Merge pull request from GHSA-cfr5-7p54-4qg8

Zeegaan · bergmania · web-flow · commit cdd4d2a00078 · 2023-12-11T13:59:59.000+01:00
* Bump version

* Apply authorization policies to controllers

* Return bad request if we urltracking is disabled

* Apply authorization policies to controllers

* Return bad request if we urltracking is disabled

---------

Co-authored-by: Bjarke Berg &lt;mail@bergmania.dk&gt;
Co-authored-by: Zeegaan &lt;nge@umbraco.dk&gt;
diff --git a/src/Umbraco.Web.BackOffice/Controllers/AnalyticsController.cs b/src/Umbraco.Web.BackOffice/Controllers/AnalyticsController.cs
@@ -1,9 +1,12 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Services;
+using Umbraco.Cms.Web.Common.Authorization;
 
 namespace Umbraco.Cms.Web.BackOffice.Controllers;
 
+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class AnalyticsController : UmbracoAuthorizedJsonController
 {
     private readonly IMetricsConsentService _metricsConsentService;
diff --git a/src/Umbraco.Web.BackOffice/Controllers/LanguageController.cs b/src/Umbraco.Web.BackOffice/Controllers/LanguageController.cs
@@ -18,6 +18,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers;
 ///     Backoffice controller supporting the dashboard for language administration.
 /// </summary>
 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class LanguageController : UmbracoAuthorizedJsonController
 {
     private readonly ILocalizationService _localizationService;
diff --git a/src/Umbraco.Web.BackOffice/Controllers/PublishedSnapshotCacheStatusController.cs b/src/Umbraco.Web.BackOffice/Controllers/PublishedSnapshotCacheStatusController.cs
@@ -1,13 +1,16 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Cache;
 using Umbraco.Cms.Core.PublishedCache;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Extensions;
 
 namespace Umbraco.Cms.Web.BackOffice.Controllers;
 
 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class PublishedSnapshotCacheStatusController : UmbracoAuthorizedApiController
 {
     private readonly DistributedCache _distributedCache;
diff --git a/src/Umbraco.Web.BackOffice/Controllers/RedirectUrlManagementController.cs b/src/Umbraco.Web.BackOffice/Controllers/RedirectUrlManagementController.cs
@@ -2,6 +2,7 @@
 // See LICENSE for more details.
 
 using System.Security;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -14,11 +15,13 @@
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Extensions;
 
 namespace Umbraco.Cms.Web.BackOffice.Controllers;
 
 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessContent)]
 public class RedirectUrlManagementController : UmbracoAuthorizedApiController
 {
     private readonly IBackOfficeSecurityAccessor _backofficeSecurityAccessor;
@@ -45,16 +48,17 @@ public RedirectUrlManagementController(
         _configManipulator = configManipulator ?? throw new ArgumentNullException(nameof(configManipulator));
     }
 
+    private bool IsEnabled => _webRoutingSettings.CurrentValue.DisableRedirectUrlTracking == false;
+
     /// <summary>
     ///     Returns true/false of whether redirect tracking is enabled or not
     /// </summary>
     /// <returns></returns>
     [HttpGet]
     public IActionResult GetEnableState()
     {
-        var enabled = _webRoutingSettings.CurrentValue.DisableRedirectUrlTracking == false;
         var userIsAdmin = _backofficeSecurityAccessor.BackOfficeSecurity?.CurrentUser?.IsAdmin() ?? false;
-        return Ok(new { enabled, userIsAdmin });
+        return Ok(new { enabled = IsEnabled, userIsAdmin });
     }
 
     //add paging
@@ -104,6 +108,11 @@ public RedirectUrlSearchResult RedirectUrlsForContentItem(string contentUdi)
     [HttpPost]
     public IActionResult DeleteRedirectUrl(Guid id)
     {
+        if (IsEnabled is false)
+        {
+            return BadRequest("Redirect URL tracking is disabled, and therefore no URLs can be deleted.");
+        }
+
         _redirectUrlService.Delete(id);
         return Ok();
     }
diff --git a/src/Umbraco.Web.BackOffice/Controllers/StylesheetController.cs b/src/Umbraco.Web.BackOffice/Controllers/StylesheetController.cs
@@ -1,8 +1,10 @@
+using Microsoft.AspNetCore.Authorization;
 using Umbraco.Cms.Core;
 using Umbraco.Cms.Core.Models;
 using Umbraco.Cms.Core.Models.ContentEditing;
 using Umbraco.Cms.Core.Services;
 using Umbraco.Cms.Web.Common.Attributes;
+using Umbraco.Cms.Web.Common.Authorization;
 using Umbraco.Extensions;
 using Stylesheet = Umbraco.Cms.Core.Models.ContentEditing.Stylesheet;
 
@@ -12,6 +14,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers;
 ///     The API controller used for retrieving available stylesheets
 /// </summary>
 [PluginController(Constants.Web.Mvc.BackOfficeApiArea)]
+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]
 public class StylesheetController : UmbracoAuthorizedJsonController
 {
     private readonly IFileService _fileService;

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ namespace Umbraco.Cms.Web.BackOffice.Controllers;`
`18`	`18`	`/// Backoffice controller supporting the dashboard for language administration.`
`19`	`19`	`/// </summary>`
`20`	`20`	`[PluginController(Constants.Web.Mvc.BackOfficeApiArea)]`
	`21`	`+[Authorize(Policy = AuthorizationPolicies.SectionAccessSettings)]`
`21`	`22`	`public class LanguageController : UmbracoAuthorizedJsonController`
`22`	`23`	`{`
`23`	`24`	`private readonly ILocalizationService _localizationService;`