Made some internal classes public #15638

Merged

bergmania
Member

Made some internal classes public, so it's possible to bypass security for packages like DTGE.
Related: #15572

Fixes: #15560

Example

using Umbraco.Core;
using Umbraco.Core.Cache;
using Umbraco.Core.Configuration;
using Umbraco.Core.Logging;
using Umbraco.Core.Persistence;
using Umbraco.Core.PropertyEditors;
using Umbraco.Core.Scoping;
using Umbraco.Core.Services;
using Umbraco.Web;
using Umbraco.Web.Editors;
using Umbraco.Web.Models.ContentEditing;
using Umbraco.Web.WebApi.Filters;
using Umbraco.Web.Editors.Filters;
using Umbraco.Web.Editors.Binders;
using System.Web.Http.ModelBinding;

namespace ClassLibrary2
{
    [Umbraco.Web.Mvc.PluginController("dtge")]
    [UmbracoApplicationAuthorize(Constants.Applications.Content)]
    public class WhateverController : BackOfficeNotificationsController
    {
        private ContentController _contentController;

        public WhateverController(PropertyEditorCollection propertyEditors, IGlobalSettings globalSettings,
            IUmbracoContextAccessor umbracoContextAccessor, ISqlContext sqlContext, ServiceContext services,
            AppCaches appCaches, IProfilingLogger logger, IRuntimeState runtimeState, UmbracoHelper umbracoHelper,
            IScopeProvider scopeProvider)
            : base(globalSettings, umbracoContextAccessor, sqlContext, services, appCaches, logger, runtimeState, umbracoHelper)
        {
            // Wrap the core ContentController so the package can reuse its blueprint save logic.
            _contentController = new ContentController(propertyEditors, globalSettings, umbracoContextAccessor, sqlContext,
                services, appCaches, logger, runtimeState, umbracoHelper, scopeProvider);
        }

        // Delegates to the core ContentController, with the user access
        // validation of ContentSaveValidation skipped for this action.
        [FileUploadCleanupFilter]
        [ContentSaveValidation(skipUserAccessValidation: true)]
        public ContentItemDisplay PostSaveBlueprint([ModelBinder(typeof(BlueprintItemBinder))] ContentItemSave contentItem)
        {
            return _contentController.PostSaveBlueprint(contentItem);
        }
    }
}

@Matthew-Wise
Contributor

Matthew-Wise commented Jan 30, 2024

Hi,
Is there a planned release date for this? I currently have 2 live sites with this issue, one of which is chasing for a fix date as they don't want to give all editors settings access.

Thanks
Matt

@bergmania
Member Author

Plan is next week.. I'll create it on our now

Contributor

@nikolajlauridsen nikolajlauridsen left a comment

LGTM 👍

@nikolajlauridsen nikolajlauridsen merged commit 3ce0854 into v8/8.18 Jan 31, 2024
7 checks passed
@nikolajlauridsen nikolajlauridsen deleted the v8/hotfix/make-classes-public-for-blueprints branch January 31, 2024 07:55
@ws-graham

> Hi, Is there a planned release date for this? I currently have 2 live sites with this issue, one of which is chasing for a fix date as they don't want to give all editors settings access.
>
> Thanks Matt

Does this fix resolve the issue with editors or does this open up the ability for the DTGE to be modified to fix the issue? As on #15572 I understood modifications needed to be made with the DTGE package as well?

bergmania added a commit that referenced this pull request Feb 1, 2024
@lukehook

lukehook commented Feb 2, 2024

> > Hi, Is there a planned release date for this? I currently have 2 live sites with this issue, one of which is chasing for a fix date as they don't want to give all editors settings access.
> > Thanks Matt
>
> Does this fix resolve the issue with editors or does this open up the ability for the DTGE to be modified to fix the issue? As on #15572 I understood modifications needed to be made with the DTGE package as well?

As far as I understand it, yes, this simply opens it up so that the DTGE package can be amended to circumvent the issues. I'm unsure of the status of anybody picking that up DTGE end.
