protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            var umbracoContext = GetUmbracoContext();
            var requestingUser = umbracoContext.Security.CurrentUser;

            // Every occurrence of the configured parameter on the query string
            // (the same key may be supplied more than once).
            var requestedIds = actionContext.Request
                                            .GetQueryNameValuePairs()
                                            .Where(pair => pair.Key == _paramName)
                                            .ToArray();

            // No group ids were supplied: defer entirely to the base filter.
            if (requestedIds.Length == 0)
            {
                return base.IsAuthorized(actionContext);
            }

            // NOTE(review): values that do not convert to an int are dropped rather than
            // rejected, so the helper only sees the ids that could be parsed — confirm that
            // is the intended handling for malformed values.
            var groupIds = requestedIds.Select(pair => pair.Value.TryConvertTo<int>())
                                       .Where(attempt => attempt.Success)
                                       .Select(attempt => attempt.Result)
                                       .ToArray();

            var services   = umbracoContext.Application.Services;
            var authHelper = new UserGroupEditorAuthorizationHelper(
                services.UserService,
                services.ContentService,
                services.MediaService,
                services.EntityService);

            return authHelper.AuthorizeGroupAccess(requestingUser, groupIds);
        }
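        /// <summary>
        /// Saves a user group together with its members and its per-node permission assignments.
        /// </summary>
        /// <param name="userGroupSave">The submitted group, its members and its assigned permissions.</param>
        /// <returns>The saved group mapped for display, with a success notification attached.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="userGroupSave"/> is null.</exception>
        /// <exception cref="HttpResponseException">
        /// 401 when the current user may not edit this group, change its sections or change its start nodes.
        /// </exception>
        public UserGroupDisplay PostSaveUserGroup(UserGroupSave userGroupSave)
        {
            if (userGroupSave == null)
            {
                throw new ArgumentNullException(nameof(userGroupSave));
            }

            // Every authorization check has to pass before anything is persisted.
            AuthorizeUserGroupSave(userGroupSave);

            //need to ensure current user is in a group if not an admin to avoid a 401
            EnsureNonAdminUserIsInSavedUserGroup(userGroupSave);

            //save the group
            Services.UserService.Save(userGroupSave.PersistedUserGroup, userGroupSave.Users.ToArray());

            //deal with permissions (after the group itself has been saved)
            SyncUserGroupPermissions(userGroupSave);

            var display = Mapper.Map<UserGroupDisplay>(userGroupSave.PersistedUserGroup);

            display.AddSuccessNotification(Services.TextService.Localize("speechBubbles/operationSavedHeader"), Services.TextService.Localize("speechBubbles/editUserGroupSaved"));
            return(display);
        }

        /// <summary>
        /// Throws a 401 <see cref="HttpResponseException"/> (carrying the helper's reason) unless the
        /// current user may edit the group, change its allowed sections and change its start nodes.
        /// </summary>
        /// <param name="userGroupSave">The submitted group whose changes are being authorized.</param>
        private void AuthorizeUserGroupSave(UserGroupSave userGroupSave)
        {
            var authHelper = new UserGroupEditorAuthorizationHelper(
                Services.UserService, Services.ContentService, Services.MediaService, Services.EntityService);

            //authorize that the user has access to save this user group
            var isAuthorized = authHelper.AuthorizeGroupAccess(Security.CurrentUser, userGroupSave.Alias);

            if (isAuthorized == false)
            {
                throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.Unauthorized, isAuthorized.Result));
            }

            //if sections were added we need to check that the current user has access to that section
            isAuthorized = authHelper.AuthorizeSectionChanges(Security.CurrentUser,
                                                              userGroupSave.PersistedUserGroup.AllowedSections,
                                                              userGroupSave.Sections);
            if (isAuthorized == false)
            {
                throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.Unauthorized, isAuthorized.Result));
            }

            //if start nodes were changed we need to check that the current user has access to them
            isAuthorized = authHelper.AuthorizeStartNodeChanges(Security.CurrentUser,
                                                                userGroupSave.PersistedUserGroup.StartContentId,
                                                                userGroupSave.StartContentId,
                                                                userGroupSave.PersistedUserGroup.StartMediaId,
                                                                userGroupSave.StartMediaId);
            if (isAuthorized == false)
            {
                // Kept as 401 to match the other checks in this controller.
                throw new HttpResponseException(Request.CreateResponse(HttpStatusCode.Unauthorized, isAuthorized.Result));
            }
        }

        /// <summary>
        /// Brings the group's per-node permissions in line with the submitted set: assignments for nodes
        /// that are no longer present are removed, every submitted node has its permissions replaced.
        /// </summary>
        /// <param name="userGroupSave">The submitted group; its <c>PersistedUserGroup</c> must already be saved.</param>
        private void SyncUserGroupPermissions(UserGroupSave userGroupSave)
        {
            var groupId = userGroupSave.PersistedUserGroup.Id;

            //remove ones that have been removed
            var existing = Services.UserService.GetPermissions(userGroupSave.PersistedUserGroup, true)
                           .ToDictionary(x => x.EntityId, x => x);
            var toRemove = existing.Keys.Except(userGroupSave.AssignedPermissions.Select(x => x.Key));

            foreach (var contentId in toRemove)
            {
                Services.UserService.RemoveUserGroupPermissions(groupId, contentId);
            }

            //update existing
            // NOTE(review): the node ids in AssignedPermissions are not checked here against the
            // current user's own access; group-level authorization is relied on — confirm intended.
            foreach (var assignedPermission in userGroupSave.AssignedPermissions)
            {
                // Only the first character of each submitted permission string is passed on — TODO confirm
                Services.UserService.ReplaceUserGroupPermissions(
                    groupId,
                    assignedPermission.Value.Select(x => x[0]),
                    assignedPermission.Key);
            }
        }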