Merge commit from fork

AndyButland · Migaroez · web-flow · commit 5b54bed40668 · 2025-03-11T05:11:08.000+01:00
* Fixed parsing of node if in content and media permission querystring handlers to retrieve expected value when multiple are provided in the querystring.

* Add HttpPost attributes to backoffice endpoints that should only accept post requests.

* Bumped version to 13.6.1.

* Narrow PermissionQueryString parsing to the releveant UmbracoObjectType

* Add missed update from v10

---------

Co-authored-by: Sven Geusens &lt;sge@umbraco.dk&gt;
diff --git a/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandler.cs
@@ -20,6 +20,8 @@ public class
 {
     private readonly ContentPermissions _contentPermissions;
 
+    protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Document;
+
     /// <summary>
     ///     Initializes a new instance of the <see cref="ContentPermissionsQueryStringHandler" /> class.
     /// </summary>
@@ -48,7 +50,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
                 return Task.FromResult(true);
             }
 
-            var argument = routeVal.ToString();
+            // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).
+            // It's the first one that'll be processed by the protected method so we should verify that.
+            var argument = routeVal.Count == 1
+                ? routeVal.ToString()
+                : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;
 
             if (!TryParseNodeId(argument, out nodeId))
             {
diff --git a/src/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandler.cs
@@ -18,6 +18,8 @@ public class MediaPermissionsQueryStringHandler : PermissionsQueryStringHandler<
 {
     private readonly MediaPermissions _mediaPermissions;
 
+    protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Media;
+
     /// <summary>
     ///     Initializes a new instance of the <see cref="MediaPermissionsQueryStringHandler" /> class.
     /// </summary>
@@ -44,7 +46,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,
             return Task.FromResult(true);
         }
 
-        var argument = routeVal.ToString();
+        // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).
+        // It's the first one that'll be processed by the protected method so we should verify that.
+        var argument = routeVal.Count == 1
+            ? routeVal.ToString()
+            : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;
 
         if (!TryParseNodeId(argument, out var nodeId))
         {
diff --git a/src/Umbraco.Web.BackOffice/Authorization/PermissionsQueryStringHandler.cs b/src/Umbraco.Web.BackOffice/Authorization/PermissionsQueryStringHandler.cs
@@ -49,12 +49,18 @@ public PermissionsQueryStringHandler(
     /// </summary>
     protected IEntityService EntityService { get; set; }
 
+    /// <summary>
+    /// Defaults to Unknown so all types are allowed, since Keys are unique across all node types this works,
+    /// but it if you are certain you are looking for a specific type this should be overwritten for DB query performance.
+    /// </summary>
+    protected virtual UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Unknown;
+
     /// <summary>
     ///     Attempts to parse a node ID from a string representation found in a querystring value.
     /// </summary>
     /// <param name="argument">Querystring value.</param>
     /// <param name="nodeId">Output parsed Id.</param>
-    /// <returns>True of node ID could be parased, false it not.</returns>
+    /// <returns>True of node ID could be parsed, false it not.</returns>
     protected bool TryParseNodeId(string argument, out int nodeId)
     {
         // If the argument is an int, it will parse and can be assigned to nodeId.
@@ -75,7 +81,7 @@ protected bool TryParseNodeId(string argument, out int nodeId)
 
         if (Guid.TryParse(argument, out Guid key))
         {
-            nodeId = EntityService.GetId(key, UmbracoObjectTypes.Document).Result;
+            nodeId = EntityService.GetId(key, KeyParsingFilterType).Result;
             return true;
         }
 
diff --git a/src/Umbraco.Web.BackOffice/Controllers/ContentController.cs b/src/Umbraco.Web.BackOffice/Controllers/ContentController.cs
@@ -256,6 +256,7 @@ public IEnumerable<ContentItemDisplay> GetByIds([FromQuery] int[] ids)
     ///     Permission check is done for letter 'R' which is for <see cref="ActionRights" /> which the user must have access to
     ///     update
     /// </remarks>
+    [HttpPost]
     public async Task<ActionResult<IEnumerable<AssignedUserGroupPermissions?>?>> PostSaveUserGroupPermissions(
         UserGroupPermissionsSave saveModel)
     {
@@ -902,6 +903,7 @@ private bool EnsureUniqueName(string? name, IContent? content, string modelName)
     [Authorize(Policy = AuthorizationPolicies.TreeAccessDocumentTypes)]
     [FileUploadCleanupFilter]
     [ContentSaveValidation(skipUserAccessValidation:true)] // skip user access validation because we "only" require Settings access to create new blueprints from scratch
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplay<ContentVariantDisplay>?>?> PostSaveBlueprint(
         [ModelBinder(typeof(BlueprintItemBinder))] ContentItemSave contentItem)
     {
@@ -939,6 +941,7 @@ private bool EnsureUniqueName(string? name, IContent? content, string modelName)
     [FileUploadCleanupFilter]
     [ContentSaveValidation]
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplay<ContentVariantScheduleDisplay>?>> PostSave(
         [ModelBinder(typeof(ContentItemBinder))] ContentItemSave contentItem)
     {
@@ -2089,6 +2092,7 @@ private string GetVariantName(string? culture, string? segment)
     ///     does not have Publish access to this node.
     /// </remarks>
     [Authorize(Policy = AuthorizationPolicies.ContentPermissionPublishById)]
+    [HttpPost]
     public IActionResult PostPublishById(int id)
     {
         IContent? foundContent = GetObjectFromRequest(() => _contentService.GetById(id));
@@ -2120,6 +2124,7 @@ public IActionResult PostPublishById(int id)
     ///     does not have Publish access to this node.
     /// </remarks>
     [Authorize(Policy = AuthorizationPolicies.ContentPermissionPublishById)]
+    [HttpPost]
     public IActionResult PostPublishByIdAndCulture(PublishContent model)
     {
         var languageCount = _allLangs.Value.Count();
@@ -2243,6 +2248,7 @@ public IActionResult EmptyRecycleBin()
     /// </summary>
     /// <param name="sorted"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     {
         if (sorted == null)
@@ -2294,6 +2300,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// </summary>
     /// <param name="move"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult?> PostMove(MoveOrCopy move)
     {
         // Authorize...
@@ -2333,6 +2340,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// </summary>
     /// <param name="copy"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<ActionResult<IContent>?> PostCopy(MoveOrCopy copy)
     {
         // Authorize...
@@ -2372,6 +2380,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// <param name="model">The content and variants to unpublish</param>
     /// <returns></returns>
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public async Task<ActionResult<ContentItemDisplayWithSchedule?>> PostUnpublish(UnpublishContent model)
     {
         IContent? foundContent = _contentService.GetById(model.Id);
@@ -3096,6 +3105,7 @@ public ActionResult<IEnumerable<NotifySetting>> GetNotificationOptions(int conte
         return notifications;
     }
 
+    [HttpPost]
     public IActionResult PostNotificationOptions(
         int contentId,
         [FromQuery(Name = "notifyOptions[]")] string[] notifyOptions)
diff --git a/src/Umbraco.Web.BackOffice/Controllers/MediaController.cs b/src/Umbraco.Web.BackOffice/Controllers/MediaController.cs
@@ -386,6 +386,7 @@ public IActionResult DeleteById(int id)
     /// </summary>
     /// <param name="move"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostMove(MoveOrCopy move)
     {
         // Authorize...
@@ -436,6 +437,7 @@ public async Task<IActionResult> PostMove(MoveOrCopy move)
     [FileUploadCleanupFilter]
     [MediaItemSaveValidation]
     [OutgoingEditorModelEvent]
+    [HttpPost]
     public ActionResult<MediaItemDisplay?>? PostSave(
         [ModelBinder(typeof(MediaItemBinder))] MediaItemSave contentItem)
     {
@@ -551,6 +553,7 @@ public IActionResult EmptyRecycleBin()
     /// </summary>
     /// <param name="sorted"></param>
     /// <returns></returns>
+    [HttpPost]
     public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     {
         if (sorted == null)
@@ -595,6 +598,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
         }
     }
 
+    [HttpPost]
     public async Task<ActionResult<MediaItemDisplay?>> PostAddFolder(PostedFolder folder)
     {
         ActionResult<int?>? parentIdResult = await GetParentIdAsIntAsync(folder.ParentId, true);
@@ -628,6 +632,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)
     /// <remarks>
     ///     We cannot validate this request with attributes (nicely) due to the nature of the multi-part for data.
     /// </remarks>
+    [HttpPost]
     public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm] string currentFolder,
         [FromForm] string contentTypeAlias, List<IFormFile> file)
     {
diff --git a/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandlerTests.cs b/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/ContentPermissionsQueryStringHandlerTests.cs
@@ -1,9 +1,7 @@
 // Copyright (c) Umbraco.
 // See LICENSE for more details.
 
-using System.Collections.Generic;
 using System.Security.Claims;
-using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Primitives;
@@ -34,7 +32,7 @@ public class ContentPermissionsQueryStringHandlerTests
     public async Task Node_Id_From_Requirement_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext(NodeId);
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue();
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -46,7 +44,7 @@ public async Task Node_Id_From_Requirement_With_Permission_Is_Authorized()
     public async Task Node_Id_From_Requirement_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext(NodeId);
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue();
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -59,7 +57,7 @@ public async Task Node_Id_From_Requirement_Without_Permission_Is_Not_Authorized(
     public async Task Node_Id_Missing_From_Requirement_And_QueryString_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor("xxx");
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue("xxx");
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -71,7 +69,7 @@ public async Task Node_Id_Missing_From_Requirement_And_QueryString_Is_Authorized
     public async Task Node_Integer_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: NodeId.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: NodeId.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -84,7 +82,21 @@ public async Task Node_Integer_Id_From_QueryString_With_Permission_Is_Authorized
     public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: NodeId.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: NodeId.ToString());
+        var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
+
+        await sut.HandleAsync(authHandlerContext);
+
+        Assert.IsFalse(authHandlerContext.HasSucceeded);
+        AssertContentCached(mockHttpContextAccessor);
+    }
+
+    [Test]
+    public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Authorized_Even_When_Additional_Parameter_For_Id_With_Permission_Is_Provided()
+    {
+        // Provides initially failing test and verifies fix for advisory https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-wx5h-wqfq-v698
+        var authHandlerContext = CreateAuthorizationHandlerContext();
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValues(queryStringValues: [NodeId.ToString(), 1001.ToString()]);
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -97,7 +109,7 @@ public async Task Node_Integer_Id_From_QueryString_Without_Permission_Is_Not_Aut
     public async Task Node_Udi_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeUdi.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeUdi.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -110,7 +122,7 @@ public async Task Node_Udi_Id_From_QueryString_With_Permission_Is_Authorized()
     public async Task Node_Udi_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeUdi.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeUdi.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -123,7 +135,7 @@ public async Task Node_Udi_Id_From_QueryString_Without_Permission_Is_Not_Authori
     public async Task Node_Guid_Id_From_QueryString_With_Permission_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeGuid.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeGuid.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -136,7 +148,7 @@ public async Task Node_Guid_Id_From_QueryString_With_Permission_Is_Authorized()
     public async Task Node_Guid_Id_From_QueryString_Without_Permission_Is_Not_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: s_nodeGuid.ToString());
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: s_nodeGuid.ToString());
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "B" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -149,7 +161,7 @@ public async Task Node_Guid_Id_From_QueryString_Without_Permission_Is_Not_Author
     public async Task Node_Invalid_Id_From_QueryString_Is_Authorized()
     {
         var authHandlerContext = CreateAuthorizationHandlerContext();
-        var mockHttpContextAccessor = CreateMockHttpContextAccessor(queryStringValue: "invalid");
+        var mockHttpContextAccessor = CreateMockHttpContextAccessorWithQueryStringValue(queryStringValue: "invalid");
         var sut = CreateHandler(mockHttpContextAccessor.Object, NodeId, new[] { "A" });
 
         await sut.HandleAsync(authHandlerContext);
@@ -168,14 +180,20 @@ private static AuthorizationHandlerContext CreateAuthorizationHandlerContext(int
         return new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement }, user, resource);
     }
 
-    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessor(
+    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessorWithQueryStringValue(
         string queryStringName = QueryStringName,
         string queryStringValue = "")
+        => CreateMockHttpContextAccessorWithQueryStringValues(queryStringName, [queryStringValue]);
+
+    private static Mock<IHttpContextAccessor> CreateMockHttpContextAccessorWithQueryStringValues(
+        string queryStringName = QueryStringName,
+        string[]? queryStringValues = null)
     {
+        queryStringValues ??= [];
         var mockHttpContextAccessor = new Mock<IHttpContextAccessor>();
         var mockHttpContext = new Mock<HttpContext>();
         var mockHttpRequest = new Mock<HttpRequest>();
-        var queryParams = new Dictionary<string, StringValues> { { queryStringName, queryStringValue } };
+        var queryParams = new Dictionary<string, StringValues> { { queryStringName, new StringValues(queryStringValues) } };
         mockHttpRequest.SetupGet(x => x.Query).Returns(new QueryCollection(queryParams));
         mockHttpContext.SetupGet(x => x.Request).Returns(mockHttpRequest.Object);
         mockHttpContext.SetupGet(x => x.Items).Returns(new Dictionary<object, object>());
diff --git a/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandlerTests.cs b/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsQueryStringHandlerTests.cs
diff --git a/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsResourceHandlerTests.cs b/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Authorization/MediaPermissionsResourceHandlerTests.cs

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ public class`
`20`	`20`	`{`
`21`	`21`	`private readonly ContentPermissions _contentPermissions;`
`22`	`22`
	`23`	`+ protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Document;`
	`24`	`+`
`23`	`25`	`/// <summary>`
`24`	`26`	`/// Initializes a new instance of the <see cref="ContentPermissionsQueryStringHandler" /> class.`
`25`	`27`	`/// </summary>`
`@@ -48,7 +50,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,`
`48`	`50`	`return Task.FromResult(true);`
`49`	`51`	`}`
`50`	`52`
`51`		`- var argument = routeVal.ToString();`
	`53`	`+ // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).`
	`54`	`+ // It's the first one that'll be processed by the protected method so we should verify that.`
	`55`	`+ var argument = routeVal.Count == 1`
	`56`	`+ ? routeVal.ToString()`
	`57`	`+ : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;`
`52`	`58`
`53`	`59`	`if (!TryParseNodeId(argument, out nodeId))`
`54`	`60`	`{`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ public class MediaPermissionsQueryStringHandler : PermissionsQueryStringHandler<`
`18`	`18`	`{`
`19`	`19`	`private readonly MediaPermissions _mediaPermissions;`
`20`	`20`
	`21`	`+ protected override UmbracoObjectTypes KeyParsingFilterType => UmbracoObjectTypes.Media;`
	`22`	`+`
`21`	`23`	`/// <summary>`
`22`	`24`	`/// Initializes a new instance of the <see cref="MediaPermissionsQueryStringHandler" /> class.`
`23`	`25`	`/// </summary>`
`@@ -44,7 +46,11 @@ protected override Task<bool> IsAuthorized(AuthorizationHandlerContext context,`
`44`	`46`	`return Task.FromResult(true);`
`45`	`47`	`}`
`46`	`48`
`47`		`- var argument = routeVal.ToString();`
	`49`	`+ // Handle case where the incoming querystring could contain more than one value (e.g. ?id=1000&id=1001).`
	`50`	`+ // It's the first one that'll be processed by the protected method so we should verify that.`
	`51`	`+ var argument = routeVal.Count == 1`
	`52`	`+ ? routeVal.ToString()`
	`53`	`+ : routeVal.FirstOrDefault()?.ToString() ?? string.Empty;`
`48`	`54`
`49`	`55`	`if (!TryParseNodeId(argument, out var nodeId))`
`50`	`56`	`{`
Original file line number	Diff line number	Diff line change
`@@ -386,6 +386,7 @@ public IActionResult DeleteById(int id)`
`386`	`386`	`/// </summary>`
`387`	`387`	`/// <param name="move"></param>`
`388`	`388`	`/// <returns></returns>`
	`389`	`+ [HttpPost]`
`389`	`390`	`public async Task<IActionResult> PostMove(MoveOrCopy move)`
`390`	`391`	`{`
`391`	`392`	`// Authorize...`
`@@ -436,6 +437,7 @@ public async Task<IActionResult> PostMove(MoveOrCopy move)`
`436`	`437`	`[FileUploadCleanupFilter]`
`437`	`438`	`[MediaItemSaveValidation]`
`438`	`439`	`[OutgoingEditorModelEvent]`
	`440`	`+ [HttpPost]`
`439`	`441`	`public ActionResult<MediaItemDisplay?>? PostSave(`
`440`	`442`	`[ModelBinder(typeof(MediaItemBinder))] MediaItemSave contentItem)`
`441`	`443`	`{`
`@@ -551,6 +553,7 @@ public IActionResult EmptyRecycleBin()`
`551`	`553`	`/// </summary>`
`552`	`554`	`/// <param name="sorted"></param>`
`553`	`555`	`/// <returns></returns>`
	`556`	`+ [HttpPost]`
`554`	`557`	`public async Task<IActionResult> PostSort(ContentSortOrder sorted)`
`555`	`558`	`{`
`556`	`559`	`if (sorted == null)`
`@@ -595,6 +598,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)`
`595`	`598`	`}`
`596`	`599`	`}`
`597`	`600`
	`601`	`+ [HttpPost]`
`598`	`602`	`public async Task<ActionResult<MediaItemDisplay?>> PostAddFolder(PostedFolder folder)`
`599`	`603`	`{`
`600`	`604`	`ActionResult<int?>? parentIdResult = await GetParentIdAsIntAsync(folder.ParentId, true);`
`@@ -628,6 +632,7 @@ public async Task<IActionResult> PostSort(ContentSortOrder sorted)`
`628`	`632`	`/// <remarks>`
`629`	`633`	`/// We cannot validate this request with attributes (nicely) due to the nature of the multi-part for data.`
`630`	`634`	`/// </remarks>`
	`635`	`+ [HttpPost]`
`631`	`636`	`public async Task<IActionResult> PostAddFile([FromForm] string path, [FromForm] string currentFolder,`
`632`	`637`	`[FromForm] string contentTypeAlias, List<IFormFile> file)`
`633`	`638`	`{`