Skip to content

Authorize copy and move destination for the create granular permission #19303

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 13, 2025
Merged

Authorize copy and move destination for the create granular permission #19303

merged 3 commits into from
May 13, 2025

Conversation

AndyButland
Copy link
Contributor

@AndyButland AndyButland commented May 12, 2025
edited
Loading

Prerequisites

  • I have added steps to test this contribution in the description below

Fixes: #19269

Description

This PR corrects the copy and move document operations to check for the "create" permission on the target.

It also adds an interceptor for 403 responses so we can display a more informative error message.

Testing

  • Set up an editor with permissions to copy, move, delete update and publish only.
  • Use the editor to copy or move an existing document
  • Verify that an API error is now surfaced.

@Copilot Copilot AI review requested due to automatic review settings May 12, 2025 13:42
Copilot
Copilot AI reviewed May 12, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR ensures that copy and move document operations validate the "create" permission on the destination item before proceeding.

  • Introduces separate authorization checks for the source (copy/move) and destination (create) permissions.
  • Updates both MoveDocumentController and CopyDocumentController to improve security and error handling.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/Umbraco.Cms.Api.Management/Controllers/Document/MoveDocumentController.cs Added explicit destination permission check; verify if the subsequent combined authorization is necessary
src/Umbraco.Cms.Api.Management/Controllers/Document/CopyDocumentController.cs Split the authorization checks for source and destination using granular permission logic
Comments suppressed due to low confidence (1)

src/Umbraco.Cms.Api.Management/Controllers/Document/MoveDocumentController.cs:56

  • [nitpick] Review whether the combined authorization check (line 56) is necessary given the separate source and destination checks performed above. If the earlier checks provide the required granularity, consider removing the duplication to simplify the authorization logic.
AuthorizationResult authorizationResult = await _authorizationService.AuthorizeResourceAsync(

@iOvergaard
Copy link
Contributor

Looks good to me. The failing E2E test does not seem to be related to these changes.

@iOvergaard iOvergaard merged commit b0f3009 into release/16.0 May 13, 2025
21 of 23 checks passed
@iOvergaard iOvergaard deleted the v16/bugfix/correct-permission-on-move-and-copy branch May 13, 2025 08:00
@iOvergaard iOvergaard mentioned this pull request May 13, 2025
Closed
@AndyButland AndyButland mentioned this pull request May 27, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@iOvergaard iOvergaard iOvergaard approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AndyButland @iOvergaard