/// <summary>
/// Authorizes the request only when the current back-office user may access every user group
/// id supplied in the query string under the configured parameter name (<c>_paramName</c>).
/// </summary>
/// <param name="actionContext">The Web API action context whose request query string is inspected.</param>
/// <returns>
/// The base filter's decision when the query string carries no value for the parameter; otherwise
/// the group-access result of <c>UserGroupEditorAuthorizationHelper</c> for the parsed integer ids.
/// Values that do not convert to <see cref="int"/> are dropped before the check rather than rejected.
/// </returns>
protected override bool IsAuthorized(HttpActionContext actionContext)
{
    var context = GetUmbracoContext();
    var currentUser = context.Security.CurrentUser;

    var requestedIds = actionContext.Request
        .GetQueryNameValuePairs()
        .Where(pair => pair.Key == _paramName)
        .ToArray();

    // No group ids to verify: defer to the default authorization behaviour.
    if (requestedIds.Length == 0)
    {
        return base.IsAuthorized(actionContext);
    }

    // Only values that parse as integers are checked; unparseable ones are silently skipped.
    var groupIds = (from pair in requestedIds
                    let converted = pair.Value.TryConvertTo<int>()
                    where converted.Success
                    select converted.Result).ToArray();

    var services = context.Application.Services;
    var authorizer = new UserGroupEditorAuthorizationHelper(
        services.UserService,
        services.ContentService,
        services.MediaService,
        services.EntityService);

    return authorizer.AuthorizeGroupAccess(currentUser, groupIds);
}
/// <summary>
/// Saves a user group after verifying that the current back-office user may edit it, may grant
/// the requested sections, and may assign the requested start nodes; then replaces the group's
/// entity permissions with the posted set and returns the group for display.
/// </summary>
/// <param name="userGroupSave">The posted group, already bound to its persisted entity.</param>
/// <returns>The saved group mapped to <see cref="UserGroupDisplay"/> with a success notification attached.</returns>
/// <exception cref="ArgumentNullException"><paramref name="userGroupSave"/> is null.</exception>
/// <exception cref="HttpResponseException">
/// Thrown with status 401 (Unauthorized) when any of the three authorization checks fails;
/// the response body is the failed check's result.
/// </exception>
public UserGroupDisplay PostSaveUserGroup(UserGroupSave userGroupSave)
{
    if (userGroupSave == null)
    {
        throw new ArgumentNullException(nameof(userGroupSave));
    }

    var currentUser = Security.CurrentUser;
    var authorizer = new UserGroupEditorAuthorizationHelper(
        Services.UserService,
        Services.ContentService,
        Services.MediaService,
        Services.EntityService);

    // 1. May the current user edit this group at all?
    var groupAccess = authorizer.AuthorizeGroupAccess(currentUser, userGroupSave.Alias);
    if (groupAccess == false)
    {
        throw AuthorizationDeniedResponse(groupAccess.Result);
    }

    // 2. Any newly granted section must be one the current user can access.
    var persisted = userGroupSave.PersistedUserGroup;
    var sectionAccess = authorizer.AuthorizeSectionChanges(currentUser, persisted.AllowedSections, userGroupSave.Sections);
    if (sectionAccess == false)
    {
        throw AuthorizationDeniedResponse(sectionAccess.Result);
    }

    // 3. Changed start nodes must be reachable by the current user.
    var startNodeAccess = authorizer.AuthorizeStartNodeChanges(
        currentUser,
        persisted.StartContentId,
        userGroupSave.StartContentId,
        persisted.StartMediaId,
        userGroupSave.StartMediaId);
    if (startNodeAccess == false)
    {
        throw AuthorizationDeniedResponse(startNodeAccess.Result);
    }

    // A non-admin must stay a member of the group being saved, otherwise they would get a 401 afterwards.
    EnsureNonAdminUserIsInSavedUserGroup(userGroupSave);

    Services.UserService.Save(persisted, userGroupSave.Users.ToArray());

    // Permissions: first drop entities that are no longer assigned ...
    var existingEntityIds = Services.UserService
        .GetPermissions(persisted, true)
        .ToDictionary(permission => permission.EntityId)
        .Keys;
    var assignedEntityIds = userGroupSave.AssignedPermissions.Select(assigned => assigned.Key);
    foreach (var entityId in existingEntityIds.Except(assignedEntityIds))
    {
        Services.UserService.RemoveUserGroupPermissions(persisted.Id, entityId);
    }

    // ... then replace the permission set for every entity that is assigned.
    foreach (var assigned in userGroupSave.AssignedPermissions)
    {
        // Each permission is identified by the first character of its string form.
        var permissionChars = assigned.Value.Select(permission => permission[0]);
        Services.UserService.ReplaceUserGroupPermissions(persisted.Id, permissionChars, assigned.Key);
    }

    var display = Mapper.Map<UserGroupDisplay>(persisted);
    display.AddSuccessNotification(
        Services.TextService.Localize("speechBubbles/operationSavedHeader"),
        Services.TextService.Localize("speechBubbles/editUserGroupSaved"));
    return display;
}

/// <summary>
/// Builds the 401 (Unauthorized) response thrown when one of the save-time authorization checks fails.
/// </summary>
/// <typeparam name="T">Type of the check result placed in the response body.</typeparam>
/// <param name="reason">The failed check's result, returned to the caller as the response content.</param>
/// <returns>An <see cref="HttpResponseException"/> wrapping the 401 response.</returns>
private HttpResponseException AuthorizationDeniedResponse<T>(T reason)
{
    return new HttpResponseException(Request.CreateResponse(HttpStatusCode.Unauthorized, reason));
}