service for media

* Adding fixme

* Adding more policy configurations

* Adding Media policy requirement and handler

* Adding media authorizer

* Fix order of params

* Adding duplicate code comment

* Adding authz to media controllers

* Migrating more logic from MediaPermissions.cs

* Adding more MediaAuthorizationStatus-es

* Handling of new authorization status

* Fix comment

* Adding NotFound case

* Adding NewDenyLocalLoginIfConfigured policy && commenting [AllowAnonymous] where the policy is applied since it is already handled

* Changed Forbid() to Forbidden() to get the correct status code

* Remove policy that is applied on the base controller already

* Implement and apply NewUmbracoFeatureEnabled policy

* Renaming classes to add Permission in the name

* Register permission services

* Add FIXME

* Introduce new IUserGroupPermissionService and refactor accordingly

* Add single overload with default implementation

* Adding user permission policy and related

* Applying admin policy

* Register all new policies

* Better wording

* Add default implementation for a single overload

* Adding remarks to IContentPermissionService.cs

* Supporting null as key in ContentPermissionService

* Fix namespace

* Reverting back to not supporting null as content key, but having dedicated implementation

* Adding content authorizer with null values to represent root item

* Removing null key support and adding dedicated implementation

* Removing remarks

* Adding content resource with null support

* Removing null support

* Adding requirement and status

* Adding content authorizer + handlers

* Applying policies to content controllers

* Update comment

* Handling of Authorization Statuses

* More authz in controllers

* Fix comments

* New branch handler

* Obsolete old implementation

* Adding dedicated policies to root and bin

* Adding a branch specific namespace

* Bin specific requirement and namespace

* Root specific requirement and namespace

* Changing to new root policy

* Refactoring

* Save policies

* Fix null check/reference

* Add TODO comment

* Create media root- and bin-specific policies, handlers, etc.

* Apply correct policy in create and update media controllers

* Apply root policy to move and sort controllers

* Fix wording

* Adding UserGroupAuthorizationStatusResult

* Remove all AuthorizationStatusResult as we cannot get the specific AuthorizationStatus

* Fixing Umbraco feature policy

* Fix allow anonymous endpoints - the value returned from DenyLocalLoginHandler wasn't enough, we need to succeed DenyAnonymousAuthorizationRequirement as it is required for some of the endpoints that had the attribute

* Apply DenyLocalLoginIfConfigured policy to corresponding re-implementation of PostSetInvitedUserPassword

* Fix comment

* Renaming performingUser to user and fixing comments

* Rename helper method

* Fix references

* Re-add merge conflict deletion

* Adding Backoffice requirement and relevant

* Registering

* Added a simple policy test

* Fixed small test things and clean up

* Temp solution

* Added one more test and fix another static issue

* Fix another merge conflict

* Remove BackOfficePermissionRequirement and handler as they might not be necessary

* Comment out again [AllowAnonymous]

* Remove AuthorizationPolicies.BackOfficeAccessWithoutApproval policy as it might not be necessary

* Fix temp implementation

* Fix reference to correct handler

* Apply authz policy to new publish/unpublish controllers

* Fix comments

* Removing duplicate ProducesResponseTypes

* Added swagger documentation about the 401 and 403

* Added Resources to Media, User and UserGroup

* Handle root, recycle bin and branch in the same handler

* Handle both parent and target when moving

* Check Ids for all sort requests

* Xml docs

* Clean up

* Clean up

* Fix build

* Cleanup

* Remove TODO

* Added missing overload

* Use yield

* Adding some keys to check

---------

Co-authored-by: Bjarke Berg <mail@bergmania.dk>
Co-authored-by: Andreas Zerbst <andr317c@live.dk>
2023-12-11 08:25:29 +01:00

86 lines
2.6 KiB
C#
Raw Blame History

using Umbraco.Cms.Core.Cache;
using Umbraco.Cms.Core.Models;
using Umbraco.Cms.Core.Models.Membership;
using Umbraco.Cms.Core.Services;
namespace Umbraco.Cms.Core.Security;
/// <summary>
/// Checks user access to media
/// </summary>
[Obsolete($"Please use {nameof(IMediaPermissionService)} instead, scheduled for removal in V15.")]
public class MediaPermissions
{
private readonly AppCaches _appCaches;
public enum MediaAccess
{
Granted,
Denied,
NotFound,
}
private readonly IEntityService _entityService;
private readonly IMediaService _mediaService;
public MediaPermissions(IMediaService mediaService, IEntityService entityService, AppCaches appCaches)
{
_mediaService = mediaService;
_entityService = entityService;
_appCaches = appCaches;
}
/// <summary>
/// Performs a permissions check for the user to check if it has access to the node based on
/// start node and/or permissions for the node
/// </summary>
/// <param name="user"></param>
/// <param name="nodeId">The content to lookup, if the contentItem is not specified</param>
/// <param name="media"></param>
/// <returns></returns>
public MediaAccess CheckPermissions(IUser? user, int nodeId, out IMedia? media)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
media = null;
if (nodeId != Constants.System.Root && nodeId != Constants.System.RecycleBinMedia)
{
media = _mediaService.GetById(nodeId);
}
if (media == null && nodeId != Constants.System.Root && nodeId != Constants.System.RecycleBinMedia)
{
return MediaAccess.NotFound;
}
var hasPathAccess = nodeId == Constants.System.Root
? user.HasMediaRootAccess(_entityService, _appCaches)
: nodeId == Constants.System.RecycleBinMedia
? user.HasMediaBinAccess(_entityService, _appCaches)
: user.HasPathAccess(media, _entityService, _appCaches);
return hasPathAccess ? MediaAccess.Granted : MediaAccess.Denied;
}
public MediaAccess CheckPermissions(IMedia? media, IUser? user)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
if (media == null)
{
return MediaAccess.NotFound;
}
var hasPathAccess = user.HasPathAccess(media, _entityService, _appCaches);
return hasPathAccess ? MediaAccess.Granted : MediaAccess.Denied;
}
}
Reference in New Issue View Git Blame Copy Permalink