umbraco · nul800sebastiaan · Feb 28, 2022 · Jan 13, 2022 · Jan 13, 2022 · Jan 13, 2022
diff --git a/src/Umbraco.Web.BackOffice/Controllers/MediaController.cs b/src/Umbraco.Web.BackOffice/Controllers/MediaController.cs
@@ -682,6 +682,32 @@ public async Task<ActionResult<MediaItemDisplay>> PostAddFolder(PostedFolder fol
                 return NotFound("The passed id doesn't exist");
             }
 
+            //Check parent permissions if we aren't creating a folder in the root directory
+            if (parentId != Constants.System.Root)
+            {
+                var mediaTypes = _mediaTypeService.GetAll().ToList();
+                var mediaFolderItem = _mediaService.GetById(parentId.Value);
+                var mediaFolderType =
+                    mediaTypes.FirstOrDefault(x => x.Alias == mediaFolderItem.ContentType.Alias);
+
+                var allowDefaultFolder = false;
+                if (mediaFolderType != null)
+                {
+                    allowDefaultFolder = mediaFolderType.AllowedContentTypes.Any(x => x.Alias == Constants.Conventions.MediaTypes.Folder);
+                }
+
+                if (!allowDefaultFolder)
+                {
+                    var tempFiles = new PostedFiles();
+
+                    tempFiles.Notifications.Add(new BackOfficeNotification(
+                        _localizedTextService.Localize("speechBubbles", "operationFailedHeader"),
+                        _localizedTextService.Localize("media", "disallowedFileType"),
+                        NotificationStyle.Warning));
+                    return Ok(tempFiles);
+                }
+            }
+
             var f = _mediaService.CreateMedia(folder.Name, parentId.Value, Constants.Conventions.MediaTypes.Folder);
             _mediaService.Save(f, _backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser.Id);
 
@@ -735,7 +761,7 @@ public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm]
                     IMedia folderMediaItem;
 
                     //if uploading directly to media root and not a subfolder
-                    if (parentId == -1)
+                    if (parentId == Constants.System.Root)
                     {
                         //look for matching folder
                         folderMediaItem =
@@ -773,6 +799,40 @@ public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm]
                 }
             }
 
+            var mediaType = string.Empty;
+            var mediaTypes = _mediaTypeService.GetAll().ToList();
+
+            //Check if we have a parent folder before checking it's permissions.
+            if (parentId.HasValue && parentId != Constants.System.Root)
+            {
+                var mediaFolderItem = _mediaService.GetById(parentId.Value);
+                var mediaFolderType =
+                    mediaTypes.FirstOrDefault(x => x.Alias == mediaFolderItem.ContentType.Alias);
+
+                if (mediaFolderType != null)
+                {
+                    var allowedContentTypesCount = 0;
+                    IMediaType mediaTypeItem = null;
+                    foreach (var allowedContentType in mediaFolderType.AllowedContentTypes)
+                    {
+                        var checkMediaTypeItem = _mediaTypeService.Get(allowedContentType.Id.Value);
+                        var fileProperty = checkMediaTypeItem.CompositionPropertyTypes.FirstOrDefault(x => x.Alias == Constants.Conventions.Media.File);
+
+                        if (fileProperty != null)
+                        {
+                            allowedContentTypesCount++;
+                            mediaTypeItem = checkMediaTypeItem;
+                        }
+                    }
+
+                    //Only set the permission-based mediaType if we only allow 1 specific file under this parent.
+                    if (allowedContentTypesCount == 1 && mediaTypeItem != null)
+                    {
+                        mediaType = mediaTypeItem.Alias;
+                    }
+                }
+            }
+
             //get the files
             foreach (var formFile in file)
             {
@@ -782,57 +842,57 @@ public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm]
 
                 if (_contentSettings.IsFileAllowedForUpload(ext))
                 {
-                    var mediaType = Constants.Conventions.MediaTypes.File;
-
-                    if (contentTypeAlias == Constants.Conventions.MediaTypes.AutoSelect)
+                    if (string.IsNullOrEmpty(mediaType))
                     {
-                        var mediaTypes = _mediaTypeService.GetAll();
-                        // Look up MediaTypes
-                        foreach (var mediaTypeItem in mediaTypes)
+                        mediaType = Constants.Conventions.MediaTypes.File;
+
+                        if (contentTypeAlias == Constants.Conventions.MediaTypes.AutoSelect)
                         {
-                            var fileProperty = mediaTypeItem.CompositionPropertyTypes.FirstOrDefault(x => x.Alias == "umbracoFile");
-                            if (fileProperty != null)
+                            // Look up MediaTypes
+                            foreach (var mediaTypeItem in mediaTypes)
                             {
-                                var dataTypeKey = fileProperty.DataTypeKey;
-                                var dataType = _dataTypeService.GetDataType(dataTypeKey);
-
-                                if (dataType != null && dataType.Configuration is IFileExtensionsConfig fileExtensionsConfig)
+                                var fileProperty = mediaTypeItem.CompositionPropertyTypes.FirstOrDefault(x => x.Alias == Constants.Conventions.Media.File);
+                                if (fileProperty != null)
                                 {
-                                    var fileExtensions = fileExtensionsConfig.FileExtensions;
-                                    if (fileExtensions != null)
+                                    var dataTypeKey = fileProperty.DataTypeKey;
+                                    var dataType = _dataTypeService.GetDataType(dataTypeKey);
+
+                                    if (dataType != null && dataType.Configuration is IFileExtensionsConfig fileExtensionsConfig)
                                     {
-                                        if (fileExtensions.Where(x => x.Value == ext).Count() != 0)
+                                        var fileExtensions = fileExtensionsConfig.FileExtensions;
+                                        if (fileExtensions != null)
                                         {
-                                            mediaType = mediaTypeItem.Alias;
-                                            break;
+                                            if (fileExtensions.Where(x => x.Value == ext).Count() != 0)
+                                            {
+                                                mediaType = mediaTypeItem.Alias;
+                                                break;
+                                            }
                                         }
                                     }
                                 }
                             }
-                        }
 
-                        // If media type is still File then let's check if it's an image.
-                        if (mediaType == Constants.Conventions.MediaTypes.File && _imageUrlGenerator.SupportedImageFileTypes.Contains(ext))
+                            // If media type is still File then let's check if it's an image.
+                            if (mediaType == Constants.Conventions.MediaTypes.File && _imageUrlGenerator.SupportedImageFileTypes.Contains(ext))
+                            {
+                                mediaType = Constants.Conventions.MediaTypes.Image;
+                            }
+                        }
+                        else
                         {
-                            mediaType = Constants.Conventions.MediaTypes.Image;
+                            mediaType = contentTypeAlias;
                         }
                     }
-                    else
-                    {
-                        mediaType = contentTypeAlias;
-                    }
 
                     var mediaItemName = fileName.ToFriendlyName();
 
                     var f = _mediaService.CreateMedia(mediaItemName, parentId.Value, mediaType, _backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser.Id);
 
-
                     await using (var stream = formFile.OpenReadStream())
                     {
                         f.SetValue(_mediaFileManager, _mediaUrlGenerators, _shortStringHelper, _contentTypeBaseServiceProvider, Constants.Conventions.Media.File, fileName, stream);
                     }
 
-
                     var saveResult = _mediaService.Save(f, _backofficeSecurityAccessor.BackOfficeSecurity.CurrentUser.Id);
                     if (saveResult == false)
                     {