/// <inheritdoc/> protected override Task <bool> IsAuthorized(AuthorizationHandlerContext context, UserGroupRequirement requirement) { IUser currentUser = _backOfficeSecurityAccessor.BackOfficeSecurity.CurrentUser; var querystring = _httpContextAccessor.HttpContext?.Request.Query[requirement.QueryStringName]; if (querystring is null) { // Must succeed this requirement since we cannot process it. return(Task.FromResult(true)); } if (querystring.Value.Count == 0) { // Must succeed this requirement since we cannot process it. return(Task.FromResult(true)); } var intIds = querystring.Value.ToString().Split(Constants.CharArrays.Comma) .Select(x => int.TryParse(x, NumberStyles.Integer, CultureInfo.InvariantCulture, out var output) ? Attempt <int> .Succeed(output) : Attempt <int> .Fail()) .Where(x => x.Success).Select(x => x.Result).ToArray(); var authHelper = new UserGroupEditorAuthorizationHelper( _userService, _contentService, _mediaService, _entityService, _appCaches); Attempt <string> isAuth = authHelper.AuthorizeGroupAccess(currentUser, intIds); return(Task.FromResult(isAuth.Success)); }
public ActionResult <UserGroupDisplay?> PostSaveUserGroup(UserGroupSave userGroupSave) { if (userGroupSave == null) { throw new ArgumentNullException(nameof(userGroupSave)); } //authorize that the user has access to save this user group var authHelper = new UserGroupEditorAuthorizationHelper( _userService, _contentService, _mediaService, _entityService, _appCaches); Attempt <string?> isAuthorized = authHelper.AuthorizeGroupAccess(_backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser, userGroupSave.Alias); if (isAuthorized == false) { return(Unauthorized(isAuthorized.Result)); } //if sections were added we need to check that the current user has access to that section isAuthorized = authHelper.AuthorizeSectionChanges( _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser, userGroupSave.PersistedUserGroup?.AllowedSections, userGroupSave.Sections); if (isAuthorized == false) { return(Unauthorized(isAuthorized.Result)); } //if start nodes were changed we need to check that the current user has access to them isAuthorized = authHelper.AuthorizeStartNodeChanges( _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser, userGroupSave.PersistedUserGroup?.StartContentId, userGroupSave.StartContentId, userGroupSave.PersistedUserGroup?.StartMediaId, userGroupSave.StartMediaId); if (isAuthorized == false) { return(Unauthorized(isAuthorized.Result)); } //need to ensure current user is in a group if not an admin to avoid a 401 EnsureNonAdminUserIsInSavedUserGroup(userGroupSave); //map the model to the persisted instance _umbracoMapper.Map(userGroupSave, userGroupSave.PersistedUserGroup); if (userGroupSave.PersistedUserGroup is not null) { //save the group _userService.Save(userGroupSave.PersistedUserGroup, userGroupSave.Users?.ToArray()); } //deal with permissions //remove ones that have been removed var existing = _userService.GetPermissions(userGroupSave.PersistedUserGroup, true) .ToDictionary(x => x.EntityId, x => x); if (userGroupSave.AssignedPermissions is not null) { IEnumerable <int> toRemove = existing.Keys.Except(userGroupSave.AssignedPermissions.Select(x => x.Key)); foreach (var contentId in toRemove) { _userService.RemoveUserGroupPermissions(userGroupSave.PersistedUserGroup?.Id ?? default, contentId); } //update existing foreach (KeyValuePair <int, IEnumerable <string> > assignedPermission in userGroupSave.AssignedPermissions) { _userService.ReplaceUserGroupPermissions( userGroupSave.PersistedUserGroup?.Id ?? default, assignedPermission.Value.Select(x => x[0]), assignedPermission.Key); } } UserGroupDisplay?display = _umbracoMapper.Map <UserGroupDisplay>(userGroupSave.PersistedUserGroup); display?.AddSuccessNotification( _localizedTextService.Localize("speechBubbles", "operationSavedHeader"), _localizedTextService.Localize("speechBubbles", "editUserGroupSaved")); return(display); }