Merge commit from fork

* Fixed parsing of node if in content and media permission querystring handlers to retrieve expected value when multiple are provided in the querystring.

* Add HttpPost attributes to backoffice endpoints that should only accept post requests.

* Bumped version to 13.6.1.

* Narrow PermissionQueryString parsing to the releveant UmbracoObjectType

* Add missed update from v10

---------

Co-authored-by: Sven Geusens <sge@umbraco.dk>

Author: AndyButland

src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs

@@ -20,6 +20,8 @@ public class
 {
     private readonly ContentPermissions _contentPermissions;
 
+    protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Document;
+
     /// <summary>
     ///     Initializes a new instance of the <see cref="ContentPermissionsQueryStringHandler" /> class.
     /// </summary>
@@ -48,7 +50,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
                 return Task.FromResult(true);
             }
 
-            var argument = routeVal.ToString();
+            // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).
+            // It's the first one that'll be processed by the protected method so we should verify that.
+            var argument = routeVal.Count == 1
+                ? routeVal.ToString()
+                : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;
 
             if (!TryParseNodeId(argument, out nodeId))
             {

src/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandler.cs

@@ -18,6 +18,8 @@ public class MediaPermissionsQueryStringHandler : PermissionsQueryStringHandler<
 {
     private readonly MediaPermissions _mediaPermissions;
 
+    protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Media;
+
     /// <summary>
     ///     Initializes a new instance of the <see cref="MediaPermissionsQueryStringHandler" /> class.
     /// </summary>
@@ -44,7 +46,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
             return Task.FromResult(true);
         }
 
-        var argument = routeVal.ToString();
+        // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).
+        // It's the first one that'll be processed by the protected method so we should verify that.
+        var argument = routeVal.Count == 1
+            ? routeVal.ToString()
+            : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;
 
         if (!TryParseNodeId(argument, out var nodeId))
         {

src/Umbraco.Web.BackOffice/Authorization/PermissionsQueryStringHandler.cs

@@ -49,12 +49,18 @@ public PermissionsQueryStringHandler(
     /// </summary>
     protected IEntityService EntityService { get; set; }
 
+    /// <summary>
+    /// Defaults to Unknown so all types are allowed, since Keys are unique across all node types this works,
+    /// but it if you are certain you are looking for a specific type this should be overwritten for DB query performance.
+    /// </summary>
+    protected virtual UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Unknown;
+
     /// <summary>
     ///     Attempts to parse a node ID from a string representation found in a querystring value.
     /// </summary>
     /// <param name="argument">Querystring value.</param>
     /// <param name="nodeId">Output parsed Id.</param>
-    /// <returns>True of node ID could be parased, false it not.</returns>
+    /// <returns>True of node ID could be parsed, false it not.</returns>
     protected bool TryParseNodeId(string argument, out int nodeId)
     {
         // If the argument is an int, it will parse and can be assigned to nodeId.
@@ -75,7 +81,7 @@ protected bool TryParseNodeId(string argument, out int nodeId)
 
         if (Guid.TryParse(argument, out Guid key))
         {
-            nodeId = EntityService.GetId(key, UmbracoObjectTypes.Document).Result;
+            nodeId = EntityService.GetId(key, KeyParsingFilterType).Result;
             return true;
         }
 

src/Umbraco.Web.BackOffice/Controllers/ContentController.cs

@@ -256,6 +256,7 @@ public IEnumerable<ContentItemDisplay> GetByIds([FromQuery] int[] ids)
     ///     Permission check is done for letter 'R' which is for <see cref="ActionRights" /> which the user must have access to
     ///     update
     /// </remarks>
+    [HttpPost]
     public async Task<ActionResult<IEnumerable<AssignedUserGroupPermissions?>?>> PostSaveUserGroupPermissions(
         UserGroupPermissionsSave saveModel)
     {
@@ -902,6 +903,7 @@ private bool EnsureUniqueName(string? name, IContent? content, string modelName)
     [Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
     [FileUploadCleanupFilter]
     [ContentSaveValidation(skipUserAccessValidation:true)] // skip user access validation because we "only" require Settings access to create new blueprints from scratch
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplay<ContentVariantDisplay>?>?> PostSaveBlueprint(
         [ModelBinder(typeof(BlueprintItemBinder))] ContentItemSave contentItem)
     {
@@ -939,6 +941,7 @@ private bool EnsureUniqueName(string? name, IContent? content, string modelName)
     [FileUploadCleanupFilter]
     [ContentSaveValidation]
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplay<ContentVariantScheduleDisplay>?>> PostSave(
         [ModelBinder(typeof(ContentItemBinder))] ContentItemSave contentItem)
     {
@@ -2089,6 +2092,7 @@ private string GetVariantName(string? culture, string? segment)
     ///     does not have Publish access to this node.
     /// </remarks>
     [Authorize(Policy = AuthorizationPolicies.ContentPermissionPublishById)]
+    [HttpPost]
     public IActionResult PostPublishById(int id)
     {
         IContent? foundContent = GetObjectFromRequest(() => _contentService.GetById(id));
@@ -2120,6 +2124,7 @@ public IActionResult PostPublishById(int id)
     ///     does not have Publish access to this node.
     /// </remarks>
     [Authorize(Policy = AuthorizationPolicies.ContentPermissionPublishById)]
+    [HttpPost]
     public IActionResult PostPublishByIdAndCulture(PublishContent model)
     {
         var languageCount = _allLangs.Value.Count();
@@ -2243,6 +2248,7 @@ public IActionResult EmptyRecycleBin()
     /// </summary>
     /// <param name="sorted"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     {
         if (sorted == null)
@@ -2294,6 +2300,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// </summary>
     /// <param name="move"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult?> PostMove(MoveOrCopy move)
     {
         // Authorize...
@@ -2333,6 +2340,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// </summary>
     /// <param name="copy"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<ActionResult<IContent>?> PostCopy(MoveOrCopy copy)
     {
         // Authorize...
@@ -2372,6 +2380,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// <param name="model">The content and variants to unpublish</param>
     /// <returns></returns>
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplayWithSchedule?>> PostUnpublish(UnpublishContent model)
     {
         IContent? foundContent = _contentService.GetById(model.Id);
@@ -3096,6 +3105,7 @@ public ActionResult<IEnumerable<NotifySetting>> GetNotificationOptions(int conte
         return notifications;
     }
 
+    [HttpPost]
     public IActionResult PostNotificationOptions(
         int contentId,
         [FromQuery(Name = "notifyOptions[]")] string[] notifyOptions)

src/Umbraco.Web.BackOffice/Controllers/MediaController.cs

@@ -386,6 +386,7 @@ public IActionResult DeleteById(int id)
     /// </summary>
     /// <param name="move"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostMove(MoveOrCopy move)
     {
         // Authorize...
@@ -436,6 +437,7 @@ public async Task<IActionResult> PostMove(MoveOrCopy move)
     [FileUploadCleanupFilter]
     [MediaItemSaveValidation]
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public ActionResult<MediaItemDisplay?>? PostSave(
         [ModelBinder(typeof(MediaItemBinder))] MediaItemSave contentItem)
     {
@@ -551,6 +553,7 @@ public IActionResult EmptyRecycleBin()
     /// </summary>
     /// <param name="sorted"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     {
         if (sorted == null)
@@ -595,6 +598,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
         }
     }
 
+    [HttpPost]
     public async Task<ActionResult<MediaItemDisplay?>> PostAddFolder(PostedFolder folder)
     {
         ActionResult<int?>? parentIdResult = await GetParentIdAsIntAsync(folder.ParentId, true);
@@ -628,6 +632,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// <remarks>
     ///     We cannot validate this request with attributes (nicely) due to the nature of the multi-part for data.
     /// </remarks>
+    [HttpPost]
     public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm] string currentFolder,
         [FromForm] string contentTypeAlias, List<IFormFile> file)
     {

tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandlerTests.cs

@@ -1,9 +1,7 @@
 // Copyright (c) Umbraco.
 // See LICENSE for more details.
 
-using System.Collections.Generic;
 using System.Security.Claims;
-using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
@@ -34,7 +32,7 @@ public class ContentPermissionsQueryStringHandlerTests
     public async Task Node_Id_From_Requirement_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext(NodeId);
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue();
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -46,7 +44,7 @@ public async Task Node_Id_From_Requirement_With_Permission_Is_Authorized()
     public async Task Node_Id_From_Requirement_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext(NodeId);
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue();
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -59,7 +57,7 @@ public async Task Node_Id_From_Requirement_Without_Permission_Is_Not_Authorized(
     public async Task Node_Id_Missing_From_Requirement_And_QueryString_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor("xxx");
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue("xxx");
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -71,7 +69,7 @@ public async Task Node_Id_Missing_From_Requirement_And_QueryString_Is_Authorized
     public async Task Node_Integer_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: NodeId.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: NodeId.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -84,7 +82,21 @@ public async Task Node_Integer_Id_From_QueryString_With_Permission_Is_Authorized
     public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: NodeId.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: NodeId.ToString());
+        var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
+
+        await sut.HandleAsync(authHandlerContext);
+
+        Assert.IsFalse(authHandlerContext.HasSucceeded);
+        AssertContentCached(mockHttpContextAccessor);
+    }
+
+    [Test]
+    public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Authorized_Even_When_Additional_Parameter_For_Id_With_Permission_Is_Provided()
+    {
+        // Provides initially failing test and verifies fix for advisory https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698
+        var authHandlerContext = CreateAuthorizationHandlerContext();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValues(queryStringValues: [NodeId.ToString(), 1001.ToString()]);
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -97,7 +109,7 @@ public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Aut
     public async Task Node_Udi_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeUdi.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeUdi.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -110,7 +122,7 @@ public async Task Node_Udi_Id_From_QueryString_With_Permission_Is_Authorized()
     public async Task Node_Udi_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeUdi.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeUdi.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -123,7 +135,7 @@ public async Task Node_Udi_Id_From_QueryString_Without_Permission_Is_Not_Authori
     public async Task Node_Guid_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeGuid.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeGuid.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -136,7 +148,7 @@ public async Task Node_Guid_Id_From_QueryString_With_Permission_Is_Authorized()
     public async Task Node_Guid_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeGuid.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeGuid.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -149,7 +161,7 @@ public async Task Node_Guid_Id_From_QueryString_Without_Permission_Is_Not_Author
     public async Task Node_Invalid_Id_From_QueryString_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: "invalid");
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: "invalid");
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -168,14 +180,20 @@ private static AuthorizationHandlerContext CreateAuthorizationHandlerContext(int
         return new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement }, user, resource);
     }
 
-    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessor(
+    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessorWithQueryStringValue(
         string queryStringName = QueryStringName,
         string queryStringValue = "")
+        => CreateMockHttpContextAccessorWithQueryStringValues(queryStringName, [queryStringValue]);
+
+    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessorWithQueryStringValues(
+        string queryStringName = QueryStringName,
+        string[]? queryStringValues = null)
     {
+        queryStringValues ??= [];
         var mockHttpContextAccessor = new Mock<IHttpContextAccessor>();
         var mockHttpContext = new Mock<HttpContext>();
         var mockHttpRequest = new Mock<HttpRequest>();
-        var queryParams = new Dictionary<string, StringValues> { { queryStringName, queryStringValue } };
+        var queryParams = new Dictionary<string, StringValues> { { queryStringName, new StringValues(queryStringValues) } };
         mockHttpRequest.SetupGet(x => x.Query).Returns(new QueryCollection(queryParams));
         mockHttpContext.SetupGet(x => x.Request).Returns(mockHttpRequest.Object);
         mockHttpContext.SetupGet(x => x.Items).Returns(new Dictionary<object, object>());