Merge pull request #1 from umbraco/dev-v7

Update from original

.gitignore

@@ -131,3 +131,4 @@ src/*.boltdata/
 src/umbraco.sln.ide/*
 build/UmbracoCms.*/
 src/.vs/
+src/Umbraco.Web.UI/umbraco/js/install.loader.js

build/NuSpecs/tools/Dashboard.config.install.xdt

@@ -62,13 +62,6 @@
         views/dashboard/default/startupdashboardintro.html
       </control>
     </tab>
-    <tab caption="Change password" xdt:Locator="Match(caption)" xdt:Transform="Remove" />
-    <tab caption="Change Password" xdt:Locator="Match(caption)" xdt:Transform="Remove" />
-    <tab caption="Change Password" xdt:Transform="Insert">
-      <control showOnce="false" addPanel="false" panelCaption="">
-        views/dashboard/ChangePassword.html
-      </control>
-    </tab>
     <tab caption="Last Edits" xdt:Locator="Match(caption)" xdt:Transform="Remove" />
   </section>
 

build/UmbracoVersion.txt

@@ -1,2 +1,2 @@
 # Usage: on line 2 put the release version, on line 3 put the version comment (example: beta)
-7.3.2
+7.3.3

src/SolutionInfo.cs

@@ -11,5 +11,5 @@
 
 [assembly: AssemblyVersion("1.0.*")]
 
-[assembly: AssemblyFileVersion("7.3.1")]
-[assembly: AssemblyInformationalVersion("7.3.1")]
+[assembly: AssemblyFileVersion("7.3.3")]
+[assembly: AssemblyInformationalVersion("7.3.3")]

src/Umbraco.Core/ApplicationContext.cs

@@ -283,7 +283,12 @@ private void Init()
                 {
                     var configStatus = ConfigurationStatus;
                     var currentVersion = UmbracoVersion.GetSemanticVersion();
-                    var ok = configStatus == currentVersion;
+
+                    var ok =
+                        //we are not configured if this is null    
+                        string.IsNullOrWhiteSpace(configStatus) == false
+                        //they must match
+                        && configStatus == currentVersion;
 
                     if (ok)
                     {
@@ -308,8 +313,9 @@ private void Init()
 
                     return ok;
                 }
-                catch
+                catch (Exception ex)
                 {
+                    LogHelper.Error<ApplicationContext>("Error determining if application is configured, returning false", ex);
                     return false;
                 }
 

src/Umbraco.Core/Configuration/UmbracoVersion.cs

@@ -6,7 +6,7 @@ namespace Umbraco.Core.Configuration
 {
     public class UmbracoVersion
     {
-        private static readonly Version Version = new Version("7.3.2");
+        private static readonly Version Version = new Version("7.3.3");
 
         /// <summary>
         /// Gets the current version of Umbraco.

src/Umbraco.Core/Constants-Web.cs

@@ -1,4 +1,7 @@
-namespace Umbraco.Core
+using System;
+using System.ComponentModel;
+
+namespace Umbraco.Core
 {
 	public static partial class Constants
 	{		
@@ -15,6 +18,8 @@ public static class Web
             /// <summary>
             /// The auth cookie name
             /// </summary>
+            [Obsolete("DO NOT USE THIS, USE ISecuritySection.AuthCookieName, this will be removed in future versions")]
+            [EditorBrowsable(EditorBrowsableState.Never)]
             public const string AuthCookieName = "UMB_UCONTEXT";
 
         }

src/Umbraco.Core/Models/Identity/IdentityModelMappings.cs

@@ -4,6 +4,7 @@
 
 using Umbraco.Core.Models.Mapping;
 using Umbraco.Core.Models.Membership;
+using Umbraco.Core.Security;
 
 namespace Umbraco.Core.Models.Identity
 {
@@ -24,6 +25,18 @@ public override void ConfigureMappings(IConfiguration config, ApplicationContext
                 .ForMember(user => user.UserTypeAlias, expression => expression.MapFrom(user => user.UserType.Alias))
                 .ForMember(user => user.AccessFailedCount, expression => expression.MapFrom(user => user.FailedPasswordAttempts))
                 .ForMember(user => user.AllowedSections, expression => expression.MapFrom(user => user.AllowedSections.ToArray()));
+
+            config.CreateMap<BackOfficeIdentityUser, UserData>()
+                .ConstructUsing((BackOfficeIdentityUser user) => new UserData(Guid.NewGuid().ToString("N"))) //this is the 'session id'
+                .ForMember(detail => detail.Id, opt => opt.MapFrom(user => user.Id))
+                .ForMember(detail => detail.AllowedApplications, opt => opt.MapFrom(user => user.AllowedSections))
+                .ForMember(detail => detail.RealName, opt => opt.MapFrom(user => user.Name))
+                .ForMember(detail => detail.Roles, opt => opt.MapFrom(user => new[] { user.UserTypeAlias }))
+                .ForMember(detail => detail.StartContentNode, opt => opt.MapFrom(user => user.StartContentId))
+                .ForMember(detail => detail.StartMediaNode, opt => opt.MapFrom(user => user.StartMediaId))
+                .ForMember(detail => detail.Username, opt => opt.MapFrom(user => user.UserName))
+                .ForMember(detail => detail.Culture, opt => opt.MapFrom(user => user.Culture))
+                .ForMember(detail => detail.SessionId, opt => opt.MapFrom(user => user.SecurityStamp.IsNullOrWhiteSpace() ? Guid.NewGuid().ToString("N") : user.SecurityStamp));
         }
 
         private string GetPasswordHash(string storedPass)

src/Umbraco.Core/Models/UserExtensions.cs

@@ -2,6 +2,7 @@
 using System.Globalization;
 using System.Linq;
 using System.Threading;
+using Umbraco.Core.Models.Identity;
 using Umbraco.Core.Models.Membership;
 using Umbraco.Core.Services;
 

src/Umbraco.Core/Security/AuthenticationExtensions.cs

@@ -2,6 +2,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Collections.Specialized;
+using System.ComponentModel;
 using System.Linq;
 using System.Net.Http;
 using System.Net.Http.Headers;
@@ -15,7 +16,6 @@
 using Newtonsoft.Json;
 using Umbraco.Core.Configuration;
 using Umbraco.Core.Models.Membership;
-using Microsoft.Owin;
 using Umbraco.Core.Logging;
 
 namespace Umbraco.Core.Security
@@ -157,9 +157,6 @@ internal static UmbracoBackOfficeIdentity GetCurrentIdentity(this HttpContext ht
             return new HttpContextWrapper(http).GetCurrentIdentity(authenticateRequestIfNotFound);
         }
 
-        /// <summary>
-        /// This clears the forms authentication cookie
-        /// </summary>
         public static void UmbracoLogout(this HttpContextBase http)
         {
             if (http == null) throw new ArgumentNullException("http");
@@ -170,6 +167,8 @@ public static void UmbracoLogout(this HttpContextBase http)
         /// This clears the forms authentication cookie for webapi since cookies are handled differently
         /// </summary>
         /// <param name="response"></param>
+        [Obsolete("Use OWIN IAuthenticationManager.SignOut instead")]
+        [EditorBrowsable(EditorBrowsableState.Never)]
         public static void UmbracoLogoutWebApi(this HttpResponseMessage response)
         {
             if (response == null) throw new ArgumentNullException("response");
@@ -195,11 +194,8 @@ public static void UmbracoLogoutWebApi(this HttpResponseMessage response)
             response.Headers.AddCookies(new[] { authCookie, prevCookie, extLoginCookie });
         }
 
-        /// <summary>
-        /// This adds the forms authentication cookie for webapi since cookies are handled differently
-        /// </summary>
-        /// <param name="response"></param>
-        /// <param name="user"></param>
+        [Obsolete("Use WebSecurity.SetPrincipalForRequest")]
+        [EditorBrowsable(EditorBrowsableState.Never)]
         public static FormsAuthenticationTicket UmbracoLoginWebApi(this HttpResponseMessage response, IUser user)
         {
             if (response == null) throw new ArgumentNullException("response");
@@ -250,26 +246,29 @@ internal static void UmbracoLogout(this HttpContext http)
             if (http == null) throw new ArgumentNullException("http");
             new HttpContextWrapper(http).UmbracoLogout();
         }
-
+        
         /// <summary>
-        /// Renews the Umbraco authentication ticket
+        /// This will force ticket renewal in the OWIN pipeline
         /// </summary>
         /// <param name="http"></param>
         /// <returns></returns>
         public static bool RenewUmbracoAuthTicket(this HttpContextBase http)
         {
             if (http == null) throw new ArgumentNullException("http");
-            return RenewAuthTicket(http,
-                UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName,
-                UmbracoConfig.For.UmbracoSettings().Security.AuthCookieDomain,
-                //Umbraco has always persisted it's original cookie for 1 day so we'll keep it that way
-                1440);
+            http.Items["umbraco-force-auth"] = true;
+            return true;
         }
 
+        /// <summary>
+        /// This will force ticket renewal in the OWIN pipeline
+        /// </summary>
+        /// <param name="http"></param>
+        /// <returns></returns>
         internal static bool RenewUmbracoAuthTicket(this HttpContext http)
         {
             if (http == null) throw new ArgumentNullException("http");
-            return new HttpContextWrapper(http).RenewUmbracoAuthTicket();
+            http.Items["umbraco-force-auth"] = true;
+            return true;
         }
 
         /// <summary>
@@ -390,8 +389,7 @@ private static void Logout(this HttpContextBase http, string cookieName)
                     //ensure there's def an expired cookie
                     http.Response.Cookies.Add(new HttpCookie(c) { Expires = DateTime.Now.AddYears(-1) });
                 }               
-            }            
-
+            }
         }
 
         private static FormsAuthenticationTicket GetAuthTicket(this HttpContextBase http, string cookieName)
@@ -432,51 +430,6 @@ private static FormsAuthenticationTicket GetAuthTicket(IDictionary<string, strin
             return FormsAuthentication.Decrypt(formsCookie);
         }
 
-        /// <summary>
-        /// Renews the forms authentication ticket & cookie
-        /// </summary>
-        /// <param name="http"></param>
-        /// <param name="cookieName"></param>
-        /// <param name="cookieDomain"></param>
-        /// <param name="minutesPersisted"></param>
-        /// <returns>true if there was a ticket to renew otherwise false if there was no ticket</returns>
-        private static bool RenewAuthTicket(this HttpContextBase http, string cookieName, string cookieDomain, int minutesPersisted)
-        {
-            if (http == null) throw new ArgumentNullException("http");
-            //get the ticket
-            var ticket = GetAuthTicket(http, cookieName);
-            //renew the ticket
-            var renewed = FormsAuthentication.RenewTicketIfOld(ticket);
-            if (renewed == null)
-            {
-                return false;
-            }
-
-            //get the request cookie to get it's expiry date, 
-            //NOTE: this will never be null becaues we already do this
-            // check in teh GetAuthTicket.
-            var formsCookie = http.Request.Cookies[cookieName];
-
-            //encrypt it
-            var hash = FormsAuthentication.Encrypt(renewed);
-            //write it to the response
-            var cookie = new HttpCookie(cookieName, hash)
-                {                    
-                    Expires = DateTime.Now.AddMinutes(minutesPersisted),
-                    Domain = cookieDomain
-                };
-
-            if (GlobalSettings.UseSSL)
-                cookie.Secure = true;
-
-            //ensure http only, this should only be able to be accessed via the server
-            cookie.HttpOnly = true;
-
-            //rewrite the cooke
-            http.Response.Cookies.Set(cookie);
-            return true;
-        }
-
         /// <summary>
         /// Creates a custom FormsAuthentication ticket with the data specified
         /// </summary>

src/Umbraco.Core/Security/BackOfficeCookieAuthenticationProvider.cs

@@ -1,12 +1,38 @@
+using System;
 using System.Globalization;
+using System.Net.Http.Headers;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Owin;
 using Microsoft.Owin.Security.Cookies;
+using Umbraco.Core.Configuration;
 
 namespace Umbraco.Core.Security
 {
     public class BackOfficeCookieAuthenticationProvider : CookieAuthenticationProvider
     {
+        public override void ResponseSignOut(CookieResponseSignOutContext context)
+        {
+            base.ResponseSignOut(context);
+
+            //Make sure the definitely all of these cookies are cleared when signing out with cookies
+            context.Response.Cookies.Append(UmbracoConfig.For.UmbracoSettings().Security.AuthCookieName, "", new CookieOptions
+            {
+                Expires = DateTime.Now.AddYears(-1),
+                Path = "/"
+            });
+            context.Response.Cookies.Append(Constants.Web.PreviewCookieName, "", new CookieOptions
+            {
+                Expires = DateTime.Now.AddYears(-1),
+                Path = "/"
+            });
+            context.Response.Cookies.Append(Constants.Security.BackOfficeExternalCookieName, "", new CookieOptions
+            {
+                Expires = DateTime.Now.AddYears(-1),
+                Path = "/"
+            });
+        }
+
         /// <summary>
         /// Ensures that the culture is set correctly for the current back office user
         /// </summary>

src/Umbraco.Core/Security/BackOfficeSignInManager.cs

@@ -53,6 +53,11 @@ public async override Task<SignInStatus> PasswordSignInAsync(string userName, st
             switch (result)
             {
                 case SignInStatus.Success:
+                    _logger.WriteCore(TraceEventType.Information, 0,
+                        string.Format(
+                            "User: {0} logged in from IP address {1}",
+                            userName,
+                            _request.RemoteIpAddress), null, null);
                     break;
                 case SignInStatus.LockedOut:
                     _logger.WriteCore(TraceEventType.Information, 0,

src/Umbraco.Core/Services/EntityXmlSerializer.cs

@@ -100,6 +100,8 @@ public XElement Serialize(IDataTypeService dataTypeService, IMember member)
 
             xml.Add(new XAttribute("loginName", member.Username));
             xml.Add(new XAttribute("email", member.Email));
+
+            xml.Add(new XAttribute("icon", member.ContentType.Icon));
 
             return xml;
         }