Basic PR for #154 #156
Basic PR for #154 #156
Conversation
… only show redirects on nodes the user has access to. Doesn't solve risky payload issues, TBD w/ @abjerner later
|
Hi @jamiehowarth0 and thanks for the PR 👍 Unfortunately there are a number of issues with your PR, which was one of the reasons I suggested sharing your thoughts before creating a PR. I'll try to find some time to do a detailed reply 😉 But as mentioned in the issue, we should try to avoid breaking changes. Any changes to the method signatures of |
|
As mentioned in my previous comment, your PR introduces a number of breaking changes. As much as possible, we should avoid making those. PermissionsThe controller properly needs to deal with permissions. Since the package has never had permissions, checking against the user's start nodes should not be enabled by default, but be op-in. We can control this by adding a new property in {
"Skybrud": {
"Redirects": {
"Permissions": {
"UserStartNodes": true
}
}
}
}I've just added some logic that allows disabling the content app via RedirectsService
RedirectsController
There are likely other considerations to do as well, but if you can make the changes that I've described above, I can try testing it some more, and then hopefully merge it into the main branch. I hope this makes sense 😉 |
abjerner
added
type/feature
…r local multi-tenant instance and all seems to work well.
|
@abjerner this should do the trick, I hope? |
There was a problem hiding this comment.
Awesome @jamiehowarth0 👍
I just had a quick look through your changes, and made a few comments. Could you look into this? My comment about the interface part is the most important. The rest is minor stuff.
I haven't tested your changes yet, but I'll try finding some time to look into that as well.
| /// Gets or sets whether the user's start nodes should filter which redirects they have access to. Default is <see lanword="true"/>. | ||
| /// </summary> | ||
| public bool UserStartNodes { get; set; } = false; | ||
|
|
There was a problem hiding this comment.
Sorry - I made a mistake in my description about this property. My intention was to indicate whether to use starts nodes as the basis for permissions.
Could you rename this to UseStartsNodes?
The XML summary is also slightly wrong, as the default is false and not true. And lanword should be langword.
| items = rootNodes.Select(x => new RedirectRootNodeModel(x, _backOffice)) | ||
| }); | ||
| var rootNodes = _backOffice.Settings.ContentApp.UserStartNodes | ||
| ? _redirects.GetRootNodes(_backOffice.CurrentUser).ToArray() |
There was a problem hiding this comment.
Isn't the .ToArray() call redundant here?
| public RedirectRootNode[] GetRootNodes(IUser user) | ||
| { | ||
| var rootNodes = GetRootNodes(); | ||
| HashSet<int> rootNodeIds = new(); | ||
|
|
||
| if (user.StartContentIds != null) | ||
| { | ||
| foreach (var rootNodeId in user.StartContentIds) | ||
| { | ||
| rootNodeIds.Add(rootNodeId); | ||
| } | ||
| } | ||
|
|
||
| foreach (var group in user.Groups) | ||
| { | ||
| if (group.StartContentId != null) | ||
| { | ||
| rootNodeIds.Add(group.StartContentId.Value); | ||
| } | ||
| } | ||
|
|
||
| return rootNodes.Where(rootNode => rootNodeIds.Any(x => rootNode.Path.Contains(x))).ToArray(); |
There was a problem hiding this comment.
This is still a breaking change as you're introducing a new method. It's probably not very likely, but developers may choose to write their own implementation of the IRedirectsService interface, and if they do, they'll now be missing the GetRootNodes method.
C# 8 introduces default interface methods. So as the method doesn't use any dependencies, you should be able to move the method body to the interface instead. This ensures that we can add a new method without it being a breaking change.
Hope that makes sense 😉
|
Just pushed latest. That should hopefully do the trick. |
|
@abjerner Can you take a minute to review the last set of changes I pushed and see if they're good to merge in? |
|
It takes a bit more than a minute to review and test, which is why I haven't had the time to do this yet. I hope to get around to this soon though 😉 |
|
It's been some time since I last replied in this thread, so I thought I would give a quick update. I've been able to find some time here and there to look into your PR, but unfortunately I don't think the PR is in a state that I would consider complete, so it needs some more work before it can be merged and released. For now, you're the only one who was requested this feature, so I need to see this in the big picture, so it fits as many users as possible, and not just your specific use case. I'm not entirely sure yet what the end result should be like, so I'll need some more time looking into this. As such, it's also hard for me to give you suggestions on how to proceed. I hope that makes sense 😉 |
|
Hi @abjerner: Your refusal to accept this PR - or criticism of the security model at large - hinges on one fundamental issue: that everyone who accesses the Umbraco backoffice can be trusted. Umbraco has supported multi-tenancy for websites AFAIK since it's inception, with the ability to restrict access to content nodes on a per-user or per-group basis. The fact that the dashboard does not filter data based on Umbraco security rules, is very much a Skybrud problem for not forseeing this issue. If you don't want to fix it, that's fine, but we'll then be forced to release a Nuget package and fork your repository, explicitly highlighting the fact we've fixed a data leakage issue that you're not willing to address. Umbraco's always had multi-tenancy support (or at least, AFAIK, and I've been working with Umbraco since December 2009). Your failure to factor this into a security model, and assuming that every content editor belongs to one trusted authority, is a security design problem with you, not with us for highlighting the underlying issue at large. TL;DR: You have a fundamental security design flaw, by assuming that everyone who can access the Umbraco content area, can be trusted to manage global redirects across multiple nodes. This is patently false and ignores Umbraco's own user security checks. |
|
I've never wrote that I'm going to refuse this PR. In fact I wrote that I agree that this is something that should be added to the package. What holds back this PR is primarily a question about having the time to work on this. I'm currently not in a position where I can work on reviewing and merging this PR during business hours, which then means I have to work on it my spare time instead. I'm the only developer and maintainer of pretty much all our packages, so I need to prioritize what I'm working on. I'm okay with spending a some of my spare time working on and supporting these packages, but I'm typically prioritizing a mix of stuff that I need my self, and what I see that benefits the Umbraco community the most. In your case, I need to spent an unknown amount of hours finishing your code before I'm able to merge it, and so far I haven't been able to find that time. I dont really like seeing PRs like yours, that stay idle for long periods of time - but that's generally the way it has to be - otherwise I end up burning out if I jump on it all at once. I hope that makes sense 😉 |
# Conflicts: # src/Skybrud.Umbraco.Redirects/Controllers/Api/RedirectsController.cs # src/Skybrud.Umbraco.Redirects/Models/RedirectRootNode.cs
|
As I wrote earlier, I don't think this PR is fully complete. It touches some aspects of permissions, but primarily does so for the global dashboard, but not so much other parts of the package. If this PR should be merged, it should also touch some of these other parts of the package as well. So far, I've uncoved these parts that should be addressed:
Can you look into these parts as well? Feel free to use this thread for discussing the progress. I'll try to be better responding 😉 |
Basic node filtering applied for visible domains and redirects according to "Content start node" property on user and their respective groups.